buran | 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

Analysis

max time kernel
4294211s
max time network
130s
platform
windows7_x64
resource
win7-20220223-en
submitted
06-03-2022 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Size

214KB
MD5

42ea94ee3adca8b82fba15ecdde25f26
SHA1

ca17412cd44d186db91c4b2fa7df03363533ffd2
SHA256

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
SHA512

cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] telegram:uspex12345 Your personal ID: 822-7B1-847 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

272 svchost.exe
1480 svchost.exe

pid	process
272	svchost.exe
1480	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe

pid	process
1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 geoiptool.com

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_ja.jar.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198494.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Easter	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199727.WMF	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp_5.5.0.165303.jar.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_K_COL.HXK.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21316_.GIF	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL011.XML	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\RELAY.CER	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Maroon.css.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02082_.GIF.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ACT3R.SAM	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt.822-7B1-847	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\java.policy	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.H	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACTIP10.HLP	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePage.gif	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GreenTea.css.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.DPV	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01734_.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14800_.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\Hearts.exe.mui.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00932_.WMF.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Adjacency.eftx	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21314_.GIF.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00236_.WMF.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0228823.WMF.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg.822-7B1-847	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\dnsns.jar.822-7B1-847	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1672 1988 WerFault.exe notepad.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1980 vssadmin.exe
1092 vssadmin.exe

pid	pid_target	process	target process
1672	1988	WerFault.exe	notepad.exe

pid	process
1980	vssadmin.exe
1092	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

svchost.exe332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Token: SeDebugPrivilege	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
Token: SeIncreaseQuotaPrivilege	1596	WMIC.exe
Token: SeSecurityPrivilege	1596	WMIC.exe
Token: SeTakeOwnershipPrivilege	1596	WMIC.exe
Token: SeLoadDriverPrivilege	1596	WMIC.exe
Token: SeSystemProfilePrivilege	1596	WMIC.exe
Token: SeSystemtimePrivilege	1596	WMIC.exe
Token: SeProfSingleProcessPrivilege	1596	WMIC.exe
Token: SeIncBasePriorityPrivilege	1596	WMIC.exe
Token: SeCreatePagefilePrivilege	1596	WMIC.exe
Token: SeBackupPrivilege	1596	WMIC.exe
Token: SeRestorePrivilege	1596	WMIC.exe
Token: SeShutdownPrivilege	1596	WMIC.exe
Token: SeDebugPrivilege	1596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1596	WMIC.exe
Token: SeRemoteShutdownPrivilege	1596	WMIC.exe
Token: SeUndockPrivilege	1596	WMIC.exe
Token: SeManageVolumePrivilege	1596	WMIC.exe
Token: 33	1596	WMIC.exe
Token: 34	1596	WMIC.exe
Token: 35	1596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2004	WMIC.exe
Token: SeSecurityPrivilege	2004	WMIC.exe
Token: SeTakeOwnershipPrivilege	2004	WMIC.exe
Token: SeLoadDriverPrivilege	2004	WMIC.exe
Token: SeSystemProfilePrivilege	2004	WMIC.exe
Token: SeSystemtimePrivilege	2004	WMIC.exe
Token: SeProfSingleProcessPrivilege	2004	WMIC.exe
Token: SeIncBasePriorityPrivilege	2004	WMIC.exe
Token: SeCreatePagefilePrivilege	2004	WMIC.exe
Token: SeBackupPrivilege	2004	WMIC.exe
Token: SeRestorePrivilege	2004	WMIC.exe
Token: SeShutdownPrivilege	2004	WMIC.exe
Token: SeDebugPrivilege	2004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2004	WMIC.exe
Token: SeRemoteShutdownPrivilege	2004	WMIC.exe
Token: SeUndockPrivilege	2004	WMIC.exe
Token: SeManageVolumePrivilege	2004	WMIC.exe
Token: 33	2004	WMIC.exe
Token: 34	2004	WMIC.exe
Token: 35	2004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1596	WMIC.exe
Token: SeSecurityPrivilege	1596	WMIC.exe
Token: SeTakeOwnershipPrivilege	1596	WMIC.exe
Token: SeLoadDriverPrivilege	1596	WMIC.exe
Token: SeSystemProfilePrivilege	1596	WMIC.exe
Token: SeSystemtimePrivilege	1596	WMIC.exe
Token: SeProfSingleProcessPrivilege	1596	WMIC.exe
Token: SeIncBasePriorityPrivilege	1596	WMIC.exe
Token: SeCreatePagefilePrivilege	1596	WMIC.exe
Token: SeBackupPrivilege	1596	WMIC.exe
Token: SeRestorePrivilege	1596	WMIC.exe
Token: SeShutdownPrivilege	1596	WMIC.exe
Token: SeDebugPrivilege	1596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1596	WMIC.exe
Token: SeRemoteShutdownPrivilege	1596	WMIC.exe
Token: SeUndockPrivilege	1596	WMIC.exe
Token: SeManageVolumePrivilege	1596	WMIC.exe
Token: 33	1596	WMIC.exe
Token: 34	1596	WMIC.exe
Token: 35	1596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2004	WMIC.exe
Token: SeSecurityPrivilege	2004	WMIC.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exenotepad.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1620 wrote to memory of 272	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	svchost.exe
PID 1620 wrote to memory of 272	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	svchost.exe
PID 1620 wrote to memory of 272	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	svchost.exe
PID 1620 wrote to memory of 272	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	svchost.exe
PID 1620 wrote to memory of 1988	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	notepad.exe
PID 1620 wrote to memory of 1988	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	notepad.exe
PID 1620 wrote to memory of 1988	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	notepad.exe
PID 1620 wrote to memory of 1988	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	notepad.exe
PID 1620 wrote to memory of 1988	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	notepad.exe
PID 1620 wrote to memory of 1988	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	notepad.exe
PID 1620 wrote to memory of 1988	1620	332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe	notepad.exe
PID 1988 wrote to memory of 1672	1988	notepad.exe	WerFault.exe
PID 1988 wrote to memory of 1672	1988	notepad.exe	WerFault.exe
PID 1988 wrote to memory of 1672	1988	notepad.exe	WerFault.exe
PID 1988 wrote to memory of 1672	1988	notepad.exe	WerFault.exe
PID 272 wrote to memory of 1380	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1380	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1380	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1380	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 916	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 916	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 916	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 916	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 456	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 456	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 456	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 456	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1472	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1472	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1472	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1472	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1504	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1504	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1504	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1504	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 612	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 612	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 612	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 612	272	svchost.exe	cmd.exe
PID 272 wrote to memory of 1480	272	svchost.exe	svchost.exe
PID 272 wrote to memory of 1480	272	svchost.exe	svchost.exe
PID 272 wrote to memory of 1480	272	svchost.exe	svchost.exe
PID 272 wrote to memory of 1480	272	svchost.exe	svchost.exe
PID 1380 wrote to memory of 1596	1380	cmd.exe	WMIC.exe
PID 1380 wrote to memory of 1596	1380	cmd.exe	WMIC.exe
PID 1380 wrote to memory of 1596	1380	cmd.exe	WMIC.exe
PID 1380 wrote to memory of 1596	1380	cmd.exe	WMIC.exe
PID 1504 wrote to memory of 1980	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 1980	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 1980	1504	cmd.exe	vssadmin.exe
PID 1504 wrote to memory of 1980	1504	cmd.exe	vssadmin.exe
PID 612 wrote to memory of 2004	612	cmd.exe	WMIC.exe
PID 612 wrote to memory of 2004	612	cmd.exe	WMIC.exe
PID 612 wrote to memory of 2004	612	cmd.exe	WMIC.exe
PID 612 wrote to memory of 2004	612	cmd.exe	WMIC.exe
PID 612 wrote to memory of 1092	612	cmd.exe	vssadmin.exe
PID 612 wrote to memory of 1092	612	cmd.exe	vssadmin.exe
PID 612 wrote to memory of 1092	612	cmd.exe	vssadmin.exe
PID 612 wrote to memory of 1092	612	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe
"C:\Users\Admin\AppData\Local\Temp\332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:456

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1472

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 196
3⤵
- Program crash
PID:1672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
1c7207d15a7f303c73d5d89d6aae43be

SHA1
19fe550a31cf89ab706e3ebcd6fcc78ca57bdeac

SHA256
52a8f1b16a9d4bcec89850a5f6d30488cd8390d0e6bc19eaea5a138d5dc64dc9

SHA512
d6216aa45ffcd9345139792c94a55d53fe40f775d42a6d6127fc2cb066c653bdc005d133ed85d73aa34f1bcf634c221c7624a7e840c2424cf1f29a2bcd088342

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B1230D967FD647CD5194F3FFA6C7E7E4

MD5
0f96cf32580efc867ff48db74bc92e4b

SHA1
2d16ce1151807b1cc5445db9bd511d0a2c90cf01

SHA256
7176b87dd59195a7e0fb8624010b143d1ca991161748e2cd38a88a4eec91a8da

SHA512
9d9e74180ef53053ebcfe25dd50659b002a4422c9253b82c78804b97329b57ea1ee19edf9eadec09d45f1b034270a15a7da5e5943406415dc259ca58fa459dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
c167da7b8b4c7fcda6675c7e0088f400

SHA1
994596505635ae1ea5d515c3812bde4da71453da

SHA256
393c90d40294d1f9e4875acc639b3c1b0207a68c7ca49aaf715f97746c128062

SHA512
8fbb72b5d58e34709eb545ab324112d4392f3af389b68b1e184d885ea210f529dede92167578687f47c1b40e49341cbbd62eaf8d71dc09397b5d44a4c9b767f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
df11f60c99660e0f3c18219ac6895d4d

SHA1
48557bccad64d790260c9a54b7da53cedca59264

SHA256
d564d9c1619d57a750ff9b1abb77243762a241be2b7e522e76d5ec9b5f0aef9f

SHA512
2a8e92ab42bc66dba988f4d0c22660a586bebe4f432c6bfbd39888e0a6d8daf084c19facb832c1edefcc515d1fe6db15eb0a8aed3ed27c16f78e04666f120beb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
4d5e6b72ea8cbcfecc5ed2b559b7592a

SHA1
78fe98d962ea819f10f0587159be39d1e165e836

SHA256
ee5bfb791cb2c81ae849e4d5c04d32a2f146538cda065343f660c5abb5a1dc58

SHA512
27fc2c3563d8a00f35e3ec34eecc8f32d8148b582fdcc19b877bfb6e9acf9ab3c52ee3445d939c54d27537ed5c7f62a914f319e52550658f560b3d4488d64686

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
0e590cdf32cf927048e86f07e3355f1e

SHA1
9179cdf36b337082cd753109f194115c6ee7ae65

SHA256
083bdf51ae117948b80ccdedf1f6764431df465de903fe4dab1fb2240c698d07

SHA512
90adbe65c26c1c33757bc9778f8cc2ae5a0cee60e399b8d49bdcb3673a272c66b16355f678efaa36eee57aff5c8bfcf42e64944777e85e94d253ac86cf3fed2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4

MD5
bf51e4ccb5c6ef38fc1f2fb1bfdc4a4b

SHA1
b6fcb32b035a0b033dd2a923a5cbba35c54a9c31

SHA256
af6a047e8ae74bb157a5c6d9263b700848e80996065255089735da5c1822f09c

SHA512
f16cbb9adfdd728b569a2580193e742f30b895075629121e81756d11e67e2ac04bba2dc62d803c01a5546355ab9d21f46a577590f59e4fd57cbc9cd0dffbbbe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
157a16117ddc2466c0eb9137e921c46d

SHA1
a54644a23b9a80e1743bf9913156fa76792217d9

SHA256
4897a9afbfa9ddbb017cabf6d8df16d4730e56eeb1aefcaed7c24b8bf9f93031

SHA512
6b9b36573b7e4a69f5840cee2a533fa51972ee5c04006ddd67c78c609ec81c073d75de209b4f18abca32003352cae35bca6ec01496a6c36582f672ceadedcacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z12QDLN4\J6390Z7V.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
42ea94ee3adca8b82fba15ecdde25f26

SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2

SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
42ea94ee3adca8b82fba15ecdde25f26

SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2

SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
42ea94ee3adca8b82fba15ecdde25f26

SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2

SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
42ea94ee3adca8b82fba15ecdde25f26

SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2

SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
42ea94ee3adca8b82fba15ecdde25f26

SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2

SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Download Submit
memory/1620-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1988-59-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download