buran | 824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

Analysis

max time kernel
89s
max time network
129s
platform
windows10_x64
resource
win10v20210410
submitted
31-08-2021 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pattern.exe
Size

416KB
MD5

dcef208fcdac3345c6899a478d16980f
SHA1

fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
SHA256

824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
SHA512

28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 2DF-D86-2E1 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

spoolsv.exespoolsv.exe

pid	Process
200	spoolsv.exe
3668	spoolsv.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

spoolsv.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\OptimizeResume.tiff	spoolsv.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
1672	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pattern.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	pattern.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	pattern.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spoolsv.exe

description	ioc	Process
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\F:	spoolsv.exe
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
7	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

spoolsv.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.dualsim1.smile.scale-150.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7296_24x24x32.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-100.png	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check.cur	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.kd8eby0.2DF-D86-2E1	spoolsv.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SpotlightMailHxS_2016-09.png	spoolsv.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar.kd8eby0.2DF-D86-2E1	spoolsv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-200.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\AppStore_icon.svg	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jawt.h.kd8eby0.2DF-D86-2E1	spoolsv.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.kd8eby0.2DF-D86-2E1	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Square310x310Logo.scale-100.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W6.png	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_empty_state.svg	spoolsv.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.kd8eby0.2DF-D86-2E1	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\39.jpg	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-48_altform-unplated.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\ui-strings.js	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar.kd8eby0.2DF-D86-2E1	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt.kd8eby0.2DF-D86-2E1	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.kd8eby0.2DF-D86-2E1	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\ui-strings.js	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\SampleHeader\fullscreen32.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\prompts_en-GB_TTS.lua	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.kd8eby0.2DF-D86-2E1	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png	spoolsv.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIF	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\12h.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-256.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-250.png	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.kd8eby0.2DF-D86-2E1	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.kd8eby0.2DF-D86-2E1	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\_Resources\index.txt	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7dd.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js.kd8eby0.2DF-D86-2E1	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-16.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailLargeTile.scale-125.png	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-125_contrast-black.png	spoolsv.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-200.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js.kd8eby0.2DF-D86-2E1	spoolsv.exe

Drops file in Windows directory 1 IoCs

Processes:

spoolsv.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
4060	vssadmin.exe
3000	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

pattern.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pattern.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pattern.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

pattern.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	3176	pattern.exe
Token: SeDebugPrivilege	3176	pattern.exe
Token: SeIncreaseQuotaPrivilege	2592	WMIC.exe
Token: SeSecurityPrivilege	2592	WMIC.exe
Token: SeTakeOwnershipPrivilege	2592	WMIC.exe
Token: SeLoadDriverPrivilege	2592	WMIC.exe
Token: SeSystemProfilePrivilege	2592	WMIC.exe
Token: SeSystemtimePrivilege	2592	WMIC.exe
Token: SeProfSingleProcessPrivilege	2592	WMIC.exe
Token: SeIncBasePriorityPrivilege	2592	WMIC.exe
Token: SeCreatePagefilePrivilege	2592	WMIC.exe
Token: SeBackupPrivilege	2592	WMIC.exe
Token: SeRestorePrivilege	2592	WMIC.exe
Token: SeShutdownPrivilege	2592	WMIC.exe
Token: SeDebugPrivilege	2592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2592	WMIC.exe
Token: SeRemoteShutdownPrivilege	2592	WMIC.exe
Token: SeUndockPrivilege	2592	WMIC.exe
Token: SeManageVolumePrivilege	2592	WMIC.exe
Token: 33	2592	WMIC.exe
Token: 34	2592	WMIC.exe
Token: 35	2592	WMIC.exe
Token: 36	2592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2672	WMIC.exe
Token: SeSecurityPrivilege	2672	WMIC.exe
Token: SeTakeOwnershipPrivilege	2672	WMIC.exe
Token: SeLoadDriverPrivilege	2672	WMIC.exe
Token: SeSystemProfilePrivilege	2672	WMIC.exe
Token: SeSystemtimePrivilege	2672	WMIC.exe
Token: SeProfSingleProcessPrivilege	2672	WMIC.exe
Token: SeIncBasePriorityPrivilege	2672	WMIC.exe
Token: SeCreatePagefilePrivilege	2672	WMIC.exe
Token: SeBackupPrivilege	2672	WMIC.exe
Token: SeRestorePrivilege	2672	WMIC.exe
Token: SeShutdownPrivilege	2672	WMIC.exe
Token: SeDebugPrivilege	2672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2672	WMIC.exe
Token: SeRemoteShutdownPrivilege	2672	WMIC.exe
Token: SeUndockPrivilege	2672	WMIC.exe
Token: SeManageVolumePrivilege	2672	WMIC.exe
Token: 33	2672	WMIC.exe
Token: 34	2672	WMIC.exe
Token: 35	2672	WMIC.exe
Token: 36	2672	WMIC.exe
Token: SeBackupPrivilege	3672	vssvc.exe
Token: SeRestorePrivilege	3672	vssvc.exe
Token: SeAuditPrivilege	3672	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2672	WMIC.exe
Token: SeSecurityPrivilege	2672	WMIC.exe
Token: SeTakeOwnershipPrivilege	2672	WMIC.exe
Token: SeLoadDriverPrivilege	2672	WMIC.exe
Token: SeSystemProfilePrivilege	2672	WMIC.exe
Token: SeSystemtimePrivilege	2672	WMIC.exe
Token: SeProfSingleProcessPrivilege	2672	WMIC.exe
Token: SeIncBasePriorityPrivilege	2672	WMIC.exe
Token: SeCreatePagefilePrivilege	2672	WMIC.exe
Token: SeBackupPrivilege	2672	WMIC.exe
Token: SeRestorePrivilege	2672	WMIC.exe
Token: SeShutdownPrivilege	2672	WMIC.exe
Token: SeDebugPrivilege	2672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2672	WMIC.exe
Token: SeRemoteShutdownPrivilege	2672	WMIC.exe
Token: SeUndockPrivilege	2672	WMIC.exe
Token: SeManageVolumePrivilege	2672	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

pattern.exespoolsv.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 3176 wrote to memory of 200	3176	pattern.exe	76
PID 3176 wrote to memory of 200	3176	pattern.exe	76
PID 3176 wrote to memory of 200	3176	pattern.exe	76
PID 3176 wrote to memory of 1672	3176	pattern.exe	77
PID 3176 wrote to memory of 1672	3176	pattern.exe	77
PID 3176 wrote to memory of 1672	3176	pattern.exe	77
PID 3176 wrote to memory of 1672	3176	pattern.exe	77
PID 3176 wrote to memory of 1672	3176	pattern.exe	77
PID 3176 wrote to memory of 1672	3176	pattern.exe	77
PID 200 wrote to memory of 4064	200	spoolsv.exe	80
PID 200 wrote to memory of 4064	200	spoolsv.exe	80
PID 200 wrote to memory of 4064	200	spoolsv.exe	80
PID 200 wrote to memory of 1756	200	spoolsv.exe	81
PID 200 wrote to memory of 1756	200	spoolsv.exe	81
PID 200 wrote to memory of 1756	200	spoolsv.exe	81
PID 200 wrote to memory of 516	200	spoolsv.exe	92
PID 200 wrote to memory of 516	200	spoolsv.exe	92
PID 200 wrote to memory of 516	200	spoolsv.exe	92
PID 200 wrote to memory of 1824	200	spoolsv.exe	83
PID 200 wrote to memory of 1824	200	spoolsv.exe	83
PID 200 wrote to memory of 1824	200	spoolsv.exe	83
PID 200 wrote to memory of 1896	200	spoolsv.exe	84
PID 200 wrote to memory of 1896	200	spoolsv.exe	84
PID 200 wrote to memory of 1896	200	spoolsv.exe	84
PID 200 wrote to memory of 3604	200	spoolsv.exe	85
PID 200 wrote to memory of 3604	200	spoolsv.exe	85
PID 200 wrote to memory of 3604	200	spoolsv.exe	85
PID 200 wrote to memory of 3668	200	spoolsv.exe	88
PID 200 wrote to memory of 3668	200	spoolsv.exe	88
PID 200 wrote to memory of 3668	200	spoolsv.exe	88
PID 1896 wrote to memory of 4060	1896	cmd.exe	94
PID 1896 wrote to memory of 4060	1896	cmd.exe	94
PID 1896 wrote to memory of 4060	1896	cmd.exe	94
PID 3604 wrote to memory of 2592	3604	cmd.exe	93
PID 3604 wrote to memory of 2592	3604	cmd.exe	93
PID 3604 wrote to memory of 2592	3604	cmd.exe	93
PID 4064 wrote to memory of 2672	4064	cmd.exe	95
PID 4064 wrote to memory of 2672	4064	cmd.exe	95
PID 4064 wrote to memory of 2672	4064	cmd.exe	95
PID 3604 wrote to memory of 3000	3604	cmd.exe	98
PID 3604 wrote to memory of 3000	3604	cmd.exe	98
PID 3604 wrote to memory of 3000	3604	cmd.exe	98
PID 200 wrote to memory of 2920	200	spoolsv.exe	101
PID 200 wrote to memory of 2920	200	spoolsv.exe	101
PID 200 wrote to memory of 2920	200	spoolsv.exe	101
PID 200 wrote to memory of 2920	200	spoolsv.exe	101
PID 200 wrote to memory of 2920	200	spoolsv.exe	101
PID 200 wrote to memory of 2920	200	spoolsv.exe	101

C:\Users\Admin\AppData\Local\Temp\pattern.exe
"C:\Users\Admin\AppData\Local\Temp\pattern.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2592
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3000
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:516
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2920
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
dfecc0d125f867a1a35c78a4fb544e3a

SHA1
5a075caf6ef18373610acece2c15a46dc045ecb0

SHA256
005e3daad91b77bc782c2eedb723cbd10d362f927b6a1b5d66a6563bbf7966f1

SHA512
41a2f9187a0a17f9b28642fc862d5215dc4942b15ad6574a45df247dc1bcd6cff084dc53d4acbaef8960c6b405af93b7464b6b3ef3709335ae8bb851ea75d501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
6fbfeebb66f6110b1588cce66f286591

SHA1
1aed9cee7cb1c8813d9703abf2c79a80ac9a219e

SHA256
ed768a23ba27f4c70df86c391bbe6d29633bc949ba498888ddeeee5e329ba9c3

SHA512
ab151231178bc1157121f7e23c079190e4153977771cf98706a13e902b04612061be551f98f1612213d8133a952ec46291e47c1424ade569a48fba42b4427af8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
79cd7c11eee5b2fd422a1ee714f7a1cc

SHA1
2aa134013796fa3dd8bc8cb8fc315d95d320991a

SHA256
2c4dbc9a72d4bb2c2e06ea9964daf57a425197c164a954b86a93d205d2bb30ac

SHA512
fdfd97c6acebccb5d56a3793a8d49abf59fa5276d809ceb9d2ad5cc610c4fa9fb54ff1f9af47503cf645d92a07ed18b969ea540ad1210153d8a725cc285ae254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GDGLHSEM\F3ZDE1DQ.htm

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U0EJMF7X\9U1CV2IY.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\Desktop\AddPing.potm.kd8eby0.2DF-D86-2E1

MD5
2d1da6664a529acd92cfd8a7e87e799d

SHA1
fe672806377c1dca7006246895fd84e13359184a

SHA256
18a3bf714e3e2f1007df0dbca006b0990cfa9d3f1b90f2e4dee7f8f520b0a1cb

SHA512
6c133ea7870b896d7f92905cc701763ae44e2a3bee0ff89a52190fc1e6666007eec2abc781dbbe384594c7ea4b68bec4be640f7f61a4a8387c6a4fdce8849cda

Download Submit
C:\Users\Admin\Desktop\CompleteUninstall.M2V.kd8eby0.2DF-D86-2E1

MD5
24210a3bd6ed5d5b829c5f59fb1fc217

SHA1
06f8c24ce22e04376209710a0244a25da0047144

SHA256
5556e2cb5802d86ff964b5e6e12f100f37b57189d5e1fcc98195c2606af9e996

SHA512
703607856e2e929ae199794a0bb6797fafeb5a25abfb22ed6a23bcd24f3709d355f39e83c60fedaf8e0a000247ae25b6a45efdcbb8d66d846080e8b046637f76

Download Submit
C:\Users\Admin\Desktop\CompressRestore.ocx.kd8eby0.2DF-D86-2E1

MD5
abb3a61061119f60e019911f492fb5c5

SHA1
702286c671c29d09697c35cde0bb4c60e05cb766

SHA256
d601fbf41d2ea8a32bc387b1dab4795c322bf11a0a4d5a1c43b35178111a0826

SHA512
c70c675bdaa7aced55557d76d4fc6ccfaec019f8840750ee1757a9781d21d91ce51275292c33e5be2c7fa73798094910fa6ccbaadaf9f76f46e1933221bd5408

Download Submit
C:\Users\Admin\Desktop\ConvertOptimize.nfo.kd8eby0.2DF-D86-2E1

MD5
29bcb4c9f8701c58516e2d87405c4545

SHA1
698f86bd91f5f73ec7f081af7025dc1d16bf9493

SHA256
1c53efdf11d648634769c6121a1f005df4a93e3d6342995996fff31940f53707

SHA512
196da01aa09a6a95e0ca37b51cc35c040bce2e146af0dc634a80c8767d5cb74da0caac3c0bb3c5539455e0288e24cda162199b6500ef6d21374a3a776fe71c54

Download Submit
C:\Users\Admin\Desktop\DismountResize.vbe.kd8eby0.2DF-D86-2E1

MD5
b1bc47eb1ba09397d91d3647ee0a6dee

SHA1
75a4d3ec8c563a25a1df02cbb4f6cc8bc8bb0d7f

SHA256
b8f40c04dd614c0223e16f6c18327810b4b7ba14db9a41418c03e6997dbcca98

SHA512
bb4e9aeaa30800f9edfbf6d3c46860f2651ccdb4b5bf1fedd8f743661ede6f6d3ff8a46913dadf0a4ce48a90ae53517e665c9d2f02b82edc4fd2e37406e731f9

Download Submit
C:\Users\Admin\Desktop\DismountStep.jpg.kd8eby0.2DF-D86-2E1

MD5
75986a90e8cfcbe6eeb82f1f9c57e41b

SHA1
ce19cfd21ae9485eaa196828ff1637a1b51b83ad

SHA256
e22f70a5cb7ae6e74a8484eb50f4a5b2d2a8574168bd7539821213b8c37b5a26

SHA512
6e46dc473f1e68302c082740877f2549baa2f3b568f46b9142e500afd70f8396e3188689335955bc194c3e9ecf29782653ccb657f94a552e24227a1b3c7358cf

Download Submit
C:\Users\Admin\Desktop\GroupResolve.js.kd8eby0.2DF-D86-2E1

MD5
aba874c437b569d20a0f2ba94580aa0b

SHA1
dad43939f5165cd066f0afb119dbedab48557e34

SHA256
e767f5f7aa3dbbeb7c45a463662d34cbb8b7ea716cf9829b53695f97e878a28f

SHA512
084955420e2b5bcb944560f4313a5e486f4c3206d0301700e5aeffdd3ae5af2e7566b8d3eafc1466bb22ff8d4e35366a3182eee8776dce0bca73d25ac2d3a241

Download Submit
C:\Users\Admin\Desktop\InstallWatch.vdw.kd8eby0.2DF-D86-2E1

MD5
be9758decd717a01e9a5e4b97eae0199

SHA1
bc8d93d2ef6468790b4e15b51726ae0cd663acb2

SHA256
f3bdf826516a70d72600f85e3d3637b3166c66d0e874c6def4cbc6e3aa1fe44d

SHA512
44f1d1ea7ffd8c32128ce0c773f6c0972260b337d8cdec07077f288e54634827fed0c351a1dd3cc3b50f8f9aced7f4b1b664cffe59d4e7bb7ebdecce04744241

Download Submit
C:\Users\Admin\Desktop\InvokeFind.reg.kd8eby0.2DF-D86-2E1

MD5
e1335cb300a405936387986748fab123

SHA1
5a9c9c8e9a92718bf2e801257db5aa8174cf8eb7

SHA256
08da35613ab9993c8bf6b1ea57cae0e78c21a31783a95ff8491461617f7b3831

SHA512
e2879176c7335b043663a85be73b7f4691c44f4c72c4df9152e4976e18d42944bac132426b2529a0659c4dc96c97154db4551cfbcd0810a2fd4007132b271c0c

Download Submit
C:\Users\Admin\Desktop\LimitDismount.potm.kd8eby0.2DF-D86-2E1

MD5
81c7cd21158afdeb9e40269ad8ce2116

SHA1
0f6040414a6b2391793e4b4f9e5dde13fabe0588

SHA256
9114794fe027183550d5830b53240e706a456e01dd249bfb824a3f5e2e05d5df

SHA512
fddcdc675543629f52bdb091e9194e023ec555b46411311f189a5f1bf442f5090fd6394fa44ae48c2f5c35a7c6b14f09006f365694d6fd97e0ee00acb72581e7

Download Submit
C:\Users\Admin\Desktop\MoveEnter.3gp.kd8eby0.2DF-D86-2E1

MD5
b0d869748411ca90ad3598849c83091a

SHA1
1485bed748655dc11755b833303876b3d2656674

SHA256
07427d3e42bba518f0be1d1e7b1661c0c706117da7d4a7c7f60f83a8aa7935a3

SHA512
5a75cbfd5dbcc9079ccdc5d9831daf135b2eb08c7e98d8709105a9bd659c160a57a637b9e9edc3d8d529993cfe1f66edf69d2195e2f66fcdf7448d5e5c253249

Download Submit
C:\Users\Admin\Desktop\ProtectFormat.ogg.kd8eby0.2DF-D86-2E1

MD5
c61243bf62da934b209666028eeb0e5b

SHA1
2a60792234433d77b3eeddaf9f41a5722bf7f1db

SHA256
d7aaeedfc0a1d1c272b7bcfeb738557818504fbd99b4675556bb3339b2a21863

SHA512
0e54991d9df4b0e4cea15bc56e1af2202f28d20135ab8d544a64057848bd691c920b615a5ee9587f2f4877be97084357d64fd707d0c9d226a57a5287336f9927

Download Submit
C:\Users\Admin\Desktop\RedoWatch.xps.kd8eby0.2DF-D86-2E1

MD5
dcfcb6480aaef8dc61dfb5dab8335fe0

SHA1
49b3fede5caaf7ecd5b875ce5d904dcafa890874

SHA256
228e325b19ce9d6b807916f10a05a369edfd0e48fb1ecb5daef839f615246a27

SHA512
0afbc719392e2e74c0b3d44ce6b910d21486b4ef25e6d383b91821bf23c487758789e75d9a80f08bf334ad7f0318552bd28abcb83d5453077168a8d63de0a825

Download Submit
C:\Users\Admin\Desktop\RepairSet.dib.kd8eby0.2DF-D86-2E1

MD5
2c8824593cb1ae504dcc8e6867e400e4

SHA1
d8773b166d3a27e859911048e41ebbc006d1d989

SHA256
0a6c0783a263645d9d2fe98cbb6482c435c5ae9ef76423908876b761108af2b0

SHA512
c753180380afe1d31a42022fe0b288437513f1f116c0a3932b742b42e0d1e988091ebfca702752f90a13bf23d0f06840b45d0026b3218978704f88a77413506a

Download Submit
C:\Users\Admin\Desktop\SaveGroup.raw.kd8eby0.2DF-D86-2E1

MD5
5774c871f609dfbfca9ef38500bd9eca

SHA1
815ac71ebb140c316c90edff88220836335ec04a

SHA256
53f3c763b0da70c65ff479b8d4420e926b2891f0ac103d206f35d056c03a7e54

SHA512
07666166e8755a582324c645fd836c5170cacb232b641d183c47e934713dab887b20b420caa00d7b654626dc5bd0f0783e1f15b47f384bea036eb907588243e5

Download Submit
C:\Users\Admin\Desktop\SetConnect.AAC.kd8eby0.2DF-D86-2E1

MD5
463db6221b3dedbaf60ab3ad29f2eb15

SHA1
543bca52f0a9903dccadfa689101cee989880fb9

SHA256
22478af03b2cd7badf98459441ea918e0f590057342eef390c9096ee358e91a7

SHA512
ad06fcab5ae0922f6524096f8e53232bda33f83cdc5b46751b7c6870e039107adcc895e3e4d0e427b2ec9741d2e9584278bb02b1f9f02793b29d0b280350f2b2

Download Submit
C:\Users\Admin\Desktop\StepFind.xsl.kd8eby0.2DF-D86-2E1

MD5
4c44f85c45a6ffdddfa1dfc6bf892a0a

SHA1
52bd2e167042e46eda8a892f49271eaa9babffd5

SHA256
06d975f8347e2e1b268a2114ca92a2ea5389b00bf982e9b4e73c53dd8c2fafd1

SHA512
979458bc94fa8c359fa6542aec25c652596e118f5d37d680d625291e64fe209d08f7e109a15b6d897d529c3bde15972e27a9966aa1f33b5c93fc2561c679b42e

Download Submit
C:\Users\Admin\Desktop\UninstallConvertTo.vssx.kd8eby0.2DF-D86-2E1

MD5
cf9477939d662ce37765837158250b15

SHA1
2b8bdd6bd5fffbdd191699be96a0a0d692d71fe0

SHA256
e064aa3e53028c9d7b3fedfe54d69203116d514ff4c2eacc2ca92e89ec182201

SHA512
78a53f5dabc5c839a94e27826343925c3cabf2e91d2ba3f35e1d9b279391d962bc3c5a99dbb35e8a6ea9f52728e26036e36626b96b511a3f2fe9e24e2ecd3e2e

Download Submit
C:\Users\Admin\Desktop\UnregisterStop.7z.kd8eby0.2DF-D86-2E1

MD5
a4037ff89b3bd310902196146ca0b69b

SHA1
a61e8199bea37f21a91e53a5bdfca27b995b4af1

SHA256
e2fcf3c74e37213328bc13430129fb488c0860be0d140d235c5204e86e0aa760

SHA512
d41c223d2e4585f378aff6ae245bf27b33954015b9f860a308312c76f204a5075aa7459b4999decbe5d67b849793143985bd9aaff47fadaa67a71f6080abe0d9

Download Submit
C:\Users\Admin\Desktop\WatchNew.ADT.kd8eby0.2DF-D86-2E1

MD5
ecaf24cc25d67b566d97cdc211528f7b

SHA1
87ff94ec32a9b55e31807db552d8313745f9adad

SHA256
8eed111049d4feb953dae4070e6356e0fc7b9c882fbb22d10b9dc6cc21b0f28c

SHA512
7b06efa3581c158c0b4163646fa3fa399df2ab630f270f480e4f62fa20f96589be62cd6ab139fbbaad1a96e68ef968810759212e288004d80cfdcc3710845948

Download Submit
memory/200-116-0x0000000000000000-mapping.dmp

Download
memory/200-121-0x0000000000A90000-0x0000000000BD5000-memory.dmp

Filesize
1.3MB

Download
memory/516-132-0x0000000000000000-mapping.dmp

Download
memory/1672-122-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1672-119-0x0000000000000000-mapping.dmp

Download
memory/1756-131-0x0000000000000000-mapping.dmp

Download
memory/1824-133-0x0000000000000000-mapping.dmp

Download
memory/1896-134-0x0000000000000000-mapping.dmp

Download
memory/2592-140-0x0000000000000000-mapping.dmp

Download
memory/2672-141-0x0000000000000000-mapping.dmp

Download
memory/2920-164-0x0000000000000000-mapping.dmp

Download
memory/3000-143-0x0000000000000000-mapping.dmp

Download
memory/3176-115-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/3176-114-0x0000000000B10000-0x0000000000C55000-memory.dmp

Filesize
1.3MB

Download
memory/3604-135-0x0000000000000000-mapping.dmp

Download
memory/3668-136-0x0000000000000000-mapping.dmp

Download
memory/3668-142-0x0000000000A60000-0x0000000000BA5000-memory.dmp

Filesize
1.3MB

Download
memory/4060-138-0x0000000000000000-mapping.dmp

Download
memory/4064-130-0x0000000000000000-mapping.dmp

Download