buran | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
259s
max time network
301s
platform
windows10_x64
resource
win10-en-20211104
submitted
12-11-2021 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 137-003-116 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

taskeng.exetaskeng.exe

pid process

4392 taskeng.exe
3672 taskeng.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

4360 notepad.exe

pid	process
4392	taskeng.exe
3672	taskeng.exe

pid	process
4360	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

default.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run	default.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	process
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\F:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 geoiptool.com

flow	ioc
10	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-100.png	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ul-phn.xrm-ms.137-003-116	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\za_16x11.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.ELM.137-003-116	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.2.24002.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\CalculatorWideTile.scale-100.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-100.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\ui-strings.js.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-125.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_ClipAndAdd_LTR_Tablet.mp4	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-200.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close.png	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xsl	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Moon.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\mo_16x11.png	taskeng.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_FR.LEX.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-unplated_contrast-white.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\PeopleApp.exe	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_altform-unplated_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files\StartCompress.cab.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms.137-003-116	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\ui-strings.js.137-003-116	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js.137-003-116	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\virgo-new-folder.svg.137-003-116	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-down_32.svg.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-300.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\AppxManifest.xml	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF.137-003-116	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\gl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_rate_and_review.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nl_135x40.svg.137-003-116	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\MapsSplashScreen.scale-125.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.137-003-116	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_hover_18.svg	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx.137-003-116	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\ProjectionCylindric.scale-100.png	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1884 vssadmin.exe

pid	process
1884	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

default.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	default.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

default.exetaskeng.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4244	default.exe
Token: SeDebugPrivilege	4244	default.exe
Token: SeDebugPrivilege	4392	taskeng.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemProfilePrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeProfSingleProcessPrivilege	2620	WMIC.exe
Token: SeIncBasePriorityPrivilege	2620	WMIC.exe
Token: SeCreatePagefilePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeDebugPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeRemoteShutdownPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: 33	2620	WMIC.exe
Token: 34	2620	WMIC.exe
Token: 35	2620	WMIC.exe
Token: 36	2620	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2620	WMIC.exe
Token: SeSecurityPrivilege	2620	WMIC.exe
Token: SeTakeOwnershipPrivilege	2620	WMIC.exe
Token: SeLoadDriverPrivilege	2620	WMIC.exe
Token: SeSystemProfilePrivilege	2620	WMIC.exe
Token: SeSystemtimePrivilege	2620	WMIC.exe
Token: SeProfSingleProcessPrivilege	2620	WMIC.exe
Token: SeIncBasePriorityPrivilege	2620	WMIC.exe
Token: SeCreatePagefilePrivilege	2620	WMIC.exe
Token: SeBackupPrivilege	2620	WMIC.exe
Token: SeRestorePrivilege	2620	WMIC.exe
Token: SeShutdownPrivilege	2620	WMIC.exe
Token: SeDebugPrivilege	2620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2620	WMIC.exe
Token: SeRemoteShutdownPrivilege	2620	WMIC.exe
Token: SeUndockPrivilege	2620	WMIC.exe
Token: SeManageVolumePrivilege	2620	WMIC.exe
Token: 33	2620	WMIC.exe
Token: 34	2620	WMIC.exe
Token: 35	2620	WMIC.exe
Token: 36	2620	WMIC.exe
Token: SeBackupPrivilege	3172	vssvc.exe
Token: SeRestorePrivilege	3172	vssvc.exe
Token: SeAuditPrivilege	3172	vssvc.exe
Token: SeDebugPrivilege	4392	taskeng.exe
Token: SeDebugPrivilege	4392	taskeng.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

default.exetaskeng.execmd.execmd.exe

description	pid	process	target process
PID 4244 wrote to memory of 4392	4244	default.exe	taskeng.exe
PID 4244 wrote to memory of 4392	4244	default.exe	taskeng.exe
PID 4244 wrote to memory of 4392	4244	default.exe	taskeng.exe
PID 4244 wrote to memory of 4360	4244	default.exe	notepad.exe
PID 4244 wrote to memory of 4360	4244	default.exe	notepad.exe
PID 4244 wrote to memory of 4360	4244	default.exe	notepad.exe
PID 4244 wrote to memory of 4360	4244	default.exe	notepad.exe
PID 4244 wrote to memory of 4360	4244	default.exe	notepad.exe
PID 4244 wrote to memory of 4360	4244	default.exe	notepad.exe
PID 4392 wrote to memory of 3672	4392	taskeng.exe	taskeng.exe
PID 4392 wrote to memory of 3672	4392	taskeng.exe	taskeng.exe
PID 4392 wrote to memory of 3672	4392	taskeng.exe	taskeng.exe
PID 4392 wrote to memory of 592	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 592	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 592	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1000	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1000	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1000	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1056	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1056	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1056	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1252	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1252	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1252	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1500	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1500	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1500	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1732	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1732	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 1732	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 2076	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 2076	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 2076	4392	taskeng.exe	cmd.exe
PID 2076 wrote to memory of 2620	2076	cmd.exe	WMIC.exe
PID 2076 wrote to memory of 2620	2076	cmd.exe	WMIC.exe
PID 2076 wrote to memory of 2620	2076	cmd.exe	WMIC.exe
PID 4392 wrote to memory of 3792	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 3792	4392	taskeng.exe	cmd.exe
PID 4392 wrote to memory of 3792	4392	taskeng.exe	cmd.exe
PID 3792 wrote to memory of 1884	3792	cmd.exe	vssadmin.exe
PID 3792 wrote to memory of 1884	3792	cmd.exe	vssadmin.exe
PID 3792 wrote to memory of 1884	3792	cmd.exe	vssadmin.exe
PID 4392 wrote to memory of 4616	4392	taskeng.exe	notepad.exe
PID 4392 wrote to memory of 4616	4392	taskeng.exe	notepad.exe
PID 4392 wrote to memory of 4616	4392	taskeng.exe	notepad.exe
PID 4392 wrote to memory of 4616	4392	taskeng.exe	notepad.exe
PID 4392 wrote to memory of 4616	4392	taskeng.exe	notepad.exe
PID 4392 wrote to memory of 4616	4392	taskeng.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\default.exe
"C:\Users\Admin\AppData\Local\Temp\default.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1884

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:4616

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:4360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
e3e3b0a46e8a480b91b2958f84492c21

SHA1
d53c4d0cae15edeb1364156cf5e7f1f78c8947a8

SHA256
8f80b0fc1c1c54daefb919e0ad44f52abfa9c4eb46da55fb8129b7f65209061f

SHA512
0549eddf61463dafce23e4d9808e64401d2ce9e61f65447287e98da73bcf9733fe9da2809b5887ac56dd4c313366496348510cb9d9576b264549148e4d0f39e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
eed44928e946f50ed36d37752d7de3ac

SHA1
a2ae1a3cad33819ebb8022ea9558769e5a441921

SHA256
7626e74ff44217673c53af18c53b5bc37ba411bb3f4db0daa1dc13f5db0edb5d

SHA512
ef7c6263485fa47204c5cea4d0c782def13b7b568653037eb1ef1d057aaaacd026fd40db3ab9ae90ea9473f69f5a3866fdf1dfb64ec03ab47a589ecd131c5918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
c026f0cefed02193d3bf7078c32c1f4b

SHA1
74357c790437e708d6152492f14f9a308a41c1ee

SHA256
a2293aa5e0cba820827fe6cbecf5d053a12c5cd625971c6470a5fc5079b95d8e

SHA512
f0e718e04dbd20c150659251786bd363f5aceb0a789f6e03b84e43405aebd3487e682a9fdfaf68c9f55e260a632fde553d0c85f317dd80960aec547632f6874a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
1183e2958166e358799b05fb7a4811bb

SHA1
3e79c3a1fc9f2d314517c3d7d1ef44f360821c0d

SHA256
285872350af4e78397a7ab1973d07f6b657b1efba691572d520649f4dbd61f9f

SHA512
0e33796e880929621ffa8ddf39ff9cab515a0492d8e836e86531f878ecf4fb0bace444b179032413176c56e95cb4d125e1f48991e36f3b4220def79d7bf1370d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
d0ffee2a6c6f3d281dbf57866509b989

SHA1
41b9b2740fb4b3f8884e51a2f2ed10f520510799

SHA256
c00538fc442f039387caf73f98f416f67cdd4951715fe3b117e12ad073180451

SHA512
9bac21fad97133c098ffb448cc82d076f0a659eee8a6fb282e096fa475f0e94ab9bd6c06df0ebc6294ad5ad50b9c0b136aca0cae1e97ad1b1424715092ff7e7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
a0ed7ef79266ce47809afb5b73deef54

SHA1
72aaf2732f5445375b36c5cd8f2b438e9efa9c4d

SHA256
0f611c0387e0374503bfee4201d8b6591ddbf6945df27dacc066126ef80bdd6a

SHA512
6c65c01a25e63cc5c435908a99910c0e78225e1ca0874dc24f2416b858c87baea775234d72963b71dc8aa01810202c4275c19c799ee1b7ae58b5e6912b103240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0JDXA5XR\ONK9N9E3.htm

MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8YCK9U05\31Y09QY2.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\Users\Admin\Desktop\ClearRename.wmf.137-003-116

MD5
4e81886a36aa9c0b3d195b5e94a01089

SHA1
9275d8ea9e545d8fe3e025e05d159264431ca747

SHA256
61e3399be935a73dfafecd1a7d1ab14690bcb9d655e6d09037fe43263b325e5f

SHA512
f5482a62ed344f1cbae33a5f60372020c8dcc934f9361a7a42e7ca0fbf3540a93bc60dae16215903b21cc34ff4007081c7599489f67c71a212d5a35e347ff7c9

Download Submit
C:\Users\Admin\Desktop\CompressFormat.pps.137-003-116

MD5
54e07f8e19a8b1a80e837dc45011f9c5

SHA1
315263a66a69776bbf64f3e5a8a4638496260244

SHA256
24112a8a606fe0ea2935fad06bca47276b91f6786fc5a9889052149728423553

SHA512
787eee9b90448dadb1b2d9d51157e8726c9ad6686ff186d85ad2b5fe3b77f097c4eb21ff1421d4451d9da9daa4e90b3ee19b4f76674626f3764d0682e0330c83

Download Submit
C:\Users\Admin\Desktop\EditDisconnect.wps.137-003-116

MD5
f3b0b0c78dda9b0fb898b9a5f6b61256

SHA1
553eb7d300a1f2347889dc74a0064369c320eec9

SHA256
63cd9fc5ed746c0e68b8030f702138dcdd86ccf844e34635d01628a0999b8951

SHA512
bbea8bb1eea7e13e7daf49a931e5ccd0bc2652ec2092ad31985aa9305ae2ec32b49ca925bb0a536dce78d71bdba85716f9d28a20e68a0b0c28d6101698602f0c

Download Submit
C:\Users\Admin\Desktop\FindExpand.xps.137-003-116

MD5
05c3b392588aa6a37da2be179f5e4193

SHA1
a5e4c727fc1ab8b574c7350c70fb8f364dc73aeb

SHA256
b02153e96c728d33aad9848ed0a7f1e3b5bf93f92ed999780f22daf02a9be169

SHA512
15730bfd8a09dfd1f7dfffd34108db20be288a22bc5154c3a778d0bb56f0b7ffaf419791f543756a45e0d84398586812e0b74d3f1c78be694b9e8deebc65d587

Download Submit
C:\Users\Admin\Desktop\FindLimit.ods.137-003-116

MD5
cf0c221d2e35bb2d010acd26f30d16cc

SHA1
bcffea30dd03774688f4c8bb61a1e11b6e62aec7

SHA256
56d96546ab9b5e8d646f55b2419d8bf2711af56177d7c4fd4d9ff5e66b0737b8

SHA512
da8a10b46088fa500f596679c31f1b2fd240b39ee2345c17cdd1afb785bf0f5ca287910aa9b58d9947882c66033c72c9840dad96979ea08e85d4f4b88ebf5c87

Download Submit
C:\Users\Admin\Desktop\GroupImport.zip.137-003-116

MD5
76347e9801cf24f7b92a4d45261bc48a

SHA1
43ce080f30bb993891d21b691fb5567eb8ef5e88

SHA256
b7a74b40360294f8459bd5438e918187c693939dd4460e567592b081d1277c7c

SHA512
4aa609ac61c0c52f59fa8355298731512f73af37f92db48ebcc982bd756a584cd1bf8c5fcca25eb5019a9041f69c0b8baf8bd19a64a4414f16d0831267bca9cb

Download Submit
C:\Users\Admin\Desktop\ImportResolve.tif.137-003-116

MD5
e6e840f9d044a20e98abf59b0df86e26

SHA1
4affb9ec53772aafd8c54807bcf04d582730ac99

SHA256
0a54e4359d5eaf11b228cbf20f1e6fdb2a12905fb0ef673cbd94a5a3759e08ac

SHA512
b4a2764cf14c9decd11bdfcfede511a9637338aaf83b2b7d6f32dc7fc6d91821f1a10d8b552fdb40a0dc0edb49a105414039e1ae5340fb88e11b11e22ce7d0a3

Download Submit
C:\Users\Admin\Desktop\InvokeRequest.DVR.137-003-116

MD5
610d40bbf8eaac80ba90bd3dbb35d493

SHA1
7ba484460c13a58975700c9c6b0bd407656a1bf3

SHA256
784b0abd0ea70ed2ed0636791050ae524685d561aa65b9f9da02347a873f226f

SHA512
987a27956b01b9ce7ad7e5b11d74d24cb9f58cb06bec20f47f70420d0f769c11fdc134eacb1054d5c855531080d1d20d2d76a22844477af9afa377ec0d4fa18d

Download Submit
C:\Users\Admin\Desktop\JoinEnable.vsd.137-003-116

MD5
a3057444b8050f896a9f1dacb28f9c93

SHA1
9beaaa7485280b7784983c5fb6f591952fbe5334

SHA256
96ef550865c3553be2a877274f3d03d1d3d0fd2118d91d5244fb3caffaf60e5c

SHA512
4a2e7ed42c9c9900a355d75203c7bdcc921f5e5426dfdb82785918e68dbb300f684af07f2f4cf243348d175592cf81fee3321185283b010407a9fb0e290d1e67

Download Submit
C:\Users\Admin\Desktop\JoinRestart.xltm.137-003-116

MD5
b42c9dd6def3aaa1b995969ab1f4e430

SHA1
8c2aa3f96e8e4c00d6a0943db0e492b08c9cded0

SHA256
0b504fa8235abd79139ecb5bc61602e44b7398ba0039e1618d02037f8c3a293f

SHA512
9234d8288dd7ef767b228f7779f9cf123d513b7ce7361c870059eccc2ea06e2257a2a1ee9360b61603b72648173d94610e88715ffb83355e3e6814f695b338a2

Download Submit
C:\Users\Admin\Desktop\LimitPop.wmv.137-003-116

MD5
e207046a0c046cb2bec6487f1b180b30

SHA1
075c60706a0a7ee7f055fef00fa0d570c2c6eea2

SHA256
5091759161cee416dbf64918318bae2918698fe81b0f0ee286a6e3ffb375f593

SHA512
d507988c5477b6bd68ecc2674fa1d15211d6b652a4178cf41f47b445060270aa05d1446ece90de73a36bf1593cbe9f48ffaa0e2fc02b72b115d9a78024b06643

Download Submit
C:\Users\Admin\Desktop\MoveDismount.tiff.137-003-116

MD5
98a492f9ae727a7cdff03805e0a23bcd

SHA1
bb3f2839903c4e456b915fb4c72813ce21e5a459

SHA256
9cd417e39e9c7586760cfd9f79efd613d2b9a1161171bdf7e3c0c7df62b76476

SHA512
c607dfa5e794ecdd41efd8b2814e21ff53017a1bd76245f22d87fe398aaf7d8cb91e03287ff91efe23f85c811f044ea6b522befbe3cadceba26352dc0176bf2b

Download Submit
C:\Users\Admin\Desktop\NewStop.png.137-003-116

MD5
8d69e31dec295c958ba029563daef644

SHA1
d6fc04bc344504507a9e4d8e599422666e1a42c0

SHA256
4937f997e65ba9e57f91cebd6a7d2057a81d40ca0483ebce1c3fa58a746d0c91

SHA512
f22de4f213ff1ad95820a0b24caece5f52b90edf9342dd221d8ced4ab63f8f66a94114fc0a462c50e696a97ca1adb5830bb194f025f159cde6111a45683a0ce6

Download Submit
C:\Users\Admin\Desktop\PingBackup.ocx.137-003-116

MD5
2eda7e4ec219b6be1540c71bf4ca5172

SHA1
81cf6c577b440e9e96a55a366100e09da992341a

SHA256
2aba79e01fd2d84d9ae3b7f5e4a8630b89b9a147a962d0ea662d176bd4d5e7f5

SHA512
37617f431e4c4517f8e271faf1b86565e8507e4efc76881479c9edaa8abfb1f0a50a937aa5a3187bc2ecd557b3226ceadae5af5ff007c8b92ffb7f887546585a

Download Submit
C:\Users\Admin\Desktop\PushDisconnect.xps.137-003-116

MD5
870e7b9297336040f88507c66a1cde58

SHA1
21b5bb0869ca5f699134c881b666d296286027ca

SHA256
657907a80f77052ffc19be3109c4a2e926351eacb8fb22c627d48065d992ff65

SHA512
8dac2ab3062e825ef1ebf28c366d108329e98aabd01cee3cfc0fac3a03086e73c13c2bf06b388c7787ee2cffabf8137ffde5a89d594b1ed88c3f44568746a8a3

Download Submit
C:\Users\Admin\Desktop\RemoveHide.html.137-003-116

MD5
128f41610ee5aa32df5b1887069cfc1d

SHA1
afb95fd57c246cac88f3b86b898f85fa4f1cb92b

SHA256
16166bb3aa4d716086bd115d9dadfe6f63b18c78b44665d2df5b3431758d4bcc

SHA512
19aa880d8d6fedd8d3e5bd9c813c11b9c027edda0b2d392a4fabe351654f672933a911fbb3b307b116a4f6d970414931624362274e43ccc2bb1e6954bf37d5c3

Download Submit
C:\Users\Admin\Desktop\SaveRedo.cr2.137-003-116

MD5
1a62bdc4ed0986f499d2f3ba835f9877

SHA1
5809161db1c1dc20e5bab631c8876947fe3a9ee2

SHA256
5cc0c424212528ddab4070001a9bab259a288306815d0a6c5ca29a266c7d157c

SHA512
da090fca23ecc087943e2b804156faceab71da75b6013b2a018600c4bf3abfbe50773f8b56d7c0b425fe72cca6dfa1fc606b45803b836b31a5313a61f4b921e1

Download Submit
C:\Users\Admin\Desktop\SetAdd.ttc.137-003-116

MD5
44e04914a5a1b8d846b5a7e7dc544155

SHA1
6b673c5a46eea127d9b44bfaf526d68f941294b3

SHA256
74799c0adeda69a66429a095b83b1634727a4d90c5eb6199698450ba823c63e1

SHA512
a029b1d3488a2205286772deab2070116216458b92c8e3c6a4c03512c2076d5ca2fdda6fe201562efd4b0bfb4772976aa1ae16774e525952041400926f115b41

Download Submit
C:\Users\Admin\Desktop\TestSearch.m3u.137-003-116

MD5
1e3a9012f89d597c6fe9da80a956b7c6

SHA1
9a54441ee94fdc5e573d3c09e86aa51570b224df

SHA256
8b782ee1245aa01691a66621db8b9b49d9ac152bcf25b3707248d905e4e593fd

SHA512
0da93a1f5073cf77ea5cd0f720a4b2a97d22d9208d69bd2b3a7df3b8449c66caff9082bd5c6899d9529ac7857e5999bfebe0df69576a39524c92d73513788380

Download Submit
C:\Users\Admin\Desktop\TraceRename.vb.137-003-116

MD5
e594427740c1aff8dde2ef03b2a0965d

SHA1
b2ca3c50c93bd52cd5c043ab4f21c7edc1bd6531

SHA256
c9677fde3016a704e3ce86a205671369a4d2d71810f1f01dc71da216a10f406a

SHA512
63ed94a6b97ce14aa0fec0399480d600aa6d6fc7ee25c33e467511a3e2d8ec9581a4130e1d6ccb2850214a355e4ae4c0e0c0daf2efc40eb57d347aad0800390b

Download Submit
memory/592-133-0x0000000000000000-mapping.dmp

Download
memory/1000-134-0x0000000000000000-mapping.dmp

Download
memory/1056-135-0x0000000000000000-mapping.dmp

Download
memory/1252-136-0x0000000000000000-mapping.dmp

Download
memory/1500-137-0x0000000000000000-mapping.dmp

Download
memory/1732-138-0x0000000000000000-mapping.dmp

Download
memory/1884-142-0x0000000000000000-mapping.dmp

Download
memory/2076-139-0x0000000000000000-mapping.dmp

Download
memory/2620-140-0x0000000000000000-mapping.dmp

Download
memory/3672-131-0x0000000000000000-mapping.dmp

Download
memory/3792-141-0x0000000000000000-mapping.dmp

Download
memory/4360-130-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/4360-121-0x0000000000000000-mapping.dmp

Download
memory/4392-118-0x0000000000000000-mapping.dmp

Download
memory/4616-163-0x0000000000000000-mapping.dmp

Download
memory/4616-164-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download