Analysis
max time kernel: 92s
max time network: 103s
platform: windows7_x64
resource: win7v200722
submitted: 27-08-2020 18:32
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Resource: win7v200722
Behavioral task: behavioral2
Sample: SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Resource: win10
General
Target: SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Size: 437KB
MD5: e26982b170856ca8ca96a2f41b2306fb
SHA1: e467f2bc6f01f2a13effaf8f6283d616ccf40e2e
SHA256: 8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6
SHA512: 80a636ae53f5049e1ec34e092d91be8f8cc11d1f96eb919bfabd814c677c1e68a773c102b4fd28f2335427173f76203815b60f133d1d4cf0834bded85931af0e
Malware Config
Extracted
Ransom note: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Contact emails: crioso@protonmail.com, wiruxa@airmail.cc
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
pid process
1908 taskeng.exe
1584 taskeng.exe
-
Deletes itself 1 IoCs
Processes:
pid process
1892 notepad.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid process
1108 SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start" SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description ioc process
File opened (read-only) \??\W: taskeng.exe
File opened (read-only) \??\Q: taskeng.exe
File opened (read-only) \??\N: taskeng.exe
File opened (read-only) \??\E: taskeng.exe
File opened (read-only) \??\Z: taskeng.exe
File opened (read-only) \??\T: taskeng.exe
File opened (read-only) \??\P: taskeng.exe
File opened (read-only) \??\O: taskeng.exe
File opened (read-only) \??\J: taskeng.exe
File opened (read-only) \??\B: taskeng.exe
File opened (read-only) \??\A: taskeng.exe
File opened (read-only) \??\Y: taskeng.exe
File opened (read-only) \??\X: taskeng.exe
File opened (read-only) \??\V: taskeng.exe
File opened (read-only) \??\U: taskeng.exe
File opened (read-only) \??\K: taskeng.exe
File opened (read-only) \??\H: taskeng.exe
File opened (read-only) \??\S: taskeng.exe
File opened (read-only) \??\R: taskeng.exe
File opened (read-only) \??\M: taskeng.exe
File opened (read-only) \??\L: taskeng.exe
File opened (read-only) \??\I: taskeng.exe
File opened (read-only) \??\G: taskeng.exe
File opened (read-only) \??\F: taskeng.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
4 geoiptool.com
-
Drops file in Program Files directory 64 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00444_.WMF.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18190_.WMF taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-lib-uihandler.xml_hidden taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_ON.GIF.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax taskeng.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Andorra.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_justify.gif taskeng.exe
File created C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT taskeng.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21301_.GIF.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.CN.XML taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Templates\1033\ExecutiveNewsletter.dotx.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0188511.WMF.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE05930_.WMF taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD15301_.GIF taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0238333.WMF.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00192_.WMF.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\FORMS\1033\TASKACCS.ICO.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\VideoLAN\VLC\New_Skins.url taskeng.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Nome taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287020.WMF taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\FORMS\1033\DOCL.ICO.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD10219_.GIF taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\FORMS\1033\RECS.ICO.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ceuta.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR24F.GIF taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD00255_.WMF.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0239953.WMF taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0182888.WMF taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\PUBWIZ\SIGN.DPV taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Magadan.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00608_.WMF.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0205582.WMF taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEWBY.GIF taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe.195-83A-216 taskeng.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-attach.jar taskeng.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\EET taskeng.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\Groove\ToolIcons\OFFLINE.ICO taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Office14\PUBWIZ\INVITE11.POC taskeng.exe
File opened for modification C:\Program Files\Microsoft Office\Stationery\1033\JUNGLE.HTM.195-83A-216 taskeng.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process
1884 vssadmin.exe
972 vssadmin.exe
-
Modifies system certificate store
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes (child processes indented under their parent)
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.e26982b170856ca8.24043.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
      - Executes dropped EXE
      - Drops file in Program Files directory
    C:\Windows\SysWOW64\notepad.exe
      command line: notepad.exe
  C:\Windows\SysWOW64\notepad.exe
    command line: notepad.exe
    - Deletes itself
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\Desktop\ApproveReset.rar.195-83A-216MD5
09866bc1d2eebe94a5f417c19c118d58
SHA10dfea2c1ab03c9faa3c3010e4313f7304332255b
SHA256d2edbfeaf04e2db8739c9ead86d0f355a19a58f15890056a1c8786fc9385cec7
SHA51272a1edf76774c99d116fc635b57bc15c8528549fc52cc653e2a0181f8b153a9dfcaae8588bc7c18e8f00799b5bcda248c54c83c8a274993a33ec5ee8f1cd5597
-
C:\Users\Admin\Desktop\BackupDeny.xps.195-83A-216MD5
101aacd51f5f1bc2fd4c15ff849bdb89
SHA10b9d058a484fd1423710b3caebe55e45ecb9c7da
SHA25640631bde2c17cfb75df1b2775581074bf3ab45eee89d5bf0246efe4ffdf15b2e
SHA51260abfcede47d4fbb53d849352008e5cf99fea25dcd0c44cd6ae0413487e9cb757684821da0bafa65b27fbd88d72de89fce188d73157b3afd82c66cdd12f21cdc
-
C:\Users\Admin\Desktop\CloseLimit.3gpp.195-83A-216MD5
2f375be15276a7b590412aed255531ff
SHA107db9c8bac0b7b54393a4706e6a75168df97b3d9
SHA256aabc1aab700606c6761acc3d92810d5b0501222830f9b00168bca074ac60fabe
SHA5123e3fa82d3fb1bb635ee26df49c89d695800fb9e308554a78ebcf35c50021443498490705c2767e7e59226023f3a98275caf74ad2f9b8c574fb4884540cd55546
-
C:\Users\Admin\Desktop\ConfirmUse.7z.195-83A-216MD5
b38df548067d9c4e08370204d401a102
SHA18e0dad31b1dd9b45bb636a0dd7f8b39ff37cb170
SHA2563b06f62c0bdfe6aa3378309120535ef1948ded8895fef8243528f1c6bb6937a6
SHA5127f0d1b1e272021deee10fb21b5ebdce8ffe89215cd4b02f1815eb6047d7343164ccbf0b3647899dd4cb9e594735e0986d8524d2331c67d7de62d70e4bf35aaca
-
C:\Users\Admin\Desktop\ConvertConvertFrom.odp.195-83A-216MD5
939ecec547dea272e305ddc90f7032b6
SHA1477deac3f201de63b2fb78937d9f3441a7db6744
SHA256ebaf44da93c2ed15c4aca3a133bc54b47e4441afa1e1eabaec964adab2575354
SHA51209a2891af125bae67ed4ef1889899720cc689b0579586789ca869718fdd905ccfeba35042d8dfb06a3fa595428c92a3c9e652229d7178fb89b3f8f3b24074b34
-
C:\Users\Admin\Desktop\ConvertDisable.potx.195-83A-216MD5
0b277a83fd1d8b38bc3989d08149ca59
SHA160576fac1027ffe8dccc7178153b27f1e2e7dfeb
SHA256c1716ed2cffbaa6fb4e49f8c6445aa178d1bc0bb3fdf6a8861fc680af2c08ad1
SHA51248eb402b24c715e06314bce0b7da457a52b30bb143321d19a5c3d35a150bacae2526ded325c0c517b4a437e5e6209273de6fc521470d09787d4944964133e694
-
C:\Users\Admin\Desktop\DenyClear.xht.195-83A-216MD5
a0f0a314cd0dc2952e47f8d025f1cc41
SHA12b6ce31bf5232354ad6f3f43f1eca59e13bae853
SHA25625022b1df84fc1cc7d0b8386f5bfcb253c80bf00caa3d098c692ff08da5b9310
SHA512463ccbf6d6291f990cfb78addeb45c183ef4f359c870a6453895c112f885aa44cda775c390efbb797dbb997a91a400661704aa18d0cc85b5dbec729cf6236fec
-
C:\Users\Admin\Desktop\DisableOptimize.png.195-83A-216MD5
3af8653956fc24d9b4bf7fb1da215765
SHA15f39c68bd7910b9de20f2b12e103712b6e4809d2
SHA2564c805c7cb5f8561e1e569e5a034c5c1e4f3e7c5c17d76feea34661ce9ce33f83
SHA512e9eaf9a89e909d5d46724ee77098f843aa87a5ea888ddacec1d9b9a37ddb331dd49a27ee2931e61534d207684bbcd29945247d77a4773f5574a57a8198ad9f3d
-
C:\Users\Admin\Desktop\DisableRename.rtf.195-83A-216MD5
08183fd0b97938c26c4a2c23f366ad9c
SHA1db5935a99c8d796dc19d191d1a380fcc5fe00e2f
SHA256f23d1717af056a02ae008ab694da02f4fc249a35df2ce75facf2d2b8e590043e
SHA51236a91bfe28964cc1ff5ac2551e0dc17c271fedc7f582c12aef4d9d5de5eda3f1e282304e7f2080dfc41c35837b9b5222083a8c70a033d54614c808551d45dcce
-
C:\Users\Admin\Desktop\EnableRestore.wav.195-83A-216MD5
528d5f5c94ca69f81a658e420da9bc3b
SHA1e19709c73a320fbb93ec15049d1303cd12d0c61d
SHA256ff9d31449e9af251174612abe6084f55a8499608d59e0c31dcf7fb40676f7106
SHA512ae308d07a392d2532db2daac145faf14974fbb7abcd043353c8c68453bd9752baef09cc851bb6950aa3438e07f18c7a218418eac4110b3b2baedc572bc22f24a
-
C:\Users\Admin\Desktop\GetOut.vsd.195-83A-216MD5
997b7c5d2b6c4ea51a6d0aba5b7d029a
SHA18ab333a0e520576f2922ba696116789589db1efa
SHA256b0d7864d7a5c9e886ee50fb55209bb91521dcecacd18fca0ec2db47f9bff45f3
SHA512d4884ac8939b04d9a87d03fb4f0faaad36d11701abee4380a78be22a235028af6e2515be8f7f38390af0ef1c054a4b1b217393ac4147365c255af2e175e6b8a2
-
C:\Users\Admin\Desktop\GrantResolve.asx.195-83A-216MD5
55933faf1dfcf9e6cb76d3f58a106d00
SHA1b5820a93def6becc34a2093504d940b66add3e16
SHA2566804d6dd29471f64d1e2f0397cfce6ab971fdd6468509ddde5e5030565d9ebd5
SHA51263dfb0dce4635db4596c4e2b8039e79d132c07d304e147060b3b3e1c375bb4a59f08c57ec5411ad82b0b7b29550ddc1ed30753842d2f7dd4c0d05328dc59e788
-
C:\Users\Admin\Desktop\GroupConvert.vsd.195-83A-216MD5
3ac316e10fe5d1e41926aa753068a1ec
SHA196fd5f7fcaa3308fcc18c3e4cddfb2e929897958
SHA2560e96f0cd0adfb7cc9a9b98581cf50bb42851bf0d1dfd2a01ede7e476a3a1f1d4
SHA5122ca7014833075f15acd752a0de8be03b717bb61adde0e50cf8bec3706ee57bc1c93300b6e2982d1cd601a5da42d7d9a6097eb503cd10dfe75ead66bfbf94c984
-
C:\Users\Admin\Desktop\HideExit.dotx.195-83A-216MD5
7345d5035628c560edc8df2aeba47e0d
SHA1a1405f8efe32398fa360268658c06c29e383ddf0
SHA2561b6208a6df2d5f6ebf7db154ae0fde1286da2f8e0a5f436549dae7f074ebe12f
SHA512303d61aa72230c705c32be9fac6ef929708c5acd0d9e03bb577fc84c2f2eaebfa7c47fa72f1c1f39aff5be79d1c64e053465a9128709dcf31cccd8287840041a
-
C:\Users\Admin\Desktop\ImportMerge.ppsx.195-83A-216MD5
126f2a182d2237a5811d59cd34159955
SHA13825d687394a23d652b5e7a8ed34c39aaef0fd50
SHA256adfc6e3a44d080ea877c45ba5d4341d6b3effa53a135d5fbd40b7e7669413d09
SHA5120b1286896e366efb726ca61f6bfce0a03741c530e84953722364125f7a49477560b8079d2d3beb686c18aa9d0b989d58cb2de924729856527b4fa5d1080441c4
-
C:\Users\Admin\Desktop\MeasureRename.mpe.195-83A-216MD5
aa959e184a8fdc4e7df43b9df78544b4
SHA16f012867e737f0f0b306300a7835c5b06cceb1b8
SHA2564e449c0490df552d3d342e0cc252d43a03d52c4f4f1bb5c9632a4e3a10e0b884
SHA512f7fb09f91c9b38dab8eb09cbc41c2a1834ae186a2afcd48fd1ddf44cb4e768c1c443f8ad5649504ed265e657be997bd05c2aa5373ac1a930ae5704d6f91a56e1
-
C:\Users\Admin\Desktop\OptimizeBackup.otf.195-83A-216MD5
c260bf27bfd1dab481e89774657ce020
SHA11c9377224a6cb32d798bb97c2da45f7c28986512
SHA256bd177adf9f0a80f79ae5fb5ee77b0360ee8d77f5a054dec947ece41118ec8f72
SHA512ff8c7520813502430728f16ec849aa79e22445e6a892fe1c0e44540123e060fd5bc48edb5634d526e229bc8a2da9ac30546217a1f39ec556d0fb818320872412
-
C:\Users\Admin\Desktop\PublishMerge.htm.195-83A-216MD5
4b1d5da8359d4804e9808cad4a5bfeec
SHA1c50d8aee1ba7a2d05c4484c9034284204f904ec9
SHA25658d498749d55d08be493da69b51975741b1604e64ea7aaac9282074855222f8e
SHA512aae1399018f555432022d04e91ab7135da71d52942d6430a43159d2bd3707097ea57c0a784b4c07e38bf69e023b5603793c437d8f9c79819f487249c5a99b0bd
-
C:\Users\Admin\Desktop\ReceiveAssert.odp.195-83A-216MD5
40924a15e3f48cfaf797a6750893fcd1
SHA145d1396c392c5ab572b826ceff9c5e331be03996
SHA2564262a85a7f8d53ca86061227779835e376041f655a8702efe88f0138a5dca564
SHA51219b41e8263c7426921a73acaf7d55d9283fb09e05bbb9e9952fb7734a1e8a94aa68cc365ae213806dbf00a6418d54cfb66639380f9389f601f16efc11778626e
-
C:\Users\Admin\Desktop\ResizeConvertTo.emf.195-83A-216MD5
15d10221d24a2b3f0f5ac2bdf34e36a5
SHA18e66a8dc00cf4aeda6153e10b56da0f05b8ef430
SHA256ac51e6dac46f09597892c44b3f4acd7acc815ee9c119767fb184a32f5f6a7c5b
SHA512ba775cec13c992f20c057474db9d199fe6d76cc58dbcc73d0f0608bf5b303139816f752aa3094f51e29524e3d3204853d9f5f825c2a781639e0cda606136ceff
-
C:\Users\Admin\Desktop\SendTest.iso.195-83A-216MD5
ca8d999b75941cf647b0b9ba5b974eb6
SHA1bfb8800c8f8de9c55670cde1dc68ab309b0f9c90
SHA2563b55fc6f9b7c7e36617c5c56c18d23be353d883462fcf4c9d598e0caf99c5055
SHA5126819c07b40036808fe0aaebc2c98671b1b6c95819973dec4738ccb5ae66f35050e778f44a2188050359dda4c31204eab25171dc93f6ae43cb4317a6cdf3d33f1
-
C:\Users\Admin\Desktop\StartUpdate.rm.195-83A-216MD5
99388b9d2e9e44ae9e238b70318e5f94
SHA132b2ef23847e7a56b23d08b3fbfaad9c93520f3c
SHA2564b3c0a66714d3f94d6eac8943d955475b31d0115b09a603aa8277138fa4f246e
SHA5123010888537ae7e1c616a85b8d9cf373da40d38c2c12274c6f05a77ea2455e433700d170725f2b802ce79bb0f205250f18fb6374a2fb33d23ab39dc7bbdc7ac35
-
C:\Users\Admin\Desktop\StepSearch.txt.195-83A-216MD5
3a506c3c748822b36111d28304a049eb
SHA123fc48692155dc2042e97a16a9ce8011e110cf8a
SHA2566a6f56dbb7a2be3110d011c1d759af1349a306237b8894b0734cbd588aaf746b
SHA51269e1e2d78277f76f26fe92bb8b4b759bd5d248ed496d823c1237fafcdfeea27c17c49387713a936f98046d8411fe4597564b1fc99a52c734cb7677695985d7c3
-
C:\Users\Admin\Desktop\SwitchSubmit.dib.195-83A-216MD5
db8997ddc2f7312ed677678b3b5c3c1d
SHA120ca6fa3de539592eca9061802def7170822fc67
SHA256d511bebc4077c551bc8d5abea688da06beef7879d5cd3b6e9c6bf64837860035
SHA5122e0ef22d188feb9857d09ffc5a978a4783821db2735870815a934daa8a2912b10fbdf91f0266935fca45856c6615c90f822dc9f019fda6983ba12571bd5ea81f
-
C:\Users\Admin\Desktop\SyncUnpublish.js.195-83A-216MD5
46e4c8c03c35c9a7d2db6f5f76f08a13
SHA10c4242bb6e8cb35651527a9c12aa1e6914f6c7a2
SHA2566d245bd2d37e9f00389a652e5c8c851c16ff6f77bf7f0f79f86a2f328f5b0f83
SHA512474982ea840ca9e9b3edd10b8b736fa93de11d9573d8d34cc020725ddabc6e21b4a52c02a291b868ae131825b95bb6d115f419df73af8aa516a2c75e882783c4
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exeMD5
e26982b170856ca8ca96a2f41b2306fb
SHA1e467f2bc6f01f2a13effaf8f6283d616ccf40e2e
SHA2568d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6
SHA51280a636ae53f5049e1ec34e092d91be8f8cc11d1f96eb919bfabd814c677c1e68a773c102b4fd28f2335427173f76203815b60f133d1d4cf0834bded85931af0e
-