buran | f38c40c74a0a9953697c63fbd375c064cb2d59ce478435c7357bd68f382dd26f

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-en-20211208
submitted
10-12-2021 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1107.exe
Size

250KB
MD5

9fbe16a50773ecb9dbace5e388a6c37e
SHA1

d9da6460238150e2bc24a9e4b2bd085bab2b3e9e
SHA256

f38c40c74a0a9953697c63fbd375c064cb2d59ce478435c7357bd68f382dd26f
SHA512

d29eaad3167b01b7d5b6c7d2c0278ff56bf7c863cf1d13c55d13e16b7adebf33ad86df3b358c5f773bef3e3a9602cd248e1770557745b7ae8735186da8e154e8

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 305-3DC-2B4 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

hgfdfds.execsrss.execsrss.exe

pid process

832 hgfdfds.exe
1212 csrss.exe
1620 csrss.exe

pid	process
832	hgfdfds.exe
1212	csrss.exe
1620	csrss.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

csrss.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ShowGrant.tiff	csrss.exe
File opened for modification	C:\Users\Admin\Pictures\StartResolve.tiff	csrss.exe
File opened for modification	C:\Users\Admin\Pictures\WatchStart.tiff	csrss.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteBlock.tiff	csrss.exe

Loads dropped DLL 2 IoCs

Processes:

hgfdfds.exe

pid process

832 hgfdfds.exe
832 hgfdfds.exe

pid	process
832	hgfdfds.exe
832	hgfdfds.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hgfdfds.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	hgfdfds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	hgfdfds.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\F:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 geoiptool.com

flow	ioc
4	geoiptool.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

csrss.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Mexico_City.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSClientManifest.man	csrss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099173.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MAPIR.DLL.IDX_DLL.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR15F.GIF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200467.WMF.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Address.accft	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00512_.WMF.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Person.css.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04191_.WMF.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01039_.WMF.kd8eby0.305-3DC-2B4	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107730.WMF.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Equity.eftx	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51F.GIF.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT.kd8eby0.305-3DC-2B4	csrss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.kd8eby0.305-3DC-2B4	csrss.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239943.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00391_.WMF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\LATIN1.SHP	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00921_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PG_INDEX.XML.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18229_.WMF.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15060_.GIF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8F.GIF.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\TexturedBlue.css	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl.css.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099192.GIF.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk_1.0.300.v20140407-1803.jar.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml	csrss.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLMAIL.FAE.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jsse.jar.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00012_.WMF	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\New_Salem	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01658_.WMF.kd8eby0.305-3DC-2B4	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21303_.GIF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21323_.GIF	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api	csrss.exe

Drops file in Windows directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT csrss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1872 vssadmin.exe

description	ioc	process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe

pid	process
1872	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

hgfdfds.execsrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	hgfdfds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hgfdfds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hgfdfds.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	csrss.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1492 powershell.exe

pid	process
1492	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

hgfdfds.exeWMIC.exevssvc.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	832	hgfdfds.exe
Token: SeDebugPrivilege	832	hgfdfds.exe
Token: SeIncreaseQuotaPrivilege	820	WMIC.exe
Token: SeSecurityPrivilege	820	WMIC.exe
Token: SeTakeOwnershipPrivilege	820	WMIC.exe
Token: SeLoadDriverPrivilege	820	WMIC.exe
Token: SeSystemProfilePrivilege	820	WMIC.exe
Token: SeSystemtimePrivilege	820	WMIC.exe
Token: SeProfSingleProcessPrivilege	820	WMIC.exe
Token: SeIncBasePriorityPrivilege	820	WMIC.exe
Token: SeCreatePagefilePrivilege	820	WMIC.exe
Token: SeBackupPrivilege	820	WMIC.exe
Token: SeRestorePrivilege	820	WMIC.exe
Token: SeShutdownPrivilege	820	WMIC.exe
Token: SeDebugPrivilege	820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	820	WMIC.exe
Token: SeRemoteShutdownPrivilege	820	WMIC.exe
Token: SeUndockPrivilege	820	WMIC.exe
Token: SeManageVolumePrivilege	820	WMIC.exe
Token: 33	820	WMIC.exe
Token: 34	820	WMIC.exe
Token: 35	820	WMIC.exe
Token: SeBackupPrivilege	748	vssvc.exe
Token: SeRestorePrivilege	748	vssvc.exe
Token: SeAuditPrivilege	748	vssvc.exe
Token: SeIncreaseQuotaPrivilege	820	WMIC.exe
Token: SeSecurityPrivilege	820	WMIC.exe
Token: SeTakeOwnershipPrivilege	820	WMIC.exe
Token: SeLoadDriverPrivilege	820	WMIC.exe
Token: SeSystemProfilePrivilege	820	WMIC.exe
Token: SeSystemtimePrivilege	820	WMIC.exe
Token: SeProfSingleProcessPrivilege	820	WMIC.exe
Token: SeIncBasePriorityPrivilege	820	WMIC.exe
Token: SeCreatePagefilePrivilege	820	WMIC.exe
Token: SeBackupPrivilege	820	WMIC.exe
Token: SeRestorePrivilege	820	WMIC.exe
Token: SeShutdownPrivilege	820	WMIC.exe
Token: SeDebugPrivilege	820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	820	WMIC.exe
Token: SeRemoteShutdownPrivilege	820	WMIC.exe
Token: SeUndockPrivilege	820	WMIC.exe
Token: SeManageVolumePrivilege	820	WMIC.exe
Token: 33	820	WMIC.exe
Token: 34	820	WMIC.exe
Token: 35	820	WMIC.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeIncreaseQuotaPrivilege	796	WMIC.exe
Token: SeSecurityPrivilege	796	WMIC.exe
Token: SeTakeOwnershipPrivilege	796	WMIC.exe
Token: SeLoadDriverPrivilege	796	WMIC.exe
Token: SeSystemProfilePrivilege	796	WMIC.exe
Token: SeSystemtimePrivilege	796	WMIC.exe
Token: SeProfSingleProcessPrivilege	796	WMIC.exe
Token: SeIncBasePriorityPrivilege	796	WMIC.exe
Token: SeCreatePagefilePrivilege	796	WMIC.exe
Token: SeBackupPrivilege	796	WMIC.exe
Token: SeRestorePrivilege	796	WMIC.exe
Token: SeShutdownPrivilege	796	WMIC.exe
Token: SeDebugPrivilege	796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	796	WMIC.exe
Token: SeRemoteShutdownPrivilege	796	WMIC.exe
Token: SeUndockPrivilege	796	WMIC.exe
Token: SeManageVolumePrivilege	796	WMIC.exe
Token: 33	796	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1107.exehgfdfds.execsrss.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1576 wrote to memory of 832	1576	1107.exe	hgfdfds.exe
PID 1576 wrote to memory of 832	1576	1107.exe	hgfdfds.exe
PID 1576 wrote to memory of 832	1576	1107.exe	hgfdfds.exe
PID 1576 wrote to memory of 832	1576	1107.exe	hgfdfds.exe
PID 832 wrote to memory of 1212	832	hgfdfds.exe	csrss.exe
PID 832 wrote to memory of 1212	832	hgfdfds.exe	csrss.exe
PID 832 wrote to memory of 1212	832	hgfdfds.exe	csrss.exe
PID 832 wrote to memory of 1212	832	hgfdfds.exe	csrss.exe
PID 832 wrote to memory of 1144	832	hgfdfds.exe	notepad.exe
PID 832 wrote to memory of 1144	832	hgfdfds.exe	notepad.exe
PID 832 wrote to memory of 1144	832	hgfdfds.exe	notepad.exe
PID 832 wrote to memory of 1144	832	hgfdfds.exe	notepad.exe
PID 832 wrote to memory of 1144	832	hgfdfds.exe	notepad.exe
PID 832 wrote to memory of 1144	832	hgfdfds.exe	notepad.exe
PID 832 wrote to memory of 1144	832	hgfdfds.exe	notepad.exe
PID 1212 wrote to memory of 1716	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1716	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1716	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1716	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 928	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 928	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 928	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 928	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1940	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1940	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1940	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1940	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 2028	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 2028	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 2028	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 2028	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1988	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1988	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1988	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1988	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1412	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1412	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1412	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1412	1212	csrss.exe	cmd.exe
PID 1212 wrote to memory of 1620	1212	csrss.exe	csrss.exe
PID 1212 wrote to memory of 1620	1212	csrss.exe	csrss.exe
PID 1212 wrote to memory of 1620	1212	csrss.exe	csrss.exe
PID 1212 wrote to memory of 1620	1212	csrss.exe	csrss.exe
PID 1988 wrote to memory of 1872	1988	cmd.exe	vssadmin.exe
PID 1988 wrote to memory of 1872	1988	cmd.exe	vssadmin.exe
PID 1988 wrote to memory of 1872	1988	cmd.exe	vssadmin.exe
PID 1988 wrote to memory of 1872	1988	cmd.exe	vssadmin.exe
PID 1412 wrote to memory of 1492	1412	cmd.exe	powershell.exe
PID 1412 wrote to memory of 1492	1412	cmd.exe	powershell.exe
PID 1412 wrote to memory of 1492	1412	cmd.exe	powershell.exe
PID 1412 wrote to memory of 1492	1412	cmd.exe	powershell.exe
PID 1716 wrote to memory of 820	1716	cmd.exe	WMIC.exe
PID 1716 wrote to memory of 820	1716	cmd.exe	WMIC.exe
PID 1716 wrote to memory of 820	1716	cmd.exe	WMIC.exe
PID 1716 wrote to memory of 820	1716	cmd.exe	WMIC.exe
PID 1412 wrote to memory of 796	1412	cmd.exe	WMIC.exe
PID 1412 wrote to memory of 796	1412	cmd.exe	WMIC.exe
PID 1412 wrote to memory of 796	1412	cmd.exe	WMIC.exe
PID 1412 wrote to memory of 796	1412	cmd.exe	WMIC.exe
PID 1212 wrote to memory of 528	1212	csrss.exe	notepad.exe
PID 1212 wrote to memory of 528	1212	csrss.exe	notepad.exe
PID 1212 wrote to memory of 528	1212	csrss.exe	notepad.exe
PID 1212 wrote to memory of 528	1212	csrss.exe	notepad.exe
PID 1212 wrote to memory of 528	1212	csrss.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\1107.exe
"C:\Users\Admin\AppData\Local\Temp\1107.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Public\Videos\hgfdfds.exe
"C:\Users\Public\Videos\hgfdfds.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
4⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1620

C:\Windows\SysWOW64\notepad.exe
notepad.exe
4⤵
PID:528

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:1144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
7f997e364440385cf76045b4b6258bc2

SHA1
133867043c8bfc9809a9394f072f8599c2831720

SHA256
f30e2708743a73666cca5ec8bef719bfed63a994112e8675d6a84f5d3c47b8f3

SHA512
d1c913297a566c475c6cc20cd2e1d340c90afc789b46794fd38715dabb96bdd3584efdb97e6273f547083e066859f1683d50136dd916f7abd3c7e5f6448150ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
8dcfefc921bfbd5a98a7d0f5fc4c1780

SHA1
9048ee5ab9efbd7cafd404e43505fdee2ea26f6e

SHA256
014366405e4b48bb76e09244b3532fb1a30aa6bc6aa650a5feeb88afdff4e194

SHA512
a26faa4562373b2ce673dcca96b93c2a3f82a966be6bf2b8ad27212172c9a45b578e84462de224630983bd08b06836f4a80fd04a7d0a7728b46d3e24ac9c4858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
61e098653a5cd0c15c9b77da2ebbddf2

SHA1
6f15f1f9238a082c5290d9e524c9508e25cfe2e9

SHA256
523b0d5fba1bd75a12a05644bb7c2e0fe1cf9ddf33f4ab2e13678b449d437ad0

SHA512
1b47fb4e0455a27ffb2610b1d14b9c891105c94cd8a8535f571fce0698fdd4e721d23a0230a9ef0b6838b641ffae7aa1e67f92ec5f4fc7abad4a509e389b74c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
8c8f9cd8245206164ece45e8ab6a4a1b

SHA1
b0ced986e7c5ec604d110d286d00d5aefc729e2a

SHA256
d017cfcee31178d752fbd274f2c9b467ef8d43b0bfb6887c7aaf64c73f9678a0

SHA512
5a6c344d274d7af5dc8b23ecbd876a127dbb73ee1bb4e73648dc451b6bc60c23a47fd7b0023a5679a90d52d154fba86e651280641681cac81ed2bd624f51cb0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
513fb0be984958144e97bec173a0c400

SHA1
6f18c626980caa11d4ee28ec0db5e2f1256fc9fc

SHA256
ed5052cbbc0a550481ed294e53fe8c43db8bf4dc9e3af55dd169b445ded3b79a

SHA512
7003d6d4f8350afbf8f24ee95538cf895b1d72420f20432984ddf0a19da0ae0e32fd92b4f708e5d17cf4f9bfda04a12bfe200b294e50e42fcea8fa447e4ae1cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
ee8b7fc45231cd835ef5be65e525dba1

SHA1
5a84cc3f693a01f30dec50fdc460977e89ecc0db

SHA256
06bc83241e04eacfa5360b0d4ae16553b937d2ce1601294c95970307e211c096

SHA512
4668bf08501a61e0d0527eb236bf7ee148c0513aedb8afebb6540d04a38ee33933e4fc3a23b482711df83f8f9767fcb25ba1ecc03ee7b582361e0acd505eee7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
b1dac22f2e83f1381c09c0c062fca296

SHA1
fc4768e037abfa7b9d027f237aafa6ed7019054b

SHA256
d95930829d1ef3a5256600150962e04bcd89f25ba5cf337c885b3fe054f1b66b

SHA512
4b5385b9baf6013a827dff652d6b714d4014f6622389dadb8ed325f7af216ee5eaaa004e4e53dd6a361d446519c1d7bff4d3f51b3bb7e95a0c7feb07eb117743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\9Z2JCT3B.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YFMJZ4T6\6AEG2CZ7.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
e6545ccb3660f88529716ed4e647c713

SHA1
ecd628f29985599a24c5c1d23083c689917dd74e

SHA256
e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

SHA512
f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\Desktop\AddUnlock.css.kd8eby0.305-3DC-2B4
MD5
ea3530799a055c1723c714b7ff76e5bf

SHA1
6cd5be0585a30d3cc6ecc71cec69bd4037746174

SHA256
b8e5eaadf844d18892b1870cb25a84b5b4728da470f2adb0ab244d123a05d476

SHA512
e2442b13f602aed72efed77ec14124eb6f722902d0f7057564e13843485070999c3885fd8ea8502dd015b314626371d89c6364a3044adf589f8c34299b3e2a6d

Download Submit
C:\Users\Admin\Desktop\ConvertFromUnblock.dxf.kd8eby0.305-3DC-2B4
MD5
fd28f9f1eecfb1e279553263634e83de

SHA1
b58e65c4d6c5ea113d3134d831a740715f9dbd2f

SHA256
a98c93d592b355cf9bfcac6c89c9368f20a98318edc20f67f164784609e2a3c2

SHA512
267e686c20f7929d4d868887614b229fe869cc01e7d6a800e08df2d24b2aa786a832d2e4552e5bde1c8a00954208626f7acce946d09075e1ac9c8fdeadcc5718

Download Submit
C:\Users\Admin\Desktop\DebugFind.docx.kd8eby0.305-3DC-2B4
MD5
239b4502158f469a8e9a4015b55ede64

SHA1
eec1d7196bca4b79a204777a958216b51dd36a88

SHA256
6ec3061dce794442b3d1f2cd191efe48df2e8aa3b7f23d7987d5c73347f93991

SHA512
cdb342e89cd9fe3a68849fce535d21de9d25051f38cbf9452981e5440cb849efd6964d8403cda6a8295f3503270cdc719dd892e4114990562387120f1ef9724e

Download Submit
C:\Users\Admin\Desktop\DisableSkip.rle.kd8eby0.305-3DC-2B4
MD5
622ef50737fcb7a51771c1427ff5d995

SHA1
1e964ad23ec9f68cdc1c048ed70048dd56a7648c

SHA256
7ffc7147c0f83eb90b7d076530b49db849ca8a735b57838a91dc2a31887d9a21

SHA512
737601c8c245fa016722049aefc1f47b0fc388ce981189a9827aec797a47124911b8b06d11ffb7286d6cc5b5b741a3f236c5bf69bf9ce5d8b0daf448c9e152fc

Download Submit
C:\Users\Admin\Desktop\EditGroup.gif.kd8eby0.305-3DC-2B4
MD5
601673affcf34c36a2c4fc698b6d1593

SHA1
be93e776647f8a83442702a818f233fc88bd3c7e

SHA256
eb2a187ac7dfd34a37994a8152c98192ba95d5e0346608bacc31383f9519bb0c

SHA512
eeec0ed29fc879fb2305149a777763407d11b57f0ce157ef7dc80afe3b6f8ece263f0ce8421b783ddeee8d761f4afd5ac828b3d8e28a358a1c03dfbdebad69e7

Download Submit
C:\Users\Admin\Desktop\ExitExport.ini.kd8eby0.305-3DC-2B4
MD5
0bbb8b176092aff12540c5eaad96fc15

SHA1
59d9b34179bc18f33bbea4eaf8dc0ac526eb53dc

SHA256
dbac1652b5f8fe8626b8bb43820fe7a0891668b525fe0914e001c2ee05da48b5

SHA512
55b924566c5fbf96efbd3c8e349bcfdd3df3c81138ebf5968f4419825304196ad89642d8f13c7163f9e159d4281c0821f1eb1192defc645e220f41ffe30ac7e6

Download Submit
C:\Users\Admin\Desktop\ExpandTest.xltm.kd8eby0.305-3DC-2B4
MD5
0679529047f7d580979500ceb081d06f

SHA1
4e31f35d5862b349d747ec0a187e0f021fbfdb8a

SHA256
a442098961a9b290d925988bb580f264580b7c38adae8d66454be3360a42c472

SHA512
1dd520ecdf7693acbeb6bed91f4b9c26ab19815f711e76957a3087d9aadd8fd7daf75d16991286ec5ade3be33954941b5562e1aed6aa898a1c18ec46eab740d2

Download Submit
C:\Users\Admin\Desktop\ExportProtect.xlt.kd8eby0.305-3DC-2B4
MD5
97ffb117d4e02ef002928d9f626854ff

SHA1
39dc5376189c307141d4a2677928929c2daef58b

SHA256
78542ffd14a962f5d4a52dadd9abef6a30cc347436b96fc62928dd5026ef5b65

SHA512
b20b8e3e6bbab12dc61455eda2f02a596d2dc5dc4e227959c837975bf544fa09cddcc4c6afb5ec83ab83a91d0f369af403e9a5221fb81806b979dfcf65589447

Download Submit
C:\Users\Admin\Desktop\GetGroup.vssx.kd8eby0.305-3DC-2B4
MD5
341d0e7272c7b6d58c636278fbbdf893

SHA1
5342d67c860f2ae7356d580b0cef2e7fe486f875

SHA256
51d2fe7bbd4da547ba1d574adf414452340d0dfd68c00134e13e0650cdf66695

SHA512
52774fa522f7bd9c52b80bc60db3a26d6b5e1eefbc9e61db676bc0969767b9d607060ed29c26608429576cf5b3205f2063a5e84146c10a5fb6d14821906ac95d

Download Submit
C:\Users\Admin\Desktop\MergeResolve.vsd.kd8eby0.305-3DC-2B4
MD5
c8f42a5bff3a21a29a15b3d92d67ec67

SHA1
960767aba1652e1734c9b8472e0eab7ed1b85f20

SHA256
f8405e0cdab4695edbbb0d159d7a5dff39ea6dc113d03cd1398f68fab901a1e1

SHA512
056763b875464c49d7eb386bdf01fc034ada871cfcd25d27b2456f633ca301150f34e5c5ef5383eae745b370c4c6824386d96cb26b6fab7c4611518003fcbc7a

Download Submit
C:\Users\Admin\Desktop\MoveWait.vsdx.kd8eby0.305-3DC-2B4
MD5
de193cd6428f276e3533225c89bd4da1

SHA1
074039828d745acc65e7fb7774e720b05f91aafa

SHA256
30c33e9bd2b1788f93dd72909262fb358559d5c11190e896bfc3f2d730bf6194

SHA512
6b645ccce2edb85739d3b6fb5ae9389ec12e9ec9b72f97f2f34f51d184feee091b4212c265ca48de560256cf22b0eec73a9149f3821125cffbf06b9ed990bdfb

Download Submit
C:\Users\Admin\Desktop\ReadConvertTo.wps.kd8eby0.305-3DC-2B4
MD5
0283a926c86aaf0500b25e56ee1c4b5f

SHA1
106ab4c4e3d8954a24ff7cf367acc7672548a9a5

SHA256
c043531fd98d1a101cedcc74f2910509c8f6bc4db489a3daa349f67142f1f008

SHA512
83e8da8ac635ef933f06b0859fd3a2df67e92296234002e55e1641e0ade3c4e08d14931bbc3c9c6340da589eee0f0a57751193c1ec681181733f5b1feaceb18d

Download Submit
C:\Users\Admin\Desktop\RepairSearch.3gpp.kd8eby0.305-3DC-2B4
MD5
ecc75839b92a7a2cfa06ef78795d0530

SHA1
51018375309e27f2ebbd494055fe5c427c968f49

SHA256
2655754c7671afbf44899f7a324fe9831dc4bb08fb58ff982f0b692b227f68ab

SHA512
cf65ea5db4cf3d35ca403aa3903963a3bbe22d649bb1153c96e748af45b395293c0b3837231566d3fd2bec48a5c824be81a5bafaf5a37c5694475853a4f45b2a

Download Submit
C:\Users\Admin\Desktop\ResolveEnter.dib.kd8eby0.305-3DC-2B4
MD5
58c9a346862641c7c7e8556585cc1dd5

SHA1
d72687f88911da9e9710a0dfe0402c71d87c33d0

SHA256
f6c2b93b25cc79aa3e61719da22888be4e97c352b9b5f7dceb0083a066efc8f6

SHA512
bf26ac50ef03a01822001920263fab1a9f8b53cf8691474211867e2db37076c1547cbe21102eb1780d4db5c2923877f8f39ec990921e5b0bf7c60129fbdbcbd3

Download Submit
C:\Users\Admin\Desktop\RestartReset.ini.kd8eby0.305-3DC-2B4
MD5
82f68b4dcc3ab8cad8b20dce6d414d23

SHA1
8372d21ff212c4284433fbb544b11479016397e5

SHA256
1028cd436875a76c9cb513359bffca228fe090094d8214ac0e3ed3d13042832a

SHA512
4c4bee9fc6743752f0507cbe344826b66a64f037a6b24d2b44c83916cea6d4c036c19bbfc6ee58ab0f716a55894acae7081da5a41eb042a02621b4dcd9c3e468

Download Submit
C:\Users\Admin\Desktop\StepMerge.wmv.kd8eby0.305-3DC-2B4
MD5
1c03aa5aa7a6b8c05a8b401da3613ef7

SHA1
e120ca05ca92cc0887c83bda76f1a4de036abc21

SHA256
fb0066438bf84aa8be5882b4bd30fa2595b07c62786c10eb38e0cb076bb66ca2

SHA512
531ee0a01d429605779e5dbfe524c34fe51a52e26c54f13bcd05645a220c338b51a5fcdcbddcb5833755a1fc49f4b6d60768ffe62f0c39dae117959b6b33e141

Download Submit
C:\Users\Admin\Desktop\SubmitLimit.svg.kd8eby0.305-3DC-2B4
MD5
775dccaf737e158076d86c508788566d

SHA1
a0c80c08528a191a48b3406c59dea285cfcb2dd4

SHA256
9cc054c35fc530d8af03cf05f901ba73ea945b85f72360ee4565fd466d3f5b84

SHA512
8a630c3347ecaee672866f8b3826314af913db713a981eba074fd4e34adabd1c46ac922afdc20e28da563f309b6c00a9a96e0d5c0fa6e4007fe52b197e0f5197

Download Submit
C:\Users\Admin\Desktop\SwitchWatch.au3.kd8eby0.305-3DC-2B4
MD5
06c171031a18698e77dddf194afa81c8

SHA1
ad277f5400ebcad4bac339f91d3dee6c0227be78

SHA256
84010f5c840c5e7eb0ad3ff33c0e2c2b0ff4c3a940863b873195c62834b70e52

SHA512
68962747a88e4d81c358b0ace378d0e824336b3062f034b9b9e81155f8b274b3ac30bad4eb936b8b4674b6fc8aaad1882405ccaf81e7f7864ce55c8d6966d18d

Download Submit
C:\Users\Admin\Desktop\TestResume.MOD.kd8eby0.305-3DC-2B4
MD5
11611184d12ff51744befcf53d73cdb1

SHA1
f9bdaf00ae4dc0ac59f85da6b507b922ee8b589b

SHA256
dc2187ab86fe58882b67d1d17bbab4a4e734ba83cd53240eadfc9ce7e65b09d0

SHA512
ad03862eca580abaff76370eaac17fe257f08282ad2c10ccc701ffb75538e28b1d807cb438f7be46e18997b59dbdfa6957203eef8a690819a8a72464b0e1051c

Download Submit
C:\Users\Admin\Desktop\TestUndo.fon.kd8eby0.305-3DC-2B4
MD5
3ff058111c5b4dc4c89d2ce2759e3c27

SHA1
e558bad5b7a44cb548efdd515e1fb7315882788f

SHA256
1ee045ec67716d154d57f5249452a807744a9d338afc6299d9bea114770a3570

SHA512
c507406f0530601bed01cb885a23a4340a3f21f606e1db5a66a36d0aa0d3cc382be6d7f381db3ca14f132f4c0d43c4e3cb87a12b0ad9e0079015a17ad8605d11

Download Submit
C:\Users\Admin\Desktop\TraceDeny.pptm.kd8eby0.305-3DC-2B4
MD5
867a729db7d1650bc4fd13b8acececd5

SHA1
6e0ef3e1635b3899a553ba433d2791858e230bca

SHA256
5cdaf4988ba596997eef69763e0f8423775903ac2813c3abbade6563f0c94612

SHA512
3d6f2330ae0830212d2ce457bcd5efabfe95d9a9fb595697baee7ffb5d820e92cd0bca7689ea7abb5f4c53f04134db40400cb708e5d9b5108d9e1ce6a551776c

Download Submit
C:\Users\Admin\Desktop\UnprotectPing.tif.kd8eby0.305-3DC-2B4
MD5
d0795bec62c4ad5deb4551ac50a0fa48

SHA1
9dff030862e8945b288111fe8408eec01527abb1

SHA256
dcf4445edaaa554b5fec4fb48c40783231c055575eb307fd0b98e459676cd226

SHA512
d1ec68e698a9d71e44302c079cf483ee49b58e29d1577fd07afa5e1cba1c40dbd61decdbe67c5b807f1574aed0941997951edb30ca0f91c4ff5ff6341bb89326

Download Submit
C:\Users\Public\Videos\hgfdfds.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
memory/528-123-0x0000000000000000-mapping.dmp

Download
memory/528-125-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/796-97-0x0000000000000000-mapping.dmp

Download
memory/820-93-0x0000000000000000-mapping.dmp

Download
memory/832-58-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x0000000000000000-mapping.dmp

Download
memory/928-81-0x0000000000000000-mapping.dmp

Download
memory/1144-72-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1144-65-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1144-69-0x0000000000000000-mapping.dmp

Download
memory/1212-62-0x0000000000000000-mapping.dmp

Download
memory/1412-85-0x0000000000000000-mapping.dmp

Download
memory/1492-95-0x0000000002570000-0x00000000031BA000-memory.dmp

Filesize
12.3MB

Download
memory/1492-96-0x0000000002570000-0x00000000031BA000-memory.dmp

Filesize
12.3MB

Download
memory/1492-92-0x0000000000000000-mapping.dmp

Download
memory/1576-55-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download
memory/1620-87-0x0000000000000000-mapping.dmp

Download
memory/1716-80-0x0000000000000000-mapping.dmp

Download
memory/1872-91-0x0000000000000000-mapping.dmp

Download
memory/1940-82-0x0000000000000000-mapping.dmp

Download
memory/1988-84-0x0000000000000000-mapping.dmp

Download
memory/2028-83-0x0000000000000000-mapping.dmp

Download