buran | 2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4

Analysis

max time kernel
152s
max time network
153s
platform
windows10_x64
resource
win10v20210408
submitted
31-08-2021 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe
Size

271KB
MD5

c5ef03ef2f2fe79aaa5c89dc4c57d4d6
SHA1

aeb47342503ac38543f1524f069931fa3e564ed6
SHA256

2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4
SHA512

9a1ac46b8e112780add70c1986d147b486a129567d53fed69aaa709fd8efcac4c843f15dfefab2e278d7fbd98c10877b7e88608ef04b9f50e4f647bd951ee6f1

Score

10^/10

buran smokeloader backdoor discovery evasion persistence ransomware spyware stealer themida trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 24A-53B-A87 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 4 IoCs

Processes:

9C17.exe9FA2.exelsass.exelsass.exe

pid	Process
940	9C17.exe
1284	9FA2.exe
4016	lsass.exe
3364	lsass.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9FA2.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9FA2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9FA2.exe

Deletes itself 1 IoCs

Processes:

pid	Process
3028

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x0004000000015534-122.dat	themida
behavioral1/files/0x0004000000015534-123.dat	themida
behavioral1/memory/1284-129-0x00000000008F0000-0x00000000008F1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9C17.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	9C17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	9C17.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

9FA2.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9FA2.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	Process
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
25	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

9FA2.exe

pid	Process
1284	9FA2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe

description	pid	Process	procid_target
PID 4016 set thread context of 2548	4016	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe	75

Drops file in Program Files directory 64 IoCs

Processes:

lsass.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\dailyChallenge_bp_920.jpg	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\js\startup.js	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\17.rsrc	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms	lsass.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lv\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\vlc.mo	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-24.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\202.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-400.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-96.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg.payfast290.24A-53B-A87	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorLargeTile.contrast-black_scale-100.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms	lsass.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\ui-strings.js.payfast290.24A-53B-A87	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.payfast290.24A-53B-A87	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar.payfast290.24A-53B-A87	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms	lsass.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp3.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	lsass.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\ui-strings.js.payfast290.24A-53B-A87	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-actions.jar.payfast290.24A-53B-A87	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\about.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\autumn.jpg	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-100.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg.payfast290.24A-53B-A87	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_selected_18.svg	lsass.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.access	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac	lsass.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-200.png	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\Interceptor.tlb	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe.payfast290.24A-53B-A87	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\3.jpg	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css.payfast290.24A-53B-A87	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\kz_16x11.png	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
3944	vssadmin.exe
3628	vssadmin.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

9C17.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	9C17.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	9C17.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe

pid	Process
2548	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe
2548	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3028

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe

pid	Process
2548	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

9C17.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeDebugPrivilege	940	9C17.exe
Token: SeDebugPrivilege	940	9C17.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeIncreaseQuotaPrivilege	3640	WMIC.exe
Token: SeSecurityPrivilege	3640	WMIC.exe
Token: SeTakeOwnershipPrivilege	3640	WMIC.exe
Token: SeLoadDriverPrivilege	3640	WMIC.exe
Token: SeSystemProfilePrivilege	3640	WMIC.exe
Token: SeSystemtimePrivilege	3640	WMIC.exe
Token: SeProfSingleProcessPrivilege	3640	WMIC.exe
Token: SeIncBasePriorityPrivilege	3640	WMIC.exe
Token: SeCreatePagefilePrivilege	3640	WMIC.exe
Token: SeBackupPrivilege	3640	WMIC.exe
Token: SeRestorePrivilege	3640	WMIC.exe
Token: SeShutdownPrivilege	3640	WMIC.exe
Token: SeDebugPrivilege	3640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3640	WMIC.exe
Token: SeRemoteShutdownPrivilege	3640	WMIC.exe
Token: SeUndockPrivilege	3640	WMIC.exe
Token: SeManageVolumePrivilege	3640	WMIC.exe
Token: 33	3640	WMIC.exe
Token: 34	3640	WMIC.exe
Token: 35	3640	WMIC.exe
Token: 36	3640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2208	WMIC.exe
Token: SeSecurityPrivilege	2208	WMIC.exe
Token: SeTakeOwnershipPrivilege	2208	WMIC.exe
Token: SeLoadDriverPrivilege	2208	WMIC.exe
Token: SeSystemProfilePrivilege	2208	WMIC.exe
Token: SeSystemtimePrivilege	2208	WMIC.exe
Token: SeProfSingleProcessPrivilege	2208	WMIC.exe
Token: SeIncBasePriorityPrivilege	2208	WMIC.exe
Token: SeCreatePagefilePrivilege	2208	WMIC.exe
Token: SeBackupPrivilege	2208	WMIC.exe
Token: SeRestorePrivilege	2208	WMIC.exe
Token: SeShutdownPrivilege	2208	WMIC.exe
Token: SeDebugPrivilege	2208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2208	WMIC.exe
Token: SeRemoteShutdownPrivilege	2208	WMIC.exe
Token: SeUndockPrivilege	2208	WMIC.exe
Token: SeManageVolumePrivilege	2208	WMIC.exe
Token: 33	2208	WMIC.exe
Token: 34	2208	WMIC.exe
Token: 35	2208	WMIC.exe
Token: 36	2208	WMIC.exe
Token: SeBackupPrivilege	1344	vssvc.exe
Token: SeRestorePrivilege	1344	vssvc.exe
Token: SeAuditPrivilege	1344	vssvc.exe
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeIncreaseQuotaPrivilege	2208	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3028

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe9C17.exelsass.exe

description	pid	Process	procid_target
PID 4016 wrote to memory of 2548	4016	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe	75
PID 4016 wrote to memory of 2548	4016	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe	75
PID 4016 wrote to memory of 2548	4016	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe	75
PID 4016 wrote to memory of 2548	4016	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe	75
PID 4016 wrote to memory of 2548	4016	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe	75
PID 4016 wrote to memory of 2548	4016	2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe	75
PID 3028 wrote to memory of 940	3028		79
PID 3028 wrote to memory of 940	3028		79
PID 3028 wrote to memory of 940	3028		79
PID 3028 wrote to memory of 1284	3028		80
PID 3028 wrote to memory of 1284	3028		80
PID 3028 wrote to memory of 1284	3028		80
PID 3028 wrote to memory of 428	3028		82
PID 3028 wrote to memory of 428	3028		82
PID 3028 wrote to memory of 428	3028		82
PID 3028 wrote to memory of 428	3028		82
PID 3028 wrote to memory of 3956	3028		83
PID 3028 wrote to memory of 3956	3028		83
PID 3028 wrote to memory of 3956	3028		83
PID 3028 wrote to memory of 2372	3028		84
PID 3028 wrote to memory of 2372	3028		84
PID 3028 wrote to memory of 2372	3028		84
PID 3028 wrote to memory of 2372	3028		84
PID 940 wrote to memory of 4016	940	9C17.exe	85
PID 940 wrote to memory of 4016	940	9C17.exe	85
PID 940 wrote to memory of 4016	940	9C17.exe	85
PID 940 wrote to memory of 2900	940	9C17.exe	86
PID 940 wrote to memory of 2900	940	9C17.exe	86
PID 940 wrote to memory of 2900	940	9C17.exe	86
PID 940 wrote to memory of 2900	940	9C17.exe	86
PID 940 wrote to memory of 2900	940	9C17.exe	86
PID 940 wrote to memory of 2900	940	9C17.exe	86
PID 3028 wrote to memory of 1724	3028		87
PID 3028 wrote to memory of 1724	3028		87
PID 3028 wrote to memory of 1724	3028		87
PID 3028 wrote to memory of 3144	3028		88
PID 3028 wrote to memory of 3144	3028		88
PID 3028 wrote to memory of 3144	3028		88
PID 3028 wrote to memory of 3144	3028		88
PID 3028 wrote to memory of 1592	3028		89
PID 3028 wrote to memory of 1592	3028		89
PID 3028 wrote to memory of 1592	3028		89
PID 3028 wrote to memory of 2288	3028		90
PID 3028 wrote to memory of 2288	3028		90
PID 3028 wrote to memory of 2288	3028		90
PID 3028 wrote to memory of 2288	3028		90
PID 3028 wrote to memory of 2204	3028		91
PID 3028 wrote to memory of 2204	3028		91
PID 3028 wrote to memory of 2204	3028		91
PID 3028 wrote to memory of 3720	3028		92
PID 3028 wrote to memory of 3720	3028		92
PID 3028 wrote to memory of 3720	3028		92
PID 3028 wrote to memory of 3720	3028		92
PID 4016 wrote to memory of 1552	4016	lsass.exe	93
PID 4016 wrote to memory of 1552	4016	lsass.exe	93
PID 4016 wrote to memory of 1552	4016	lsass.exe	93
PID 4016 wrote to memory of 3952	4016	lsass.exe	94
PID 4016 wrote to memory of 3952	4016	lsass.exe	94
PID 4016 wrote to memory of 3952	4016	lsass.exe	94
PID 4016 wrote to memory of 1516	4016	lsass.exe	105
PID 4016 wrote to memory of 1516	4016	lsass.exe	105
PID 4016 wrote to memory of 1516	4016	lsass.exe	105
PID 4016 wrote to memory of 3636	4016	lsass.exe	96
PID 4016 wrote to memory of 3636	4016	lsass.exe	96

C:\Users\Admin\AppData\Local\Temp\2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe
"C:\Users\Admin\AppData\Local\Temp\2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Users\Admin\AppData\Local\Temp\2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe
  "C:\Users\Admin\AppData\Local\Temp\2678ce604cb3012749c9bf1ee41b5d9974a4d398d9733723a01a0262b25b34c4.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2548

C:\Users\Admin\AppData\Local\Temp\9C17.exe
C:\Users\Admin\AppData\Local\Temp\9C17.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:4000
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:2984
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2208
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3628
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3148
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:2900

C:\Users\Admin\AppData\Local\Temp\9FA2.exe
C:\Users\Admin\AppData\Local\Temp\9FA2.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1284

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:428

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3956

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2372

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1724

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3144

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1592

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2288

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2204

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
8797ba09838a26d1f2799e33fd16b142

SHA1
6005bf3e3af39699fe1ff8d361d54a61612ddb4c

SHA256
cb3bb4f39f27c3accde5cefd90a77473cd7b377144a6c7a9ed7743790d8b5515

SHA512
0bae6d2f0c36d85d29d6c613bb2098d6d75c0da1f56cb13a565157d990c894a8acaf5a872c64cb21cb400a05b46cd51f342171902d809233fccc4b38d0f4a316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
25b21206ee0a7692bdce1ea09f18417d

SHA1
618d996d49db517c486fb6f07faf25dbc9d4704c

SHA256
d8c7b48174e4361158d6dbf0b9a71f287b6a987a7c73d6dbfd13706a10ee93b3

SHA512
2860227897dcc42b6030f7d7fc2f725753e0e86a2a4e9c97e3ddce630f3db3bda47f59ddf669c965fdf9133153e6fedb8ecaec3c54f0b934e65fd296810fe8b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
2cdc380b6127831276e323b4a1d24e23

SHA1
3032391fa59ba7edc97321543e0b5d47da545616

SHA256
7273b64e4365bfa34fb7d9078bc5aeddcb83e7500f30395daf1e211fa60b8da3

SHA512
97cd0b2149f1f4a3fa5192e7a6fdfaa4fd96ad8aded28a0a79aa07d2998517e5f60c4829231395671b8fa98e64e670a9d1628fe91afd6883b4f7f6aed98290b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\TPTPCN9C.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\HDY8B0X8.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C17.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C17.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FA2.exe

MD5
47a68cf6b107308db52aa7335cfe44a4

SHA1
ffcc95c0e88766768e1eb0eed3388f48ce6306f7

SHA256
52d699631ae78b87cc151948a6626394d0a428f8d99004ef5c747c8cc9a56735

SHA512
a46a607a5130b23ed000d585458918e6933f016eb20b916f01e9e3aa065e2ae720ea5922ae2a5b1baf6f890f85c04f69638248e15614815c78355d88c6e61702

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FA2.exe

MD5
47a68cf6b107308db52aa7335cfe44a4

SHA1
ffcc95c0e88766768e1eb0eed3388f48ce6306f7

SHA256
52d699631ae78b87cc151948a6626394d0a428f8d99004ef5c747c8cc9a56735

SHA512
a46a607a5130b23ed000d585458918e6933f016eb20b916f01e9e3aa065e2ae720ea5922ae2a5b1baf6f890f85c04f69638248e15614815c78355d88c6e61702

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\Desktop\AddApprove.txt.payfast290.24A-53B-A87

MD5
21188e352b362fb42c7bedf9e78d55c2

SHA1
aac47b105b33f113531f5e99a856d387d38998c6

SHA256
98faf2c4caf4b3f4ae72b8cc7c7480a0904b962a710ed5818986a91495a5f1e8

SHA512
af065aceeec71f3e89e27d94e56177aa3a0b5235b2db9cdba48109e9799b603449bfe0175adacb5acee679b66f48c1b4b5354a43e87b45253098958d34b2c864

Download Submit
C:\Users\Admin\Desktop\ResizeImport.contact.payfast290.24A-53B-A87

MD5
3068b17f3062070302944845e0e36ac3

SHA1
c3b5bafa58956d4ee2a71d17bc1ba8e259e3df92

SHA256
82cab286567e8d9324e4eece0c5b59178d17db37672dbf55400f60e8bc77ad39

SHA512
708a60796323fb02af08d29bff4cc879e109c8bf28190c1ecabac7d4cd3a14fcfdf2829029fcb30f9b5235c91c3f3a48f2c57e8505e4200b80a0ad84980af30c

Download Submit
C:\Users\Admin\Desktop\ShowComplete.dxf.payfast290.24A-53B-A87

MD5
b1fdff297900a2b1e691b3581d7d59e4

SHA1
e4cdb0d2daa5695a57550eddb6ada17f44114b24

SHA256
3a920f945e5ee8501a356c0e4f989fe1769cbf1705e13f2c58d391e8d2de88db

SHA512
1077907d5693558347a9a1052cd25ec735052dc03bd88141d51224a51e53af9a287a1d2fbfe401803aaf0a42dc99cd6e508afa17c016ababc6610d4ebb8e6c26

Download Submit
C:\Users\Admin\Desktop\ShowRedo.rm.payfast290.24A-53B-A87

MD5
d57308b35f0fc10594c9ca000b4c0494

SHA1
6266ec7058b3df2daf7c2018ec264f73a86078cc

SHA256
090f2d55b0ad75025580a74d57027bc7c01a137103c3c9b7ec1956d5e75072a0

SHA512
b5c3b1d355c514d22412f38bf7f4ba3468a87793b220b0fdbbb6cf2adf54007f9050b84ff26d9e6a49a8a0fd01564f4e3d67e9953859acd400e42325dcc432d7

Download Submit
C:\Users\Admin\Desktop\SkipRename.i64.payfast290.24A-53B-A87

MD5
175dc2d01b59300bb6d18ccc6e0981e5

SHA1
0a003de505142b3c499c4a7c0c6b16b92f6f78fa

SHA256
af123ade940db11787d1b3bea7e2a7354197dfc909f260c22cd75486af9a8dd3

SHA512
ddad9efffa2098846805ee8e4dc52c69c9d71e8f8db9fcca9daaf254c2158fd96b7242bb1fbff04617ff10a30ebc8304dbea9253573dc2a7e4470337793e0211

Download Submit
C:\Users\Admin\Desktop\SuspendLock.au3.payfast290.24A-53B-A87

MD5
25cb6b5c0a7b28e014a546d47c2b64d9

SHA1
8c416d54ee7fea79536073f6d50524e39146f0b5

SHA256
baa9765c6ef572400a504694c4df2cde3afa90a76db096fcb32b57cea760d55d

SHA512
4e7a95cea50ef56d70d37caaf9cb419cbc916428c70d873b904c70d203ad3ddcba974f64ee91e3b12a1fd159769574330293d3143c43d5be490ef2f682b4c07e

Download Submit
C:\Users\Admin\Desktop\UnregisterReceive.midi.payfast290.24A-53B-A87

MD5
b934530f76de7ac782b249e3680978d1

SHA1
3589b673b8dd4b079119442a3755619e4bbaac70

SHA256
dc5c9400a126a4636d12b87eef48a465f0a9ca5d99b03a4d61901659a0060071

SHA512
7a0701d0127f4f2e2b4fadcde297d1619f28d74d8877dd9a39137fa61ee8a7225506829cb1796de9e19fb1e2e792472f471453e48a1340c3219b3c1e668b58a1

Download Submit
C:\Users\Admin\Desktop\UpdateDeny.rar.payfast290.24A-53B-A87

MD5
bcf12576920a4f4819e208692a345fe8

SHA1
cfd56a66f2889173fbc8f2e36956c88269462c33

SHA256
c4f3a9375a8331888a6dfe70f193e1e32f262474cbba2dfb22578b33e0c76aaf

SHA512
f5636df9de5c8d8c0163059ac63b3954fe483a7d6e56a436c14b9b77b2b78294be7bda9b443517bbce0eb9ac94d1c1e724b7bcc43c634747045a9844be8f73f7

Download Submit
C:\Users\Admin\Desktop\WaitImport.mpa.payfast290.24A-53B-A87

MD5
550b68fab0514f757b82e435e1a10672

SHA1
fdf4d77d283adfe75c8dc4c238c84dc090f938dc

SHA256
2782f1cd178183c2e3f9a71e03c4bc95ca1c8b6a3928a8ada2a8c4a5b6cacccd

SHA512
d1b5e1bf2b0c791c3db6f88daf2207fa97d1aeb1a8edd942495ff4cc85b11718d8aac2fb3d25c5059079d48c921e92ed6cb1ee27722fdeeaec7cb77f7c396018

Download Submit
C:\Users\Admin\Desktop\WatchInstall.clr.payfast290.24A-53B-A87

MD5
4bb68bbaa5d271a034dca0f777a8a82b

SHA1
0b36f6bca5ad6c69d5aa96cf5c59331f385194fe

SHA256
a5cb03b541721a78c3a529fe78e219e758117ae206532dcc77f77d273ce1a216

SHA512
d53da2059a3d5c295aeb330d27b1b06b5e09e42908241622dd9ae68d08918a89a6d592a089776e9d4a4ba58547b62affe79d77806687136cc1703044499cfc86

Download Submit
memory/428-126-0x0000000000A00000-0x0000000000A6B000-memory.dmp

Filesize
428KB

Download
memory/428-124-0x0000000000000000-mapping.dmp

Download
memory/428-125-0x0000000000A70000-0x0000000000AE4000-memory.dmp

Filesize
464KB

Download
memory/940-118-0x0000000000000000-mapping.dmp

Download
memory/1284-121-0x0000000000000000-mapping.dmp

Download
memory/1284-153-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/1284-129-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1284-135-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/1284-192-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/1284-144-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/1284-193-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/1284-131-0x0000000077870000-0x00000000779FE000-memory.dmp

Filesize
1.6MB

Download
memory/1284-191-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/1284-190-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/1284-189-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/1284-157-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/1284-188-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/1284-159-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/1284-187-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/1284-138-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/1516-176-0x0000000000000000-mapping.dmp

Download
memory/1552-174-0x0000000000000000-mapping.dmp

Download
memory/1592-164-0x0000000000120000-0x000000000012C000-memory.dmp

Filesize
48KB

Download
memory/1592-163-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/1592-162-0x0000000000000000-mapping.dmp

Download
memory/1724-154-0x0000000001020000-0x0000000001029000-memory.dmp

Filesize
36KB

Download
memory/1724-155-0x0000000001010000-0x000000000101F000-memory.dmp

Filesize
60KB

Download
memory/1724-145-0x0000000000000000-mapping.dmp

Download
memory/2204-168-0x0000000000000000-mapping.dmp

Download
memory/2204-171-0x00000000001A0000-0x00000000001A9000-memory.dmp

Filesize
36KB

Download
memory/2204-170-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2208-185-0x0000000000000000-mapping.dmp

Download
memory/2288-165-0x0000000000000000-mapping.dmp

Download
memory/2288-166-0x0000000000C30000-0x0000000000C34000-memory.dmp

Filesize
16KB

Download
memory/2288-167-0x0000000000C20000-0x0000000000C29000-memory.dmp

Filesize
36KB

Download
memory/2372-142-0x0000000000C50000-0x0000000000C5B000-memory.dmp

Filesize
44KB

Download
memory/2372-141-0x0000000000C60000-0x0000000000C67000-memory.dmp

Filesize
28KB

Download
memory/2372-134-0x0000000000000000-mapping.dmp

Download
memory/2548-116-0x0000000000402FAB-mapping.dmp

Download
memory/2548-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2900-140-0x0000000000000000-mapping.dmp

Download
memory/2900-156-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2984-179-0x0000000000000000-mapping.dmp

Download
memory/3028-117-0x0000000000E00000-0x0000000000E16000-memory.dmp

Filesize
88KB

Download
memory/3144-161-0x0000000000CF0000-0x0000000000CF9000-memory.dmp

Filesize
36KB

Download
memory/3144-158-0x0000000000000000-mapping.dmp

Download
memory/3144-160-0x0000000000D00000-0x0000000000D05000-memory.dmp

Filesize
20KB

Download
memory/3364-180-0x0000000000000000-mapping.dmp

Download
memory/3628-186-0x0000000000000000-mapping.dmp

Download
memory/3636-177-0x0000000000000000-mapping.dmp

Download
memory/3640-184-0x0000000000000000-mapping.dmp

Download
memory/3720-173-0x0000000000B20000-0x0000000000B29000-memory.dmp

Filesize
36KB

Download
memory/3720-169-0x0000000000000000-mapping.dmp

Download
memory/3720-172-0x0000000000B30000-0x0000000000B35000-memory.dmp

Filesize
20KB

Download
memory/3944-182-0x0000000000000000-mapping.dmp

Download
memory/3952-175-0x0000000000000000-mapping.dmp

Download
memory/3956-133-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/3956-132-0x0000000000B70000-0x0000000000B77000-memory.dmp

Filesize
28KB

Download
memory/3956-127-0x0000000000000000-mapping.dmp

Download
memory/4000-178-0x0000000000000000-mapping.dmp

Download
memory/4016-136-0x0000000000000000-mapping.dmp

Download
memory/4016-114-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download