buran | b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa

Analysis

max time kernel
152s
max time network
140s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe
Size

212KB
MD5

3ac926d3bca5450ce48d10c253700ae4
SHA1

0a918e434b1f8e125fb23a71c7317e6b16f3df23
SHA256

b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa
SHA512

ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 410-0DD-8DB Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

smss.exesmss.exe

pid process

432 smss.exe
1748 smss.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1336 notepad.exe

pid	process
1336	notepad.exe

Loads dropped DLL 2 IoCs

Processes:

b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe

pid	process
1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe
1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\L:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 geoiptool.com

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\trusted.libraries	smss.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105276.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Fortaleza	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099169.WMF.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232803.WMF.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\cursors.properties.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Panama.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06200_.WMF.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00252_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105388.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107494.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5.410-0DD-8DB	smss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01143_.WMF.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185774.WMF.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239063.WMF	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198372.WMF.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00046_.WMF.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099195.GIF.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185834.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00173_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233665.WMF.410-0DD-8DB	smss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107482.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297229.WMF.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Detroit.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00135_.GIF.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml.410-0DD-8DB	smss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_ja.jar.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Rothera.410-0DD-8DB	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Enderbury	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04326_.WMF	smss.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\WMM2CLIP.dll.mui	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2024 vssadmin.exe
1548 vssadmin.exe

pid	process
2024	vssadmin.exe
1548	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

smss.exeb0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

smss.exe

pid	process
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe
432	smss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe
Token: SeDebugPrivilege	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe
Token: SeIncreaseQuotaPrivilege	1996	WMIC.exe
Token: SeSecurityPrivilege	1996	WMIC.exe
Token: SeTakeOwnershipPrivilege	1996	WMIC.exe
Token: SeLoadDriverPrivilege	1996	WMIC.exe
Token: SeSystemProfilePrivilege	1996	WMIC.exe
Token: SeSystemtimePrivilege	1996	WMIC.exe
Token: SeProfSingleProcessPrivilege	1996	WMIC.exe
Token: SeIncBasePriorityPrivilege	1996	WMIC.exe
Token: SeCreatePagefilePrivilege	1996	WMIC.exe
Token: SeBackupPrivilege	1996	WMIC.exe
Token: SeRestorePrivilege	1996	WMIC.exe
Token: SeShutdownPrivilege	1996	WMIC.exe
Token: SeDebugPrivilege	1996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1996	WMIC.exe
Token: SeRemoteShutdownPrivilege	1996	WMIC.exe
Token: SeUndockPrivilege	1996	WMIC.exe
Token: SeManageVolumePrivilege	1996	WMIC.exe
Token: 33	1996	WMIC.exe
Token: 34	1996	WMIC.exe
Token: 35	1996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1136	WMIC.exe
Token: SeSecurityPrivilege	1136	WMIC.exe
Token: SeTakeOwnershipPrivilege	1136	WMIC.exe
Token: SeLoadDriverPrivilege	1136	WMIC.exe
Token: SeSystemProfilePrivilege	1136	WMIC.exe
Token: SeSystemtimePrivilege	1136	WMIC.exe
Token: SeProfSingleProcessPrivilege	1136	WMIC.exe
Token: SeIncBasePriorityPrivilege	1136	WMIC.exe
Token: SeCreatePagefilePrivilege	1136	WMIC.exe
Token: SeBackupPrivilege	1136	WMIC.exe
Token: SeRestorePrivilege	1136	WMIC.exe
Token: SeShutdownPrivilege	1136	WMIC.exe
Token: SeDebugPrivilege	1136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1136	WMIC.exe
Token: SeRemoteShutdownPrivilege	1136	WMIC.exe
Token: SeUndockPrivilege	1136	WMIC.exe
Token: SeManageVolumePrivilege	1136	WMIC.exe
Token: 33	1136	WMIC.exe
Token: 34	1136	WMIC.exe
Token: 35	1136	WMIC.exe
Token: SeBackupPrivilege	1948	vssvc.exe
Token: SeRestorePrivilege	1948	vssvc.exe
Token: SeAuditPrivilege	1948	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1996	WMIC.exe
Token: SeSecurityPrivilege	1996	WMIC.exe
Token: SeTakeOwnershipPrivilege	1996	WMIC.exe
Token: SeLoadDriverPrivilege	1996	WMIC.exe
Token: SeSystemProfilePrivilege	1996	WMIC.exe
Token: SeSystemtimePrivilege	1996	WMIC.exe
Token: SeProfSingleProcessPrivilege	1996	WMIC.exe
Token: SeIncBasePriorityPrivilege	1996	WMIC.exe
Token: SeCreatePagefilePrivilege	1996	WMIC.exe
Token: SeBackupPrivilege	1996	WMIC.exe
Token: SeRestorePrivilege	1996	WMIC.exe
Token: SeShutdownPrivilege	1996	WMIC.exe
Token: SeDebugPrivilege	1996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1996	WMIC.exe
Token: SeRemoteShutdownPrivilege	1996	WMIC.exe
Token: SeUndockPrivilege	1996	WMIC.exe
Token: SeManageVolumePrivilege	1996	WMIC.exe
Token: 33	1996	WMIC.exe
Token: 34	1996	WMIC.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exesmss.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 432	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe	smss.exe
PID 1976 wrote to memory of 432	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe	smss.exe
PID 1976 wrote to memory of 432	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe	smss.exe
PID 1976 wrote to memory of 432	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe	smss.exe
PID 1976 wrote to memory of 1336	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe	notepad.exe
PID 1976 wrote to memory of 1336	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe	notepad.exe
PID 1976 wrote to memory of 1336	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe	notepad.exe
PID 1976 wrote to memory of 1336	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe	notepad.exe
PID 1976 wrote to memory of 1336	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe	notepad.exe
PID 1976 wrote to memory of 1336	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe	notepad.exe
PID 1976 wrote to memory of 1336	1976	b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe	notepad.exe
PID 432 wrote to memory of 1944	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1944	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1944	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1944	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1060	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1060	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1060	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1060	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1484	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1484	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1484	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1484	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1012	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1012	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1012	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1012	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1604	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1604	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1604	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1604	432	smss.exe	cmd.exe
PID 432 wrote to memory of 888	432	smss.exe	cmd.exe
PID 432 wrote to memory of 888	432	smss.exe	cmd.exe
PID 432 wrote to memory of 888	432	smss.exe	cmd.exe
PID 432 wrote to memory of 888	432	smss.exe	cmd.exe
PID 432 wrote to memory of 1748	432	smss.exe	smss.exe
PID 432 wrote to memory of 1748	432	smss.exe	smss.exe
PID 432 wrote to memory of 1748	432	smss.exe	smss.exe
PID 432 wrote to memory of 1748	432	smss.exe	smss.exe
PID 1604 wrote to memory of 2024	1604	cmd.exe	vssadmin.exe
PID 1604 wrote to memory of 2024	1604	cmd.exe	vssadmin.exe
PID 1604 wrote to memory of 2024	1604	cmd.exe	vssadmin.exe
PID 1604 wrote to memory of 2024	1604	cmd.exe	vssadmin.exe
PID 1944 wrote to memory of 1996	1944	cmd.exe	WMIC.exe
PID 1944 wrote to memory of 1996	1944	cmd.exe	WMIC.exe
PID 1944 wrote to memory of 1996	1944	cmd.exe	WMIC.exe
PID 1944 wrote to memory of 1996	1944	cmd.exe	WMIC.exe
PID 888 wrote to memory of 1136	888	cmd.exe	WMIC.exe
PID 888 wrote to memory of 1136	888	cmd.exe	WMIC.exe
PID 888 wrote to memory of 1136	888	cmd.exe	WMIC.exe
PID 888 wrote to memory of 1136	888	cmd.exe	WMIC.exe
PID 888 wrote to memory of 1548	888	cmd.exe	vssadmin.exe
PID 888 wrote to memory of 1548	888	cmd.exe	vssadmin.exe
PID 888 wrote to memory of 1548	888	cmd.exe	vssadmin.exe
PID 888 wrote to memory of 1548	888	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe
"C:\Users\Admin\AppData\Local\Temp\b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1060

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1012

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1336

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
728B

MD5
a8575668e1372b390fc48b66572a8037

SHA1
4485fa56ac88b088be6b6227c8373ca8123801f4

SHA256
9b6a9dc08bd9e4d17dccce4dbfb5e36ded90bfd9dbf3df5fdd150f1a42f2e129

SHA512
4e7495f9c3fb716f314991f98a93b424917f619e05bec0ee33af952d3b1f13253d8ba506178522ffb104e2704832653346055f36dbf4d06657d6c74f325b33dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46
Filesize
472B

MD5
d3b21910cf775269669c13b1efd05bb9

SHA1
f88bc10b19fe1ba6ff79cdade3d1982c89b93415

SHA256
b74112546a623ecc82f35e55948c75034dcef590be00d112fc4650de8ffd0a1b

SHA512
e888e10841f0f9083c4a475022df388ddb7a42a817cb9fc46cdce4a9a349d67cdd2cc8a65d471b6cd0efd1ccc913a8d0f92c91c364d3c0d9f0bf03be8dc45dac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
471B

MD5
c04f441d0220712231531a90823834db

SHA1
68dd18f1e0c51f1fdc4621394091a2dad08e4a08

SHA256
055641d3987ae98e2dd627d3214ea8084ae773a3df9592191b86977c752a29e7

SHA512
3156cf79585a45d919d4b27da4fe860f06e3206961fe1d20347ad74ef17de81c47857f35acd5cda3fae5ade28ab9747529ea3e8e79ca80aaf98e1f0e852bed53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
398B

MD5
e04f73bb9dbf89a18f40007200b963e9

SHA1
8ecab4cb9fde54fe28d95c83e917310fe20b0cf8

SHA256
bf22892db78123522eacf411937de8b793d349239db3bebfca05af3c8d8b51cc

SHA512
d6fff74f5858f9d4fa5068ac6073bd707592b2c33e59a78216d33d9e8fa5e5ae79fc0ff4b24e31143f8b936cd5de90cf72cf0c2dcf103bd52d281d0e720d79ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46
Filesize
402B

MD5
79a8861d23f1eaccd73dda90042514ff

SHA1
d9b57418b358893b1d580e057896b2eb051e57e0

SHA256
5522d216934499b3ac24ce987d33f886eab6ba9c811372c4aa87d2ae65dac8ed

SHA512
dc45f615260d6145f4a3c37fab1ba1c4293024f35c8d58bda5cd4de0f9f751c56c721c26830d484b5f4f9cd804a0113616217e2132d7a1272d4ed56ef69eb224

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
53a0e50c7321583eed33f54802763209

SHA1
01fd8add730fb5717b59fa866625d4ade5a6df28

SHA256
273bc855e22124ad5255a057b822ffb7c051732c83416e28fbacfb387c607c02

SHA512
1f89612fe7dfd14eb2d05128aeacffe405b71bc4ced634da1789aeb688b0feed396e669ab00c60969e8c21ff348041ecb83b856a8aef56090f0e24992f05613d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
396B

MD5
38677a27cfb8628c1cfcfd64735aed55

SHA1
d4d82c2172a21e5bf9aef8ca169fa6343f5c48e5

SHA256
5aafaf609e452351069465d9205eaa2e2edfaec78c1c2538822ab1e7c6e44010

SHA512
92b0a4fcc9f68cfdd9c2d1ad44350c7e0f2e14ac8cf0a5854cda124caf90529aaaef879cbb22208afdab15f954710b663bea18c4a3d9735733fc89365a50677a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J2W67U9P\5USRIEZA.htm
Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TXH4GM54\IED8J72Y.htm
Filesize
18KB

MD5
19cb5295e21160d78213d3ccc33b8f75

SHA1
d70bc890627b2dd33479eff5d2ffc8aff40a534b

SHA256
7810c957fdddcb7e1477957c0b1f6e90cbaf2bec084ede2a9aa5190d131084c8

SHA512
5b437b9055cdb29e0074fe493c2281af5f6bc4697e6f60d22329fa606c09bd4ffe8c0e50f98c2a12233eac00c480bc38ded1d8431ed771a4495955d865607c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
Filesize
212KB

MD5
3ac926d3bca5450ce48d10c253700ae4

SHA1
0a918e434b1f8e125fb23a71c7317e6b16f3df23

SHA256
b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa

SHA512
ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
Filesize
212KB

MD5
3ac926d3bca5450ce48d10c253700ae4

SHA1
0a918e434b1f8e125fb23a71c7317e6b16f3df23

SHA256
b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa

SHA512
ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
Filesize
212KB

MD5
3ac926d3bca5450ce48d10c253700ae4

SHA1
0a918e434b1f8e125fb23a71c7317e6b16f3df23

SHA256
b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa

SHA512
ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
Filesize
212KB

MD5
3ac926d3bca5450ce48d10c253700ae4

SHA1
0a918e434b1f8e125fb23a71c7317e6b16f3df23

SHA256
b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa

SHA512
ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
Filesize
212KB

MD5
3ac926d3bca5450ce48d10c253700ae4

SHA1
0a918e434b1f8e125fb23a71c7317e6b16f3df23

SHA256
b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa

SHA512
ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5

Download Submit
memory/432-57-0x0000000000000000-mapping.dmp

Download
memory/888-77-0x0000000000000000-mapping.dmp

Download
memory/1012-75-0x0000000000000000-mapping.dmp

Download
memory/1060-73-0x0000000000000000-mapping.dmp

Download
memory/1136-85-0x0000000000000000-mapping.dmp

Download
memory/1336-60-0x0000000000000000-mapping.dmp

Download
memory/1484-74-0x0000000000000000-mapping.dmp

Download
memory/1548-86-0x0000000000000000-mapping.dmp

Download
memory/1604-76-0x0000000000000000-mapping.dmp

Download
memory/1748-79-0x0000000000000000-mapping.dmp

Download
memory/1944-72-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1996-84-0x0000000000000000-mapping.dmp

Download
memory/2024-82-0x0000000000000000-mapping.dmp

Download