buran | 824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

Analysis

max time kernel
150s
max time network
183s
platform
windows7_x64
resource
win7v20210408
submitted
31-08-2021 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pattern.exe
Size

416KB
MD5

dcef208fcdac3345c6899a478d16980f
SHA1

fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
SHA256

824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
SHA512

28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 26D-D2B-2A5 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

TrustedInstaller.exeTrustedInstaller.exe

pid	Process
1760	TrustedInstaller.exe
832	TrustedInstaller.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
1772	notepad.exe

Loads dropped DLL 1 IoCs

Processes:

pattern.exe

pid	Process
2032	pattern.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pattern.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	pattern.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\TrustedInstaller.exe\" -start"	pattern.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

TrustedInstaller.exe

description	ioc	Process
File opened (read-only)	\??\T:	TrustedInstaller.exe
File opened (read-only)	\??\R:	TrustedInstaller.exe
File opened (read-only)	\??\O:	TrustedInstaller.exe
File opened (read-only)	\??\H:	TrustedInstaller.exe
File opened (read-only)	\??\F:	TrustedInstaller.exe
File opened (read-only)	\??\X:	TrustedInstaller.exe
File opened (read-only)	\??\Q:	TrustedInstaller.exe
File opened (read-only)	\??\N:	TrustedInstaller.exe
File opened (read-only)	\??\J:	TrustedInstaller.exe
File opened (read-only)	\??\I:	TrustedInstaller.exe
File opened (read-only)	\??\E:	TrustedInstaller.exe
File opened (read-only)	\??\W:	TrustedInstaller.exe
File opened (read-only)	\??\V:	TrustedInstaller.exe
File opened (read-only)	\??\P:	TrustedInstaller.exe
File opened (read-only)	\??\L:	TrustedInstaller.exe
File opened (read-only)	\??\K:	TrustedInstaller.exe
File opened (read-only)	\??\G:	TrustedInstaller.exe
File opened (read-only)	\??\B:	TrustedInstaller.exe
File opened (read-only)	\??\A:	TrustedInstaller.exe
File opened (read-only)	\??\Y:	TrustedInstaller.exe
File opened (read-only)	\??\U:	TrustedInstaller.exe
File opened (read-only)	\??\S:	TrustedInstaller.exe
File opened (read-only)	\??\M:	TrustedInstaller.exe
File opened (read-only)	\??\Z:	TrustedInstaller.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

TrustedInstaller.exe

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png	TrustedInstaller.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00154_.GIF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp	TrustedInstaller.exe
File created	C:\Program Files\Java\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Antigua.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187829.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Porto_Velho	TrustedInstaller.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00625_.WMF.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD20013_.WMF.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XMLSDK5.CHM	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-execution.jar	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_over.gif.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Paris	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01148_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NL.ROGERS.COM.XML.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_ON.GIF	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00319_.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200273.WMF.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.DLL.IDX_DLL.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\PAB.SAM.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0332364.WMF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21334_.GIF.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.LEX.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left_over.gif.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT.DPV.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45F.GIF.kd8eby0.26D-D2B-2A5	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYERHM.POC	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Name.accft	TrustedInstaller.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	TrustedInstaller.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf	TrustedInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG	TrustedInstaller.exe

Drops file in Windows directory 1 IoCs

Processes:

TrustedInstaller.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	TrustedInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
416	vssadmin.exe
1624	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

pattern.exeTrustedInstaller.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	pattern.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pattern.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	pattern.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	TrustedInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	TrustedInstaller.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

pattern.exeWMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	2032	pattern.exe
Token: SeDebugPrivilege	2032	pattern.exe
Token: SeIncreaseQuotaPrivilege	960	WMIC.exe
Token: SeSecurityPrivilege	960	WMIC.exe
Token: SeTakeOwnershipPrivilege	960	WMIC.exe
Token: SeLoadDriverPrivilege	960	WMIC.exe
Token: SeSystemProfilePrivilege	960	WMIC.exe
Token: SeSystemtimePrivilege	960	WMIC.exe
Token: SeProfSingleProcessPrivilege	960	WMIC.exe
Token: SeIncBasePriorityPrivilege	960	WMIC.exe
Token: SeCreatePagefilePrivilege	960	WMIC.exe
Token: SeBackupPrivilege	960	WMIC.exe
Token: SeRestorePrivilege	960	WMIC.exe
Token: SeShutdownPrivilege	960	WMIC.exe
Token: SeDebugPrivilege	960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	960	WMIC.exe
Token: SeRemoteShutdownPrivilege	960	WMIC.exe
Token: SeUndockPrivilege	960	WMIC.exe
Token: SeManageVolumePrivilege	960	WMIC.exe
Token: 33	960	WMIC.exe
Token: 34	960	WMIC.exe
Token: 35	960	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1072	WMIC.exe
Token: SeSecurityPrivilege	1072	WMIC.exe
Token: SeTakeOwnershipPrivilege	1072	WMIC.exe
Token: SeLoadDriverPrivilege	1072	WMIC.exe
Token: SeSystemProfilePrivilege	1072	WMIC.exe
Token: SeSystemtimePrivilege	1072	WMIC.exe
Token: SeProfSingleProcessPrivilege	1072	WMIC.exe
Token: SeIncBasePriorityPrivilege	1072	WMIC.exe
Token: SeCreatePagefilePrivilege	1072	WMIC.exe
Token: SeBackupPrivilege	1072	WMIC.exe
Token: SeRestorePrivilege	1072	WMIC.exe
Token: SeShutdownPrivilege	1072	WMIC.exe
Token: SeDebugPrivilege	1072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1072	WMIC.exe
Token: SeRemoteShutdownPrivilege	1072	WMIC.exe
Token: SeUndockPrivilege	1072	WMIC.exe
Token: SeManageVolumePrivilege	1072	WMIC.exe
Token: 33	1072	WMIC.exe
Token: 34	1072	WMIC.exe
Token: 35	1072	WMIC.exe
Token: SeBackupPrivilege	1464	vssvc.exe
Token: SeRestorePrivilege	1464	vssvc.exe
Token: SeAuditPrivilege	1464	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1072	WMIC.exe
Token: SeSecurityPrivilege	1072	WMIC.exe
Token: SeTakeOwnershipPrivilege	1072	WMIC.exe
Token: SeLoadDriverPrivilege	1072	WMIC.exe
Token: SeSystemProfilePrivilege	1072	WMIC.exe
Token: SeSystemtimePrivilege	1072	WMIC.exe
Token: SeProfSingleProcessPrivilege	1072	WMIC.exe
Token: SeIncBasePriorityPrivilege	1072	WMIC.exe
Token: SeCreatePagefilePrivilege	1072	WMIC.exe
Token: SeBackupPrivilege	1072	WMIC.exe
Token: SeRestorePrivilege	1072	WMIC.exe
Token: SeShutdownPrivilege	1072	WMIC.exe
Token: SeDebugPrivilege	1072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1072	WMIC.exe
Token: SeRemoteShutdownPrivilege	1072	WMIC.exe
Token: SeUndockPrivilege	1072	WMIC.exe
Token: SeManageVolumePrivilege	1072	WMIC.exe
Token: 33	1072	WMIC.exe
Token: 34	1072	WMIC.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

pattern.exeTrustedInstaller.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2032 wrote to memory of 1760	2032	pattern.exe	31
PID 2032 wrote to memory of 1760	2032	pattern.exe	31
PID 2032 wrote to memory of 1760	2032	pattern.exe	31
PID 2032 wrote to memory of 1760	2032	pattern.exe	31
PID 2032 wrote to memory of 1772	2032	pattern.exe	32
PID 2032 wrote to memory of 1772	2032	pattern.exe	32
PID 2032 wrote to memory of 1772	2032	pattern.exe	32
PID 2032 wrote to memory of 1772	2032	pattern.exe	32
PID 2032 wrote to memory of 1772	2032	pattern.exe	32
PID 2032 wrote to memory of 1772	2032	pattern.exe	32
PID 2032 wrote to memory of 1772	2032	pattern.exe	32
PID 1760 wrote to memory of 1176	1760	TrustedInstaller.exe	34
PID 1760 wrote to memory of 1176	1760	TrustedInstaller.exe	34
PID 1760 wrote to memory of 1176	1760	TrustedInstaller.exe	34
PID 1760 wrote to memory of 1176	1760	TrustedInstaller.exe	34
PID 1760 wrote to memory of 968	1760	TrustedInstaller.exe	36
PID 1760 wrote to memory of 968	1760	TrustedInstaller.exe	36
PID 1760 wrote to memory of 968	1760	TrustedInstaller.exe	36
PID 1760 wrote to memory of 968	1760	TrustedInstaller.exe	36
PID 1760 wrote to memory of 1580	1760	TrustedInstaller.exe	38
PID 1760 wrote to memory of 1580	1760	TrustedInstaller.exe	38
PID 1760 wrote to memory of 1580	1760	TrustedInstaller.exe	38
PID 1760 wrote to memory of 1580	1760	TrustedInstaller.exe	38
PID 1760 wrote to memory of 924	1760	TrustedInstaller.exe	39
PID 1760 wrote to memory of 924	1760	TrustedInstaller.exe	39
PID 1760 wrote to memory of 924	1760	TrustedInstaller.exe	39
PID 1760 wrote to memory of 924	1760	TrustedInstaller.exe	39
PID 1760 wrote to memory of 304	1760	TrustedInstaller.exe	43
PID 1760 wrote to memory of 304	1760	TrustedInstaller.exe	43
PID 1760 wrote to memory of 304	1760	TrustedInstaller.exe	43
PID 1760 wrote to memory of 304	1760	TrustedInstaller.exe	43
PID 1760 wrote to memory of 1356	1760	TrustedInstaller.exe	41
PID 1760 wrote to memory of 1356	1760	TrustedInstaller.exe	41
PID 1760 wrote to memory of 1356	1760	TrustedInstaller.exe	41
PID 1760 wrote to memory of 1356	1760	TrustedInstaller.exe	41
PID 1760 wrote to memory of 832	1760	TrustedInstaller.exe	46
PID 1760 wrote to memory of 832	1760	TrustedInstaller.exe	46
PID 1760 wrote to memory of 832	1760	TrustedInstaller.exe	46
PID 1760 wrote to memory of 832	1760	TrustedInstaller.exe	46
PID 1176 wrote to memory of 1072	1176	cmd.exe	48
PID 1176 wrote to memory of 1072	1176	cmd.exe	48
PID 1176 wrote to memory of 1072	1176	cmd.exe	48
PID 1176 wrote to memory of 1072	1176	cmd.exe	48
PID 304 wrote to memory of 416	304	cmd.exe	47
PID 304 wrote to memory of 416	304	cmd.exe	47
PID 304 wrote to memory of 416	304	cmd.exe	47
PID 304 wrote to memory of 416	304	cmd.exe	47
PID 1356 wrote to memory of 960	1356	cmd.exe	49
PID 1356 wrote to memory of 960	1356	cmd.exe	49
PID 1356 wrote to memory of 960	1356	cmd.exe	49
PID 1356 wrote to memory of 960	1356	cmd.exe	49
PID 1356 wrote to memory of 1624	1356	cmd.exe	52
PID 1356 wrote to memory of 1624	1356	cmd.exe	52
PID 1356 wrote to memory of 1624	1356	cmd.exe	52
PID 1356 wrote to memory of 1624	1356	cmd.exe	52
PID 1760 wrote to memory of 764	1760	TrustedInstaller.exe	54
PID 1760 wrote to memory of 764	1760	TrustedInstaller.exe	54
PID 1760 wrote to memory of 764	1760	TrustedInstaller.exe	54
PID 1760 wrote to memory of 764	1760	TrustedInstaller.exe	54
PID 1760 wrote to memory of 764	1760	TrustedInstaller.exe	54
PID 1760 wrote to memory of 764	1760	TrustedInstaller.exe	54
PID 1760 wrote to memory of 764	1760	TrustedInstaller.exe	54

C:\Users\Admin\AppData\Local\Temp\pattern.exe
"C:\Users\Admin\AppData\Local\Temp\pattern.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:960
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:304
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:416
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:832
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:764
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
5767bca749b6323e6c7a3bd086178a4a

SHA1
22a5dde538a14d9605108410ce6d42642d6b7651

SHA256
b68b3f12e62fb954843b6043afca1fdd4e57ccc0cd1f565a99c475a0dbf38a12

SHA512
9d1d29cd2e8caa86f5929cace610a1a50ea64b13d5cad4becbb06b2db9b4f99d84ca95bd409136f9858b3802f57ba8d9398d4bf610e46d3c594068be83ac429c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
ed6e002f959706915aa3608c14977b7d

SHA1
f71fbba1587d5e9a4c85a6d543253b9fec5b3dd3

SHA256
d695d3416d8388e22431809c4001380d436eccba96be7e95b596673552d57664

SHA512
4c74d5206b155132d88f57c65d53ec825990e1940cad4afc779c4d423682eac8167ac8922e57a66c4fcd4a792a7bc0d30b10abe67b554ce8a89fe5972d85b6c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
a61147c8cd13871aa1960d8ee4e48f0c

SHA1
7a21af066faa92cd82fa036da587e80be9a842d8

SHA256
7cfe26be185fe22a58573a91a76e52518353d5d73bcf58ede2e1bf2e42d66536

SHA512
8a8deb510764af71b4b0a9a7103a4e7f45e7c4d69fb07048291ba5f051a82c6934d170d30a088a9b2638cfb1e61a51fc78a91c4ece40fdfbbb5bc48d22fa21bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
f0949a808b1e03860c841e6109f1bbc8

SHA1
5d56d659ae173b1d5c3cc6308002901514317d6c

SHA256
3422574988795f0295bcec0a014cbb6f56be1514e6382360a4567f1dcab21950

SHA512
2083deb9a54e789e2f3a69e8e43a27dde76001331c0092cabedd473856a3dcfa94e924f19fb3f49e5cd7e1716f22173f3d307f272b9c19aa633d44de57743274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4X32ZLU\XTQVPTAJ.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\QA8PMDQV.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
C:\Users\Admin\Desktop\AssertOptimize.rtf.kd8eby0.26D-D2B-2A5

MD5
f634be74222708430178df05522da388

SHA1
9ee20da0ebc429ab042daddb521bb518530ce84b

SHA256
48db58d2feb899e6115283979d382423afcb6942efa5e4ab28b7a4e7bffaf980

SHA512
f12a13a28785e7331eb0f865ffa4e350aa88e64eddcec15a09a25b8222ff1afdb4e5c0b49468997ce466e0f157aed44650574e289738a0602a47818e145a2f34

Download Submit
C:\Users\Admin\Desktop\CheckpointUnblock.mhtml.kd8eby0.26D-D2B-2A5

MD5
eeeefbf559d8979c81916aa29be87f88

SHA1
ea437b73180a7ea4dd202e150b784209d6d89c06

SHA256
bcb6e06a0a760184e4eec82d5f0623d8f61c0c74f85128ec19053265df850b5b

SHA512
4ae740d24f6c9d8e7919e5271ce94cdfec7e5f41ce998ea1d94c79aeaaded7df173448821d87f6939ca45a5ffb2712cfc21406878585430d4f5454686b0bc3ea

Download Submit
C:\Users\Admin\Desktop\ConfirmApprove.crw.kd8eby0.26D-D2B-2A5

MD5
dd4b3a457c879da359902aec0b97d7af

SHA1
458d477b61c5ecd7e7349a8d3de125dc7b645d27

SHA256
431bbbd7b83aa3e83bbfae9d3c1395d2ab52c791a1c297fe06952bc8f7c65993

SHA512
d3d49367c0cbc28b683633428de5c4e74116148eafeb5428f06c349fce0bd97cef165079fc31b6b9d5011229beeeb9fa378873989da04bcadc37dcc1f28c363e

Download Submit
C:\Users\Admin\Desktop\ConvertToPublish.xlsx.kd8eby0.26D-D2B-2A5

MD5
8904dfe78528287e78962065c240973c

SHA1
9d62d348f104f4899f5237e8e0561057754e1c36

SHA256
d162c04eb5da4a154a80f47e7c1d7e676381c7c3e7301cfb66205fd895888a1a

SHA512
94903c32b5ba988b243bc01bb5b641281de3fc870509e0e5b7c7b3ce7250077af7a2caafdbea4c3595ce3377f0c9d3d2f2951bb4d699cd0b67df5333202f1d99

Download Submit
C:\Users\Admin\Desktop\DebugSkip.png.kd8eby0.26D-D2B-2A5

MD5
a3705b08211fa376a16573249bcd7873

SHA1
0267fc1c804f951f4103ab893076e0427d18c9b0

SHA256
47392346e279573e7581d4aecf3098dba12086981f8175b0c456eefeebf88ba8

SHA512
97fd947ebbbed6055a34ea6e5cc76329ca504f91b7551f3f56911e5e7c2694bd85d005fa1340341f80ee46681050bf874deace8a4f90b3137dd4125f51b1349c

Download Submit
C:\Users\Admin\Desktop\DisableExpand.midi.kd8eby0.26D-D2B-2A5

MD5
041f2a1fea2bebd8cc159ca3cce04a21

SHA1
e13dc50c1389077c18617a1b3b6ff20e66864eb5

SHA256
d9bbad0078a22fccac9c0730e81da9beb06b11694cb1bf7245f7b79549fcf1ee

SHA512
355dfbdf2cf304d8352477b427faff57167cb9637b2fd847f6f54154254520a7bd49f275542b17dc7dbbcb8038ff0d77c6371471ce233f77db34e0aa395f5f88

Download Submit
C:\Users\Admin\Desktop\DismountPing.htm.kd8eby0.26D-D2B-2A5

MD5
77339e7d101fe84c03dcab01b7af24c9

SHA1
ac73a77e785767a14734cda2c972c3bace799c6e

SHA256
7e7c0651cea9e5083b51503d9a8bf7fd0f22d2fe1e66478d831ca1ca2e48d954

SHA512
9954226eecebf9c5fde93888235053a87f2197507e240732db946193d5b727c98d2831a4d09f7d6785fbd7e868a5efa69a1a96a577edd9be66d790130b024e39

Download Submit
C:\Users\Admin\Desktop\ExportSave.midi.kd8eby0.26D-D2B-2A5

MD5
98b12784305e8e0b95b2dd16ae221a92

SHA1
1c0ed6bc3e77b120229f6997c1165eba9c53d9da

SHA256
0ecedf741656c87a33586506f56ce5ea0e882ac4564597db1ce9ea346d8e79b0

SHA512
8de471fc4574dfcde7e260fafc8105cd1b2461630b8ac84b661b7f94dcbab1ced34f92da9434a7e0b7296f178cad54ac0d8357c1866f999c56aef4648ed95bad

Download Submit
C:\Users\Admin\Desktop\FindMount.DVR-MS.kd8eby0.26D-D2B-2A5

MD5
73825ebb96c3d7333748206639bb13cb

SHA1
73ffc502205784ebb0f19ac2c95da8427deba62c

SHA256
dfe409d9df2bb9549dbce0c8b777e06920278cdcf021908833fa4c9b85336613

SHA512
b01de6352880c85d3369a87ec3a94aa662e4946ba2837f849c1ded30985889d3a31bebb81e5ea1afaa618dc97a1bf040e63765006cd16a6a1e5480dc6015eac5

Download Submit
C:\Users\Admin\Desktop\GrantImport.doc.kd8eby0.26D-D2B-2A5

MD5
78da089f9ab01620a74e7ed53e08d1f9

SHA1
cad16b09ce8051c658583e3a62762279cde51803

SHA256
b533147434e53810239a132f2a4edbf31b10d4e911f0a65bc4bf864dfa7a2e5f

SHA512
47b5cde501d34f39b89ae91daa0bcb48baeca318befcff3df23c0c935912da7cf19005140ed90493426a9467177ec299c6056e4aa558188ea464c6e38d67165a

Download Submit
C:\Users\Admin\Desktop\InstallFind.scf.kd8eby0.26D-D2B-2A5

MD5
58a684e91d4dc07e29d6053f82157438

SHA1
4f4bfebae9808b11559583d2fd29bccc9aef4b6e

SHA256
bf429d86443d129b2b4751b4d8ed2fc97dbb95c96df2c3ce5b075b9bfed03261

SHA512
9fea7b42c88c5018e46f4a673c574f2665041985291a2c416d82d9dce4d23887d395c681be5a1229370065523c6303a20abc1865e05188dc2be3252356ea9e6b

Download Submit
C:\Users\Admin\Desktop\MeasureSplit.ps1.kd8eby0.26D-D2B-2A5

MD5
53fea14efd5511645fbb21f8707dcab0

SHA1
98d21597cbd90b5d39c5f6c740d5e1e3e7db3ca9

SHA256
5756a0293debe67509c2a27d64b712cae1d0f7a2ce1a62e84f9b1c881d02809b

SHA512
a68f824222dae863a0299de3240bc8ecfbfdd7f785671803e5ffab86db124e6a537113ceff0b61d1fef5ada03fff82032ba537d290d343135bcbf93e5e4bc5ab

Download Submit
C:\Users\Admin\Desktop\MoveHide.mp4.kd8eby0.26D-D2B-2A5

MD5
9e0993cb18461f9e8ac3faa3ca76254c

SHA1
a9b26fb2342c6b4acb4831183e137dab5f7edc81

SHA256
7cfb72f2af190f7bab7db6a024cc4c01032f8a68b167204fc6d415a965dd9c35

SHA512
74ffffd5bdb410f629613bc26caf480f0a15c0de2ecf1212cf6c6bfdafe8f40b97d1521a6ece4908ab3ba77fad905c35ef07e9bdab840f130239e75697847aca

Download Submit
C:\Users\Admin\Desktop\OutEnter.mp4.kd8eby0.26D-D2B-2A5

MD5
00b687a2a7c2906ef1def7f6cfaa2886

SHA1
bf449289422578f027a8ae5e1db19f2d12bda390

SHA256
cc679b3c7d76d89019762c2cd9909d7608bbf0b91603688e309d841206eacd6e

SHA512
e59cb5725a921573a310feede36cedac68312d8c38bfdfc26be8e70c6a556d6823f01bccdc347208cb3d1a18c7a58d7ee042f0fe1d4829990b72d492a9c0a46e

Download Submit
C:\Users\Admin\Desktop\RedoTrace.edrwx.kd8eby0.26D-D2B-2A5

MD5
74f1fe4e28ff526a529652ab5906da76

SHA1
13c156b395a004f72cbddaa87e7ced7b6cb51f99

SHA256
2bc865918e9910e5de6172c9849d13964f332b705e5e7db92304b21f9a362c60

SHA512
db6f0d9f143777c1a05be01eed7ba442e914a1053f07b21f7916ecb770f77c10d79cf6ebaaa33ec8498b768bd00768e2ee4e19b31195f66d63139e407a2f23cb

Download Submit
C:\Users\Admin\Desktop\RenameDisconnect.odp.kd8eby0.26D-D2B-2A5

MD5
58c135107db2b1f885ad61ce663659fc

SHA1
2d34253324a364affe32885445272fab14cf87b8

SHA256
1a0656dc917036be20fa8e9d4137af439b6388585b317478372f22cf7bb716ba

SHA512
4df3f26035f2e995cccdf8538f566b524fab7f9b6ee0b8280da65f706caafc93f7b315d3cd0d68895cb9f95a981382757a3331fd6402f6d6922132855249c6e4

Download Submit
C:\Users\Admin\Desktop\SkipAdd.png.kd8eby0.26D-D2B-2A5

MD5
bdf976e42adade7ee9d86be97b1ed947

SHA1
e8416bd831d8153c1b44601e3147bfe4aa5f2d0b

SHA256
40512fb9fa0c2fefb906834028ed0738d904c181b65295b5d6957c178469483f

SHA512
5aed711b0befcaac5e42e3cad0af453bcb1a8b4853147f7427c02d9e3b951bba93c2fa136c879662cc92d6a23450c15ffaedb031c5b213f5a93d8b58bf4d29ec

Download Submit
C:\Users\Admin\Desktop\SplitProtect.pot.kd8eby0.26D-D2B-2A5

MD5
0598660cb9483c71087b1d0d133ea7c8

SHA1
8850b84ae73f0c6652cf65577122debddcf0f21f

SHA256
cde8e6aa87c1710822baa3b5bdd08a487ff25b8652203d57d08d4a2ff1316137

SHA512
251460e94655fca7aa6151dc7d0079691072baa009d28551e30605fdad8f2d7ef3ae3a18d0ddd1e39291051ca49307dbf343425e9664a7dd4b02b1273d3e3b74

Download Submit
C:\Users\Admin\Desktop\StepPublish.MTS.kd8eby0.26D-D2B-2A5

MD5
e20ade3787529bd2c931eaaa8d74eaa7

SHA1
3a9473c01fe00482cdcd3ab12e2770c31963f26c

SHA256
a7af912201418b809d0ea6a3c435c3dc0d423b99b9dd7bd8138e7b605dc9b2fa

SHA512
653e3dfa4efb0a655f6736b2fdfd7d8ede8b0eb1b5c47d17f03d812877ff95a49ee0d1ec6cafdc84cd406656b2a860fb127b19c93fcd39a06c9fbce0f31ac687

Download Submit
C:\Users\Admin\Desktop\UndoAdd.eprtx.kd8eby0.26D-D2B-2A5

MD5
2d5ed06ece46889a227d22c5144198ac

SHA1
0e7c04caa7cdfb87efde27749aa291fb9550d0d7

SHA256
a2190d71bc7a83259bf9bb6594f8e7e0ea4cbb8115b6e1d2b279cd37a4ac9919

SHA512
49bfe845aa0fe11ec96cacc0a44c5b34fc2c30c76e41912c63987e328a33ffe2207a69a43d02f2d4694abb8a2dacfd24d2a1d4a167fd350ad22941a3cfd3e013

Download Submit
C:\Users\Admin\Desktop\UnregisterSwitch.rmi.kd8eby0.26D-D2B-2A5

MD5
fdc0c7da7fe23cd3796fb14d8dd799d9

SHA1
c20d3c0cc6781625b9e404d8fde4ffe127fa4310

SHA256
57d92588e68f7e5883ada0d06ace7457df89d47a25ffd50a09951fd417e2cc08

SHA512
754561857c8c92d569807c0bba75077848d86b8559a6c93efdab2615876fb6df0a42ab4da3d6ae18bfe00c9177c9de2a79386774ac0cbacaa01d8de3fa7d4648

Download Submit
C:\Users\Admin\Desktop\UnregisterUndo.pps.kd8eby0.26D-D2B-2A5

MD5
109733d7ad2e8e35ff032cb31fa21170

SHA1
3d6e4bae75f4c6584936acfcc43df719eb7b5d09

SHA256
ff9578868cca2ca4757e5ab9d1abef241cdd8177abf95732d6b9335c8e0e2927

SHA512
f39556e92e66938fc0322d7bbfeea94071579afb3b262fb26da3f3b6ed3389ee7505f737d0d5ee923c2dfa40bfb65fdc361b2499983c22da0773e64702d62cac

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

MD5
dcef208fcdac3345c6899a478d16980f

SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0

SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc

SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba

Download Submit
memory/304-85-0x0000000000000000-mapping.dmp

Download
memory/416-90-0x0000000000000000-mapping.dmp

Download
memory/764-118-0x0000000000000000-mapping.dmp

Download
memory/832-87-0x0000000000000000-mapping.dmp

Download
memory/832-93-0x0000000001E80000-0x0000000001FC5000-memory.dmp

Filesize
1.3MB

Download
memory/924-84-0x0000000000000000-mapping.dmp

Download
memory/960-92-0x0000000000000000-mapping.dmp

Download
memory/968-82-0x0000000000000000-mapping.dmp

Download
memory/1072-89-0x0000000000000000-mapping.dmp

Download
memory/1176-81-0x0000000000000000-mapping.dmp

Download
memory/1356-86-0x0000000000000000-mapping.dmp

Download
memory/1580-83-0x0000000000000000-mapping.dmp

Download
memory/1624-95-0x0000000000000000-mapping.dmp

Download
memory/1760-72-0x0000000001DF0000-0x0000000001F35000-memory.dmp

Filesize
1.3MB

Download
memory/1760-64-0x0000000000000000-mapping.dmp

Download
memory/1772-66-0x0000000000000000-mapping.dmp

Download
memory/1772-71-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2032-62-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2032-60-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/2032-61-0x0000000001F30000-0x0000000002075000-memory.dmp

Filesize
1.3MB

Download