buran | 824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

Analysis

max time kernel
133s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
31-08-2021 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pattern.exe
Size

416KB
MD5

dcef208fcdac3345c6899a478d16980f
SHA1

fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
SHA256

824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
SHA512

28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 2F1-441-07F Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

csrss.execsrss.exe

pid	Process
1292	csrss.exe
2524	csrss.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
3164	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pattern.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	pattern.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	pattern.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	Process
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\F:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
10	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

csrss.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ppd.xrm-ms.kd8eby0.2F1-441-07F	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jvm.hprof.txt	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Calculator.exe	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-16.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png.kd8eby0.2F1-441-07F	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.scale-200.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_altform-unplated.png	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-text.jar	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\check-mark-2x.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-execution.xml.kd8eby0.2F1-441-07F	csrss.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-hover_32.svg	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Resources.pri	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-60_altform-unplated.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_ja.jar.kd8eby0.2F1-441-07F	csrss.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png	csrss.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200_contrast-black.png	csrss.exe
File opened for modification	C:\Program Files\7-Zip\License.txt.kd8eby0.2F1-441-07F	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe.kd8eby0.2F1-441-07F	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\THMBNAIL.PNG	csrss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W6.png	csrss.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7260_24x24x32.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-300.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe.kd8eby0.2F1-441-07F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.VideoTk\PassthroughPS_UV.cso	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-black_scale-200.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg.kd8eby0.2F1-441-07F	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar.kd8eby0.2F1-441-07F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png	csrss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\selector.js.kd8eby0.2F1-441-07F	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-tool-view.js	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\adc_logo.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar.kd8eby0.2F1-441-07F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML	csrss.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\152.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5601_40x40x32.png	csrss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailMediumTile.scale-150.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.kd8eby0.2F1-441-07F	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.kd8eby0.2F1-441-07F	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\files_icons.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fi_135x40.svg.kd8eby0.2F1-441-07F	csrss.exe

Drops file in Windows directory 1 IoCs

Processes:

csrss.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
3196	vssadmin.exe
1160	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

pattern.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pattern.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pattern.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

pattern.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	1400	pattern.exe
Token: SeDebugPrivilege	1400	pattern.exe
Token: SeIncreaseQuotaPrivilege	3164	WMIC.exe
Token: SeSecurityPrivilege	3164	WMIC.exe
Token: SeTakeOwnershipPrivilege	3164	WMIC.exe
Token: SeLoadDriverPrivilege	3164	WMIC.exe
Token: SeSystemProfilePrivilege	3164	WMIC.exe
Token: SeSystemtimePrivilege	3164	WMIC.exe
Token: SeProfSingleProcessPrivilege	3164	WMIC.exe
Token: SeIncBasePriorityPrivilege	3164	WMIC.exe
Token: SeCreatePagefilePrivilege	3164	WMIC.exe
Token: SeBackupPrivilege	3164	WMIC.exe
Token: SeRestorePrivilege	3164	WMIC.exe
Token: SeShutdownPrivilege	3164	WMIC.exe
Token: SeDebugPrivilege	3164	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3164	WMIC.exe
Token: SeRemoteShutdownPrivilege	3164	WMIC.exe
Token: SeUndockPrivilege	3164	WMIC.exe
Token: SeManageVolumePrivilege	3164	WMIC.exe
Token: 33	3164	WMIC.exe
Token: 34	3164	WMIC.exe
Token: 35	3164	WMIC.exe
Token: 36	3164	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2784	WMIC.exe
Token: SeSecurityPrivilege	2784	WMIC.exe
Token: SeTakeOwnershipPrivilege	2784	WMIC.exe
Token: SeLoadDriverPrivilege	2784	WMIC.exe
Token: SeSystemProfilePrivilege	2784	WMIC.exe
Token: SeSystemtimePrivilege	2784	WMIC.exe
Token: SeProfSingleProcessPrivilege	2784	WMIC.exe
Token: SeIncBasePriorityPrivilege	2784	WMIC.exe
Token: SeCreatePagefilePrivilege	2784	WMIC.exe
Token: SeBackupPrivilege	2784	WMIC.exe
Token: SeRestorePrivilege	2784	WMIC.exe
Token: SeShutdownPrivilege	2784	WMIC.exe
Token: SeDebugPrivilege	2784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2784	WMIC.exe
Token: SeRemoteShutdownPrivilege	2784	WMIC.exe
Token: SeUndockPrivilege	2784	WMIC.exe
Token: SeManageVolumePrivilege	2784	WMIC.exe
Token: 33	2784	WMIC.exe
Token: 34	2784	WMIC.exe
Token: 35	2784	WMIC.exe
Token: 36	2784	WMIC.exe
Token: SeBackupPrivilege	744	vssvc.exe
Token: SeRestorePrivilege	744	vssvc.exe
Token: SeAuditPrivilege	744	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3164	WMIC.exe
Token: SeSecurityPrivilege	3164	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2784	WMIC.exe
Token: SeTakeOwnershipPrivilege	3164	WMIC.exe
Token: SeLoadDriverPrivilege	3164	WMIC.exe
Token: SeSecurityPrivilege	2784	WMIC.exe
Token: SeSystemProfilePrivilege	3164	WMIC.exe
Token: SeTakeOwnershipPrivilege	2784	WMIC.exe
Token: SeSystemtimePrivilege	3164	WMIC.exe
Token: SeLoadDriverPrivilege	2784	WMIC.exe
Token: SeProfSingleProcessPrivilege	3164	WMIC.exe
Token: SeSystemProfilePrivilege	2784	WMIC.exe
Token: SeIncBasePriorityPrivilege	3164	WMIC.exe
Token: SeSystemtimePrivilege	2784	WMIC.exe
Token: SeCreatePagefilePrivilege	3164	WMIC.exe
Token: SeProfSingleProcessPrivilege	2784	WMIC.exe
Token: SeBackupPrivilege	3164	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

pattern.execsrss.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1400 wrote to memory of 1292	1400	pattern.exe	77
PID 1400 wrote to memory of 1292	1400	pattern.exe	77
PID 1400 wrote to memory of 1292	1400	pattern.exe	77
PID 1400 wrote to memory of 3164	1400	pattern.exe	78
PID 1400 wrote to memory of 3164	1400	pattern.exe	78
PID 1400 wrote to memory of 3164	1400	pattern.exe	78
PID 1400 wrote to memory of 3164	1400	pattern.exe	78
PID 1400 wrote to memory of 3164	1400	pattern.exe	78
PID 1400 wrote to memory of 3164	1400	pattern.exe	78
PID 1292 wrote to memory of 2320	1292	csrss.exe	80
PID 1292 wrote to memory of 2320	1292	csrss.exe	80
PID 1292 wrote to memory of 2320	1292	csrss.exe	80
PID 1292 wrote to memory of 3528	1292	csrss.exe	81
PID 1292 wrote to memory of 3528	1292	csrss.exe	81
PID 1292 wrote to memory of 3528	1292	csrss.exe	81
PID 1292 wrote to memory of 508	1292	csrss.exe	82
PID 1292 wrote to memory of 508	1292	csrss.exe	82
PID 1292 wrote to memory of 508	1292	csrss.exe	82
PID 1292 wrote to memory of 412	1292	csrss.exe	83
PID 1292 wrote to memory of 412	1292	csrss.exe	83
PID 1292 wrote to memory of 412	1292	csrss.exe	83
PID 1292 wrote to memory of 1096	1292	csrss.exe	84
PID 1292 wrote to memory of 1096	1292	csrss.exe	84
PID 1292 wrote to memory of 1096	1292	csrss.exe	84
PID 1292 wrote to memory of 2840	1292	csrss.exe	88
PID 1292 wrote to memory of 2840	1292	csrss.exe	88
PID 1292 wrote to memory of 2840	1292	csrss.exe	88
PID 1292 wrote to memory of 2524	1292	csrss.exe	89
PID 1292 wrote to memory of 2524	1292	csrss.exe	89
PID 1292 wrote to memory of 2524	1292	csrss.exe	89
PID 1096 wrote to memory of 3196	1096	cmd.exe	94
PID 1096 wrote to memory of 3196	1096	cmd.exe	94
PID 1096 wrote to memory of 3196	1096	cmd.exe	94
PID 2320 wrote to memory of 3164	2320	cmd.exe	93
PID 2320 wrote to memory of 3164	2320	cmd.exe	93
PID 2320 wrote to memory of 3164	2320	cmd.exe	93
PID 2840 wrote to memory of 2784	2840	cmd.exe	95
PID 2840 wrote to memory of 2784	2840	cmd.exe	95
PID 2840 wrote to memory of 2784	2840	cmd.exe	95
PID 2840 wrote to memory of 1160	2840	cmd.exe	98
PID 2840 wrote to memory of 1160	2840	cmd.exe	98
PID 2840 wrote to memory of 1160	2840	cmd.exe	98
PID 1292 wrote to memory of 572	1292	csrss.exe	100
PID 1292 wrote to memory of 572	1292	csrss.exe	100
PID 1292 wrote to memory of 572	1292	csrss.exe	100
PID 1292 wrote to memory of 572	1292	csrss.exe	100
PID 1292 wrote to memory of 572	1292	csrss.exe	100
PID 1292 wrote to memory of 572	1292	csrss.exe	100

C:\Users\Admin\AppData\Local\Temp\pattern.exe
"C:\Users\Admin\AppData\Local\Temp\pattern.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2784
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1160
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2524
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:572
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:3164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
cb87a6059b69ed0e7f6a9b4c92f4ff0e

SHA1
300ae024db7b31a833c0df3b9d61e0881831dcdb

SHA256
e3e67c634ad846f33f85775048aa289c27990a0636834ea0a79ccd6ff40a701c

SHA512
acc3b68b75147749b8324da257923127f1f5f13700acbf00fc5146c059f5be89062ab70b43b85b25ae214982a306906a72e144e315c2aa4ddc8dc7919ce0c3fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
b16bc3294a9cdb1484eafa188d61093e

SHA1
df88ace64b8cb4169d5c878ec5ef07cbaff6c4af

SHA256
247b449759e3191d1dbb8d0c2440ed442a22c251d87ee4b23a2be8f2e4aeb49e

SHA512
1df863f5bfd943dd85b8bfb5f9b9d217c5969c5b6cb0ecd0f44255438a82a0a3293b0fc0ecd703d8666734e4ca3a6c30659d357307ed3c048b1784c5dcff2f4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
f598a438d56f4d00a9b996d14038fa5b

SHA1
a3d5224b54779962191f9dd029f5bc134e056c98

SHA256
8810c667d017ed65b41646fb1259f77756055456a350a74d71ed03da564db60c

SHA512
246d5a20a0f7f910460053c5e53f5c9fed7189cbb2106118e2ffe06d7f40ffefbb84aa9177b4905f4dae15c4852e861025fbd6b26aa918916ba165b6d40b2bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\LASN78U3.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\HX1UXYJ9.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\Desktop\ApproveProtect.wma.kd8eby0.2F1-441-07F

MD5
49ef0b225a51fae9156123a91bd85aa5

SHA1
96c5a9641475b22df64802c1541eedf709a7df59

SHA256
b5c7d6a58f5082872e709b922b02dbaa9c3df3c31e45b30a6997cdef491ec7b5

SHA512
43b1c72d58b2d1fa4c993a7150e9bd6e1ec30acd35db68fa45a97258f9c8103727f409d2365553824a034c538c6d5523ada264f9d9b1223a17c762d1bf9ce975

Download Submit
C:\Users\Admin\Desktop\BackupRead.asx.kd8eby0.2F1-441-07F

MD5
26d5d12508ea03f50a4dec97f834cfa2

SHA1
63b11a838617b98f99801d46e7b2e07ba7ca8bab

SHA256
28b8c0b6e1a6577e9676c09fb75f46432b8f35b82510fd6a88416fc8b2544153

SHA512
e5dbd13ef033aefac463f3d9d5513c8c67e348fc4953134b1e3d96919c098d8c0ae0c08b28dfbefb5b5ee686d89bc10b4853074f5b182ba79a7397c5c8c2d893

Download Submit
C:\Users\Admin\Desktop\BlockJoin.M2V.kd8eby0.2F1-441-07F

MD5
ff8e323c987b524ccc6f4ce876335e3a

SHA1
9dc23b45ab83b11b9ff2e7e6475c5b9dac035503

SHA256
b224ab5624e33e060922d66627d03ba69c0876299ddf992802ff1653c8122a47

SHA512
e5def485add529c6b7e3a74cc68c55b701e7cbec68741393f3aa1cb21be61510fcf980982a3fe1ba8d1b61e509c1615953f2181866787b89b6f0869d9107d8fd

Download Submit
C:\Users\Admin\Desktop\BlockJoin.cab.kd8eby0.2F1-441-07F

MD5
b9d3f937066fa787e523505a0014318d

SHA1
3b909fba40ff620778e2b9d53c9b24ac6cfedef9

SHA256
3c8938d1efe24edd1d6ee52cd05f7c18a2269394ee723a10cbfb9faed2ac6549

SHA512
6dcc9efd03ee68bc52677b445abe4288d21aa94602715622fea07cca175ac06dd7418756f210c4203c73c994c65ead3a713c0fbd505bc597ac11cc8ef1347a56

Download Submit
C:\Users\Admin\Desktop\BlockStart.dot.kd8eby0.2F1-441-07F

MD5
b7ab55ea19dad2737825f21fd6af1bf0

SHA1
1fb6690d3c4fce84204b16fcd7694fc1c2d92f8a

SHA256
80c827b406a333bd7c5976857a035abf668faccb86ee4dcbecd249e141c1951b

SHA512
07fc8d58cd1b98e43450a6cdced2dfc3461fef98b5f03b18c50412a92c3b8bcc341d3fb1cfb56180af664eaace7a9b9563ee7d48c18b3d08dc45f251622bcdb1

Download Submit
C:\Users\Admin\Desktop\CompressBackup.xlsx.kd8eby0.2F1-441-07F

MD5
9058bcb29eac472a392d2ce78086a3e3

SHA1
abdc1957d076622fe7f9c2b0e2c21bb365f34898

SHA256
379d704aa4c50c21085ca73b840cd1282b16a06be9b436740b01b9950ce43a71

SHA512
4a4c0a7a0cfe4a9475ef5b6bfa0263514b14a471459a0bb90de1ba8a328143808681bb9329691e7298b839135d1c5b62909666a3ed569806b12aaf06ae27da13

Download Submit
C:\Users\Admin\Desktop\ConvertToSkip.avi.kd8eby0.2F1-441-07F

MD5
25137a6d4130b4f238ae0d4652a0d9db

SHA1
139df1fb9356a74f08a8c35cf41d1679e131141f

SHA256
80220546c322a29ad50f3c515eb0ea89fc86120345f7b3820ed49ac71f685ae0

SHA512
a97a7a54e9ac3166add1de56d9a823a9c3180257f5bced7c504ca6fd7bebae976971e5b9618201d34eeedf06a89b3605aafe885024e58220cd483c1e3ee6c6e7

Download Submit
C:\Users\Admin\Desktop\CopyImport.html.kd8eby0.2F1-441-07F

MD5
a9ad656720226476375899092284e397

SHA1
d1439ade833b0ae275363e85e14b7e20cbe0d74c

SHA256
caf8f4ae8e1d565baef029caf39a50f49435afb6be0d2be38a8e4cce8ce0ee5a

SHA512
65751d7a73492b1a3bc391d8e39ee2eb141d05e08d0640c7a725d523a73e9da56503abb62a84aa0e1819b3f82dd1dcdf264284aacd8cc031d0d03ebe0e69f2cf

Download Submit
C:\Users\Admin\Desktop\DebugRestart.ttc.kd8eby0.2F1-441-07F

MD5
1c5baec30b3bf7151b1c0097ac419feb

SHA1
c79967cd12609fc11a915d7b8ed2ac6a4ed3676e

SHA256
2adcc15795d3f27c5266c40aed3353ea1893f007bfcc1425f280e5c7689ea8e9

SHA512
1676ab5af42271517dd98a420aaab7e6d2a05a606d3ce1c7fe5c5ba137f10dd64e05f83043b182b4ef88d0a0599c4068d4cfc5e59cecbd243e8fe9869682b614

Download Submit
C:\Users\Admin\Desktop\HideRestart.ini.kd8eby0.2F1-441-07F

MD5
daf3fa3dc3a0e408c6059593aa40719c

SHA1
5303eacc12581d9d03877e734e18106c50c51c0d

SHA256
4fe380caf7fbe1689400e653c049da53241feeb9c7db19e96e717f4b1aec9b8a

SHA512
cbb0709150a4221ca78d67548e723e91b89c1662b5d89e1388ccea4943b9b22d12c929198c474ef227763fd855bae97c3e8517839e29ad31ef1934e361446236

Download Submit
C:\Users\Admin\Desktop\InvokeNew.ADTS.kd8eby0.2F1-441-07F

MD5
facc46e4f2d038cf5c4044ece976659a

SHA1
39fc4f35d786d4266b476420d0afad7d765e5bca

SHA256
07a029f4325b564d2ea61598295e7af7b795b6f04de38875bfe4a82da297b4a6

SHA512
d2bb0343b73725b5488d4c939512a8de2bcbfb8da6174ef9bc430d31535202bcf7d2943c8df9ab11f51c5dcf1de4afbd6f3641f0d46480c38eb60809ea344978

Download Submit
C:\Users\Admin\Desktop\InvokeUndo.temp.kd8eby0.2F1-441-07F

MD5
0aa423b6ccf5b73d12b11584f2d94269

SHA1
af257005a8c08940af54818a54f0fd23b41e24b4

SHA256
b7b1fa956fd6f4717938f20000ac3d59fe3ebc8339356db2c38bb412159964bc

SHA512
848add383778355b89bdf9b83fab20c5b738f668a6cb239ad1f4a16bdd727e1d48a79c8e71fbbb481cbf73cd8c5b3c8765fa2dd4d39976e8cf9dfba6baa2fd51

Download Submit
C:\Users\Admin\Desktop\LockGet.mpeg.kd8eby0.2F1-441-07F

MD5
8bd542cbfe7bc5614af27157f5ebbd57

SHA1
f2217cf81b3ce7ed6f5935e2a07697fb80d5b773

SHA256
d0000817fa5f405a438b0f486f46199a05e5f994f18768a70d11d71cc535144a

SHA512
103233c70212e76e680d81505cdb0ac78b498bed97a6ab3b47ab31d96e2c14663005bf7c402e5c5edf6106611cdfb35c92801acb941bdb8d964013a6c2e2d877

Download Submit
C:\Users\Admin\Desktop\MergeEdit.contact.kd8eby0.2F1-441-07F

MD5
afa230e32f0205fcdaa55e07da9a543c

SHA1
f783390a713ae190cf2af91cee2f3c5fe898d7c3

SHA256
da614666b2267cff60096f99460159ec4df4212553ad13b37856e3b60ce816f4

SHA512
092eff70acf05563f2b447ec52b4c0e28c8065a914bb1408a1d19a9afb20ef2818b7c198e7b357e4825618f496921968cfe5518b10d5d06a7d6404add6f306b2

Download Submit
C:\Users\Admin\Desktop\MergeSync.inf.kd8eby0.2F1-441-07F

MD5
130c4bc90df96254b957dda0185ad877

SHA1
946fe24abb6e74df2c7dd326149c258e6dd446e4

SHA256
c52b0afc40fe368a2870a7226960698ab2f91369c5b717f99391f754f776b840

SHA512
a9de482383e437033adf2818d8e81fa942968974f1f8acf5a9346d24cdffc52253b4d82a7a82475a973ed33b310f5d83c2b30501b51196fa445264bda4ed1455

Download Submit
C:\Users\Admin\Desktop\OpenCompress.M2TS.kd8eby0.2F1-441-07F

MD5
a8e127a37887cd6a674387014dc7400a

SHA1
5b2f0db3c6003bcbef9f558b2089b8f5d87bd8bd

SHA256
d8cf7a83381981e5162eca0e8f600ad92000c0754dac0527053232ab977c645d

SHA512
592bc6dcd0244feb0de4f256991a33c763a99072e8b25c651b73b9bd7f889bd774b4d1e5bb1819a2474d5ab6b61d65ef662320e010690a96244ef5264d2b0dac

Download Submit
C:\Users\Admin\Desktop\OutClear.inf.kd8eby0.2F1-441-07F

MD5
f74d456f9dcecd4539836af6e242ed28

SHA1
ecf5e18cfc68e85c6f775ffc0161f08c04dadd18

SHA256
566f42739644321f2695a86fbf160ffcd5b2133d56d400176b3e896ce0b195d8

SHA512
664e8596cb1decfa493bb22bcdbe321c481663bd39c4add0aafa28ff01823727d32a122ba733c55e291c3ad87ac15ad149282a6cffce0b87ffb462c48167898a

Download Submit
C:\Users\Admin\Desktop\ProtectResize.inf.kd8eby0.2F1-441-07F

MD5
7e292d50697f9fd894a9ced20bc1969d

SHA1
12db0f72c8d5566424e1998dfdbd2243e290885d

SHA256
a2fe68d31be4b141411d2b7e57345d03a15009cb3676ce711c7de8797b99e6c1

SHA512
42e4b8d9f25f6b37c90bc1d453d40bda6ee19acfa3053bbf22e1fd8ad19b09c0ff0b0cfa9b4d4421e11373dbb495143350414e01edcc9b2505ecda5d653ab8af

Download Submit
C:\Users\Admin\Desktop\PushStep.mp4.kd8eby0.2F1-441-07F

MD5
6fbb0b21f6771f20cd68e7758a10428f

SHA1
ef71f3ed8fa6337db8a5739272898bccd435c37a

SHA256
322968b7bec35c63cada868644d83074b0b10b5fdde3706b3a501ef90cabe1db

SHA512
17d3affd4d8af2e2222a351ccd639834a5405cc2080596a41f26b764c5102c6eb3f635fdb626437721feaa657a4a590dcc192878e45c321065b472254e127998

Download Submit
C:\Users\Admin\Desktop\RequestInstall.vdx.kd8eby0.2F1-441-07F

MD5
ee1347ba1e793bf2ccd6ae8758d96e81

SHA1
09f2fa503b5dac8ac8843785e4d2aa8bfd4c67f2

SHA256
67bd7f1947f86ebca007f357eda507be2cead62d6c89f5765e99a2c2f995a2cd

SHA512
096f8afeed69e85e484fc207f46a0ae56a94c45d6d8d41736affc41b905fbd0c08b46202d219dcc474dc1716f0b558451b7a7fdaf710d6bf53d587ec9b9a231a

Download Submit
C:\Users\Admin\Desktop\SaveExpand.docx.kd8eby0.2F1-441-07F

MD5
e0521b657cf16f6720f4818199c4761b

SHA1
757fde0b9664d5f4e3beaea7ee01d7b2bf78acbd

SHA256
53b78b1aff90072a1da3ebb9c5748eedfd983c59d6928994c32dd7f2f08bdc15

SHA512
09fc555ba9eba72f76cd5c4de1712c10bdf1f62af66bcfb0d5b6f77732f9e20bd3eb18d4075dfacdef5a4ddd0f05ad3c34630518f3acca7ac7d595156d9585af

Download Submit
C:\Users\Admin\Desktop\SearchRepair.ttc.kd8eby0.2F1-441-07F

MD5
a5c7faebae62c59a62ebcf47a54a2949

SHA1
496e4ab9067824eb29246e9dfd38bba61d70b948

SHA256
6d7375d46a6e3cf9f98a60728e74a87b742de0cab86c8e875fba4dbb7e8445a8

SHA512
b7a6dbd0589d423f72e7bc97a24625b2aaa006dd06d624a1871cafc242a769d4b6318cfb78efa62845a48789bc30fa1869eeaf66db6f3becd8dd5cb2507f976d

Download Submit
C:\Users\Admin\Desktop\SelectRedo.rtf.kd8eby0.2F1-441-07F

MD5
ac70e356e85d72cfb99dcf613ff05272

SHA1
c01036a50a4a285935071fb79b3f1b99694d4049

SHA256
df4f55ad49de67a036f37f82ac1c1a2ec672502b09baab33a13454c657f3fc04

SHA512
5c95231d7b3e642adedf5d84daf2e6a1ca6b90fcf6eb8967a409e8f4cb992f7cd7910faa536f2b54c03958fa4d39fefe692b51f7cf07262b3aa0a1030c4594fa

Download Submit
C:\Users\Admin\Desktop\SetSearch.vsdm.kd8eby0.2F1-441-07F

MD5
ffbfb2e17a42be16da2ccb1ab6c5d705

SHA1
850368f09b467f9c58720bc81ad9cfc55eaa92bf

SHA256
e3068b2bd9419a245e01473abf40ab420a1e4c076e52e6c12cc5a1583890bfec

SHA512
b4f99b2e62469125f8a6370fe7dec7ddb3a76cb4f5ea535d5c9f6d7e914c025500982d0f01bb64e94679f6a4607e4d026e714234edd7451e6d4da1d280520b51

Download Submit
C:\Users\Admin\Desktop\SuspendClose.vssm.kd8eby0.2F1-441-07F

MD5
f65a4e6492d813d4e1188af7291ac9ba

SHA1
928a3e0eb01a2f24cffa099d3734792afcc96f23

SHA256
06628d6e5ef780f12686c13789f59d0629f0e3c0b3cd6eef94035ba2b71ab264

SHA512
ffffe1c73a927ed92f6f6bf20831b3d5434b228f10bc3327fb2228d3a778335f5ecfef3a7daa83e784668098524357a5840ff70c4365467b4010ac41201df7dc

Download Submit
C:\Users\Admin\Desktop\SuspendProtect.xltx.kd8eby0.2F1-441-07F

MD5
1ad326bedad65b4ea489ccf86004afef

SHA1
b6e26b22bd661975d78ee0bef64be6e37e38039f

SHA256
e0451e66a4c7ef364c7bbd9754739127505e8d4c19c02a51d76c21ece17d7172

SHA512
d703b731ebf7273bbb43a5a23da75d6413d7a5bbe8e0db299fd053d3a57898a2db04ddca72b7eacddca357f60b279265b46679149acef6f119991282b6d9b1dc

Download Submit
C:\Users\Admin\Desktop\SuspendUnblock.temp.kd8eby0.2F1-441-07F

MD5
f82e038531046459d901e9aca6fb0767

SHA1
cb44bcdb4072a3de6c46d8074527ad8eeb8cf710

SHA256
64d0f86f3e5294c76d10601a592773db99d9a44c748620601db796acd0bfc3b9

SHA512
23947c7eafce9d147c6a59404e2b41190f369af9a6de394b220e2918fb75b77a1f4dc225c56d73dbd253bc91b40e7751a95d1f3964d43a52288626ddd3caa3cb

Download Submit
C:\Users\Admin\Desktop\SwitchExport.reg.kd8eby0.2F1-441-07F

MD5
ec77983f30d7a9e10185d4df586c8325

SHA1
6c0d01c5dcfc2f6f5d304346d56e360bf221d946

SHA256
fa3af29a1769dd5642d23bd2f3c3ce2ff634e3f3705ae148523afb64d97e4074

SHA512
2fd37b0752150807b89b1006033489d8c3e7772cb51cc3e4cd1ef0fcc54aac0c2fecca475f40e934362c238c63d12a5643c1043fb5d0582440890b75c017a5d9

Download Submit
C:\Users\Admin\Desktop\UseDisable.html.kd8eby0.2F1-441-07F

MD5
cd2b71fc25de3fb3c7eeb7120b59b3d3

SHA1
66699ace531000366559d57149e29f35a75142e0

SHA256
f9189165ccf76fdda219b7577dc382e2181bcd5f80db68b140252705fd440af8

SHA512
fa819bc7ec07482a54eb7cb14b9f6dfbc71aa7bc02efc40f2fc5d59fa00ef8ac24a471bad569a9b9c8c80c37ecc584da5e1cb1b97c485894bd89e99f99a70937

Download Submit
memory/412-133-0x0000000000000000-mapping.dmp

Download
memory/508-132-0x0000000000000000-mapping.dmp

Download
memory/572-173-0x0000000000000000-mapping.dmp

Download
memory/1096-134-0x0000000000000000-mapping.dmp

Download
memory/1160-143-0x0000000000000000-mapping.dmp

Download
memory/1292-128-0x0000000000D00000-0x0000000000E45000-memory.dmp

Filesize
1.3MB

Download
memory/1292-116-0x0000000000000000-mapping.dmp

Download
memory/1400-115-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1400-114-0x0000000000B80000-0x0000000000CC5000-memory.dmp

Filesize
1.3MB

Download
memory/2320-130-0x0000000000000000-mapping.dmp

Download
memory/2524-141-0x0000000000E00000-0x0000000000F45000-memory.dmp

Filesize
1.3MB

Download
memory/2524-136-0x0000000000000000-mapping.dmp

Download
memory/2784-142-0x0000000000000000-mapping.dmp

Download
memory/2840-135-0x0000000000000000-mapping.dmp

Download
memory/3164-129-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3164-119-0x0000000000000000-mapping.dmp

Download
memory/3164-140-0x0000000000000000-mapping.dmp

Download
memory/3196-139-0x0000000000000000-mapping.dmp

Download
memory/3528-131-0x0000000000000000-mapping.dmp

Download