buran | 0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
28-03-2022 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Size

423KB
MD5

b8546e288ba47f4be8615e73d26f2215
SHA1

0204fc6d8f011efc4ba2fafe5bf5ba7bbb2be50e
SHA256

0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6
SHA512

29f91d6b359eb9115414726d2444187864f13904efd0653a8500dfd608a9598b08b3cee86503dd2fee507f6e3aff98773b5c46bab14dbfa880c5aa47c79e32f4

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 239-D38-4A1 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid	Process
1528	svchost.exe
3912	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
34	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\classlist	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms	svchost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\jvm.cfg.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ppd.xrm-ms.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\ExpandResolve.mpeg3.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\ReceiveFind.mpeg.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar	svchost.exe
File created	C:\Program Files\Common Files\microsoft shared\.sys	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.239-D38-4A1	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe.239-D38-4A1	svchost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "001840067140DE42"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\001840067140DE42 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000c35d423ceeb7e2bf9dd069e0e97f8bd1ad4e318af0d0dbbc775cc13605219bc6000000000e800000000200002000000055907cb9d94d83982b1f76d83ab0597728d6113575613c5ce47b79ada9fbccc78000000086d9426fb70f9e44054b4e36902f5643d82b72c4a556b24c74cf021964971b29f7e66622a4f055f10bce6013d373aab3d939372529fd1090f626a7a0d5795e0a61d24507d07abea78caeab3ac15d4bdbf238929c52723f1ff9baedae2028ed5128985603c74c7a6d61430b1f02e872d1de89a6049878f4236f69216a36ab459240000000676a0b8b4643d4c279962309c4d19f7c4e9547ea29629ba57aac641bcf87a129e9654ea8ae47c33eb264b3523ded28d6acc1d33e7173c830cd6c46da63ee25ee	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000893fdaccb6a77f4d6f2cf0747cfaf6672a522d90c703714d10bc2ff066df4748000000000e80000000020000200000004a326ab18bbb5c8539699826567939dbf7ff45d85ad32b5dd30db727718493f4100d00006abd840226729beb85bfffe3b77209788eefb79711df234fd61def34813359d09a97bc0200ce5332a95be82abde230ef05252eda19a83d5abde490775fe8cbaad01710af0f7568d21b27f5202198d09d81fcbe539e23aa70662932ddb172eac2974586ea25aad595188126d0776c8d0e0eb119d937097c3cafcb2bb654c893fe223eb023ceaa60befb08d8bea095f6f337bae847d0055c3b3f1eb63564e37d4a998ee42580b8301238cf7fee85ac497cd1540e8f1dbb420f8343218015ad533758641c4dfd68a84fca3318b489f672e408d13e226176dd7fb54ae36f48c15c34cd8aa22c4bc8d395b1043890f29219c32975f98c66102b7e5f0c2c701b8748310ae70680da6ade4d6da04be3c5fa536b7016a7a200f342cd203fc511fa2f34630f53a20836d5dfc1efefe409b76e65e970744ad833ff63c6fb7644fca0c8c8a8b40340bda1f61f2c067d0e5f9fcbd07c8cecce955af77e19e2fa718d0f35f12cf4dc2316938988448e9ee633354cd9526b026919bf33e59b956cf3c61a22ac45dfb741b2d33d26438a28aa51033b44207b10d31e58212b16605e6aa62278601b554ea35c46a8ea3301d12f39c10f50912e2bacbdbcd5c77643edd9099c08073e4ef4934216b8046688529a9fa0b1c2d1939abfbfdf693d6963957e098a687286ae7b3be9b5f915fa03b5ff43538852f6e934dd7d0af546cba592325ff436be00b2c085175727375ec51e5268f9744cb8f85c22a8920b8fd066ae813840b8a97e4dbb5ee270b53705f7b9313b689296bf69a58d2213c269913c2e93d36fec5d36fa1c765968b0a238afad6616d390c5ca3006404e2b2f94e991c672058c0eb01bd6ef31cc14f8d11954fe0175bc3dc9bbf05c968456e25d613a29302a40a00a9318335b730c9efe3d8374a97959e4d77135f22940e3866d3c1d59ffa58b9071e0e5dca94a5bc340848315bf71ba1eed3d1832a87ca4f57b6c27c004dcf5beaf979a253950cc91dcf679e62def79120f36381754fadbded58177080b93e3896764f7c7ec4591e63663d5e0232ab67b167f739524a3189ed58dd5a7eee54eac948303fa29cc5ba95cc014af24ba346584e8342285b0b092c31165dc5799c31095129f0de5d12a4a3e271c98a6d17705ee2c22fbd3edbc58d13c0a2a20f8936d4aa0d533f3ce8e5ad4b73b10fb505307246fc410ed88a5ea040b3e8717f0e761e20f2e4704097edeb95b1e915b5a0e0ccf51f74429ebeac3ed42ed6a7ffcc0f032c646208ee73e68240901eb7acf5949123f8c7428d3aa25b203e3d08893fab92c9ffb8d1c18493cea1004a33472242c2d5d30fa65bbf37c6ff0434b6e3597a82d8967cdea0ec19f8bc1d8d93dda2855727b826f98e4decadf0f1a0d59577f48dcdbb62cc0934594a550e2fe871ca6521973d3c6071b75f52524ed1b0bb89d8ac53c80a6c7c594b6f73462e583ad200ab636ef6178703342b7837db8d36630553da678f45da9235e0f7269b42895019ed8d823e5d9917a214c3419addad910e8c2781e7b913adecb4c2672ef6ea3255bfd9d978b7367986de0c2585159e38c73f31fdb54962257d680d106b8ca32304833ec61aa15c97f0070086f393a6ace386ba87dc3ebd4198f666af046b610655ed629a81b3a1c649b68d11339bae86ac1714b811369d2ca6e825b34be310369c94e59e4fad2f5b71b654f60d8313fc9e498f52f58d1c652da9b0ef7c696ec894797ce925a057182cb98b86dfbe8ea524f4b5e3f3a47ad3ab1a445ea85446303043ec0cd14d8f9b9deec13eb61fa25017218e4b65412ce11a39ffe29dc761675ed4cc6e7d9bd3913dee1c91e194e8b28fd81443daf80217e277c2f40850b6b805e595786bf62227e72dd231487a7ecd16a0850461b9e0351442df0df42d6b87513aa65661ef128de3109d17158a1b1733e08aa850b413d69be5d0ed37afc15791d8b7e7475742aa2cac7d4fde5badb8ed366871cb9115a2682f3b4ede7d06c494bb1d14687685c4b69b39397fec29fffd1cea8fdc18c30fc8b2c7ff48cfbac26cb3625fe8d1ea0bcd0161a996f7f04dc0718762628d8fb2c89a6552aadcac5e3244bd9561f795e38bf12318266f09408a80269c82f2c7da62dafaefa0ac0828ccd86c9c792f3bf7866c3bc8d6abedf4252c94fc67aadc9f7aa9eeb62c6a27b8868f5ae0e0a481551f07af0a0cfc3465ce6767916be9c7fbcfbaaa8e8b5c2133dd95eef420a056bb49922c48da8193b58d0a7e240fb795072e923989bf1aefb1ff23f692012d06f446adb11e4c8c5b2be952f4b2b3b3b385182d4457e86c5255a3874151c2c5b16d35286a961c64bee22576cb0b1c0a71c3052cf46477cff8aef3e329f6fbf02ee547e3784fa93e083ca538c7c2b003cabf2c15b56b79730a4000897d66167b20823f7318cb795a9bb8145c5360eb6159bf0c89dc3d79871288c6d25a35fb4c41c578133eaa5e31c0ec904b97b02d8b8bae58508ed5f61164f62b81b76382420f043542a952eaa3da6a4f46adba050683a8910ccc3e3c6162bbd1ef2e0ce46aa58487263d07be01ceb2f77dd70e35e8afbd2d582433c0465d0c18d8ff10bbfa3981bbc85bee73aed91d89a87e05e2c63ca780b064c0e5774bc3bf406ff4264c195b9e67c106ce2947a2f3f67fc540a6639241c03b051c381c53ab39dc1ac30579dd5e321793554c19262b7a2eace5fb37c7dd441babc3a743ebde713aab1ee821ca0837ad76d0986790efd8c3391c4daa5fbfffc36edb1b99e980e10a7f3090084eb20b5dc9180dd15a0d7cf3b4ac97182e68436c68f78419e67499956522d8160347db054a561fe89a783a39a8a7ce5b5ecc7ac9daadcc60f3a8619a888b0bc0875d2e362a8ca70777d367c86c079012d70df14a7cfdfd451b6136b81a5dbfa09e502539b579ec1171268842282302684d9e8ac34e409134c4588eb9cd19cb22a2ee1ea8821000a3b9bda5e409ba5312233f0325771d580163cf3a2c23ecda6b274b909a678d4a0456bcf03c6c8756c1c96096868c8a1941a43257c13daaf6ccde76398d3e02e6cef174219c4e33813ef75e62d1eaad17f9a40a07d9e066c32b8367743d4b7af7d33c161fc27dd3b8dbcebd846ecc5c604be8742579d4cd32264daf51a772e92a3fd8147007f86570dc76d15099c8a9afb43e9663439431c2d31e9d2282dc593b7e39af83a3c362e6da0abf8e873b426d46d9509039fbd762fee9128b905b52d77aa31b6c6c36bba61c33a9efd5f556e6de5673fcf2cc9427e36fd71550acf883ed905f865756637df94e924a10e47e5d410f61950ab8e679606cbc2edfd5887e972c4e244f64bb0d70b0872c1caeabfd47449bee3067fa0c19a75c32bfc75c03ea87937db765fafd956fd0c86a7b38398257bbd8e7ea6df1e08d302a6096f553d70afb192cda1d5418840b999f658cdff2f8c1c51d182cde554ae9cbb8318ca0fc94ce5422399f893213640467bbecef0be5a1f7f7554067a632f2754ba38f8d8834bb82b0eb83b00614627758550f5a8b96bd4eee7803368e7be612fc969b4296081472a68f046aef28c75bf4d841bb1b6bb26aad3e2b814aa9af57b20c2062194f521962a6b3a2d14b487492205fee81aea1f638ce1bb9636cfbedb60e643b89f8a5c1d181a97dd0d2df06deaee48ccb53e870ade7e3dbfa80044c1ddbcc3ec574ee21d0100b3bfc04b51a0d080d7a3544e655cd00623533bef74b09cd803063801077625ecfe6c6d8cf70d3beed684de4070fb497681b56d76f2e038860c1516959ef4f2c2d8ee52c4a415a78b400e32464657134c38ac9656f5f162490152b34029b698c701256f6239ebeea6939d98c8da623409b59598aacf8464cd1c5aa257792997de93dd33bbaa69b470ceb329d81fddfdeb54fd572f59b1a67b3c599076a21a4795516e041c684149573624525753f61e7eff4bde2c77cfd05894a9f16dd0fe4681dee46366dcfd37e7bc1389b40f9b3dac4fc8ac0d485f0f53aa2703e1d0661d8c2808d5da8781cec0c1dd4b2af496e87e8317257f625daebfd653a3d47c99c5cbea6dfbe914dce0e02cb4de4f1ca257c59a298e2377b30fcdf5c1d20a41ea1387b772270c60b8a0b2604ff86f8e11bffba3a7e7e02a682ea6dac145877813b9c8b6dae27520b9e8ce754d9de93620636a46b89b7123491a706977146e69f52f78af9e20c1075fc9eb02712085b3b6ecc3758cfc66dc4c75b389ef3cde3cd0c537df02fc5a8a7932572eefcf1112f4231817cd8d0f4c6445a583b3d98931d81326995b3036675811fadf69ad276f765409dac18e33100513149dc26f662a381b80f6ee3bca3a39339fcf0d0263a51fcf12d35524c7f47796c0ea2834872b9925ff707f3fbee4754c43fe9d96e70b03d82537279eeb8ada619927165a56b6a65a3bf17b41c4477aa7050d3934a9356d25236041985603fed51306746f04a8aa4d2a9eafe724a4a8ffe0faa3d2a22cae162a457a03bd7e63f049364a2fa14f9349fd4d1caab70ebba8327d9fd71f7700ef77a0020a858f6c0170ec052183d5bf0999b34cb27b6fc46a2aac676f88351c933734037a0b53cbb9d6ee44b4eeb9c8f57c3daec5c261314b464fa042b1e14cb23173e52db9aafa46fa4da2e14e000e9ffb60566a58918ba9ae443543a5dcb8660a6894fe033fb9b5c140b733488923f87ec5b80201dbaf9df8fd4a4a69b82f60400000002f55396c72a25c1b3a6bb1c461d47437d921a0c0511f9396c06789a082140696b8b6f7d245b62d3f4c25be5463f5df666a94be66f88c55998ab63e1e79c803a0	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	Process
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	3512	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Token: SeDebugPrivilege	3512	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
Token: SeIncreaseQuotaPrivilege	1480	WMIC.exe
Token: SeSecurityPrivilege	1480	WMIC.exe
Token: SeTakeOwnershipPrivilege	1480	WMIC.exe
Token: SeLoadDriverPrivilege	1480	WMIC.exe
Token: SeSystemProfilePrivilege	1480	WMIC.exe
Token: SeSystemtimePrivilege	1480	WMIC.exe
Token: SeProfSingleProcessPrivilege	1480	WMIC.exe
Token: SeIncBasePriorityPrivilege	1480	WMIC.exe
Token: SeCreatePagefilePrivilege	1480	WMIC.exe
Token: SeBackupPrivilege	1480	WMIC.exe
Token: SeRestorePrivilege	1480	WMIC.exe
Token: SeShutdownPrivilege	1480	WMIC.exe
Token: SeDebugPrivilege	1480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1480	WMIC.exe
Token: SeRemoteShutdownPrivilege	1480	WMIC.exe
Token: SeUndockPrivilege	1480	WMIC.exe
Token: SeManageVolumePrivilege	1480	WMIC.exe
Token: 33	1480	WMIC.exe
Token: 34	1480	WMIC.exe
Token: 35	1480	WMIC.exe
Token: 36	1480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3492	WMIC.exe
Token: SeSecurityPrivilege	3492	WMIC.exe
Token: SeTakeOwnershipPrivilege	3492	WMIC.exe
Token: SeLoadDriverPrivilege	3492	WMIC.exe
Token: SeSystemProfilePrivilege	3492	WMIC.exe
Token: SeSystemtimePrivilege	3492	WMIC.exe
Token: SeProfSingleProcessPrivilege	3492	WMIC.exe
Token: SeIncBasePriorityPrivilege	3492	WMIC.exe
Token: SeCreatePagefilePrivilege	3492	WMIC.exe
Token: SeBackupPrivilege	3492	WMIC.exe
Token: SeRestorePrivilege	3492	WMIC.exe
Token: SeShutdownPrivilege	3492	WMIC.exe
Token: SeDebugPrivilege	3492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3492	WMIC.exe
Token: SeRemoteShutdownPrivilege	3492	WMIC.exe
Token: SeUndockPrivilege	3492	WMIC.exe
Token: SeManageVolumePrivilege	3492	WMIC.exe
Token: 33	3492	WMIC.exe
Token: 34	3492	WMIC.exe
Token: 35	3492	WMIC.exe
Token: 36	3492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1480	WMIC.exe
Token: SeSecurityPrivilege	1480	WMIC.exe
Token: SeTakeOwnershipPrivilege	1480	WMIC.exe
Token: SeLoadDriverPrivilege	1480	WMIC.exe
Token: SeSystemProfilePrivilege	1480	WMIC.exe
Token: SeSystemtimePrivilege	1480	WMIC.exe
Token: SeProfSingleProcessPrivilege	1480	WMIC.exe
Token: SeIncBasePriorityPrivilege	1480	WMIC.exe
Token: SeCreatePagefilePrivilege	1480	WMIC.exe
Token: SeBackupPrivilege	1480	WMIC.exe
Token: SeRestorePrivilege	1480	WMIC.exe
Token: SeShutdownPrivilege	1480	WMIC.exe
Token: SeDebugPrivilege	1480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1480	WMIC.exe
Token: SeRemoteShutdownPrivilege	1480	WMIC.exe
Token: SeUndockPrivilege	1480	WMIC.exe
Token: SeManageVolumePrivilege	1480	WMIC.exe
Token: 33	1480	WMIC.exe
Token: 34	1480	WMIC.exe
Token: 35	1480	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exesvchost.execmd.execmd.exe

description	pid	Process	procid_target
PID 3512 wrote to memory of 1528	3512	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	88
PID 3512 wrote to memory of 1528	3512	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	88
PID 3512 wrote to memory of 1528	3512	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	88
PID 3512 wrote to memory of 4472	3512	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	89
PID 3512 wrote to memory of 4472	3512	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	89
PID 3512 wrote to memory of 4472	3512	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	89
PID 3512 wrote to memory of 4472	3512	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	89
PID 3512 wrote to memory of 4472	3512	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	89
PID 3512 wrote to memory of 4472	3512	0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe	89
PID 1528 wrote to memory of 4508	1528	svchost.exe	103
PID 1528 wrote to memory of 4508	1528	svchost.exe	103
PID 1528 wrote to memory of 4508	1528	svchost.exe	103
PID 1528 wrote to memory of 4616	1528	svchost.exe	105
PID 1528 wrote to memory of 4616	1528	svchost.exe	105
PID 1528 wrote to memory of 4616	1528	svchost.exe	105
PID 1528 wrote to memory of 4672	1528	svchost.exe	104
PID 1528 wrote to memory of 4672	1528	svchost.exe	104
PID 1528 wrote to memory of 4672	1528	svchost.exe	104
PID 1528 wrote to memory of 5020	1528	svchost.exe	106
PID 1528 wrote to memory of 5020	1528	svchost.exe	106
PID 1528 wrote to memory of 5020	1528	svchost.exe	106
PID 1528 wrote to memory of 444	1528	svchost.exe	112
PID 1528 wrote to memory of 444	1528	svchost.exe	112
PID 1528 wrote to memory of 444	1528	svchost.exe	112
PID 1528 wrote to memory of 4236	1528	svchost.exe	110
PID 1528 wrote to memory of 4236	1528	svchost.exe	110
PID 1528 wrote to memory of 4236	1528	svchost.exe	110
PID 1528 wrote to memory of 3912	1528	svchost.exe	115
PID 1528 wrote to memory of 3912	1528	svchost.exe	115
PID 1528 wrote to memory of 3912	1528	svchost.exe	115
PID 4508 wrote to memory of 1480	4508	cmd.exe	116
PID 4508 wrote to memory of 1480	4508	cmd.exe	116
PID 4508 wrote to memory of 1480	4508	cmd.exe	116
PID 4236 wrote to memory of 3492	4236	cmd.exe	117
PID 4236 wrote to memory of 3492	4236	cmd.exe	117
PID 4236 wrote to memory of 3492	4236	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe
"C:\Users\Admin\AppData\Local\Temp\0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:444
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3912
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:4472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
728B

MD5
a115ab8dafff2ba9ef773c5c4c282723

SHA1
c0391d76dbba79176905fdffdd865053e7892ac7

SHA256
2b14412e5c2bed1e3c8a3414a403366a9ad377d228434d147ab16aba1124cbd4

SHA512
d7df5525ee4b6ee6796f005c1146634f122043183e6bf901d5575f82197f6d876bb01e29c02c7d7171cdddb1fa96ed5b15bcbb32b78d7c780d7cf0b0dec70599

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
472B

MD5
451c60aee59ebd445876be838648d763

SHA1
8b14d0202ca7666f6419ebec052777632880d15c

SHA256
3aead2c16852aa9b1307ee68ebf5579c568c0f776bae0a0262b42b8b1056dc44

SHA512
80d955ef97db08f8cb5d073600fc725fe9c2b65753b299430de2a2acee9aa8573772418e0a3f3908b05f3e5d45ffed399ec3012cb424378a2d45f96ba102a486

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
471B

MD5
ddb0f5f29483e3a5e3a152893bc363a9

SHA1
36c603ad11d23f33041039d3bd9eee47db013768

SHA256
4fab56d7bc76e0393be1bca6d52b7cb778424bf99e1efbc1725b44cdd557764b

SHA512
580401ebbe4eab757884badb51e5f650ec558bc09b2ae92cc47669061c13f9389a9a951ead537a79382b13d066515ced1c3a8557da6a8d287fc1bb16ee23a9bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
398B

MD5
026b33309bcee97b4bb917acb99b27b7

SHA1
890608c0fa936905ec6cffb2f026946f8531a691

SHA256
ae4df3d6dc417f4af91b82ec28489960513723076ae1d350194c29a556f2709b

SHA512
d760f0f291d6fbbdd6b124647f2874465635e4b3e4083c3a550a506f07b7c31b53456b6b8c8dec4d5f7d859ace2b8ea6c36e868036b07450326d5d792e4c6b76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
402B

MD5
8d2865c5e9b8db5ae1570cd5f587fedb

SHA1
98de8f255e43f393ae8d063457092de1c38a19a5

SHA256
784f1732f71f230b4da395057f52e89a30151c03b603a35ff29b80c43d6ddabf

SHA512
ee1352d28d7f743f96cf56e14faf71ca48bbacc3a697b069e4b409af8bf1c5f14028b8e3667ad8d0d9d0fa3c295a7435eaab7a7ab75ab61b2d09ab89d71541b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
396B

MD5
bfcca107730a79b8f0401764cc7a0c29

SHA1
8a1994f4fa55f1b7f0c4075e3aff6e8effca4aad

SHA256
b2bfb608720ff211bc21fe259392d89feea1b3bb2e1fdfcc9475c0fecf680d8e

SHA512
584252eddb101a488023ababb6de451a44ae3225b910631e3124fe695f3667be35df7c5f28cdb71c8ee8d34429b3be561580822cd0b7c561ff8a6ce70dce20bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1RDBARVA\5RKAGGDM.htm

Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\558DW1ID\DDU48KUI.htm

Filesize
18KB

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
423KB

MD5
b8546e288ba47f4be8615e73d26f2215

SHA1
0204fc6d8f011efc4ba2fafe5bf5ba7bbb2be50e

SHA256
0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6

SHA512
29f91d6b359eb9115414726d2444187864f13904efd0653a8500dfd608a9598b08b3cee86503dd2fee507f6e3aff98773b5c46bab14dbfa880c5aa47c79e32f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
423KB

MD5
b8546e288ba47f4be8615e73d26f2215

SHA1
0204fc6d8f011efc4ba2fafe5bf5ba7bbb2be50e

SHA256
0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6

SHA512
29f91d6b359eb9115414726d2444187864f13904efd0653a8500dfd608a9598b08b3cee86503dd2fee507f6e3aff98773b5c46bab14dbfa880c5aa47c79e32f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
423KB

MD5
b8546e288ba47f4be8615e73d26f2215

SHA1
0204fc6d8f011efc4ba2fafe5bf5ba7bbb2be50e

SHA256
0a49373e97366040658acf1971695740342c623beab93fc493cb2dadda5814e6

SHA512
29f91d6b359eb9115414726d2444187864f13904efd0653a8500dfd608a9598b08b3cee86503dd2fee507f6e3aff98773b5c46bab14dbfa880c5aa47c79e32f4

Download Submit
memory/444-154-0x0000000000000000-mapping.dmp

Download
memory/1480-158-0x0000000000000000-mapping.dmp

Download
memory/1528-140-0x00000000024D0000-0x000000000267A000-memory.dmp

Filesize
1.7MB

Download
memory/1528-136-0x0000000000000000-mapping.dmp

Download
memory/1528-142-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/3492-160-0x0000000000000000-mapping.dmp

Download
memory/3512-134-0x0000000002520000-0x00000000026CA000-memory.dmp

Filesize
1.7MB

Download
memory/3512-135-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/3912-156-0x0000000000000000-mapping.dmp

Download
memory/3912-161-0x0000000000400000-0x00000000005B0000-memory.dmp

Filesize
1.7MB

Download
memory/4236-155-0x0000000000000000-mapping.dmp

Download
memory/4472-139-0x0000000000000000-mapping.dmp

Download
memory/4508-150-0x0000000000000000-mapping.dmp

Download
memory/4616-151-0x0000000000000000-mapping.dmp

Download
memory/4672-152-0x0000000000000000-mapping.dmp

Download
memory/5020-153-0x0000000000000000-mapping.dmp

Download