buran | 005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

Analysis

max time kernel
136s
max time network
132s
platform
windows7_x64
resource
win7-en-20211104
submitted
12-11-2021 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123.exe
Size

214KB
MD5

c14d403c9e9d6b6054e09ceee047fbf1
SHA1

2155b8d3b977f32641314207bb24126741b71d13
SHA256

005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23
SHA512

f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 63A-3FA-916 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

explorer.exeexplorer.exe

pid	Process
1300	explorer.exe
944	explorer.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

explorer.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\UndoConvert.tiff	explorer.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
1884	notepad.exe

Loads dropped DLL 2 IoCs

Processes:

123.exe

pid	Process
676	123.exe
676	123.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

123.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run	123.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	123.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	geoiptool.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

explorer.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02201_.GIF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\classlist	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\default.jfc.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Godthab	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301044.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_ON.GIF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297727.WMF.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC	explorer.exe
File opened for modification	C:\Program Files\SendSet.i64.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEM.CFG	explorer.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfont.properties.ja.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00057_.GIF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105240.WMF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Karachi.kd8eby0.63A-3FA-916	explorer.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14692_.GIF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\HEADER.GIF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_OFF.GIF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239965.WMF.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun	explorer.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4F.GIF.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.JS.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152688.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18208_.WMF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL022.XML	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Documentation.url	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NL.ROGERS.COM.XML	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02071_.WMF.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielMergeLetter.Dotx	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.kd8eby0.63A-3FA-916	explorer.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\Hierarchy.js	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosecolor.gif.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CUP.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.HXS.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp.kd8eby0.63A-3FA-916	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageSlice.gif	explorer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\HEADER.GIF.kd8eby0.63A-3FA-916	explorer.exe

Drops file in Windows directory 1 IoCs

Processes:

explorer.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
1508	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

explorer.exe123.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	123.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	123.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	123.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
1320	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

123.exeWMIC.exevssvc.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	676	123.exe
Token: SeDebugPrivilege	676	123.exe
Token: SeIncreaseQuotaPrivilege	1964	WMIC.exe
Token: SeSecurityPrivilege	1964	WMIC.exe
Token: SeTakeOwnershipPrivilege	1964	WMIC.exe
Token: SeLoadDriverPrivilege	1964	WMIC.exe
Token: SeSystemProfilePrivilege	1964	WMIC.exe
Token: SeSystemtimePrivilege	1964	WMIC.exe
Token: SeProfSingleProcessPrivilege	1964	WMIC.exe
Token: SeIncBasePriorityPrivilege	1964	WMIC.exe
Token: SeCreatePagefilePrivilege	1964	WMIC.exe
Token: SeBackupPrivilege	1964	WMIC.exe
Token: SeRestorePrivilege	1964	WMIC.exe
Token: SeShutdownPrivilege	1964	WMIC.exe
Token: SeDebugPrivilege	1964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1964	WMIC.exe
Token: SeRemoteShutdownPrivilege	1964	WMIC.exe
Token: SeUndockPrivilege	1964	WMIC.exe
Token: SeManageVolumePrivilege	1964	WMIC.exe
Token: 33	1964	WMIC.exe
Token: 34	1964	WMIC.exe
Token: 35	1964	WMIC.exe
Token: SeBackupPrivilege	1364	vssvc.exe
Token: SeRestorePrivilege	1364	vssvc.exe
Token: SeAuditPrivilege	1364	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1964	WMIC.exe
Token: SeSecurityPrivilege	1964	WMIC.exe
Token: SeTakeOwnershipPrivilege	1964	WMIC.exe
Token: SeLoadDriverPrivilege	1964	WMIC.exe
Token: SeSystemProfilePrivilege	1964	WMIC.exe
Token: SeSystemtimePrivilege	1964	WMIC.exe
Token: SeProfSingleProcessPrivilege	1964	WMIC.exe
Token: SeIncBasePriorityPrivilege	1964	WMIC.exe
Token: SeCreatePagefilePrivilege	1964	WMIC.exe
Token: SeBackupPrivilege	1964	WMIC.exe
Token: SeRestorePrivilege	1964	WMIC.exe
Token: SeShutdownPrivilege	1964	WMIC.exe
Token: SeDebugPrivilege	1964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1964	WMIC.exe
Token: SeRemoteShutdownPrivilege	1964	WMIC.exe
Token: SeUndockPrivilege	1964	WMIC.exe
Token: SeManageVolumePrivilege	1964	WMIC.exe
Token: 33	1964	WMIC.exe
Token: 34	1964	WMIC.exe
Token: 35	1964	WMIC.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeIncreaseQuotaPrivilege	612	WMIC.exe
Token: SeSecurityPrivilege	612	WMIC.exe
Token: SeTakeOwnershipPrivilege	612	WMIC.exe
Token: SeLoadDriverPrivilege	612	WMIC.exe
Token: SeSystemProfilePrivilege	612	WMIC.exe
Token: SeSystemtimePrivilege	612	WMIC.exe
Token: SeProfSingleProcessPrivilege	612	WMIC.exe
Token: SeIncBasePriorityPrivilege	612	WMIC.exe
Token: SeCreatePagefilePrivilege	612	WMIC.exe
Token: SeBackupPrivilege	612	WMIC.exe
Token: SeRestorePrivilege	612	WMIC.exe
Token: SeShutdownPrivilege	612	WMIC.exe
Token: SeDebugPrivilege	612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	612	WMIC.exe
Token: SeRemoteShutdownPrivilege	612	WMIC.exe
Token: SeUndockPrivilege	612	WMIC.exe
Token: SeManageVolumePrivilege	612	WMIC.exe
Token: 33	612	WMIC.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

123.exeexplorer.execmd.execmd.exe

description	pid	Process	procid_target
PID 676 wrote to memory of 1300	676	123.exe	30
PID 676 wrote to memory of 1300	676	123.exe	30
PID 676 wrote to memory of 1300	676	123.exe	30
PID 676 wrote to memory of 1300	676	123.exe	30
PID 676 wrote to memory of 1884	676	123.exe	31
PID 676 wrote to memory of 1884	676	123.exe	31
PID 676 wrote to memory of 1884	676	123.exe	31
PID 676 wrote to memory of 1884	676	123.exe	31
PID 676 wrote to memory of 1884	676	123.exe	31
PID 676 wrote to memory of 1884	676	123.exe	31
PID 676 wrote to memory of 1884	676	123.exe	31
PID 1300 wrote to memory of 936	1300	explorer.exe	33
PID 1300 wrote to memory of 936	1300	explorer.exe	33
PID 1300 wrote to memory of 936	1300	explorer.exe	33
PID 1300 wrote to memory of 936	1300	explorer.exe	33
PID 1300 wrote to memory of 1936	1300	explorer.exe	36
PID 1300 wrote to memory of 1936	1300	explorer.exe	36
PID 1300 wrote to memory of 1936	1300	explorer.exe	36
PID 1300 wrote to memory of 1936	1300	explorer.exe	36
PID 1300 wrote to memory of 1672	1300	explorer.exe	35
PID 1300 wrote to memory of 1672	1300	explorer.exe	35
PID 1300 wrote to memory of 1672	1300	explorer.exe	35
PID 1300 wrote to memory of 1672	1300	explorer.exe	35
PID 1300 wrote to memory of 1720	1300	explorer.exe	41
PID 1300 wrote to memory of 1720	1300	explorer.exe	41
PID 1300 wrote to memory of 1720	1300	explorer.exe	41
PID 1300 wrote to memory of 1720	1300	explorer.exe	41
PID 1300 wrote to memory of 1312	1300	explorer.exe	40
PID 1300 wrote to memory of 1312	1300	explorer.exe	40
PID 1300 wrote to memory of 1312	1300	explorer.exe	40
PID 1300 wrote to memory of 1312	1300	explorer.exe	40
PID 1300 wrote to memory of 1616	1300	explorer.exe	43
PID 1300 wrote to memory of 1616	1300	explorer.exe	43
PID 1300 wrote to memory of 1616	1300	explorer.exe	43
PID 1300 wrote to memory of 1616	1300	explorer.exe	43
PID 1300 wrote to memory of 944	1300	explorer.exe	44
PID 1300 wrote to memory of 944	1300	explorer.exe	44
PID 1300 wrote to memory of 944	1300	explorer.exe	44
PID 1300 wrote to memory of 944	1300	explorer.exe	44
PID 936 wrote to memory of 1964	936	cmd.exe	45
PID 936 wrote to memory of 1964	936	cmd.exe	45
PID 936 wrote to memory of 1964	936	cmd.exe	45
PID 936 wrote to memory of 1964	936	cmd.exe	45
PID 1616 wrote to memory of 1320	1616	cmd.exe	48
PID 1616 wrote to memory of 1320	1616	cmd.exe	48
PID 1616 wrote to memory of 1320	1616	cmd.exe	48
PID 1616 wrote to memory of 1320	1616	cmd.exe	48
PID 1616 wrote to memory of 612	1616	cmd.exe	51
PID 1616 wrote to memory of 612	1616	cmd.exe	51
PID 1616 wrote to memory of 612	1616	cmd.exe	51
PID 1616 wrote to memory of 612	1616	cmd.exe	51
PID 1300 wrote to memory of 832	1300	explorer.exe	53
PID 1300 wrote to memory of 832	1300	explorer.exe	53
PID 1300 wrote to memory of 832	1300	explorer.exe	53
PID 1300 wrote to memory of 832	1300	explorer.exe	53
PID 1300 wrote to memory of 832	1300	explorer.exe	53
PID 1300 wrote to memory of 832	1300	explorer.exe	53
PID 1300 wrote to memory of 832	1300	explorer.exe	53

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:1312
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1320
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delete /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:612
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:944
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:832
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
e3e3b0a46e8a480b91b2958f84492c21

SHA1
d53c4d0cae15edeb1364156cf5e7f1f78c8947a8

SHA256
8f80b0fc1c1c54daefb919e0ad44f52abfa9c4eb46da55fb8129b7f65209061f

SHA512
0549eddf61463dafce23e4d9808e64401d2ce9e61f65447287e98da73bcf9733fe9da2809b5887ac56dd4c313366496348510cb9d9576b264549148e4d0f39e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
eed44928e946f50ed36d37752d7de3ac

SHA1
a2ae1a3cad33819ebb8022ea9558769e5a441921

SHA256
7626e74ff44217673c53af18c53b5bc37ba411bb3f4db0daa1dc13f5db0edb5d

SHA512
ef7c6263485fa47204c5cea4d0c782def13b7b568653037eb1ef1d057aaaacd026fd40db3ab9ae90ea9473f69f5a3866fdf1dfb64ec03ab47a589ecd131c5918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
c026f0cefed02193d3bf7078c32c1f4b

SHA1
74357c790437e708d6152492f14f9a308a41c1ee

SHA256
a2293aa5e0cba820827fe6cbecf5d053a12c5cd625971c6470a5fc5079b95d8e

SHA512
f0e718e04dbd20c150659251786bd363f5aceb0a789f6e03b84e43405aebd3487e682a9fdfaf68c9f55e260a632fde553d0c85f317dd80960aec547632f6874a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
467e595a29ec018b274a9a422936db4e

SHA1
61e207e27f778ae59533a0ca706c64d0458779cd

SHA256
78f461dd68a9d97f21a6de7f9ef9102c15bc3c4706ea796bf942f018c58bf969

SHA512
aa386f1d75bf5263252dfe55a68bdf80ae85a7b48d628e2503f56707a7ca28d5ce11796150375d498ad45a779a818a1560b338347da057748254a80c1aa8eaca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
150b30a6cbe82692b8afbdf9a01c6dca

SHA1
33396a804f461e1d0e0e0244eecbae7e8b685b53

SHA256
3864667ab60f85cf2410a954aefd3eb1bc62849d2546e18bb4e1f37ee4b39b8b

SHA512
6a84060701d9d8a1c8a6d82999033392d69ccd969e0ce07dc5bfb9c5d8befaebd718904bc26f5ea17b54ae49b4b27d4c6e317ad213d1a5eda07ed68f95c9a752

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
d828f5282a97fd75507ad8f816920f07

SHA1
5c18002ef2a65286f6822733a52642c49d4eae4a

SHA256
3bb9645615ed76bae8ebb2b4474b47333dbf95c76afe4627767c205896654858

SHA512
344f96b0224702e22eea340afb37a3414d2fb3b1fa00e54ca7adc193c8404532a7026732767673bcf5c2a43b85b1bb9f9b62a98560d5db53d6cf2fe9dee68f09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
20e7523a1f28e43cfc852eb5b2bdf186

SHA1
e34cbc26991a811a0cc190615b1eb405a19b798e

SHA256
6f88d4bdcc0c96b8645a5aa4fc4dc0906ac9c612091557361bbf801b3b667c69

SHA512
4ae285358ef1a62ca3c7937d5e1f238b7b8de811593b0a6400de0d12e17d15ccd31b28ae20facb271506a5511e6d759e4157ddb0f8d5ac21f9f3a399bbd0e25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EU9ERU9I\RC2XR4I5.htm

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T6MYL4HM\HP86HNZ6.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
e6545ccb3660f88529716ed4e647c713

SHA1
ecd628f29985599a24c5c1d23083c689917dd74e

SHA256
e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

SHA512
f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\Desktop\BlockSkip.mpeg2.kd8eby0.63A-3FA-916

MD5
47a89c2142397aaa89bb5a15abc91592

SHA1
2e68b5fcfd7d7ef8a80316dad1a4162aaa864806

SHA256
87426943433ee9c12550d52a9ab53c39614fe85879a394dcda93c2618ad8fb62

SHA512
b80730069b00315a0f9033a34397b48d0abfadf00e7d565405d19cbf4849cafa5b014844ca79e0145d7b171662727cc7a7f3a391fc55ad385bc7ba9eea448975

Download Submit
C:\Users\Admin\Desktop\ConfirmOpen.bmp.kd8eby0.63A-3FA-916

MD5
151fe2c76e8278c81d4b9988977a1c84

SHA1
87941fbeb0c59f17d6bb244260922766029f6e87

SHA256
dc5af3b8e2ee73dbef0a401f15755ad431c7f69687385c0dc30ed9cd1cdc2893

SHA512
44e82829948195954c5def5fd14b4e73de1040c7827db99ecb395a67c06e86f97ce379bc977983fa350217b4e1b864d05c31acd4bf93ce3cb67dc1a69fc74248

Download Submit
C:\Users\Admin\Desktop\DebugInvoke.vssm.kd8eby0.63A-3FA-916

MD5
2c9ea07fda2809504d27ef153ba721eb

SHA1
e845c60424cf02fb6bc80f0db6b32c9ef71ce6f4

SHA256
0c253e8819e62d78094b08a5fc170833026fc3838d16e6bf00453cf54eb49352

SHA512
873697c2818aa73f9f702e6a7bf756156717e82a5ab09beca7476471a6e32561bf246b7790bef82381a305e4cdfc64bfe17e9183e0f694ab027f8cd7f4519df9

Download Submit
C:\Users\Admin\Desktop\DismountClose.wmx.kd8eby0.63A-3FA-916

MD5
7844083ed4027f829cafcd002af39b64

SHA1
434a79d260287dd8bac758a543d4da68d8614ea0

SHA256
a326dac370cb03c91b7aed7e0070edc65683d02f31b82aae2c8369f5d7f3f0ab

SHA512
24f6fd0bb2a04c610a545e22d388558d967176d5fda62a71e40ab044956b671e19869f50149371d52dbafe435c38d552ba41f47b1ef82976563633beff540788

Download Submit
C:\Users\Admin\Desktop\EnterUnblock.crw.kd8eby0.63A-3FA-916

MD5
3bb00fd04ce43c560ae572a69ed18a96

SHA1
353338750966f34e9b5430a753af3438e90070b5

SHA256
077fb94a9ed0d14497e8e3c151b6054eb038d96a28aecea6b159738f1b9d205c

SHA512
62d7d4d76c1ca1ae276c407dd0e4e5f2f5b975059deb6a1cac42e2b258493e8cb0848ba325a278d7aec7294e397aa02f41231664aaa333a1bd89f09da800fa41

Download Submit
C:\Users\Admin\Desktop\ExportDisable.csv.kd8eby0.63A-3FA-916

MD5
a865402d46fe2fd5f1a81caadcaed7c3

SHA1
045305536fd181f2bcc8809155b3edd53b184bbb

SHA256
89d55343e55c40b4b4848b669e74f864904e55420d8f42c60274d4a778be6f22

SHA512
6a5f07edc63554ae4a70e33702eba16ae4b73c4fa2b31ea0efe6399b2af0c5d15c609fb84ed291bd3a359c55f629b5ff378956ff3f08bbed1e576237cbc6872c

Download Submit
C:\Users\Admin\Desktop\GetNew.zip.kd8eby0.63A-3FA-916

MD5
add6a51ea062d76545e68917d1b11e76

SHA1
0c02729c6119cd547da124e574b5fce143d483a0

SHA256
2a278b37e54c541af84d2d903d3315b34acf4e1d3af024f9ada509d9cf531ea4

SHA512
69112e861c75077da7811695a873271ba635f5fe4ac36a95af359ac32f2a475bcf871ead0823a3a73f6ec73f6bedc6a21549109cc13a5baf9a3b1592e919befa

Download Submit
C:\Users\Admin\Desktop\GetRemove.contact.kd8eby0.63A-3FA-916

MD5
eeee7c2fa7b9e46a91971115ce9ed2b4

SHA1
7f06c9f5e9b89d15dba48b94c70dd0b93ff543ed

SHA256
f4c31540f554aa38b0bf028397e626745512d1942c9467f130892766c85d74c1

SHA512
56a1c65c68230045ae5d9c87c0a47663959ccbd97278d6aea8136968d2587889973382e38d3266e4fdad441e1b27bc8f8d8fe4a72cafaed2036eca4a38f3bc05

Download Submit
C:\Users\Admin\Desktop\JoinCompress.docm.kd8eby0.63A-3FA-916

MD5
b0344f62952ec5ed5055869b15039ce1

SHA1
984e51fb53292a4379cd6ebdb23e0c9a8828a3ca

SHA256
348eefb6cc06c437ac62e9ab54659bd7b6b3b8dcae8fe551da87415f2ce36703

SHA512
6982dc918516dc9f907e32810fd75d81b99db9bb1989308eed73b328f3042d85571ed5f18bf6ce39c98e362e29b6ae7f10ac27a7b2004353ed5563a78db0816a

Download Submit
C:\Users\Admin\Desktop\JoinUninstall.mp3.kd8eby0.63A-3FA-916

MD5
330fd52ef02554591a73686ec8002b71

SHA1
f95039179d36a5714f01c7d21e9408aa698364b8

SHA256
fa96f6347a4bac36c87ec5667e8b2f5b8ad62542b7c89abceb53707d6250a5bc

SHA512
f25962113d74b6d787ac8f01ef8a7cfec73693f19b20afb5c810bced6ea74747ca6f61e7294c1fa563fd88fb542a3630d0a76f4a5687b4bae41c8573d55df1b4

Download Submit
C:\Users\Admin\Desktop\NewCompress.mp2v.kd8eby0.63A-3FA-916

MD5
c12ec1dc3efecf182417b00d5ee1683a

SHA1
1706d5a1c51b7c38f046c55def1753c3d8e0db7b

SHA256
fe8996bc3ca834494d569e889cedeb418a21ccc7c5f2e8bdc903fa6223a8d75c

SHA512
78f8e89a07ccb9c1896ab6a08b13847cff406049cfaa028c22743c573bd35f7f99b75d093cc108686cfc9fc3fec013f08639af3f66d4746e13c9acece4a2dd1e

Download Submit
C:\Users\Admin\Desktop\NewConnect.ADTS.kd8eby0.63A-3FA-916

MD5
15334242dfafa9b3091509df56bffac8

SHA1
fbf35999891638b9cf7dc8baa6e7a7eeec71d6fe

SHA256
eb29d68eb4544e1a69d67dd6f0842b8c4ecfbebd9229b75193b77e7a746616d2

SHA512
479719ce0dbe4640dd785d2ccb6f0758061abc791f1a974d9106ad50f7b4dba977528db9624e0e364d73d47bd1417b13406c107f86289e434eb496eb4263e3a3

Download Submit
C:\Users\Admin\Desktop\ProtectSwitch.mpg.kd8eby0.63A-3FA-916

MD5
62cb2f200332ec189e531332827c8e10

SHA1
da597f3313f32d0b7ee7f77989bb4b7070a3dc48

SHA256
0a5084dccebc72acc28d1be5c327a1114454c82945176c2a5da9b8332fe3dc42

SHA512
1d72ac032a760a8878668b4e81418bf0cc6a1bbb0325da7bb52c51cab2f89368a3a5c8c07b2296730ffcbbad761f7a1c379463854e6e6a1f5e5a5eecc14870d0

Download Submit
C:\Users\Admin\Desktop\RenameStep.asx.kd8eby0.63A-3FA-916

MD5
86296fd4370e3495b4476577b8c197fb

SHA1
bbb0a55073a064e1eaf190f2c332e3adf10330d9

SHA256
7ac66a9ccf9f3dfcd89ecb855723d976357a23aa36eca5e73d1bacaf73849dcf

SHA512
076e461566be6de1b6ee1c6d6e68ffedb3aa132a2c41b4d4f4921dc4728b5b7371d8d03b169d6b8f085b198edb55929c330108397ca06dbb14d10dab229184b9

Download Submit
C:\Users\Admin\Desktop\RestoreInitialize.vst.kd8eby0.63A-3FA-916

MD5
c7b97c34a050dbf4cc67660ffb1a1872

SHA1
8383baeed7a1ca11d36bb53ff37aec834f130be0

SHA256
a1cb1688ef7f538693692bf31586dc5c4c1ec720aab2ebccd1091774b5fd667c

SHA512
36f2b339e98994727edcdd95864bc708c9372e4005a2d933582fcbfd85fa8e04d5978537fcab13e045cf962b5feadbd21b9e17b053db859d66b566278f76b14d

Download Submit
C:\Users\Admin\Desktop\SelectMeasure.tiff.kd8eby0.63A-3FA-916

MD5
0efb023e260a8f214beb5eab2dd648a6

SHA1
d8df094b1e8ccab5705f8052e66a72af7e9f6739

SHA256
70b55f968b2677cff7407b7def59580e0607c0e8289c9820d6db128bd8e8a8e7

SHA512
d1bd656a8a8a7d7517ebd10dfb6ad7c42b0752e2e2ad2261e562b03c2c28beac356e347e0bf9d27b8122133884fff364c17cd7c51aaa9217f7670bd517c4c86d

Download Submit
C:\Users\Admin\Desktop\SetPublish.ocx.kd8eby0.63A-3FA-916

MD5
02c89901b2efc82149c29eab095c144c

SHA1
6be7fe1cfc02f02b4e9648ec374a5fd5b7a9e144

SHA256
e534d04d01acd8fa17bb8cd032505d539890d955542bb67bf09952a223f7393c

SHA512
0333c036296291ff373a476042ef9187f3d072d537658aa1d4c10d89cf55b8a85780929890cc1e1e942ff2a5d98fa4ed3a07af65a6cdcbfe51d177fbc4b7f6dc

Download Submit
C:\Users\Admin\Desktop\StartExpand.exe.kd8eby0.63A-3FA-916

MD5
cb70aef669c0716647b56130ace454f4

SHA1
faa59c46fd7cba28d94b68b602a15c1cdbc028d3

SHA256
2cb89fe51efdebf2b8b2da8b28058b190bebb86025063b949ea9b8f2818e39ae

SHA512
d62200196d14f55aa1559926b6af9d3553845f7502dc65536798a6b6f0533e83e8ea759594daedf9bb7abc113c0dbdd8c9a247b10fd3a2f24dbac9259e16601f

Download Submit
C:\Users\Admin\Desktop\SuspendSelect.jpeg.kd8eby0.63A-3FA-916

MD5
29d19bab0d88cddf2716e9086eea625b

SHA1
88cb588af977574cdf8a7777da2d4b8e9cce7f40

SHA256
7ec276f2d83f38f6a875370d42865f8f13b4611c652afccb0756a7f991a01bbb

SHA512
5f2db76210e10c4509a634c21e2bb7b4528bf5edde6a68ed5714345c418fcfdd85ca8c6f2253b250f568daad177fecf3e439c403e82b830c4ad640022b6cd66c

Download Submit
C:\Users\Admin\Desktop\SwitchUnlock.wvx.kd8eby0.63A-3FA-916

MD5
6f6872c8ae18fff082b834f7caebfa92

SHA1
b0a0f9b96379fe63131ea363b1cd4497466ba992

SHA256
bf2fe4b543503d23915304d5c364037f206e19b2d2674ce5906aaa9a2ed35be6

SHA512
43d8aab512f8203ab79523992970a4d50913bc9c0f650d464cf3a4141d9b7b63c59ff9ca4520ff44795db0b682f0f9c85f3a9f68274eb55653696a52bd4b2952

Download Submit
C:\Users\Admin\Desktop\UndoGroup.xht.kd8eby0.63A-3FA-916

MD5
9d2d77bdcb2ebce7576a0ee33c925fb0

SHA1
a7a9e5875146829fa5297dcb2332ed188506006b

SHA256
7c4e274e584f35086d0513627d056dd3b99b31556e7d4018573b65b6a802c673

SHA512
ed453b2879c8626c4c38590197159e3e555cad432b9245547448b420d9ca34903aa84c306ce0ca378acd65098f6efc03c40f38046988d7de0ab2edd815c8656c

Download Submit
C:\Users\Admin\Desktop\UninstallSave.xlt.kd8eby0.63A-3FA-916

MD5
9fa7dc4312ec6819879a98a63e37430e

SHA1
8c526d26822ca9f604157c15200aaea7167d610f

SHA256
eb8470c39725b79dd6b22a5b17e9b8964598dda4eee517d3000aa4fc1a8c20f3

SHA512
0a966cf20f6d197cb35fe3edf47766fb130c2b12997abcfa536e5e1426ab698f1103c01295fc7fe87146a25955e4b35bc09dc72f40347d69b137f9d92fa56344

Download Submit
C:\Users\Admin\Desktop\UnprotectInitialize.wax.kd8eby0.63A-3FA-916

MD5
0f9a639128128b7d93443969376e813d

SHA1
f4cb36b1455dfb7c68f30df0493297065406da9e

SHA256
b4ebdc66a409261b283e84480af2bc777f242de7cbd62fd51d2454cdb0e778d8

SHA512
648c5347c95a19fa21c1a7e4cd006d75e42b5d792c4d3f566516d09edeacd9f19623c1987b87fcfc991160b6efa8f4b3b6bebc9ba8e87cead9b25fa741ad562a

Download Submit
C:\Users\Admin\Desktop\UnpublishLock.vssx.kd8eby0.63A-3FA-916

MD5
2394effbcef2a58e182550b9ea691a2e

SHA1
02079f31ac306874f09b4f297fd7f6428aaa40d1

SHA256
656506acd7848bfe1c003a5714236e0e26076e58539682abad785ea57002c7e9

SHA512
64c027504196edc33cc43e974c84481d803a60069c5678d002a757a733b4a3c8840c043da6e0468ab3bb2dcf12d9f06a5bb607922b93a71f437d78c60ebe1c04

Download Submit
C:\Users\Admin\Desktop\UnregisterSwitch.pps.kd8eby0.63A-3FA-916

MD5
98c7738a026ed2b5817d9256d1e05f00

SHA1
b6a1a620ce638a80a7320c9f169e40b5d09fbf03

SHA256
023dfb9a47e9f1a619b6710ae630ed3f18d55834577393eb7eebb3662a97005b

SHA512
9062eeacaee5a811d82837590246580a1d5512289a3b70e7be9ad46ae3286fe93beda69101846d5e9e8efc4c357d31b3b2412fe4f12138b5b51dcdbf0841cdfc

Download Submit
C:\Users\Admin\Desktop\WatchRevoke.png.kd8eby0.63A-3FA-916

MD5
6ca1a785849b5a7a94f41a95929988d0

SHA1
a67733a8cb947426fa425a07648bd90859d18f69

SHA256
406693c71299d49e5ca07121a3aeb2bc7e62d2f505e1ad6c3fe3bef8ed3a2a58

SHA512
1e4770b9a03bfae747790716d3d21b9cfa48c36df175b9c58970ead13f561bdd04b733db2de2dee2a86a99564ecb94955cbb80b5cf7e75f88c12da9c80231c12

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
memory/612-93-0x0000000000000000-mapping.dmp

Download
memory/676-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/832-125-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/832-123-0x0000000000000000-mapping.dmp

Download
memory/936-76-0x0000000000000000-mapping.dmp

Download
memory/944-83-0x0000000000000000-mapping.dmp

Download
memory/1300-58-0x0000000000000000-mapping.dmp

Download
memory/1312-80-0x0000000000000000-mapping.dmp

Download
memory/1320-91-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/1320-90-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/1320-88-0x0000000000000000-mapping.dmp

Download
memory/1320-92-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/1616-81-0x0000000000000000-mapping.dmp

Download
memory/1672-78-0x0000000000000000-mapping.dmp

Download
memory/1720-79-0x0000000000000000-mapping.dmp

Download
memory/1884-67-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1884-64-0x0000000000000000-mapping.dmp

Download
memory/1884-61-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1936-77-0x0000000000000000-mapping.dmp

Download
memory/1964-86-0x0000000000000000-mapping.dmp

Download