buran | cacd10b8c69270ec77d67d8b4d7fc1081ca247200e650f93a2a6e1b9c1c85e37

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caa499836c5e5fae87726b57d63cc554.exe
Size

334KB
MD5

caa499836c5e5fae87726b57d63cc554
SHA1

7a820dd7549516edbf6f333ff2e4b7a21b63da96
SHA256

cacd10b8c69270ec77d67d8b4d7fc1081ca247200e650f93a2a6e1b9c1c85e37
SHA512

e6c8074aa183e407f3054fc07528576379d1980e97f17e7c4c10673c700a0a2af1354eb7484f9b33bebaa7e7fc04a0bcd2831ba6dcaf62da8c461e2672359b10
SSDEEP

6144:igDsJ4kjHjjB0kATn3+65WffjAS0bBU4T3NY20hqYIyse5z:I6kjHjF0dnO6UXjUBPzNNGqJyLt

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 590$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 153-CFD-14C Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2856-2-0x0000000000220000-0x0000000000257000-memory.dmp	family_zeppelin
behavioral1/memory/2856-3-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/2856-15-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/2616-19-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/2616-82-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/908-175-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/612-305-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/2616-3432-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/612-10994-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/612-23016-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/612-25667-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/612-29378-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/612-30521-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin
behavioral1/memory/2616-30545-0x0000000000400000-0x00000000023BE000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7357) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 3 IoCs

Processes:

smss.exesmss.exesmss.exe

pid process

2616 smss.exe
612 smss.exe
908 smss.exe
Loads dropped DLL 2 IoCs

Processes:

caa499836c5e5fae87726b57d63cc554.exe

pid process

2856 caa499836c5e5fae87726b57d63cc554.exe
2856 caa499836c5e5fae87726b57d63cc554.exe

pid	process
2616	smss.exe
612	smss.exe
908	smss.exe

pid	process
2856	caa499836c5e5fae87726b57d63cc554.exe
2856	caa499836c5e5fae87726b57d63cc554.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

caa499836c5e5fae87726b57d63cc554.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	caa499836c5e5fae87726b57d63cc554.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\L:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

16 iplogger.org
18 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 geoiptool.com

flow	ioc
16	iplogger.org
18	iplogger.org

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar.payfast.153-CFD-14C	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02404_.WMF.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN011.XML.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Contacts.accdt.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00265_.WMF.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106958.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01842_.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTS.ICO.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\RADAR.WAV	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\.lastModified	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152610.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143752.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.DPV.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar	smss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\ELPHRG01.WAV	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21314_.GIF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14996_.GIF	smss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy	smss.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212751.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00911_.WMF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\dailymotion.luac.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition.fdt.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Chita	smss.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01473_.WMF	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153047.WMF	smss.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18228_.WMF.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosefont.gif	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL048.XML	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086420.WMF.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMASTHD.DPV.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar.payfast.153-CFD-14C	smss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01329_.WMF.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar.payfast.153-CFD-14C	smss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG.payfast.153-CFD-14C	smss.exe

Drops file in Windows directory 1 IoCs

Processes:

smss.exe

description ioc process

File created C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1172 vssadmin.exe

description	ioc	process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe

pid	process
1172	vssadmin.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

smss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	smss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	smss.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

WMIC.exevssvc.exesmss.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	452	WMIC.exe
Token: SeSecurityPrivilege	452	WMIC.exe
Token: SeTakeOwnershipPrivilege	452	WMIC.exe
Token: SeLoadDriverPrivilege	452	WMIC.exe
Token: SeSystemProfilePrivilege	452	WMIC.exe
Token: SeSystemtimePrivilege	452	WMIC.exe
Token: SeProfSingleProcessPrivilege	452	WMIC.exe
Token: SeIncBasePriorityPrivilege	452	WMIC.exe
Token: SeCreatePagefilePrivilege	452	WMIC.exe
Token: SeBackupPrivilege	452	WMIC.exe
Token: SeRestorePrivilege	452	WMIC.exe
Token: SeShutdownPrivilege	452	WMIC.exe
Token: SeDebugPrivilege	452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	452	WMIC.exe
Token: SeRemoteShutdownPrivilege	452	WMIC.exe
Token: SeUndockPrivilege	452	WMIC.exe
Token: SeManageVolumePrivilege	452	WMIC.exe
Token: 33	452	WMIC.exe
Token: 34	452	WMIC.exe
Token: 35	452	WMIC.exe
Token: SeIncreaseQuotaPrivilege	452	WMIC.exe
Token: SeSecurityPrivilege	452	WMIC.exe
Token: SeTakeOwnershipPrivilege	452	WMIC.exe
Token: SeLoadDriverPrivilege	452	WMIC.exe
Token: SeSystemProfilePrivilege	452	WMIC.exe
Token: SeSystemtimePrivilege	452	WMIC.exe
Token: SeProfSingleProcessPrivilege	452	WMIC.exe
Token: SeIncBasePriorityPrivilege	452	WMIC.exe
Token: SeCreatePagefilePrivilege	452	WMIC.exe
Token: SeBackupPrivilege	452	WMIC.exe
Token: SeRestorePrivilege	452	WMIC.exe
Token: SeShutdownPrivilege	452	WMIC.exe
Token: SeDebugPrivilege	452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	452	WMIC.exe
Token: SeRemoteShutdownPrivilege	452	WMIC.exe
Token: SeUndockPrivilege	452	WMIC.exe
Token: SeManageVolumePrivilege	452	WMIC.exe
Token: 33	452	WMIC.exe
Token: 34	452	WMIC.exe
Token: 35	452	WMIC.exe
Token: SeBackupPrivilege	1304	vssvc.exe
Token: SeRestorePrivilege	1304	vssvc.exe
Token: SeAuditPrivilege	1304	vssvc.exe
Token: SeDebugPrivilege	2616	smss.exe
Token: SeDebugPrivilege	2616	smss.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

caa499836c5e5fae87726b57d63cc554.exesmss.execmd.execmd.exe

description	pid	process	target process
PID 2856 wrote to memory of 2616	2856	caa499836c5e5fae87726b57d63cc554.exe	smss.exe
PID 2856 wrote to memory of 2616	2856	caa499836c5e5fae87726b57d63cc554.exe	smss.exe
PID 2856 wrote to memory of 2616	2856	caa499836c5e5fae87726b57d63cc554.exe	smss.exe
PID 2856 wrote to memory of 2616	2856	caa499836c5e5fae87726b57d63cc554.exe	smss.exe
PID 2616 wrote to memory of 2068	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 2068	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 2068	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 2068	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 1704	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 1704	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 1704	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 1704	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 2776	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 2776	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 2776	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 2776	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 348	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 348	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 348	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 348	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 2364	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 2364	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 2364	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 2364	2616	smss.exe	cmd.exe
PID 2616 wrote to memory of 612	2616	smss.exe	smss.exe
PID 2616 wrote to memory of 612	2616	smss.exe	smss.exe
PID 2616 wrote to memory of 612	2616	smss.exe	smss.exe
PID 2616 wrote to memory of 612	2616	smss.exe	smss.exe
PID 2616 wrote to memory of 908	2616	smss.exe	smss.exe
PID 2616 wrote to memory of 908	2616	smss.exe	smss.exe
PID 2616 wrote to memory of 908	2616	smss.exe	smss.exe
PID 2616 wrote to memory of 908	2616	smss.exe	smss.exe
PID 2068 wrote to memory of 452	2068	cmd.exe	WMIC.exe
PID 2068 wrote to memory of 452	2068	cmd.exe	WMIC.exe
PID 2068 wrote to memory of 452	2068	cmd.exe	WMIC.exe
PID 2068 wrote to memory of 452	2068	cmd.exe	WMIC.exe
PID 2364 wrote to memory of 1172	2364	cmd.exe	vssadmin.exe
PID 2364 wrote to memory of 1172	2364	cmd.exe	vssadmin.exe
PID 2364 wrote to memory of 1172	2364	cmd.exe	vssadmin.exe
PID 2364 wrote to memory of 1172	2364	cmd.exe	vssadmin.exe
PID 2616 wrote to memory of 2200	2616	smss.exe	notepad.exe
PID 2616 wrote to memory of 2200	2616	smss.exe	notepad.exe
PID 2616 wrote to memory of 2200	2616	smss.exe	notepad.exe
PID 2616 wrote to memory of 2200	2616	smss.exe	notepad.exe
PID 2616 wrote to memory of 2200	2616	smss.exe	notepad.exe
PID 2616 wrote to memory of 2200	2616	smss.exe	notepad.exe
PID 2616 wrote to memory of 2200	2616	smss.exe	notepad.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\caa499836c5e5fae87726b57d63cc554.exe
"C:\Users\Admin\AppData\Local\Temp\caa499836c5e5fae87726b57d63cc554.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1172
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:612
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:908
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
1KB

MD5
d7e516d8689191c81bd7d3769c7aa1e7

SHA1
98b9546b375571239d3d7222e4458b39b6e808bd

SHA256
ea5238c9116a31c5dae31224d274c94d02aebb5ae45a8e09a40ff398bb579c79

SHA512
a360ed66a9c20317dc062bb7fba426a34dca2c057e54b482018af7d89e7e1b1b870cd77f615cfe6f43b8218e08e335966b156511af5e6fe620165088a3bdad2f

Download Submit
C:\MSOCache\.Zeppelin

Filesize
513B

MD5
3500e12e6042b08a719fc254b8d4b5a7

SHA1
c40897902d66861587afbbb129cd27817d06c2cb

SHA256
55c8fb194089135ca59bcbaa227d3b1ed7d60cf8cf643378779aa63302cf982a

SHA512
ed0f692ba5d2f25298e5e08c5dbd39c081b074683326c1cbfb3e5558fb9ce898c33364896c0842b3ed1529c6074c35aa238facdc8bcea0ff997408feb712540b

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
57353f718aebc6acceee61258c45a3b8

SHA1
9019026a105009d07fd7d5d505595af6500bda74

SHA256
652cf47578563c0472ad65ecbec4bc7d7ee58cfa70de0d03a534b50315328566

SHA512
9ea423356d464932aef0af5ec5b65ba69c2541f9973533600370110d9c1ad08dbca5005c49e618c795d5ff063fa00954839ab6e4860f2468b530699e6edef30d

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
fae2df1f44ff79696d6b7571e07eb461

SHA1
e6a348680c6948ab1bdce4334ecb81ca7dc0e28d

SHA256
1c3ac61c8363f539193bf2c45b5a7d8302e505f17c550ca0966b8a7eb749dd63

SHA512
23010d8310f49a5bb3af7779eadb8b67e0c4b64296907cfd790e093473a71400f78d2d9ba58fdc4b509387c9b5a86f28bf02bfd835d414f88264d2b5749a2fcf

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca

Filesize
6KB

MD5
acc1ab7536c494edbc102264ba1dbe92

SHA1
1f2cc356938c636c262052491fbae5ff1433e0f8

SHA256
b954ee1d0f3e7fa5120048544ee5247026b664c4c413e0439beddd68affd0f6d

SHA512
99d32017cfae7c8e42055fc662a1ece055e8d7668fded63c76591cf1a5e652dac790b641fc246be09b9c078e2f5e7f591745963eaf9e606e4f408a896f65d75a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
6529cee40d4eeabf16c09cf223eb6536

SHA1
5185efbec4d683a4badf348618972a4aabe7cd3c

SHA256
6ea84fa9af96e2a011beb3efb1128d3994b4dc32f8ba101c4c7c25aba7396528

SHA512
6101ddae16a1d5b175a5220f64e49d7377c97efd07f5695b345f4e1b0a196ea5138c8cb06ed098a3122b23c4637db53d01d10e0a62cabbdbc88576ef80e3203d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
99de544e14e587516198703e20e93fa4

SHA1
7546736bd1805c624c849b928a8796a410aa7a5b

SHA256
e4399c7bbdcdf77b68a8c2587a7ed07bac432845a03c464a4a8696036cb1bf55

SHA512
b688ae4c8fa51e374238d80aca493909bffa21850a6914a736d648af805b2062da144eca111da3fdc3ac72991f994c01eb1db12763f559dd184705095aad77be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
78KB

MD5
d96a66d9965bb04a4ab55aa2377b4bf9

SHA1
a1ea574ce00c5d3f9f84ed6d94216b37e1e7d221

SHA256
bbfcaeddc2b3e1792282698de8535b4d20f4e71d749bd4269903094a28f13e35

SHA512
32f2d01d50fc3db276b6817bda64b42be5f7e587c7570cdd1c26f3b390f342a66ecd66a038357c5d8ef5bb120d4fa16f4e65fbec69af38169b624dfa8063b923

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
592c609bb3f64947c0ef6bcea45bd89f

SHA1
cedd47292fab5282acc97fe5c0dc0ac0ff5108be

SHA256
1d7cc90569e01ba4ad84006b5c34980b5314fc1fed26af82b83013e6cc94f986

SHA512
4f4f42a52d17578c9db75874c779efd665f74335084f83e9a3761ddc9dc797f2d73e7f4931b481c4fce5439131616124f5633e5bf3c7f397da700ae1c35bccf7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp

Filesize
8KB

MD5
a2d5cbc739c99c67ea4e04ca7dfc1cc6

SHA1
431286381245e1b577a6102f35d4b46f0db8482b

SHA256
7350e7a75594e57bde3433f71972ee918ab2f29a7844b1b79e38891a4347964f

SHA512
432890f502e2efefc1866d538da849fdc8a754627fede0e69e6093a5d8326278c0598533370dca30fc615fd620db9bf0874f9a71186187027161c9d1d85c3df4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
6d236448a6ada265516c91548b745baa

SHA1
d718257731cd585dafde7cf733e93f2e00f35749

SHA256
7e4bc7546efb113d7e0e636116879c0860ceb284a2cd9c540415e84d8e873d2c

SHA512
0fc3d94418acbc4afc04d1470834cdacf24bf223a394ec641c3578479e13368a645cc3189b878a9a9e1fb7415401c6d4b1893600e98bc9f2113e4894a5ce8f3b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
1069cb21b887b57a57c698d5b38a39d4

SHA1
e540b93097413d5a6237b2a521fa8c90ddc93345

SHA256
165d11c6680261d0d292d518b079b7abad88f091d60709acc20f85b7ca035bd6

SHA512
980544d68e435a2ea90b1c9aa8e51f0132a6c443f2c74e559fc71867dc8ae94843f00ab20879b1fe2183b24d974d5d84961a72f356e1ccb49c54d748fb7514ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
419c6798c6ba8435f65264e077821e68

SHA1
79230d991a258df2bc493770dfaebd7fcdf8ea5b

SHA256
0a76e33b72cbdfedcef9756a783d03f0f9a3f33a48ac1c59836cab1a3c347058

SHA512
81ebe6a717eee55286a72a469410e2d9ce90d81ad4587095ead2b872b02302c9599258524da0a637a1bca716743001f5e0862856c077b1093a83c387732dcb97

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
78KB

MD5
cc32b5a7732ca8d863576e263befc8b2

SHA1
90859259a4817527f74974328093e099918b383b

SHA256
10e6d62c0fb7a1f35a9c0f22d34070c83b56faecdda55b96250618652d458ff6

SHA512
2474a933655a6e4b97030fd406b1024ef399f3959eebb1e39be94aa44338f8e9c1a8178dd5047ccea7f694fcf7786992e19eeef5eb6ff8c7d7089d232bbaa7af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
9fbae1fd05eb7422c52bd65914489c87

SHA1
9d914fcae67a1462f6b120fae6999bb4ce02ce08

SHA256
44404ce70f595b9d4d12473a057765775c8629d48b7c4ece4c13c7c4c0ddf67a

SHA512
a7db1870acf4dd83e51d24c2a17c9c6e585861447a0dec8a47daf6fa7905a5cb0144eed7b34bb478972946008d3362c8eacb3bb9d8cdb7aa76f1123e4c609e82

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html

Filesize
17KB

MD5
7b31b1e1aa4d6e7f4c36648cd9120150

SHA1
cf272ee1d620d4e90df55386ef7acc0cba47403d

SHA256
50f9a23cf4dd385b0d9b3ad2aa1d6b4e1cd5d2625211e1b3a012be89152acbcd

SHA512
66bad83b5f1af7817b4b4f6f6ee1ea1e69574c73c7029ae8209da339fae7a0587087c853cd8b459f9ed6a825bab71ca3f255c64b3ea243cd30fe7364a1e5c78a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties

Filesize
7KB

MD5
4e1f6eba2928aed5cdeac8766aac59cf

SHA1
b767930b72234555d67e21345b4e349aacbbb54b

SHA256
86ba06854b9446c892e2acae12c39d4d700ea5a4d01bcff79e40c486844dffcc

SHA512
c63b7395c89a53691b17df93f82bdfa2a77f09714ad0436016a6c05b4f05208143076bd703cbd1ca442a457f7f9d28beba012b712f0e3ab86e433ef63f03974e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
7KB

MD5
e8f9239a3396c9c1c1b5e4bac68c73bf

SHA1
54956832d5b3ebd3ff6a52319d9133d0c52988f2

SHA256
a20cd39b1ff2cd4971ecedb566621cb89716f357eb66bb1c543f2858142cbe60

SHA512
41a6e3973e223cd6c29e08ec494d5722dee8b86ef65c8f1597c38e8bbbd2d375daf5bcfc9f9cad2960a74ae4ebf408d183d20daee5d95027e2c5f8a68ce55532

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html

Filesize
10KB

MD5
dd188f156b0c164d9ef1b010c8059a08

SHA1
de042ff72b7032a4074225b4f5fe855f28a9f201

SHA256
e5835420f66f1dde43a56e2a4f1781caafab71b4f9f9bd10169a7355fb18e943

SHA512
8bb586dba682c2aa2621d8de66c3541a39af2b46cc21cb3932a6d954c4771b011728707763f66219cfeb134cdbb4beea07a52e955e46d113605d19f6e3c807ff

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
94de63cfb9a76938fbd2caedb1810769

SHA1
60ddf97c3d88cb5808c2c6074a0aa3b2d0e6e504

SHA256
c967b19f048b04a0494b4ff6268d7ccc0f4c18e0861b74e10bd5449e3897ebf6

SHA512
81bcf6cd2dd6f46fb92822d835767f3d4848e72acc6bf658ef7e712947b1c4a00f8be2cfe6b37b1a7cadaff68b08342b9a38e74ef7d0c1f98724318395a4c227

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
1ad2f8ba47b88882159fd1f10256d4fd

SHA1
24932361b785e329adc932f692db89dcb279d15e

SHA256
a75f51daf749b7270a2450b1484cac0b02a239d3acd5c89556af2576782f19e5

SHA512
055c41e88c75781df636fc5bea7c354360e4bae34d88d93a03e883fbf97d0c0a9ac16459577042144e626a86723313a9b3f4ae1a64674f6b85f30edbe7f96c44

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

Filesize
13KB

MD5
5037552ddcdc897d6a008f47a6b519ac

SHA1
35f7296d4db93224f13e60fa07d97a455d52d10b

SHA256
4d8b8e8a6d7b249d3cff6d28f3a633b483ab89143d1b8f4dc5c8c5ebbae5d96a

SHA512
9e21b6f9039af15b0bfc71e231948ed9f9eeed6c65bb00972e4983d39e5850d9dc4e3356da8d5d3038375fd8adc2954acfb448b3dfa3875d79843c9774e8422d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
f92088d2ad9454574076d0e675c176fd

SHA1
1b2a4d6879e3e9e5af06c4d884183b6e28d0965d

SHA256
ba987665b7f49b92302919a009b75d24c587ceffeee1075fdff82eca9e650430

SHA512
697b4071957e00b2bdcb4fe52a29fdf7b7decca1765f396492fd45e6418ba8b5847011c7dae1c2ae0e4cb2fb183357daeb1749f1df902e055cd036fd8242ea87

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

Filesize
604KB

MD5
b514018aaed90c03d705b233e5ef5bc3

SHA1
1823f42a623434a4c53fa1cdf235b423d8db18f7

SHA256
d1fb245cbc9437e7aa8a4d74e09488ae5c919e362449bba5d9907041f0c86857

SHA512
4d1a91b8aac13f4e719ead378f612d5ae18cb7a6ed317477ee14abb6d7052fe3890b29ddc52c43907688308c46458ebcc741766e15bc1d699b2fd2d205d3bb08

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

Filesize
605KB

MD5
8b09774d8028c32e9096792f3036ee69

SHA1
24aa804d3a56322b1860b5cf2b87d6d6b856488d

SHA256
522247272ac3f1cf10f7dd8f9e837e6ec2645fe30a543d741f39c2bdf1fe3bc2

SHA512
dfd54355371c1128320bf36a56ebd7e2cd31f1708a6bacade27307411b1fa1a2f4fb91e2f25c8044c08e1644f70ef61d9fb4be87c3a3fb83e07135cd39760f40

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
fb7223a1da84e573e7acd82fff13ba77

SHA1
a886e7a3cffaf560529f2f573c644a1a1ef052a2

SHA256
801e9516ebb9790921b92b1b7aedbe90d7f7122af88e627ae3d859e1a9163676

SHA512
38c36146a24ab7789246d970b64ca65a6cc7946982dfd2472f929a112a41ed4aa987515adb6f1af54b74cb2e55316c949d0774f92d315997522481dee8512170

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
5dbd17ef0146d7712fa28ca93dcd12a2

SHA1
947f8b72ca646ddae02930777c71b7b533101177

SHA256
0ea8e029e037c633e7714382bbf41a9f3bab61bd15f01cd50df58af5b5df70ff

SHA512
1e075f3e87e106d1597e0ae0e3a672a63bfef09aae093d3bca6ce8e4d5a6a2b9b47e056d03f53a10a8c33b2e90f0ae1d0479e221688b73b4e7e55c744a1b31ee

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
587KB

MD5
7628127564f6ce2e547544c3592395c9

SHA1
94c4563d20706f38221748859e51948aafda8f11

SHA256
ac1a1ee2364be297957ebcb1517e58283b6098d157e752f8baea47acbaa8f51c

SHA512
85b908a04580a86fe08042f02e7af1bdcfefaf6265ee48336959e77cba36e88e848135ff445f87a995d135bb38d9dfd969126c27882195799886e8e7ef52add7

Download Submit
C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo

Filesize
527KB

MD5
f49d2eb09794132b8e09c3c9d96d6eac

SHA1
ba1dda0f167f51dca1f30d0456602d1443c52279

SHA256
c4f69d27f0d9b749e0d15a0d215b2c5189c1650f132833d7850a31aebcf8b8f2

SHA512
8b72de515b36f653192d979f7187c95bdf14b5bd4ab5425f2c3406478f0f5e054cefbe67025fc3e2634ee1b437cb9b6d299bd32cf04d86f3ebcb341ed3afdbbc

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
764KB

MD5
630bb0b827fbadc5a1dc8cb728f14339

SHA1
eb27960f9b8fa2d25e7c704fd67c4402a4b9eefe

SHA256
776ecf15294402b7577093ae4619b452e0188865e28bb639a798c49b7d97771c

SHA512
264e5493f2cd57dfcd220114d6bd1f2d27609faa4bd70aba32f24f5d425a25b0be768f41e94082ec45573655bfa6f530d200fd2013c7fe9e8867abcf8b104a10

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
771KB

MD5
c6391efa5f5aed31201029af42f51ae0

SHA1
66d2123e6544d6f6219ffc1438af2c6e6bb381e6

SHA256
45d6ab886d807459c4bbb3191ef3503418fe1c4cfb9877c358e90039d9334b96

SHA512
94f30244fb6582d02930cd2c64ab604fa786b63c3b5e16df6e92f3ba80f6b0d69bd09b25aa36e81e1765e9ac7f1fe663f8ea2bd54a38a650728a770c7eabe2d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48213408f24d6c07ee871f70e50bb127

SHA1
0aebdcb9c8a0d5c30189943a4bf296a015ca4deb

SHA256
fac10b3ddd86eeef4e73c87f950f1c96efbf9a4336ec83c6ce389b27f7ce3a40

SHA512
3e3a49f3d7fbf0293a33db38c631641ca2103276a95fdf32d64e15d3128c9a9df004c5ccc769a251f6c27e7a6948c91aa2967fd9a939876ba1b34d7f86f10fbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c345eedf54b107a8f920b08f3a918b53

SHA1
d23219e55e959700e12d98946c7803e5ad88af36

SHA256
ebd83b460316c0db3ae90377b69c8ef840cb9cc3cc36317fe9a4e3335d314e1c

SHA512
2b5e3f3322433a3947abbd7f2ff1785f00bd74304eb35127385d507f0ffbb33df99e9effd9b70565573b0de7f341c9b6dfb5ddaf81454f4ec9bbf778ad4de278

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3940.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
256KB

MD5
8287915ec2f651c34b2df9a2d15d494b

SHA1
82184edb68895afb689f76dfb4565ff941edce80

SHA256
4288bce045ce15fbaf56a8d9e0a9fbc104c266cfb782efdf10ee62b4d43a2b36

SHA512
6be71c3c5c45d7e30f75a19e251df1cfe9eb31e176c29f39a64027796f7fc5c64659dda82fb81a479552451f316adec3575db10f9db13cc2ca6e67c9a57105f3

Download Submit
C:\Users\Admin\Desktop\ApproveUnblock.ps1.payfast.153-CFD-14C

Filesize
960KB

MD5
44d85eec5b6c222c821b18fd8d0cb984

SHA1
7d4aa16267f021daed17da20ade11fa18af1d992

SHA256
f221e1918ca1db3310240645705b07f00860fa5598152e19ba1ad1864f73cf0a

SHA512
317272c15b4407a508071216076e5bd654115f8e2552f060d50846d137d09668f6f46382ca54af9bf26e3020faa333a3e0a3a404f443cb056362dbb7f116d432

Download Submit
C:\Users\Admin\Desktop\DenyApprove.snd.payfast.153-CFD-14C

Filesize
928KB

MD5
640eb74bfb49a55ffee2592d0074b67c

SHA1
cc3214a99223fb217da6d4477656a463af212f20

SHA256
dee4d894426df4f3ec29bf405a3861cfddb5acf96cfc24b83fb813d3b4352d34

SHA512
c04ecbfe8a2dcb851677372dd250aba7c235a5dbbf2221b3b7c729aac542f8b97935af6d38d845ebb99f3055e080cc8709f324bab620765dd0b20ad134593439

Download Submit
C:\Users\Admin\Desktop\DenyConfirm.mp4.payfast.153-CFD-14C

Filesize
375KB

MD5
7f52af9a239aa0f8c641f283f4dec93f

SHA1
a72285edb012fbbbb000039b3c83c24e803c608e

SHA256
c434abb0a03ea61463ecb0a474da67af1a439101ec5342bbfaa2593bc146be26

SHA512
2af7d434f0fa9eb83c9f3f1f2edb5c2a59b4fc6df0f38d3f857787bfed29201c6a3266076f88a27e89a475c63efec93ac857d9c5797c4acaeccb0dece43fdc4a

Download Submit
C:\Users\Admin\Desktop\DismountConvert.mov.payfast.153-CFD-14C

Filesize
765KB

MD5
0808c12ab812538612197128c53b7520

SHA1
1ab1cb66ec3b8746f912d242aba0f01f158af62a

SHA256
e9809c002fd41a9d7ed1c66847dbcd0ba0d888e2785a85eff2de09b8fedecdbb

SHA512
bd1a99fa189061da3b029d1d2bc5dc89e5856479958a2e5075095a9a337c2bc54b7183aab6b56aba4c72f2db0de1e71634939b9c7562efbf0fbe2d67a365085f

Download Submit
C:\Users\Admin\Desktop\EditRegister.mht.payfast.153-CFD-14C

Filesize
505KB

MD5
47991ca0027e0455e0fb0519c39f938c

SHA1
fc8ec6a86de5f56c20fb966a1830f7a53ca7950f

SHA256
1469e5ecceeebe960b540877dab06226685bcf67c33660eb74afd4f7092838bb

SHA512
a5fd7c34f4bf4985afc0e03b9722b4994a3e607a1198b6ca18eb118780c60bc9f5c8f30db870b5bdd0091f9cb1c1c715ead32f284c04fd68a48702c2dfa4c631

Download Submit
C:\Users\Admin\Desktop\ExpandDisable.raw.payfast.153-CFD-14C

Filesize
895KB

MD5
defc1129eb02397cadb8091f9da65f3a

SHA1
b79b4118f39f303a3baa79cda88e78ba999cd4c2

SHA256
109d9be8b28e3f0edadc35d28c5f318437b4fd7e92a9863ba5299c93e2e4a3e8

SHA512
937759bb45a0538d434b508e5aa019f6e5b4367f28cb178029c5fd1b698efb84c1677c7f99242be763f92d10b2bc62005991bd8bf36a97e91b618822459a1dd9

Download Submit
C:\Users\Admin\Desktop\GroupInstall.3gp.payfast.153-CFD-14C

Filesize
635KB

MD5
ea9929973bf47d85491cdf888c84c296

SHA1
6fe0a5af60b778c1338a700b119b2fd6af66d8f4

SHA256
7e6f58a64d1557cea05f66c170c1bdaaf1c52f0f1b5d16de9cf87e846d5c9a4c

SHA512
ce380f3616bb1f0ef818ac190c5f8a8382200a1c91c54617c01856ea77fa0124d2d7a7d41f963f8078b961912eb55b94877be3e6d6c3ae9ef83282c766863106

Download Submit
C:\Users\Admin\Desktop\GroupPing.dib.payfast.153-CFD-14C

Filesize
603KB

MD5
5f74db28cb9de5b53f9c7cc8c3f4e604

SHA1
04abc7f12c1e915742081b9bfedebbcac611a6d8

SHA256
1fcfbe088492d5aa24e82fed241b99ab28de6c6c33800bf0ccb1b6a17fa8c88c

SHA512
6c285df4591e535253d0ccc4fd8e40745b089b4e04d930d98cb2c0f2a1875b6d366f6def9292c8725a9d5c54da668ecbb66e7324d2d87e718694e70cdb43d7db

Download Submit
C:\Users\Admin\Desktop\ImportCheckpoint.au.payfast.153-CFD-14C

Filesize
1.3MB

MD5
2f4b4f9704e97310dde28019ba8e1760

SHA1
c8439c53b5b4dee79414e299d0e17472e245b45c

SHA256
14c145217a6be642f811b96b18d4c1f6427b7d515aef76446ae8fe0c7ee7f2bc

SHA512
7fb7e3ee1de090d20fac6d69a05ad1662a1df9e3588b50f13614184a41e68c5bca1ebb1bef3f0386a61a12a81ed881f5a26b5296b2e70b1c772f7b915a0f44fb

Download Submit
C:\Users\Admin\Desktop\ImportRepair.xltx.payfast.153-CFD-14C

Filesize
700KB

MD5
cc3965e13649fff1f7db03788d0cc84a

SHA1
b356ae344d2d8cddeff8ff8213f33ae332b7fc05

SHA256
0069fa2cc87bf12c1752dbead84b738c1a61fcc643909b71dfe89929a4214c59

SHA512
b076e9ff890f01562c4d37909aeeb342fee88ba6dc0c0392588207c1d38cdbe63426e727b93eff1351ce746151cc8071f59fe9bca4388cef0ea6d2e64ea2cb10

Download Submit
C:\Users\Admin\Desktop\PingRepair.xltm.payfast.153-CFD-14C

Filesize
570KB

MD5
f1852b9c20182f5ba7b5e8d33b81a758

SHA1
bccc25acff554b5235386b9a99cf0d2345e8a375

SHA256
031b4bad2b4b6108276a487326437a175a0259aef9704b516b0cc20a39c726c4

SHA512
20b32a59daa17aa2295f2ede9948bcc525dfb9bb874a727601c96890331573924a69d2d0f02abd961a19f88a09cd2c8d69e330d02160da3cfd009411e8cc3b19

Download Submit
C:\Users\Admin\Desktop\ProtectEdit.rmi.payfast.153-CFD-14C

Filesize
472KB

MD5
b6358434ae40e758c8fa5203e74beb12

SHA1
eff170273b195034e038e209bbf8a3913d0e5c4c

SHA256
126e228eed61aecb410d0dcef060948a9678fd8bebb64702b2b8bc5c2c2796e1

SHA512
9192cb226009f3289945389d3bc64ef739cf8beb3b022e7e5e12feffdb5a4d0c613b9174d96450ad20b7bc6ff479044131708c1c94f20599dbe2a2a3d5b24228

Download Submit
C:\Users\Admin\Desktop\ProtectWatch.emz.payfast.153-CFD-14C

Filesize
342KB

MD5
624ab903026a9ba58ae02bdf7fee90a9

SHA1
80df0d7761f749e3c252dfc766b40fc0bbc33ad6

SHA256
888fa72ebe9ca4a9e3958d4617ec6d5354b2c7fc3824b57d4d0ecdba85a5090e

SHA512
1d95205f0342b58300c3beb848537595d3a02dcd2ef24fc6ca26ae677a7a44352ad1ae285d18db9053727e2c3116a94423ef603058e2f6b96425b71dc0c88d7c

Download Submit
C:\Users\Admin\Desktop\ResetSubmit.inf.payfast.153-CFD-14C

Filesize
668KB

MD5
3a0e38065489f7f3dea40135ba7c4589

SHA1
05ddcd9fd12078ef90610d48a8d0fdee4edf2b07

SHA256
13f976d8a5714b19a9b3c2876859a3675dd318f39d2476d480c3ad72b95a60cf

SHA512
1b975aecf211db4b69c4e815cda0a5291d622c64b6dd6b04ff915391b50396cc939fb70a31930bb0384a5bd58c9eee6afc43b88a2215ce9b32f4ddf0063f8f8f

Download Submit
C:\Users\Admin\Desktop\SendMeasure.mpv2.payfast.153-CFD-14C

Filesize
863KB

MD5
b91b02642ae62185fe57213807cc56e6

SHA1
6fa1adde7f75bb5edd28bbc6e4801358d592961d

SHA256
adb03a67eaca88506775005f65ddc2a155daa15dd708a255c4dedc7033b3fe05

SHA512
1ccdc8f9fc892d84bf2bc8825d4717f5fa99ca6b92fc5aab433140fc692f0c75e4d338c8bb031eb3d7e0190842dc1dfbe8d6490a5bedbdaff93c5f7888db40b8

Download Submit
C:\Users\Admin\Desktop\SubmitComplete.aiff.payfast.153-CFD-14C

Filesize
537KB

MD5
19eb50683f6fcf030119017217f7a8b5

SHA1
d2e9b47667caff4afee66ab6ce8e26a19ecc0ae1

SHA256
f79e090f52cae6ca60ce30e582f54669ddd2dd1b2839a3695381ba9ec0237eeb

SHA512
83a006d8b2e3049b70f20d723a2c3b9b1a7a98bea94ee69d88b1724b0fef1f763817c2bbabd51580244af1a272bd1908610fb8905c9e865a609845683b77574d

Download Submit
C:\Users\Admin\Desktop\SwitchBlock.ADTS.payfast.153-CFD-14C

Filesize
733KB

MD5
4ef057062f9e9a2d9ff0b963711aa786

SHA1
cd9202580fc524078e9a351220ed402db28c585b

SHA256
7ce7e660a48a735de8e181019fd43a4f50f95c5a6697ffb1994d6393cb82d024

SHA512
40a49600f8bf5a17b641a7548a642cc1da046012826596d8e1c3c3fb06f3a60d79c8f156316b2417bd6dbcf2932869da517dbfd2b78071ec05e6c596a28ddca9

Download Submit
C:\Users\Admin\Desktop\UninstallWait.mpeg3.payfast.153-CFD-14C

Filesize
407KB

MD5
dc9f83fbf84e3f08ad8d9a0f88c1c2f7

SHA1
17e61439c9203971ee772658b9f7a993b1d16f78

SHA256
c0db48f4a2fde41f066152c6bbb13da209d6962ca69b3b552de0994e10db4bf4

SHA512
33cb1eb46422a9f53eced130adadf22402cbbd2f907b0c255d19bc6f1c616dab170abd3112e83fc29b3ac0bce703873426829ce641387733fcfad599a9f55a94

Download Submit
C:\Users\Admin\Desktop\UseConvertTo.bmp.payfast.153-CFD-14C

Filesize
440KB

MD5
bcf002c3e9a2cb93d94822a987a93dcd

SHA1
003590e2c6e3434e54472581de2d18e7805e9023

SHA256
87bfa72a3bab717a5cf6914dfef8259e2f40b8b033581a12749edc12c0aa1014

SHA512
3d9431ac472f77bb68308f075d19f0e0f3ef1af1caf154b29852d4888f8b06f70c35790782f3395e6ec4e2035d7f4bc5c5a96f8b2afb4edfbcf8e6c8bcd01882

Download Submit
C:\vcredist2010_x86.log.html

Filesize
83KB

MD5
5dd8c6f15dc9e430d3e665cfc7367329

SHA1
4b6568a782967fffae18f8c2036eb64cc3b91322

SHA256
d5d09700975c7b4f05ece7fea4445555d16e0d5ab3c30a85f1bc69ead2761642

SHA512
83918842f10d081a876e1673587505ed6ca3ac2b23290075a7f969d7b822a06c061574afe25cf57f1f435600470332b36e8e8cfed0450f0c942f8b5838d85618

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
334KB

MD5
caa499836c5e5fae87726b57d63cc554

SHA1
7a820dd7549516edbf6f333ff2e4b7a21b63da96

SHA256
cacd10b8c69270ec77d67d8b4d7fc1081ca247200e650f93a2a6e1b9c1c85e37

SHA512
e6c8074aa183e407f3054fc07528576379d1980e97f17e7c4c10673c700a0a2af1354eb7484f9b33bebaa7e7fc04a0bcd2831ba6dcaf62da8c461e2672359b10

Download Submit
memory/612-23016-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/612-30521-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/612-10994-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/612-29378-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/612-25667-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/612-379-0x0000000002480000-0x0000000002580000-memory.dmp

Filesize
1024KB

Download
memory/612-305-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/612-27435-0x0000000002480000-0x0000000002580000-memory.dmp

Filesize
1024KB

Download
memory/908-171-0x0000000002580000-0x0000000002680000-memory.dmp

Filesize
1024KB

Download
memory/908-25315-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/908-175-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/2200-30541-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2200-30544-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2616-19-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/2616-18-0x0000000002470000-0x0000000002570000-memory.dmp

Filesize
1024KB

Download
memory/2616-82-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/2616-163-0x0000000002470000-0x0000000002570000-memory.dmp

Filesize
1024KB

Download
memory/2616-3432-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/2616-30545-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/2616-30550-0x0000000002470000-0x0000000002570000-memory.dmp

Filesize
1024KB

Download
memory/2856-17-0x0000000002480000-0x0000000002580000-memory.dmp

Filesize
1024KB

Download
memory/2856-15-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/2856-3-0x0000000000400000-0x00000000023BE000-memory.dmp

Filesize
31.7MB

Download
memory/2856-1-0x0000000002480000-0x0000000002580000-memory.dmp

Filesize
1024KB

Download
memory/2856-2-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download