buran | 1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070

Analysis

max time kernel
4294206s
max time network
129s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Size

2.7MB
MD5

4301b4d1cb937816ffe288401d8938bf
SHA1

14126bcc7b1a7ec96114fb28a74c6a4d7e008246
SHA256

1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070
SHA512

82b0ebf62016f0b578384858b4d88fa97c70022a6e5e67871d93da5de2777553f949d40e6968ab9755cec4b48c8e40bdbc2ef4a1bd7a2db3ce52070e12b292bd

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 4E0-601-754 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

taskeng.exetaskeng.exe

pid process

1968 taskeng.exe
452 taskeng.exe

pid	process
1968	taskeng.exe
452	taskeng.exe

Loads dropped DLL 2 IoCs

Processes:

1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe

pid	process
1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	process
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\F:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 geoiptool.com

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_F_COL.HXK	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OutSyncPC.ico	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00965_.WMF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+NewSQLServerConnection.odc.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46B.GIF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149627.WMF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SHARING.CFG.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid.gif	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01138_.WMF	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_SelectionSubpicture.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01182_.WMF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51B.GIF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107282.WMF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_COL.HXC.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition - Customized.fdt	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216874.WMF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00234_.WMF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PRODIGY.NET.XML.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00078_.WMF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103402.WMF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\WET	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099199.GIF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_zh_4.4.0.v20140623020002.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287415.WMF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsink.ax	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21331_.GIF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\SpiderSolitaire.exe.mui.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103812.WMF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostName.XSL	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN02724_.WMF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02437_.WMF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR23F.GIF.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\PAB.SAM.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.4E0-601-754	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

868 748 WerFault.exe notepad.exe
1828 592 WerFault.exe notepad.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

840 vssadmin.exe
1664 vssadmin.exe

pid	pid_target	process	target process
868	748	WerFault.exe	notepad.exe
1828	592	WerFault.exe	notepad.exe

pid	process
840	vssadmin.exe
1664	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exetaskeng.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	taskeng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	taskeng.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Token: SeDebugPrivilege	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
Token: SeIncreaseQuotaPrivilege	972	WMIC.exe
Token: SeSecurityPrivilege	972	WMIC.exe
Token: SeTakeOwnershipPrivilege	972	WMIC.exe
Token: SeLoadDriverPrivilege	972	WMIC.exe
Token: SeSystemProfilePrivilege	972	WMIC.exe
Token: SeSystemtimePrivilege	972	WMIC.exe
Token: SeProfSingleProcessPrivilege	972	WMIC.exe
Token: SeIncBasePriorityPrivilege	972	WMIC.exe
Token: SeCreatePagefilePrivilege	972	WMIC.exe
Token: SeBackupPrivilege	972	WMIC.exe
Token: SeRestorePrivilege	972	WMIC.exe
Token: SeShutdownPrivilege	972	WMIC.exe
Token: SeDebugPrivilege	972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	972	WMIC.exe
Token: SeRemoteShutdownPrivilege	972	WMIC.exe
Token: SeUndockPrivilege	972	WMIC.exe
Token: SeManageVolumePrivilege	972	WMIC.exe
Token: 33	972	WMIC.exe
Token: 34	972	WMIC.exe
Token: 35	972	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1488	WMIC.exe
Token: SeSecurityPrivilege	1488	WMIC.exe
Token: SeTakeOwnershipPrivilege	1488	WMIC.exe
Token: SeLoadDriverPrivilege	1488	WMIC.exe
Token: SeSystemProfilePrivilege	1488	WMIC.exe
Token: SeSystemtimePrivilege	1488	WMIC.exe
Token: SeProfSingleProcessPrivilege	1488	WMIC.exe
Token: SeIncBasePriorityPrivilege	1488	WMIC.exe
Token: SeCreatePagefilePrivilege	1488	WMIC.exe
Token: SeBackupPrivilege	1488	WMIC.exe
Token: SeRestorePrivilege	1488	WMIC.exe
Token: SeShutdownPrivilege	1488	WMIC.exe
Token: SeDebugPrivilege	1488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1488	WMIC.exe
Token: SeRemoteShutdownPrivilege	1488	WMIC.exe
Token: SeUndockPrivilege	1488	WMIC.exe
Token: SeManageVolumePrivilege	1488	WMIC.exe
Token: 33	1488	WMIC.exe
Token: 34	1488	WMIC.exe
Token: 35	1488	WMIC.exe
Token: SeBackupPrivilege	1896	vssvc.exe
Token: SeRestorePrivilege	1896	vssvc.exe
Token: SeAuditPrivilege	1896	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1488	WMIC.exe
Token: SeSecurityPrivilege	1488	WMIC.exe
Token: SeTakeOwnershipPrivilege	1488	WMIC.exe
Token: SeLoadDriverPrivilege	1488	WMIC.exe
Token: SeSystemProfilePrivilege	1488	WMIC.exe
Token: SeSystemtimePrivilege	1488	WMIC.exe
Token: SeProfSingleProcessPrivilege	1488	WMIC.exe
Token: SeIncBasePriorityPrivilege	1488	WMIC.exe
Token: SeCreatePagefilePrivilege	1488	WMIC.exe
Token: SeBackupPrivilege	1488	WMIC.exe
Token: SeRestorePrivilege	1488	WMIC.exe
Token: SeShutdownPrivilege	1488	WMIC.exe
Token: SeDebugPrivilege	1488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1488	WMIC.exe
Token: SeRemoteShutdownPrivilege	1488	WMIC.exe
Token: SeUndockPrivilege	1488	WMIC.exe
Token: SeManageVolumePrivilege	1488	WMIC.exe
Token: 33	1488	WMIC.exe
Token: 34	1488	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exenotepad.exetaskeng.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1076 wrote to memory of 1968	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	taskeng.exe
PID 1076 wrote to memory of 1968	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	taskeng.exe
PID 1076 wrote to memory of 1968	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	taskeng.exe
PID 1076 wrote to memory of 1968	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	taskeng.exe
PID 1076 wrote to memory of 748	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	notepad.exe
PID 1076 wrote to memory of 748	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	notepad.exe
PID 1076 wrote to memory of 748	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	notepad.exe
PID 1076 wrote to memory of 748	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	notepad.exe
PID 1076 wrote to memory of 748	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	notepad.exe
PID 1076 wrote to memory of 748	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	notepad.exe
PID 1076 wrote to memory of 748	1076	1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe	notepad.exe
PID 748 wrote to memory of 868	748	notepad.exe	WerFault.exe
PID 748 wrote to memory of 868	748	notepad.exe	WerFault.exe
PID 748 wrote to memory of 868	748	notepad.exe	WerFault.exe
PID 748 wrote to memory of 868	748	notepad.exe	WerFault.exe
PID 1968 wrote to memory of 872	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 872	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 872	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 872	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1996	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1996	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1996	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1996	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 108	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 108	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 108	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 108	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1692	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1692	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1692	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1692	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1340	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1340	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1340	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1340	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1372	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1372	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1372	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 1372	1968	taskeng.exe	cmd.exe
PID 1968 wrote to memory of 452	1968	taskeng.exe	taskeng.exe
PID 1968 wrote to memory of 452	1968	taskeng.exe	taskeng.exe
PID 1968 wrote to memory of 452	1968	taskeng.exe	taskeng.exe
PID 1968 wrote to memory of 452	1968	taskeng.exe	taskeng.exe
PID 872 wrote to memory of 972	872	cmd.exe	WMIC.exe
PID 872 wrote to memory of 972	872	cmd.exe	WMIC.exe
PID 872 wrote to memory of 972	872	cmd.exe	WMIC.exe
PID 872 wrote to memory of 972	872	cmd.exe	WMIC.exe
PID 1340 wrote to memory of 840	1340	cmd.exe	vssadmin.exe
PID 1340 wrote to memory of 840	1340	cmd.exe	vssadmin.exe
PID 1340 wrote to memory of 840	1340	cmd.exe	vssadmin.exe
PID 1340 wrote to memory of 840	1340	cmd.exe	vssadmin.exe
PID 1372 wrote to memory of 1488	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1488	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1488	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1488	1372	cmd.exe	WMIC.exe
PID 1372 wrote to memory of 1664	1372	cmd.exe	vssadmin.exe
PID 1372 wrote to memory of 1664	1372	cmd.exe	vssadmin.exe
PID 1372 wrote to memory of 1664	1372	cmd.exe	vssadmin.exe
PID 1372 wrote to memory of 1664	1372	cmd.exe	vssadmin.exe
PID 1968 wrote to memory of 592	1968	taskeng.exe	notepad.exe
PID 1968 wrote to memory of 592	1968	taskeng.exe	notepad.exe
PID 1968 wrote to memory of 592	1968	taskeng.exe	notepad.exe
PID 1968 wrote to memory of 592	1968	taskeng.exe	notepad.exe
PID 1968 wrote to memory of 592	1968	taskeng.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe
"C:\Users\Admin\AppData\Local\Temp\1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1996

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:108

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 196
4⤵
- Program crash
PID:1828

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 196
3⤵
- Program crash
PID:868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
0af9873e7d694b6af100acc5d66d625f

SHA1
4e382572f28043136ff10d6e80f09ea2153a8ec1

SHA256
983ea452db6d000be67b0e2d5ddf8beb2d42454e9108adcdfec5fdb04afcdc60

SHA512
b8ece43a58a5004a74fc888ab9f2140f10ffbefed2bdc3e78a586aa05e396486be67f6035e1c21eff48717651647fcf107937c2365b023280faeaff719d905e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B1230D967FD647CD5194F3FFA6C7E7E4
MD5
0f96cf32580efc867ff48db74bc92e4b

SHA1
2d16ce1151807b1cc5445db9bd511d0a2c90cf01

SHA256
7176b87dd59195a7e0fb8624010b143d1ca991161748e2cd38a88a4eec91a8da

SHA512
9d9e74180ef53053ebcfe25dd50659b002a4422c9253b82c78804b97329b57ea1ee19edf9eadec09d45f1b034270a15a7da5e5943406415dc259ca58fa459dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
aa4b7669eef55fc7705d31672b88980d

SHA1
131a6930acf0f1e90ffe67faa4e68055cc525118

SHA256
f964c248ccfb020296430658f3cdf78b18f7904611c5a4f67ce9b3bb3c7464f8

SHA512
414a578a7141ac0c0b28d894ea942baee758c362aceb81724baeb59abf4d0bfc1486c7ef9206a08ffad243cb543abfe2a70947223f7a58831070734056c36cac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
d4f20ad8d03848846352061c85b98cd5

SHA1
2a6d4930695ccc81722e143cd343971963d6f40e

SHA256
1779822ec120f73e7377316ff9f18ca632287d87a024ddc330a660c8dc3f1a5f

SHA512
851a5a57db3a066bc6a5e6b9c420f76c831b5e563cdd46319cd10d36bde37695504ad336718c7efcb0542fe953f9b1403c4bbdab21d2a528157d2393af53cd84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
176b5b81f963ac57228769832febee66

SHA1
407e26c9f60298fdf12abacb964f9d999be45615

SHA256
f17f885099255c8812645c04f05db18a368d7516ec7fcc1159fd3ea761a287b7

SHA512
96dcab8f47a25b91bd05a93fbb5fb0443cea82f26de14cfde5c090005d3db1a0fa76e72f21f9d7820ac91cd362bdecaa906479026e003fd7e569bb9a49f628a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
124ddbceec5fc0cce066f629e82d0580

SHA1
3235a6ce3df4c6921b75ee5154257ccdbe7c55df

SHA256
e8619aff6195512d0b4f6578c6f107f7971d333e77538c8598aead9edd2a42b5

SHA512
5b1159a44589d9cc21c72ca1b831734d26dbeec38e3c405c7663231ef7b4f6f3edf750d7d72458dd57b4325f07c5bd696e69d8b2fc739b02523fd81f315f14fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4
MD5
6abfb06ae36238983ebb091b2c8fd162

SHA1
0c1bb2f0c0b7c969f7a308b416d1432598f19e60

SHA256
d3aae93a607f386323d1f4e9756e9b0dba5954e75dacb258e84d5b7e8b917d7c

SHA512
f975ec1a7fa40b35a9904a460e4c3f25c16661a6a1361d3dd0cf7a54fe18b3aaf5da126d937de9e3cf10e3b1192cba9a15ac9a0320bc42fab1d71bc0b7556af1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
bd6b6f6e38c3e683bab20ac77634d743

SHA1
b66f96faae79353a7e1b524dcfce0409cc07ad7b

SHA256
3b661d48d7a965d4c96663dfed7ec3889ba361ad86c5adabf4d8edf398c10712

SHA512
7d04f2606f94b50b274b2e33f877c978875030c708385ef4f3dc892ceafc3c751d924665a22a118bee6fb28cc6e745761ed871b8132a99d12352f2c918a05288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z12QDLN4\ORTBBYY1.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
4301b4d1cb937816ffe288401d8938bf

SHA1
14126bcc7b1a7ec96114fb28a74c6a4d7e008246

SHA256
1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070

SHA512
82b0ebf62016f0b578384858b4d88fa97c70022a6e5e67871d93da5de2777553f949d40e6968ab9755cec4b48c8e40bdbc2ef4a1bd7a2db3ce52070e12b292bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
4301b4d1cb937816ffe288401d8938bf

SHA1
14126bcc7b1a7ec96114fb28a74c6a4d7e008246

SHA256
1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070

SHA512
82b0ebf62016f0b578384858b4d88fa97c70022a6e5e67871d93da5de2777553f949d40e6968ab9755cec4b48c8e40bdbc2ef4a1bd7a2db3ce52070e12b292bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
4301b4d1cb937816ffe288401d8938bf

SHA1
14126bcc7b1a7ec96114fb28a74c6a4d7e008246

SHA256
1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070

SHA512
82b0ebf62016f0b578384858b4d88fa97c70022a6e5e67871d93da5de2777553f949d40e6968ab9755cec4b48c8e40bdbc2ef4a1bd7a2db3ce52070e12b292bd

Download Submit
C:\Users\Admin\Desktop\AssertExit.svgz.4E0-601-754
MD5
46328044b48c3d615511c0b409dcb334

SHA1
bb7ff70d52e76ad9c8bdbe5e9af301eccf10e849

SHA256
5791be2c28afb7d2a8e7738b637c8521d907cbd89075a740b4747040c4a1e10f

SHA512
0e60f448cf493ae4325e85df11da468d1dd2e00fb956921de14ba18eb95873e5930b6dd9ff8bb5f86f7fc6479fca507b22800cf25dc7073f844a7ed1138538a4

Download Submit
C:\Users\Admin\Desktop\CompressMerge.wma.4E0-601-754
MD5
0803d1df67c8041aabb61e17eb9cb242

SHA1
4631377f2752e11f83d771214a0fa120015966a3

SHA256
11ddfdf8a358b69e31314204621f97343bf69773b386901b2c972898a113d0fc

SHA512
350fc05ef91ea1ed0d7d8ef8ab21bad5bad3c0a77c9cc2b74bb97c0ba9aacc88c4f6d91f4e39d89cfe0f34ae79e60f7de4e8d306ee9c10227ef80c539783d08e

Download Submit
C:\Users\Admin\Desktop\ConvertFromCheckpoint.ods.4E0-601-754
MD5
931480a1d4b8ae6a2e2aa511ea582f0c

SHA1
d230d19c1daf7a92511358f01b6c5b452b05149e

SHA256
1577192c5deb5c04520f772e35078ff7077dd6df71daf4b42f3b7c2c904d2b34

SHA512
e65d4cc56f13bd3b88b2172d9d96c10026578def14235e125ad59b5f2b7797173c7528ec4a894348c74b2ffceff7cde55adc2cd142f024a2eb84326b3eea5c03

Download Submit
C:\Users\Admin\Desktop\DisableInvoke.midi.4E0-601-754
MD5
81efc1bf4c63f3fd2980db3b62208eb2

SHA1
85ed931ecc4edefa674ee3627342bd0bfcee1a00

SHA256
0d4b2345480eb54730cb9f3256e26deb3731a9e1f3251aac8676af5744ee1e1c

SHA512
41bbe0beefcfba34235672df31de6634efb44bd539fa6758cbf690e1e67f184d055565ac91cc8b75736af9fd46d6e2a6be91515a5eb1ef5fcda700aacf23bc31

Download Submit
C:\Users\Admin\Desktop\DismountPublish.aiff.4E0-601-754
MD5
401669205493fb804f2a8d67eb4c834a

SHA1
2aef0632a7d6cc15e72fa09dc42b29ff02726745

SHA256
2abc5b045a35b65c81a2dccb591a027574b1a7c248609825f6e5efb1f100cf9f

SHA512
bc41aac269d3c838ab42a70aac3362857315646ec0125819b038c0934b7eaf2393e63148b152bb623024c9ee285315c2c465077ccdc63ef9beb19fe6f9945067

Download Submit
C:\Users\Admin\Desktop\DismountResolve.search-ms.4E0-601-754
MD5
7ef181aeaf486dbda3a25e275a15b914

SHA1
2df7f4660e0c806be256a5318ee2d02a9531eada

SHA256
7b7322328aca796c108e5aea22596ce41c94eb68f66d841de5d3917c50e590ab

SHA512
48d098e39ecdd230ccbe838ef67b62e45fe18b12f346f50de305864b969d38f9a03145dd7df7b9c928f7bcf88ebc3b9d2f4cecda7808d3ef75723d667b205a41

Download Submit
C:\Users\Admin\Desktop\ExportFormat.pdf.4E0-601-754
MD5
36a412db14aa4ae6da7c42bee5f38b8c

SHA1
4590da4a272103d0713b2b8cfd1f2d6018b4c40f

SHA256
1a7fc0f655fa8bca84b05a2ce2114b63dc134ab4a4544f25d144bbe14ebff50b

SHA512
9321626b0ba0c99c9d23808ddc23685ccfd46d6e6ac09bf22783fee825779c6af691419982fa1f8d58f953fc94ee430341a808591d5c422fc3eb1485872ec6b7

Download Submit
C:\Users\Admin\Desktop\InitializeSplit.ocx.4E0-601-754
MD5
51eef654dc8169f455360f2b45df9552

SHA1
83bb43aa87f3937f4bbceba3fe404db1fffc64ca

SHA256
7cdffc39c6d92e5127be8e5dc4eb16a16d97f1be08b500230bbef91950b2ced2

SHA512
a7fb74bb2305fd2877147b65cb163a482ba2a1225c23d53dcfbd4730ead1ba4ba70c326fcf05a3b9aeb006a8594dd3c74fe2eef0eb2f6d9bc2b9619095fefce3

Download Submit
C:\Users\Admin\Desktop\InvokeCompare.shtml.4E0-601-754
MD5
aa478f1f378fc544cdbbabe360031e70

SHA1
628660a20ca8aa2398607c4ae4d313e4678dd718

SHA256
b2b8e34fbf18246ea934b29c264f0beada919638f16d37e199c52d2cc8186600

SHA512
868a4f73f7276e9152f22aeea196d5c90e40117a000eaa0aa1ef4de617a94c97f07ca496fc07cd9e376ce379f5c150bc1fe3607d129bbc555d621b472e99030d

Download Submit
C:\Users\Admin\Desktop\InvokeProtect.3gp2.4E0-601-754
MD5
ad5631279de4550ad1dec20b4e34185e

SHA1
9b208e95eb4870d6a00bb718702a271369c01a0e

SHA256
a7201a6ca6dbec2e6a063527673278879b14e442a94ff82b3e06c0b5ac9a5c63

SHA512
3f137322fec30e02384a9f158c16b00f4e9cf9e5cc56b0d5adc4eca9e045bae591ec0198f481fb53c36a968b7bc2ad7d133f39c5dc8fb95ba7f6b11791dda82e

Download Submit
C:\Users\Admin\Desktop\MoveRequest.ini.4E0-601-754
MD5
9f031475b774d743c6f32c144fa50fca

SHA1
69eb7a496fade26c819af44ab2df25a2d0dac751

SHA256
19dbd9eb7fe39e04f33a907d0bb467de5670f877a8cfd1cb14ea4978cee1fc03

SHA512
4a67d748f31beb0cff487b0eb16317ff2904166466d47e503c013620e56f8a8a03c18c77b248ac5c099b740debd42b40a2a7885148e2d676be24e466c841833b

Download Submit
C:\Users\Admin\Desktop\ResetEnable.dib.4E0-601-754
MD5
528e3bc4f5e70e1530fe24ceba3091a2

SHA1
94604ffffcd7069f7a325bb484e5dc84a2d8467b

SHA256
13abd35bea6a24e1c8ceb8909038caa5ec6333ef3afa8df378fc75a686228eec

SHA512
8fd643a66e6ef78c4e5def234753a4ad83faad64a94b81d596a774762b12bc83215e6a1d1de6653fb58599cbae1ed72b241f5f03de82b62545f54a462e3d8714

Download Submit
C:\Users\Admin\Desktop\SearchSuspend.ini.4E0-601-754
MD5
4e0c49a9e4dab449be3e3b477ba45174

SHA1
59a2a900d5acabec71f732f904e96a01f45fa99e

SHA256
d1054c2180f8a3adacb37f57435c62d998fcfb42f1bde6381b6be668b00d9bd5

SHA512
ce2bc6c44a85f559239fc48d79ef47def22d26d53768ea9190109c4c677cd6d49ba196a72e5a9da5e0b517aa4dd9933a7eb15533972630683702fe43c9167d0b

Download Submit
C:\Users\Admin\Desktop\StartOpen.vsdm.4E0-601-754
MD5
623b20b55e457c2f8949e6d61fc2f57c

SHA1
588307b31d3a7dcad2da23bcb8046f40bd3edb42

SHA256
96b00f0b65df80b7f2e7f507a508c2ed2fe12afb64322a09a8e7a5e937a58db5

SHA512
947f33281e90c0d44ac61ab860a8eb1dc8de553f7106dc7bd328f922933bd47b209fdf461fffee72db5c5b8589c754eb657e39326fe350b99ef914893bd8b4ac

Download Submit
C:\Users\Admin\Desktop\StepPop.ico.4E0-601-754
MD5
003c5072cba736754f91e70c06274081

SHA1
2a7f080dd6f58490ce537392bb9e11e2dce334ab

SHA256
995f82220137dedb2495ec53709dc8ad905c8cb3e1149b62650f9346582032e0

SHA512
952a6d0eaf01ed595c090b4131c568c621a673009e9d4edeb9bf306b35fb7b5a31c5c1e5f96dcc699b873bd29f092d15985f7ee68cafcf7625d5954e37db0214

Download Submit
C:\Users\Admin\Desktop\SubmitWatch.mpp.4E0-601-754
MD5
6ec0a625cd6f46be46a3da5d90e28845

SHA1
263519d8177a40e6bb6391c900e3eb3fb9e2cb72

SHA256
2effdc68dee2708209a81b15e54b1278f9f70b25b6d85ccf8d346aa8f9a905b4

SHA512
bb23803f09fd1026f6946dd2f48e2354a69fccc3745b55b1693b3721e5fca061e514849a1b4224fab83dcc52fd052471281f4f524eb226f63d6fe2a43c312cf6

Download Submit
C:\Users\Admin\Desktop\TestInitialize.ogg.4E0-601-754
MD5
5601c1bbd9bb257a7b8839ed9e939b57

SHA1
b855ece78149c10b310f4c4296ac1cdf47670c88

SHA256
8805695dcca97096a63c05b79e96cb6fe0f5fb1ef678c5cf9c9c58d4fd94f44a

SHA512
e25094586fd4c152b1799b01db45fed7826b1d6c29bf2949c5cdbed7c510bdb07412420beddbfe223d9645e5ce62d321ae2af6167ad9bf2f78a44144f4585a39

Download Submit
C:\Users\Admin\Desktop\TestLimit.mhtml.4E0-601-754
MD5
f2fa04ef6c7e2b9ec2ebcf3bf65236cd

SHA1
f710375d41fe5f91006349068c1e1a326c391ce8

SHA256
38756972d074fed2352373c43818983bfa4e351bf91121aeed7528b39d80bda5

SHA512
9ef048906785252097cbcacfcc0b344c550fd7883bef95fc321c55f7f16477374885ed15c7f1326b696240002f548ece9e16906cf9329908ac67199f686a667a

Download Submit
C:\Users\Admin\Desktop\UnregisterDisable.xml.4E0-601-754
MD5
6e9b2ff3507a335f93d24378326e1525

SHA1
52d0bac3eb4b8d783a11ecd1f17874b3fb25f861

SHA256
b77a939bbdd14b4fb1e43eb21d46dcc022494a27287af2442a07d8411faabd69

SHA512
2871743ac62bf40bd9ba03d76e48c88cd5089eaab78b7c24014744fef899a1352dd9575fc59bfa6bab79f8e7fb441269f3dc05e9609f75a751b809ca169ddcc4

Download Submit
C:\Users\Admin\Desktop\WatchRestart.asx.4E0-601-754
MD5
a46a1e6dae23a1a0492ed3a00b28d828

SHA1
ded46b91d7402ca3c69b228e2a2e42d9e31d0c78

SHA256
65d1e9bb013fbda370658a37eda5d7245edc30baefaa68b19d09e20d624f931e

SHA512
c2c2d84c25deb2d2e6a2ae71c64afa3ca971d99657f93f72bb34d0a3270f16b62aed3d50aea59d36f0e6b8b81dd533b6d20d51d3795dc41aea42164af62a0337

Download Submit
C:\Users\Admin\Desktop\WriteReceive.vsdm.4E0-601-754
MD5
b1908d52424752652ef6125473686f32

SHA1
a1133d634424f0c433872814f78e1932c91d2298

SHA256
d9315959141baf2f8b88a050277ba57ea85b3a0a37600fe34243af661dfd34a1

SHA512
bf41c783a5fdf7e8d75d474cc3007aea5d2356407f593103538b1f259da6d3172425513a745bdec1210f0edfeb6252f4421d5bb141bc0809665126370cf84b86

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
4301b4d1cb937816ffe288401d8938bf

SHA1
14126bcc7b1a7ec96114fb28a74c6a4d7e008246

SHA256
1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070

SHA512
82b0ebf62016f0b578384858b4d88fa97c70022a6e5e67871d93da5de2777553f949d40e6968ab9755cec4b48c8e40bdbc2ef4a1bd7a2db3ce52070e12b292bd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
4301b4d1cb937816ffe288401d8938bf

SHA1
14126bcc7b1a7ec96114fb28a74c6a4d7e008246

SHA256
1016366f5a33b98470c591bda8b65c421c2bfc690aa9fd51d8049abd605c0070

SHA512
82b0ebf62016f0b578384858b4d88fa97c70022a6e5e67871d93da5de2777553f949d40e6968ab9755cec4b48c8e40bdbc2ef4a1bd7a2db3ce52070e12b292bd

Download Submit
memory/748-59-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1076-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download