buran | 60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1

Analysis

max time kernel
4294211s
max time network
130s
platform
windows7_x64
resource
win7-20220223-en
submitted
06-03-2022 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe
Size

214KB
MD5

7f5669e4d89b5a1636f05b52b7c0f9b7
SHA1

12d7b1fb828cea1b1abb568bcc9d0e29e78ecdb6
SHA256

60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1
SHA512

2010a75f1c8634480a42a2c995874459f4ab983fa90ae7fe7d12f0a6d53a34eb68622241f2a43c9218cb8290edb9ca6484991a7811d7e54ead7da5cb8ee3d220

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: F53-C6F-8B9 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

smss.exesmss.exe

pid process

1212 smss.exe
2012 smss.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

smss.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\UnprotectPublish.tiff smss.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UnprotectPublish.tiff	smss.exe

Loads dropped DLL 2 IoCs

Processes:

60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe

pid	process
1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe
1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\G:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 geoiptool.com

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\management.properties.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107456.WMF.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Riga	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186002.WMF	smss.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\WMM2CLIP.dll.mui	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR9B.GIF.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01218_.WMF.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107528.WMF.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285782.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARBB.DPV	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\Chess.exe.mui	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00720_.WMF.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05869_.WMF.F53-C6F-8B9	smss.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01123_.WMF.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0215086.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18207_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18253_.WMF.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44F.GIF	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kabul.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\vlc.mo	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216724.WMF.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONINTL.REST.IDX_DLL	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXT	smss.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02141_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN065.XML	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09194_.WMF.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00132_.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Matamoros	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01468_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15056_.GIF.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_F_COL.HXK	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35F.GIF	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.F53-C6F-8B9	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar.F53-C6F-8B9	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1640 1916 WerFault.exe notepad.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1604 vssadmin.exe
1052 vssadmin.exe

pid	pid_target	process	target process
1640	1916	WerFault.exe	notepad.exe

pid	process
1604	vssadmin.exe
1052	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

smss.exe60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	smss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

smss.exe

pid	process
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe
1212	smss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe
Token: SeDebugPrivilege	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe
Token: SeIncreaseQuotaPrivilege	1608	WMIC.exe
Token: SeSecurityPrivilege	1608	WMIC.exe
Token: SeTakeOwnershipPrivilege	1608	WMIC.exe
Token: SeLoadDriverPrivilege	1608	WMIC.exe
Token: SeSystemProfilePrivilege	1608	WMIC.exe
Token: SeSystemtimePrivilege	1608	WMIC.exe
Token: SeProfSingleProcessPrivilege	1608	WMIC.exe
Token: SeIncBasePriorityPrivilege	1608	WMIC.exe
Token: SeCreatePagefilePrivilege	1608	WMIC.exe
Token: SeBackupPrivilege	1608	WMIC.exe
Token: SeRestorePrivilege	1608	WMIC.exe
Token: SeShutdownPrivilege	1608	WMIC.exe
Token: SeDebugPrivilege	1608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1608	WMIC.exe
Token: SeRemoteShutdownPrivilege	1608	WMIC.exe
Token: SeUndockPrivilege	1608	WMIC.exe
Token: SeManageVolumePrivilege	1608	WMIC.exe
Token: 33	1608	WMIC.exe
Token: 34	1608	WMIC.exe
Token: 35	1608	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: SeBackupPrivilege	1284	vssvc.exe
Token: SeRestorePrivilege	1284	vssvc.exe
Token: SeAuditPrivilege	1284	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exesmss.execmd.execmd.execmd.exenotepad.exe

description	pid	process	target process
PID 1124 wrote to memory of 1212	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe	smss.exe
PID 1124 wrote to memory of 1212	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe	smss.exe
PID 1124 wrote to memory of 1212	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe	smss.exe
PID 1124 wrote to memory of 1212	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe	smss.exe
PID 1124 wrote to memory of 1288	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe	notepad.exe
PID 1124 wrote to memory of 1288	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe	notepad.exe
PID 1124 wrote to memory of 1288	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe	notepad.exe
PID 1124 wrote to memory of 1288	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe	notepad.exe
PID 1124 wrote to memory of 1288	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe	notepad.exe
PID 1124 wrote to memory of 1288	1124	60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe	notepad.exe
PID 1212 wrote to memory of 280	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 280	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 280	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 280	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 1116	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 1116	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 1116	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 1116	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 1924	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 1924	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 1924	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 1924	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 328	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 328	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 328	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 328	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 320	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 320	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 320	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 320	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 596	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 596	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 596	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 596	1212	smss.exe	cmd.exe
PID 1212 wrote to memory of 2012	1212	smss.exe	smss.exe
PID 1212 wrote to memory of 2012	1212	smss.exe	smss.exe
PID 1212 wrote to memory of 2012	1212	smss.exe	smss.exe
PID 1212 wrote to memory of 2012	1212	smss.exe	smss.exe
PID 280 wrote to memory of 1608	280	cmd.exe	WMIC.exe
PID 280 wrote to memory of 1608	280	cmd.exe	WMIC.exe
PID 280 wrote to memory of 1608	280	cmd.exe	WMIC.exe
PID 280 wrote to memory of 1608	280	cmd.exe	WMIC.exe
PID 596 wrote to memory of 1712	596	cmd.exe	WMIC.exe
PID 596 wrote to memory of 1712	596	cmd.exe	WMIC.exe
PID 596 wrote to memory of 1712	596	cmd.exe	WMIC.exe
PID 596 wrote to memory of 1712	596	cmd.exe	WMIC.exe
PID 320 wrote to memory of 1604	320	cmd.exe	vssadmin.exe
PID 320 wrote to memory of 1604	320	cmd.exe	vssadmin.exe
PID 320 wrote to memory of 1604	320	cmd.exe	vssadmin.exe
PID 320 wrote to memory of 1604	320	cmd.exe	vssadmin.exe
PID 596 wrote to memory of 1052	596	cmd.exe	vssadmin.exe
PID 596 wrote to memory of 1052	596	cmd.exe	vssadmin.exe
PID 596 wrote to memory of 1052	596	cmd.exe	vssadmin.exe
PID 596 wrote to memory of 1052	596	cmd.exe	vssadmin.exe
PID 1212 wrote to memory of 1916	1212	smss.exe	notepad.exe
PID 1212 wrote to memory of 1916	1212	smss.exe	notepad.exe
PID 1212 wrote to memory of 1916	1212	smss.exe	notepad.exe
PID 1212 wrote to memory of 1916	1212	smss.exe	notepad.exe
PID 1212 wrote to memory of 1916	1212	smss.exe	notepad.exe
PID 1212 wrote to memory of 1916	1212	smss.exe	notepad.exe
PID 1212 wrote to memory of 1916	1212	smss.exe	notepad.exe
PID 1916 wrote to memory of 1640	1916	notepad.exe	WerFault.exe
PID 1916 wrote to memory of 1640	1916	notepad.exe	WerFault.exe
PID 1916 wrote to memory of 1640	1916	notepad.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe
"C:\Users\Admin\AppData\Local\Temp\60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
PID:1288

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1116

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:328

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 196
4⤵
- Program crash
PID:1640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
0af9873e7d694b6af100acc5d66d625f

SHA1
4e382572f28043136ff10d6e80f09ea2153a8ec1

SHA256
983ea452db6d000be67b0e2d5ddf8beb2d42454e9108adcdfec5fdb04afcdc60

SHA512
b8ece43a58a5004a74fc888ab9f2140f10ffbefed2bdc3e78a586aa05e396486be67f6035e1c21eff48717651647fcf107937c2365b023280faeaff719d905e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B1230D967FD647CD5194F3FFA6C7E7E4
MD5
0f96cf32580efc867ff48db74bc92e4b

SHA1
2d16ce1151807b1cc5445db9bd511d0a2c90cf01

SHA256
7176b87dd59195a7e0fb8624010b143d1ca991161748e2cd38a88a4eec91a8da

SHA512
9d9e74180ef53053ebcfe25dd50659b002a4422c9253b82c78804b97329b57ea1ee19edf9eadec09d45f1b034270a15a7da5e5943406415dc259ca58fa459dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
aa4b7669eef55fc7705d31672b88980d

SHA1
131a6930acf0f1e90ffe67faa4e68055cc525118

SHA256
f964c248ccfb020296430658f3cdf78b18f7904611c5a4f67ce9b3bb3c7464f8

SHA512
414a578a7141ac0c0b28d894ea942baee758c362aceb81724baeb59abf4d0bfc1486c7ef9206a08ffad243cb543abfe2a70947223f7a58831070734056c36cac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
949e3389b043d3e34aaff60a95a6ea1d

SHA1
16a5742985aa7c54a60bae4a34ef4e8f5d0fc4f3

SHA256
7bb93abb6c67307364b86e09d4cd5a961604ac0056ce23931976e8548bd61f83

SHA512
2d237365a6898e14a5c036308fc6b2080c31cbcdae469f5d21f0d26bf2e88b587191d0feb6b57086999bb94eee8e547646cc96724b33fd9f82ecd18437db9ec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
c040c1effab2167a62204002c270a70e

SHA1
297a0f81157580bac89053595f12cc1c60ff9f8f

SHA256
8203d7095c43c1991675c66bb0b53b61ca2d636cb45743981475def947a44ae0

SHA512
3bec8da6910dacef13c4e37f1c777a982832f3a7b72f2eaca8a56a227a90ecf3f56fea6f10d1d9f14b0fb735d59110abd7da076f877bafc0d8fe3e35fb58e4d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
fbbfe4d958b414bc65971ff2efefc65e

SHA1
11faae7bec9781e05776affd3da81f44711d19ce

SHA256
a61049cd68b204781639b98bc10e38e3fdb0551dc7ca4622d5599d399b894362

SHA512
575c38dca9e2c1ddbe5cbb3c8c6920deb06365b52c81e48806c9f5c6327e65420b7867bc87827d50c3ec8cad0c0748a70534108b2a1870a92f8c27d2375d1d22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4
MD5
4ce454833d86675e4e56231b845aff8f

SHA1
d0e4db5d11c0b0fecbe4b43cf5b9a67e463a0910

SHA256
0b52fe3e73668827d79aef17f36eb8722face8824211da6ca5607e86cfbf494f

SHA512
d83b02e870b126f9ff709501b7eeb8b9f845c31657029c8f95184361f89fd4ffc77aa4726c4cac69cbca617c5cb9a3eb41735ebc1ea3570d0d1fa6a1a59f190c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c051bddb15505ac62ae253bc503244d5

SHA1
d55c03a104ff997da4827b66969a11eae6f53c62

SHA256
125c668527a7a3ea5c3a7e96926a5e8a474a135218475b795a5174fde82ecf05

SHA512
7f5a03be4848118e4e9f99c34469747468881747cd4d143ab3cf5ce8569783ac666f3c7f48fd3b2c0f60e385b3e7c477ae8a1817449a694fe173076abf35784d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z12QDLN4\HOQZOJ4C.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
7f5669e4d89b5a1636f05b52b7c0f9b7

SHA1
12d7b1fb828cea1b1abb568bcc9d0e29e78ecdb6

SHA256
60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1

SHA512
2010a75f1c8634480a42a2c995874459f4ab983fa90ae7fe7d12f0a6d53a34eb68622241f2a43c9218cb8290edb9ca6484991a7811d7e54ead7da5cb8ee3d220

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
7f5669e4d89b5a1636f05b52b7c0f9b7

SHA1
12d7b1fb828cea1b1abb568bcc9d0e29e78ecdb6

SHA256
60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1

SHA512
2010a75f1c8634480a42a2c995874459f4ab983fa90ae7fe7d12f0a6d53a34eb68622241f2a43c9218cb8290edb9ca6484991a7811d7e54ead7da5cb8ee3d220

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
7f5669e4d89b5a1636f05b52b7c0f9b7

SHA1
12d7b1fb828cea1b1abb568bcc9d0e29e78ecdb6

SHA256
60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1

SHA512
2010a75f1c8634480a42a2c995874459f4ab983fa90ae7fe7d12f0a6d53a34eb68622241f2a43c9218cb8290edb9ca6484991a7811d7e54ead7da5cb8ee3d220

Download Submit
C:\Users\Admin\Desktop\BlockReceive.contact.F53-C6F-8B9
MD5
26c7fc436d13a20d0a73cdfb3a3732bd

SHA1
fb220a4f5e0b978c12add01016c5917ebe891290

SHA256
7ef3aee0281c2756829c1a2853feee112c1a557c40d8e8b8ba2420a57b40ca40

SHA512
862094daa32eba74618e332d48c6a909e19ed43b673d367b2d5128206963f3608da060069672caf21e52ac67e1f98697d5906422b0459ae7712372d324af9731

Download Submit
C:\Users\Admin\Desktop\CompareInvoke.ADT.F53-C6F-8B9
MD5
51ae623c50aec6ccf2b5d1e40eb7a11d

SHA1
bbda29a5d3aa70eca58b2813dcccf07697c82a6f

SHA256
2924b87d5d9a9251a0de89ff7b23a891eda771dd746568ea8722d779e22347c9

SHA512
b37de403936618079e2e1c95f7bf7c3698b1177082af2c6efba1b337444c5a3352fe974d3bff7c57ceb4aa84dafc72576adb9362736607be8724a9244a5e1fc2

Download Submit
C:\Users\Admin\Desktop\ConnectFormat.dwfx.F53-C6F-8B9
MD5
abab73591a2e3b15c2f2fbdd9fb62ecd

SHA1
e79bd8345efa6fa70d95d3cdbfa7c645be278d1d

SHA256
db742f88136f88bfea425d9c1274cd66a45d469554fa511770f092399b89a363

SHA512
849f8e1fcff73d248f28c49c9063bc5e79af69bce8b2a607bfe5ff5e0ea464f28b7d4cd599a6c15333259d8a41ddfefcb0bb62dcd21d8d47eab86c9812d46df2

Download Submit
C:\Users\Admin\Desktop\ConnectJoin.rar.F53-C6F-8B9
MD5
ee42b5d724a7a70af0def11eeeb40347

SHA1
732c77fe4c69dcf5debed050cc2b7890b5c3cc2e

SHA256
50d65e27486f7e311b6aa37ef46e91e9076b7a4dfcbd3bc56fd3f65dd511e5b7

SHA512
fb75926fe4678e4e0d53a31a52f0c3ef37bf6fc9653c1bce340e9dd6ba0285066c1f2041d7298c082f3e226245f0ef5ff2c72d8da4c08967ec01359efbb6a71d

Download Submit
C:\Users\Admin\Desktop\ConvertSplit.ps1.F53-C6F-8B9
MD5
2e01860f05993bb8e8e0b37f4b5d7ee1

SHA1
9867d6a128a2becccc14ebf16aba9005241fc84a

SHA256
1a447f5e522021f874020ff7a758223af52ba60164da3423c83025e5510f6e1a

SHA512
bb01db1cc5c5d223143e6c48fb20732bfc6e5c04ae978563ccf82dfc69684e1bcc84565cc2a1feda6be9893f71096f1f04f686d788ae592b7748153765280e0e

Download Submit
C:\Users\Admin\Desktop\CopyMeasure.ADT.F53-C6F-8B9
MD5
b03a01aac859dacb213f20c4069e4a10

SHA1
3c78a90826ead15813d766951a752c1e9cbf9a32

SHA256
3120c627bd82f97e3a82c7839a0dc4c347f38adce1208e418f76cd33e1e6f854

SHA512
a710628192457bf583261b76c71d52b93c238781402ed55451e2f47350f8fe2ac6e8736e4a0d5981629aa84fa9527f46724a37934155717122fd6756bbb8345a

Download Submit
C:\Users\Admin\Desktop\DisableClose.mp2.F53-C6F-8B9
MD5
9dad74d05ab6884dda08b0ce6aac3dcc

SHA1
38cd1213641d9cc9398d7bbc9dcbe312273adae8

SHA256
f7aef2f2428892d9213aa03ea2f86321ee3b0fbd6def178054c53e666b5851fd

SHA512
33e97e4b317b0b3283cbf36e968c5b6b44b70862796decb723bdbd132a109bcc00515925dc97184a77b0805f3e116d4e12e14aed7bb5fb7a7335dd8aebe815e5

Download Submit
C:\Users\Admin\Desktop\ExitImport.TTS.F53-C6F-8B9
MD5
d983eb83ee89b375b5c9894b9fb12475

SHA1
9253d0edc66cf1a543965d42adb4e513dafe3f95

SHA256
4aeb5a804e1a21c8b9e6e5c7a6dcae3400f51b9e98112742d989e62f5270e315

SHA512
5a5e22003e5b1b710cb77c4d4dc26ae4f85d9329f802c41d7e0ebdff7c5365343932306c5625db8d62c2fc30abf4f5c2536abc23f5a2d48e43254e725baa0a53

Download Submit
C:\Users\Admin\Desktop\MoveGet.dib.F53-C6F-8B9
MD5
c6adc0a93c5b7be2ab1a1dda756ce30b

SHA1
34862383ff16bc74dfa766753f249b2e34b8d6a3

SHA256
bdc55c25bde38231a0b60f99ad587e7455e2619239671bc71d7f032701ce5f31

SHA512
24aaa39770a78a699d49eccbc9bdc666fa57a28f22129ce9767a348bd406210a2d19c3bd067909a42fd200076d2f213add7c3e971f24abaf90e9205a3ff4756c

Download Submit
C:\Users\Admin\Desktop\PingUnprotect.wm.F53-C6F-8B9
MD5
972eefa3cffcb22999dd86fe44806d9b

SHA1
19d5877a164130d5b3dfa4b6473b59a762724d69

SHA256
a9fe8a1df3bc948742041956f9ad6718914fc74a1a58bf60448a9c3fcb87b655

SHA512
1f783c7b894275fd3368ef9ef3e6121df3392972c9fc940ef31d3dcf93a298268ec564efa984045ff9522987cc9d20fa9efcc4a8026be274d9fb06798c7297a0

Download Submit
C:\Users\Admin\Desktop\PopRedo.ex_.F53-C6F-8B9
MD5
1c9113be759208395e79e32b2dad7c05

SHA1
23a027f1ce6c202622c0a3e1de69edb59d00c2d8

SHA256
5a4ae4e838418f5bafd8d322ee69e37e2e51d3e4ad52c04dcda6be0396064af1

SHA512
c0cc6ed2b9bebe248153e933d563b7673f705e98eafabd0e29afc6e4ca4e0db617011016babe1ed4fa429cdca50bce8a678a277fa1b1fac8d335bbd233fd6fe8

Download Submit
C:\Users\Admin\Desktop\RedoImport.xps.F53-C6F-8B9
MD5
ba11cd00fdf9fff269a7fa2b1dee7f0f

SHA1
344beaa0c4bfa915573dbfba109f74e4b6355d1e

SHA256
301461b21d87d23bd31c9967af2cac34ef1511f34a19a9ccff8b2f4f55f8e2e0

SHA512
beebc621436306445c37c130cff14071bdfbd713199fdbfbe2e90190a931e37e40c0a2879bac56613453edb318009ebd74a7b8e89498aeb8fc012d2da9283574

Download Submit
C:\Users\Admin\Desktop\RepairCompare.ps1.F53-C6F-8B9
MD5
f26ecebe6f46fb27203b3b13630e8091

SHA1
e0721f2b9ba0373786ad22960b2f4d0ac626a322

SHA256
f6b13e82669fd05b9927aa99b752e0846bbc631c7fae7811377d60cac47ce233

SHA512
54bb84aa0dc936500638326a42d051b853b30a2a19122121a974d8545ffd6a15df8bba889ece82c449bf0b8ca97b52c788597138ae21037a53cdfa31bf72046d

Download Submit
C:\Users\Admin\Desktop\RepairStep.3g2.F53-C6F-8B9
MD5
0d3d6b038fba8b42ffdbf49adb565f77

SHA1
62c4e3afea69420cc3ad0cde0a967eb72266f175

SHA256
bc5f2dfa63162fb94b3203585825b6c284a1d0b9a9c3b48c901faa0cdc9c1d7f

SHA512
88d9f136b66ba49cc742eef1fd6b0ea27e28ab26b7978a63de01ebb3ba7c9cbe05cff7b5b9a4801c22ff032bb7d782514193bc5982d26701946ee076f7e7eef2

Download Submit
C:\Users\Admin\Desktop\ResolveConvert.vssx.F53-C6F-8B9
MD5
bec786a54d1630eaf755f88ed993f0ec

SHA1
e3ae81f7fca5eae02dbb32ac05d63e942c12f6c6

SHA256
bafc38b4e252e801c22ce630e9fe888260ebaea3d46de92e5afcf653695f2b70

SHA512
a44686e4b0a570bb267c221d01fcea8ffff3401883d33e31e5af08455a51cf83b2296809e346ee078b582105994cff08d83fd5ad84ea9f2540bd6843d803ff32

Download Submit
C:\Users\Admin\Desktop\RestoreLimit.ico.F53-C6F-8B9
MD5
d89cb2ab132d369276a036e6d20b5766

SHA1
0d18e0411406404aeb0147591cfe27a9816a3522

SHA256
92ebc5c300fd6f687057387e2a4aa1251d5b3afc83a5bdf3544d663361bcea59

SHA512
a0c10cedc62b66469c2ee1e3f27b94245d2f9b7381fe0f99025a493c932dc31cf61b76bc26a98e14c0183d9e7800039845f9e9645573235654986c373f3a56fa

Download Submit
C:\Users\Admin\Desktop\SplitSync.png.F53-C6F-8B9
MD5
c07360a7fe5aaba836c1642c0ad0e71e

SHA1
0b7fe03b0e21256fc08abd5bb1f8f7efb6a35291

SHA256
66ad1b0ecae480e9e95fcfe41a25b54ddf042ed3f37be903d366169515f58fa9

SHA512
de38ca137c34e3dd524afa3251c6a597b188046e4703e830c69fd2af42acbe452add9f49fc689a40e0c5d21f9acae4a6e6dcf030f7c0a8be6edea8e66bdd9073

Download Submit
C:\Users\Admin\Desktop\SuspendClear.3g2.F53-C6F-8B9
MD5
06873117dfda5983298991c42787751c

SHA1
6318f2e47036ba91ac0da244b9c3f052fdff3c9c

SHA256
985e696ddc7b6974b8bfc9ff02c2afdab710a7eac8eda7deb2ac8a1fc8d18d63

SHA512
b3cab3e6600c75a8d06d005edda68f1b9669c09e9d50353c253238e12dfba1b1d7bc963430f71dab731151eb0b2c3bde59fa37de9e36cc121cc4cb95c7ef16f6

Download Submit
C:\Users\Admin\Desktop\TraceMeasure.pcx.F53-C6F-8B9
MD5
66104e90a49c7bf97025673c8b566b24

SHA1
d698be6ff48178bf474e58bead1c7b8c1dc5fee3

SHA256
ef7fe4110ecdba0af52875adc9590990adc839e04d63f6721b7c796e8e883f1f

SHA512
150b4604256a624bfbddeed93abcaa01e08a34ff8623010c00cd2b4fd20bc5d9793398185446c8d5eb20789dd6925168704539fe2f86bdfc009fc30cb0b50e13

Download Submit
C:\Users\Admin\Desktop\TraceOut.svg.F53-C6F-8B9
MD5
1764308a5dc9b1dc055fc5ef49a78960

SHA1
cd1d5dd5a28550f534e358e2e653786aa9dc3324

SHA256
2cf6b49d826602a0297f0c1045e43980b67a3b27a2512302ae9d93b88301e21e

SHA512
ccaf34c428d4c37eaa56a75c468d3d76d0ba10334bc96ae7a04e8a1b9e8d42cd194ab41071fc6f6057a87ac2ad466fe807f9cf7257cb759b0e7c4522379b5162

Download Submit
C:\Users\Admin\Desktop\UnprotectRestart.cfg.F53-C6F-8B9
MD5
b2b29720c4f1414189eee606b44cf6f9

SHA1
5cf7c805f4f5a9b49d78729e3c3029fcbae3d37a

SHA256
e52b7751b02b37397372e2c61d4bc179bb3a7acb794712619dfa169a113648a9

SHA512
1c03bbd58a2ef3b4cf34de0bb50bcbf5455dfaf95d9fefe95d87dc6d34b97834e0424278d0ecddf19a78113c1036c58478f7210a92393d0406f0a30e7fc8d25f

Download Submit
C:\Users\Admin\Desktop\WaitCopy.asp.F53-C6F-8B9
MD5
22c6eddf375e82e5633aa57381a6f6d1

SHA1
df1f6ab5efce72ff77e180b1d3e780a186137df4

SHA256
ce58da49efa79d67d278c7cff75b7b76fd6550b63ee808c8c9de36dac5ef00eb

SHA512
8653e99b70cd3972157b89a9b37a20e24cfca627e8bb0a361151ae44e5303ae13c81fae63f8f421ad642017f5763a62095d97eece61a34ae314cb6b76a7b3e26

Download Submit
C:\Users\Admin\Desktop\WaitRevoke.edrwx.F53-C6F-8B9
MD5
b560f7325a2c3f81b290df3e6fbc0144

SHA1
039e6cad2d8584ec090185af75f685941bb50cd5

SHA256
75c83d0c7c2e8c966fad68dcc716d2a9de749f1b80845e16152b42dc60c26cfc

SHA512
aa5d2e1a7b592c9ba4ed7e3706f5581dbade61c89346bae49c05215fa3c591380d958baeb370226887ca66860da1e2aaf2ab5f0c394a298c6dc553cab0b0f377

Download Submit
C:\Users\Admin\Desktop\WriteWatch.jtx.F53-C6F-8B9
MD5
dc533fe5d9e1296c44d6e8bcbbca748f

SHA1
b44ab3ef720d52503c67ee8bae8280aedd3916e2

SHA256
87e5c42e9869220f752844e2064e9105ae22b309ad0e8841eeb8b3e6db250614

SHA512
8e8217d091efb9b896e11519d4af4199200567f0d36afbd3abb3fc3297cf97cfe095db67c1e3a7bb0ed1f5cb383cb5f1659b8b140bfbd0aeb0589abf0a8de666

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
7f5669e4d89b5a1636f05b52b7c0f9b7

SHA1
12d7b1fb828cea1b1abb568bcc9d0e29e78ecdb6

SHA256
60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1

SHA512
2010a75f1c8634480a42a2c995874459f4ab983fa90ae7fe7d12f0a6d53a34eb68622241f2a43c9218cb8290edb9ca6484991a7811d7e54ead7da5cb8ee3d220

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
MD5
7f5669e4d89b5a1636f05b52b7c0f9b7

SHA1
12d7b1fb828cea1b1abb568bcc9d0e29e78ecdb6

SHA256
60e2ff67f5e92eebcdca4b22343d4cd663e9c63e6259d9f4563e68da38b330e1

SHA512
2010a75f1c8634480a42a2c995874459f4ab983fa90ae7fe7d12f0a6d53a34eb68622241f2a43c9218cb8290edb9ca6484991a7811d7e54ead7da5cb8ee3d220

Download Submit
memory/1124-54-0x0000000074FF1000-0x0000000074FF3000-memory.dmp

Filesize
8KB

Download
memory/1288-59-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download