buran | f38c40c74a0a9953697c63fbd375c064cb2d59ce478435c7357bd68f382dd26f

Analysis

max time kernel
121s
max time network
136s
platform
windows10_x64
resource
win10-en-20211208
submitted
10-12-2021 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1107.exe
Size

250KB
MD5

9fbe16a50773ecb9dbace5e388a6c37e
SHA1

d9da6460238150e2bc24a9e4b2bd085bab2b3e9e
SHA256

f38c40c74a0a9953697c63fbd375c064cb2d59ce478435c7357bd68f382dd26f
SHA512

d29eaad3167b01b7d5b6c7d2c0278ff56bf7c863cf1d13c55d13e16b7adebf33ad86df3b358c5f773bef3e3a9602cd248e1770557745b7ae8735186da8e154e8

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: E89-070-E57 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

hgfdfds.exesvchost.exesvchost.exe

pid process

3532 hgfdfds.exe
640 svchost.exe
2748 svchost.exe

pid	process
3532	hgfdfds.exe
640	svchost.exe
2748	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hgfdfds.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run	hgfdfds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	hgfdfds.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 geoiptool.com

flow	ioc
14	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-black_scale-100.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\[email protected]	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5313_24x24x32.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-150.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_sv.properties.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_background_full.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\ui-strings.js.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\PYCC.pf	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\Movie-TVStoreLogo.scale-200_contrast-white.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.winmd	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\MedTile.scale-100.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\AppxManifest.xml	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview.svg	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7336_24x24x32.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\SplashScreen.scale-150.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons.png.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_2017.311.255.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.boot.tree.dat.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\de-DE.PhoneNumber.ot	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-48.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\MSASignIn.winmd	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\appuri.ot	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.scale-200.png	svchost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-unplated.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\oregres.dll.mui.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-200_contrast-black.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\ui-strings.js.kd8eby0.E89-070-E57	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.Services.winmd	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-100.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\WideTile.scale-200.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\SmallTile.scale-200.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\ui-strings.js	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.kd8eby0.E89-070-E57	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1380 vssadmin.exe

description	ioc	process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe

pid	process
1380	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

hgfdfds.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	hgfdfds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hgfdfds.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1196 powershell.exe
1196 powershell.exe
1196 powershell.exe

pid	process
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

hgfdfds.exeWMIC.exevssvc.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3532	hgfdfds.exe
Token: SeDebugPrivilege	3532	hgfdfds.exe
Token: SeIncreaseQuotaPrivilege	1040	WMIC.exe
Token: SeSecurityPrivilege	1040	WMIC.exe
Token: SeTakeOwnershipPrivilege	1040	WMIC.exe
Token: SeLoadDriverPrivilege	1040	WMIC.exe
Token: SeSystemProfilePrivilege	1040	WMIC.exe
Token: SeSystemtimePrivilege	1040	WMIC.exe
Token: SeProfSingleProcessPrivilege	1040	WMIC.exe
Token: SeIncBasePriorityPrivilege	1040	WMIC.exe
Token: SeCreatePagefilePrivilege	1040	WMIC.exe
Token: SeBackupPrivilege	1040	WMIC.exe
Token: SeRestorePrivilege	1040	WMIC.exe
Token: SeShutdownPrivilege	1040	WMIC.exe
Token: SeDebugPrivilege	1040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1040	WMIC.exe
Token: SeRemoteShutdownPrivilege	1040	WMIC.exe
Token: SeUndockPrivilege	1040	WMIC.exe
Token: SeManageVolumePrivilege	1040	WMIC.exe
Token: 33	1040	WMIC.exe
Token: 34	1040	WMIC.exe
Token: 35	1040	WMIC.exe
Token: 36	1040	WMIC.exe
Token: SeBackupPrivilege	2284	vssvc.exe
Token: SeRestorePrivilege	2284	vssvc.exe
Token: SeAuditPrivilege	2284	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1040	WMIC.exe
Token: SeSecurityPrivilege	1040	WMIC.exe
Token: SeTakeOwnershipPrivilege	1040	WMIC.exe
Token: SeLoadDriverPrivilege	1040	WMIC.exe
Token: SeSystemProfilePrivilege	1040	WMIC.exe
Token: SeSystemtimePrivilege	1040	WMIC.exe
Token: SeProfSingleProcessPrivilege	1040	WMIC.exe
Token: SeIncBasePriorityPrivilege	1040	WMIC.exe
Token: SeCreatePagefilePrivilege	1040	WMIC.exe
Token: SeBackupPrivilege	1040	WMIC.exe
Token: SeRestorePrivilege	1040	WMIC.exe
Token: SeShutdownPrivilege	1040	WMIC.exe
Token: SeDebugPrivilege	1040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1040	WMIC.exe
Token: SeRemoteShutdownPrivilege	1040	WMIC.exe
Token: SeUndockPrivilege	1040	WMIC.exe
Token: SeManageVolumePrivilege	1040	WMIC.exe
Token: 33	1040	WMIC.exe
Token: 34	1040	WMIC.exe
Token: 35	1040	WMIC.exe
Token: 36	1040	WMIC.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

1107.exehgfdfds.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2424 wrote to memory of 3532	2424	1107.exe	hgfdfds.exe
PID 2424 wrote to memory of 3532	2424	1107.exe	hgfdfds.exe
PID 2424 wrote to memory of 3532	2424	1107.exe	hgfdfds.exe
PID 3532 wrote to memory of 640	3532	hgfdfds.exe	svchost.exe
PID 3532 wrote to memory of 640	3532	hgfdfds.exe	svchost.exe
PID 3532 wrote to memory of 640	3532	hgfdfds.exe	svchost.exe
PID 3532 wrote to memory of 904	3532	hgfdfds.exe	notepad.exe
PID 3532 wrote to memory of 904	3532	hgfdfds.exe	notepad.exe
PID 3532 wrote to memory of 904	3532	hgfdfds.exe	notepad.exe
PID 3532 wrote to memory of 904	3532	hgfdfds.exe	notepad.exe
PID 3532 wrote to memory of 904	3532	hgfdfds.exe	notepad.exe
PID 3532 wrote to memory of 904	3532	hgfdfds.exe	notepad.exe
PID 640 wrote to memory of 3744	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 3744	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 3744	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 3628	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 3628	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 3628	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 3484	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 3484	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 3484	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 1156	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 1156	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 1156	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 2636	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 2636	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 2636	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 1444	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 1444	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 1444	640	svchost.exe	cmd.exe
PID 640 wrote to memory of 2748	640	svchost.exe	svchost.exe
PID 640 wrote to memory of 2748	640	svchost.exe	svchost.exe
PID 640 wrote to memory of 2748	640	svchost.exe	svchost.exe
PID 2636 wrote to memory of 1380	2636	cmd.exe	vssadmin.exe
PID 2636 wrote to memory of 1380	2636	cmd.exe	vssadmin.exe
PID 2636 wrote to memory of 1380	2636	cmd.exe	vssadmin.exe
PID 1444 wrote to memory of 1196	1444	cmd.exe	powershell.exe
PID 1444 wrote to memory of 1196	1444	cmd.exe	powershell.exe
PID 1444 wrote to memory of 1196	1444	cmd.exe	powershell.exe
PID 3744 wrote to memory of 1040	3744	cmd.exe	WMIC.exe
PID 3744 wrote to memory of 1040	3744	cmd.exe	WMIC.exe
PID 3744 wrote to memory of 1040	3744	cmd.exe	WMIC.exe
PID 1444 wrote to memory of 3596	1444	cmd.exe	WMIC.exe
PID 1444 wrote to memory of 3596	1444	cmd.exe	WMIC.exe
PID 1444 wrote to memory of 3596	1444	cmd.exe	WMIC.exe
PID 640 wrote to memory of 904	640	svchost.exe	notepad.exe
PID 640 wrote to memory of 904	640	svchost.exe	notepad.exe
PID 640 wrote to memory of 904	640	svchost.exe	notepad.exe
PID 640 wrote to memory of 904	640	svchost.exe	notepad.exe
PID 640 wrote to memory of 904	640	svchost.exe	notepad.exe
PID 640 wrote to memory of 904	640	svchost.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\1107.exe
"C:\Users\Admin\AppData\Local\Temp\1107.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Public\Videos\hgfdfds.exe
"C:\Users\Public\Videos\hgfdfds.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
4⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delete /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1380

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:1156

C:\Windows\SysWOW64\notepad.exe
notepad.exe
4⤵
PID:904

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
7f997e364440385cf76045b4b6258bc2

SHA1
133867043c8bfc9809a9394f072f8599c2831720

SHA256
f30e2708743a73666cca5ec8bef719bfed63a994112e8675d6a84f5d3c47b8f3

SHA512
d1c913297a566c475c6cc20cd2e1d340c90afc789b46794fd38715dabb96bdd3584efdb97e6273f547083e066859f1683d50136dd916f7abd3c7e5f6448150ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
8dcfefc921bfbd5a98a7d0f5fc4c1780

SHA1
9048ee5ab9efbd7cafd404e43505fdee2ea26f6e

SHA256
014366405e4b48bb76e09244b3532fb1a30aa6bc6aa650a5feeb88afdff4e194

SHA512
a26faa4562373b2ce673dcca96b93c2a3f82a966be6bf2b8ad27212172c9a45b578e84462de224630983bd08b06836f4a80fd04a7d0a7728b46d3e24ac9c4858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
61e098653a5cd0c15c9b77da2ebbddf2

SHA1
6f15f1f9238a082c5290d9e524c9508e25cfe2e9

SHA256
523b0d5fba1bd75a12a05644bb7c2e0fe1cf9ddf33f4ab2e13678b449d437ad0

SHA512
1b47fb4e0455a27ffb2610b1d14b9c891105c94cd8a8535f571fce0698fdd4e721d23a0230a9ef0b6838b641ffae7aa1e67f92ec5f4fc7abad4a509e389b74c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
91faa5ba21a804a53b771f1874d242e4

SHA1
66cc09cc76dc6acd51fe92f534f65132cfb4fe15

SHA256
b7b4485467ce68e50ac1ae09f4f66bafc22245683a66af91109f4c900d942dbf

SHA512
da9659e06b5a3b8ddba0adf6f96b95e6553f55107464a571c48cbbc403cd7171ffeeb09eb52171dadc102a5ff22c5a7233fdb35a9aedadd1f7962dd7916bc23d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
36ab16c53e1bcc43736953357c13b5f7

SHA1
d87bab7d3c92e588589100e06e2a1384f15d8d42

SHA256
3c182f29321ebce0e1962a7e231b68e0fc01247f6e9579f810bf52c338a6083f

SHA512
d2d8e79a2fdc14e1286193532e7f1fac8d4fbec3dba26b4d05f4d7a22212f9ba217c009ccce7bba276d15f3f245b859b158fb40fc947155ad3a82566ae113064

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
56130969f0f4eeafd034c5cd6136fda5

SHA1
9b8e953da1921933f3d0ce035ec45a5e6e8ff671

SHA256
e7ea20b4ed288a5c44b2b6a5ab566be968b4f513daa7f77a99af4807562f46df

SHA512
a9549238cbf8fd849aa8321d4e48f7d2e7d96d65f11f633394d5228729b6a734e84a9e2057c8c86573ad6cd6d877468714aabc5fd45c93c15cac446b4ed6fd52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCJJ9ZOX\JPMOAD2J.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UJMJYC0S\QKCQ0OTC.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
e6545ccb3660f88529716ed4e647c713

SHA1
ecd628f29985599a24c5c1d23083c689917dd74e

SHA256
e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

SHA512
f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\Desktop\AssertWait.xml.kd8eby0.E89-070-E57
MD5
b504d9dc18a219baa96f91f2a03f1375

SHA1
22175cba4479aa9d838cd0c8a226c705acb9d173

SHA256
6ff3c4659ed17fecbb8a4e4367a4d4c693ccb3833a65eae88e9499b542c2a08a

SHA512
119a10b7d47187e942a025cb164b8ae68aeb1d37b10def4bc9a5ab409e0da1e715013d08a4440b659a24adceac3c571be55aff492058a598670b95a81da61864

Download Submit
C:\Users\Admin\Desktop\BlockDisable.svg.kd8eby0.E89-070-E57
MD5
4412510ff141641576375d5d04a32de2

SHA1
b0dc3a4e0ab6dd77105f27bc96540e7a9faed8e1

SHA256
01ee282d3f49eae413b00c0451a0e38792c961eaa4507c00cdb725b4f291b9d4

SHA512
0eee5e6f5a86b60b0ed4116aad941e0be31e289015659b4558fdce3c0201daefa05716e38a09c981c8c985182b55a8e3286e219a0ee3e56273aca129eb3091f9

Download Submit
C:\Users\Admin\Desktop\ConvertFromUnprotect.xht.kd8eby0.E89-070-E57
MD5
fc68db3bda24f4ae0d5b6bb1af4a9747

SHA1
d18e6c81bab9a6bc0ee0bf8fd632d98c9bbf0ccc

SHA256
73c3528a391fe18f2e378fbed99e186b60104d77c0c2e4d1d71449d604132197

SHA512
0af1af0e37e9db4b536ad885029b2ff2a26afb71235ee7e268c0651eae606e5495dad612b8ab1cb34f4d3f62efc5529e5e1428afbb55bae2fa0256d4de16a562

Download Submit
C:\Users\Admin\Desktop\ConvertRepair.wmx.kd8eby0.E89-070-E57
MD5
773228e680b01081851723179cfb9b57

SHA1
43aaa1b642c7af210258ac1613d3b95badb84efc

SHA256
b328cb02daa891d6de7bc0055107da5d6cea3b62324cc7c8b3d20b966783b5c0

SHA512
04249255eece31d8b8abcf80f292be33c2181229bcda1b3fc82c7356228605e2548d13e95180f0ef96fc54d083a5f7f0cb1579121d4cbdd76e361eed56a9ba0b

Download Submit
C:\Users\Admin\Desktop\DenySelect.ex_.kd8eby0.E89-070-E57
MD5
4708e94b5bb9b2e4106b606ede3b08c8

SHA1
3fd4a339d54408f14574782ade3d996d6716f149

SHA256
d0c56ee0083dfca21605788b8d76506fe3b3dbab3f22b252830784eeee7c7f7f

SHA512
2786b6f67566ab9095db636c32acc1c5b1904e900fbb159429543e95a4602d8b18ba4a5c7aad7b375605d18a4c4ec586d6ca8bb48d2140d260129465b70a3fff

Download Submit
C:\Users\Admin\Desktop\EditPublish.potx.kd8eby0.E89-070-E57
MD5
35b00aa0d37325e0bdd8596d6330fe9f

SHA1
6d64bb88fc9ed9e82dcd9071614d0f9d61801161

SHA256
8418e97d1e8c19475923108f7d34e01033b03f85ec91a50d5af5a8d3ad0ead22

SHA512
0198ab5d5631efd761eb950684c9a802832e6f171c6bff776373f268849586d354c2cde05e16bae200d5f18b67e9dd365ae813fddc93c1ac6a2aad30002d1b8d

Download Submit
C:\Users\Admin\Desktop\EnableConfirm.eps.kd8eby0.E89-070-E57
MD5
1cbf4c892698027770f951e01068d52d

SHA1
c4cf182b57112026edf71dace0b420adf6fc8759

SHA256
7a3a87a176e0204e72ac147982f615f11990d43c99edb5ac86ee7b000f404286

SHA512
50e9543f57a815b516c1880da8f7cdc72f151368e8506f209b94accb67d96414c1e2c745a15feac7ab5dc9afa9a568a0b1b2a234adc8667e1ca0d57f1554836e

Download Submit
C:\Users\Admin\Desktop\ExpandExit.xls.kd8eby0.E89-070-E57
MD5
c81789827b23adf2c478c2b904285bac

SHA1
6d392b6805369f806dbe77696f3dccdfd8e28953

SHA256
6f96af41adffce644450809984ef562ce14a8c3726667433c5340f0d0e0ff963

SHA512
b14ae6ff52e897cb3766913b8b14b5e225c28411731c41d41d8be3af94f12b9114856f4387775fa96b31b762511de0f0a9c09587cdc77bf1bcc7b3d433edbcca

Download Submit
C:\Users\Admin\Desktop\ExpandUpdate.au3.kd8eby0.E89-070-E57
MD5
33069ad18a257aa87a97e7eb38a893ea

SHA1
3d35ea36b5fe41f3dd345693e9728acff45ae427

SHA256
f35cab1d61c970324347a7af616e17e7193c5443c29a29bbbb8b1ea2edbe6fc2

SHA512
79d1831eb3931f5f012eb805964d32e3f4e42b3f2a89c57d41db713c36322a2e594d6eff0713993124e1fa184be5413ab4f4373ff46cd197c7cfa66fc9a92ce9

Download Submit
C:\Users\Admin\Desktop\MountRevoke.xml.kd8eby0.E89-070-E57
MD5
4112926f828d31e2ca6bea760c8418b1

SHA1
dac5348bb986433cc9f70de3d552d5a0f9b43ed9

SHA256
45d90a118ccf66c47d01e7de1951472e74a08af37e01c53d096aa6ef14fd4053

SHA512
001ef032357ee603dbd3eda9a75bbe21e0c06f4869f48f5a2f0b4f794ecc3152fcaba5a38f7b4529a84112e06979548a987ccddcf72bf4b0f1489295de43ddfe

Download Submit
C:\Users\Admin\Desktop\MoveSwitch.wmf.kd8eby0.E89-070-E57
MD5
e1dfdcdee4e5c226fd1922f793c26f65

SHA1
7849abfaa129e9dde86e6e6fc441e43b7ceea53a

SHA256
e6b8a5dcc91a4134ddd40e937c33cef8364f97a88aec3735d25c95a33e8bb574

SHA512
21d0c0308ede0035024ff6f8a45631b5dad787f1d1e08c47f2f5c46c572a64d90c35c859d9c41185047221cc6874ba197d1d61e175ba4d7f729ab1e29e36dd5f

Download Submit
C:\Users\Admin\Desktop\NewSync.xps.kd8eby0.E89-070-E57
MD5
b583133f739476cd356d7da44626adee

SHA1
aba67d4814f1fadc402090caae0f2741a621cb6d

SHA256
96648140f1b9e9ce80108a660bcf64e9379eb4597a3d1d7e0f76e6ed875c3eae

SHA512
83a93c57e4b039e0f87181949965d3356fcf0b6fa51245fbac4b154851303c95893e9f564acdd2e654ed04736273537da9d8ca9692ee0b314ae0e4c3851c0ac4

Download Submit
C:\Users\Admin\Desktop\PopApprove.docx.kd8eby0.E89-070-E57
MD5
a54ef0a72744112e8c5cb0203ee8feb0

SHA1
3338672e2fa3b7697e1b7ba21e61312cf59ec561

SHA256
82c83e24c6dd374ed32c55ae907a3cddf8183438da3264f5c6b3ca687c2a1375

SHA512
d56f3837ccca13694811147ddc04bfefa5abbcd040cb9f104f63022634f63f5621408d3991fa712145f2ecbae1ef4df94e0c549b394a474c2f46234c96b543fd

Download Submit
C:\Users\Admin\Desktop\PublishOut.aifc.kd8eby0.E89-070-E57
MD5
383a12ee5e02cfa6f37031a5b4094a59

SHA1
83e0a8a716b8feb4fd5dfd7bad43a1cd4b7ea005

SHA256
c151e3a0866c26da9861008799ae2859713e0e479ac486d638f617d88c751d2f

SHA512
15387dcdf05484838c1cabcad028c76a69f4d204e2cf398082a4eeffdf76b962b7635a737749ca7973bd22e23a0ed8a6745ff9f231b0e6f608668dd7b656492b

Download Submit
C:\Users\Admin\Desktop\RenameOut.iso.kd8eby0.E89-070-E57
MD5
fd375a8816a5809af386c9ca3f5afebd

SHA1
ad13b5d788755c600e2b47b42a8165f5596ac5b7

SHA256
dd8f939f8157a6ec5eff8e3390babd68aa2679a49e056edd349f91186f5b9841

SHA512
6bbcdf7d9a9ccaaf38e4b6627b9a6753e7b8b61a054ccc0cbe378324019abdd9013de24d178e166d8963c134fdcafa4166e9a12f12a785b228ee8c0fb9f607c7

Download Submit
C:\Users\Admin\Desktop\RepairReset.raw.kd8eby0.E89-070-E57
MD5
0e6bfedf06927bd3a943c56f53519505

SHA1
fadaaa9da19e6daa52732fcd561aef8f626b4013

SHA256
2a6fe5c541bec31410d518f250a9b8c12d1f1927504ecffe65ae9b50118d44b5

SHA512
f329ae5077b2292c7b65380d88c4ee09f6cb20b3e5d99ec36c47b5a27081a6043f210aca97ae2b2eea2b3e239cdb5572903f46b320490796fe483bc247d1ca5b

Download Submit
C:\Users\Admin\Desktop\RepairSwitch.mpg.kd8eby0.E89-070-E57
MD5
d02b92af6c7aded6d0ce3cd57f8a1e92

SHA1
61d12eb36b64977be6ed84236d9a39cbdf09f5e7

SHA256
134211a9a0603550616dbad01c3776eb969ccc2fd9f72828395ce8a71f86924a

SHA512
94a049e2d98a90fff0446fe6913dcb50dc2adab43080e514d8a263b69485413f8c535930c48b1e9429865a4e8178825673f535644b6fca0413ed23e38a462f3a

Download Submit
C:\Users\Admin\Desktop\UninstallReceive.dib.kd8eby0.E89-070-E57
MD5
05cc8680e33144815b9737c7f9bb8bc5

SHA1
7cf0c5e072bef5abdb1131b421ec3166a4833c0a

SHA256
48b6d2cd59e91b90d550393be47fe60d57c2efb6ad32d674ed61c06c2b50e8f5

SHA512
99c5350bf6f78a2f1de5e0d0831ed2f215de0adbe099bb9cf57e2366ffc7d1e07637e7aaeb53414683fc94153bc469f704d29b1d5f73b53947acaba546a5944c

Download Submit
C:\Users\Admin\Desktop\UnprotectRename.pcx.kd8eby0.E89-070-E57
MD5
dd6d1791ab0b1effdd4e63d89fb69f6c

SHA1
44c2f2db85fd68d29e1a0c60659b15165b3f8f34

SHA256
9f0f9fa61c1a3230b2e924693ad4cf166dc581b5f5bd61a5b0472b68c883c29f

SHA512
a8783a8a794c4c05b3640486582feddcfca6b60e87b901f64fd9c4eb16cadecbfd4c4d6a05817bdc34b735819f1055739864dfe77fa144f1139061051fe8d503

Download Submit
C:\Users\Admin\Desktop\UnprotectUnpublish.wm.kd8eby0.E89-070-E57
MD5
b3b94d22d2bda183eefb1bdc45712d33

SHA1
0cd204e6fef7a304e0378d8dfe4ffb3a5fd2a9ec

SHA256
fa4356e66b3329c82653eff84a81c74c4a1b3f989aa8a8d0da7384f196655329

SHA512
8eee796643fdc5cd9f6bb8c0c427acccdd56533c76098d9c55cbf8b2886b4c4d027caffcc0c151ad4194c0bf73f52f357ac328dc1ff2c0e611488e09090d9608

Download Submit
C:\Users\Admin\Desktop\UnpublishResize.DVR.kd8eby0.E89-070-E57
MD5
0fb6b02bdeb66a4db5b426802216e782

SHA1
11f8674f0775c350b579115bfa7951ed0d88c5a6

SHA256
c6a65c7c9d78003fd9d2e4d5b2dee7453a83c25c84d590572faeb4d3dd81bc46

SHA512
67cd5413e1148b9bc9fbf0aed9146651b7ba467a0c429d94ac242cfdf1294963a616d3c2b76a8a72f3dde799f4143ea16e6b733cae12aaad009b7dc19f108b1a

Download Submit
C:\Users\Admin\Desktop\UnregisterDismount.xlsm.kd8eby0.E89-070-E57
MD5
50314009112556cd0e6bf3af362855ed

SHA1
f77671bf3677bd84a8b6b6001f027a272eef59a5

SHA256
e0a48ce885e98e9c746aff4193ea8600becb4b54b10856d4701b4a6248c0f2a6

SHA512
f67f2368ea80390cf6b41803c20dd4ff7303251fb341193a4f77b29229854ee1693c256a4d7811682ba499ab1e8537662ab04ccbcfb6d2645fdc38bca42568a9

Download Submit
C:\Users\Public\Videos\hgfdfds.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe
MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
memory/640-118-0x0000000000000000-mapping.dmp

Download
memory/904-194-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/904-130-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/904-121-0x0000000000000000-mapping.dmp

Download
memory/904-193-0x0000000000000000-mapping.dmp

Download
memory/1040-142-0x0000000000000000-mapping.dmp

Download
memory/1156-134-0x0000000000000000-mapping.dmp

Download
memory/1196-151-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/1196-149-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/1196-165-0x00000000095E0000-0x00000000095E1000-memory.dmp

Filesize
4KB

Download
memory/1196-168-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1196-141-0x0000000000000000-mapping.dmp

Download
memory/1196-170-0x0000000004383000-0x0000000004384000-memory.dmp

Filesize
4KB

Download
memory/1196-163-0x0000000008CD0000-0x0000000008CD1000-memory.dmp

Filesize
4KB

Download
memory/1196-162-0x0000000009030000-0x0000000009031000-memory.dmp

Filesize
4KB

Download
memory/1196-156-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1196-155-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/1196-154-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/1196-153-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/1196-152-0x0000000007700000-0x0000000007701000-memory.dmp

Filesize
4KB

Download
memory/1196-144-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1196-150-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/1196-164-0x0000000008D00000-0x0000000008D01000-memory.dmp

Filesize
4KB

Download
memory/1196-148-0x0000000004382000-0x0000000004383000-memory.dmp

Filesize
4KB

Download
memory/1196-147-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/1196-146-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/1196-145-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/1196-143-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1380-139-0x0000000000000000-mapping.dmp

Download
memory/1444-136-0x0000000000000000-mapping.dmp

Download
memory/2636-135-0x0000000000000000-mapping.dmp

Download
memory/2748-137-0x0000000000000000-mapping.dmp

Download
memory/3484-133-0x0000000000000000-mapping.dmp

Download
memory/3532-115-0x0000000000000000-mapping.dmp

Download
memory/3596-169-0x0000000000000000-mapping.dmp

Download
memory/3628-132-0x0000000000000000-mapping.dmp

Download
memory/3744-131-0x0000000000000000-mapping.dmp

Download