Analysis

Max time kernel: 124s
Max time network: 137s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 04-11-2020 10:54

Tasks
Static task static1
Behavioral task behavioral1: sample hci0xn0zip.exe, resource win7v20201028
Behavioral task behavioral2: sample hci0xn0zip.exe, resource win10v20201028
General

Target: hci0xn0zip.exe
Size: 3.3MB
MD5: d18bf81dbc8acce488abd633d8058cf5
SHA1: 1d6dcade355b4867e9435961655a9b9caa373528
SHA256: 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
SHA512: 10a6b3994b1b0d37c9f3833e700baded6b89b0162078442b4de5a9747c23027d8943016c5941ba2e530ee5263b87c31a7714aa7bcb5051e5d63cf0a3cd88756f
Malware Config

Extracted from: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Emails: kassmaster@danwin1210.me, kassmaster@tutanota.com
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (4 IoCs)
PID | Process
3428 | 15sp.exe
1988 | mesager43.exe
2260 | lsass.exe
348 | lsass.exe

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Description | IoC | Process
File opened for modification | C:\Users\Admin\Pictures\CompressInstall.tiff | lsass.exe
File opened for modification | C:\Users\Admin\Pictures\UnblockFormat.tiff | lsass.exe

YARA rule match: upx
Resource | YARA rule
C:\ssd\onset\mesager43.exe | upx
C:\ssd\onset\mesager43.exe | upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe | upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe | upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
Description | IoC | Process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | mesager43.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start" | mesager43.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by lsass.exe: \??\T:, \??\P:, \??\O:, \??\M:, \??\J:, \??\U:, \??\X:, \??\N:, \??\G:, \??\E:, \??\B:, \??\Z:, \??\S:, \??\L:, \??\H:, \??\A:, \??\V:, \??\W:, \??\R:, \??\Q:, \??\K:, \??\I:, \??\F:, \??\Y:
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow | IoC
15 | geoiptool.com

Modifies service (2 TTPs, 4 IoCs)
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

Drops file in Program Files directory (24139 IoCs)
Processes: lsass.exe
Delays execution with timeout.exe (4 IoCs)
PID | Process
2648 | timeout.exe
952 | timeout.exe
2516 | timeout.exe
3112 | timeout.exe

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
PID | Process
1784 | vssadmin.exe
2212 | vssadmin.exe

Kills process with taskkill (2 IoCs)
PID | Process
2400 | taskkill.exe
3948 | taskkill.exe

Modifies registry class (2 IoCs)
Description | IoC | Process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | hci0xn0zip.exe
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | cmd.exe

Modifies system certificate store
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | mesager43.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary value not shown) | mesager43.exe
Suspicious use of AdjustPrivilegeToken (93 IoCs)
Processes: mesager43.exe, taskkill.exe, taskkill.exe, WMIC.exe, WMIC.exe, vssvc.exe
Tokens enabled, grouped by PID / process (in the order reported):
1988 mesager43.exe: SeDebugPrivilege, SeDebugPrivilege
2400 taskkill.exe: SeDebugPrivilege
3948 taskkill.exe: SeDebugPrivilege
3256 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
776 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
3852 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
3256 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege
Suspicious use of WriteProcessMemory (90 IoCs)
Processes: hci0xn0zip.exe, WScript.exe, cmd.exe, WScript.exe, cmd.exe, mesager43.exe, lsass.exe
Source PID / process -> target PID / process (number of entries reported)
3304 hci0xn0zip.exe -> 3420 WScript.exe (3)
3420 WScript.exe -> 736 cmd.exe (3)
736 cmd.exe -> 3428 15sp.exe (3)
736 cmd.exe -> 3112 timeout.exe (3)
736 cmd.exe -> 2552 WScript.exe (3)
736 cmd.exe -> 2648 timeout.exe (3)
2552 WScript.exe -> 980 cmd.exe (3)
980 cmd.exe -> 1512 attrib.exe (3)
980 cmd.exe -> 952 timeout.exe (3)
980 cmd.exe -> 1988 mesager43.exe (3)
1988 mesager43.exe -> 2260 lsass.exe (3)
1988 mesager43.exe -> 748 notepad.exe (6)
980 cmd.exe -> 2400 taskkill.exe (3)
980 cmd.exe -> 3948 taskkill.exe (3)
980 cmd.exe -> 2952 attrib.exe (3)
980 cmd.exe -> 2516 timeout.exe (3)
2260 lsass.exe -> 1300 cmd.exe (3)
2260 lsass.exe -> 3624 cmd.exe (3)
2260 lsass.exe -> 3652 cmd.exe (3)
2260 lsass.exe -> 2428 cmd.exe (3)
2260 lsass.exe -> 620 cmd.exe (1)
Views/modifies file attributes (1 TTPs, 2 IoCs)
PID | Process
1512 | attrib.exe
2952 | attrib.exe
Processes

Process tree (indentation shows parent/child depth; "cmd" is the command line, "signatures" the matched behaviours):

C:\Users\Admin\AppData\Local\Temp\hci0xn0zip.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\hci0xn0zip.exe"
    signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\ssd\onset\goodram.vbs"
      signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\81ldp.bat" "
        signatures: Modifies registry class; Suspicious use of WriteProcessMemory
      C:\ssd\onset\15sp.exe
          cmd: "15sp.exe" e -psion0811 01s.rar
          signatures: Executes dropped EXE
      C:\Windows\SysWOW64\timeout.exe
          cmd: timeout 5
          signatures: Delays execution with timeout.exe
      C:\Windows\SysWOW64\WScript.exe
          cmd: "C:\Windows\System32\WScript.exe" "C:\ssd\onset\Ztestram.vbs"
          signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c ""C:\ssd\onset\sata1.bat" "
            signatures: Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\attrib.exe
              cmd: attrib +s +h "C:\ssd\"
              signatures: Views/modifies file attributes
          C:\Windows\SysWOW64\timeout.exe
              cmd: timeout 2
              signatures: Delays execution with timeout.exe
          C:\ssd\onset\mesager43.exe
              cmd: mesager43.exe /start
              signatures: Executes dropped EXE; Adds Run key to start application; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
                cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
                signatures: Executes dropped EXE; Enumerates connected drives; Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
                C:\Windows\SysWOW64\Wbem\WMIC.exe
                    cmd: wmic shadowcopy delete
                    signatures: Suspicious use of AdjustPrivilegeToken
              C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
              C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
              C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
              C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
                C:\Windows\SysWOW64\vssadmin.exe
                    cmd: vssadmin delete shadows /all /quiet
                    signatures: Interacts with shadow copies
              C:\Windows\SysWOW64\cmd.exe
                  cmd: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
                C:\Windows\SysWOW64\Wbem\WMIC.exe
                    cmd: wmic shadowcopy delete
                    signatures: Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\vssadmin.exe
                    cmd: vssadmin delete shadows /all /quiet
                    signatures: Interacts with shadow copies
              C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
                  cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
                  signatures: Executes dropped EXE; Modifies extensions of user files; Drops file in Program Files directory
              C:\Windows\SysWOW64\notepad.exe
                  cmd: notepad.exe
            C:\Windows\SysWOW64\notepad.exe
                cmd: notepad.exe
          C:\Windows\SysWOW64\taskkill.exe
              cmd: taskkill /f /im 15sp.exe
              signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\taskkill.exe
              cmd: taskkill /f /im 15sp.exe
              signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\attrib.exe
              cmd: attrib -s -h "C:\ssd\onset\mesager43.exe"
              signatures: Views/modifies file attributes
          C:\Windows\SysWOW64\timeout.exe
              cmd: timeout 4
              signatures: Delays execution with timeout.exe
      C:\Windows\SysWOW64\timeout.exe
          cmd: timeout 4
          signatures: Delays execution with timeout.exe
C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    signatures: Modifies service; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence: Hidden Files and Directories (2), Registry Run Keys / Startup Folder (1), Modify Existing Service (1)
Defense Evasion: File Deletion (2), Hidden Files and Directories (2), Modify Registry (3), Install Root Certificate (1)
Downloads
SHA1beb7682db7657ce89e3d2e71ccc23faa518cadf4
SHA256be3d9a1e8a8f6b36613c0c215f91e654c6547b28febbe50e9559dbf89c355d29
SHA512b9ab098a9b5c6920efe93e16d3a63170786f885e5256dd561e06ce93159626c8b4a4e45d541fa32b51efe0c46111ec4b620d2bfb01c4b1c7343311384381b78c
-
C:\Users\Admin\Desktop\InvokeAssert.ex_.478-E76-A52MD5
2fc92c21c50386bdfb360677023355bd
SHA1f8592e2cd00e163e1101885d2c40377740620b13
SHA256c2aa9751112f3b65ea120aa8a3c6bb5a573291f19d3ce4f01344940157095d44
SHA5129fc71a7b5b54472e78facc7a38eda8d42db8b98d6bbbcd2ef8dbb5683520b454831020e33ba1071a3dc0e5099545a7de0c5de9152da4ce844979fb6bdf638709
-
C:\Users\Admin\Desktop\LimitPublish.wdp.478-E76-A52MD5
bbe12a759be01d7d64be54b582dd8bc1
SHA1e13bf1d166a459b830dc6098da772e0e630830d5
SHA25686999d5a86dfcbebe1edc6c2fac9ae7d6bfe15e4fd9c831cbe5a994a49706a91
SHA5127f7f53b6cdf91e098eb869c55d2ccf2d061be8e2fef9eb40808dd3669481587710b4390bff59efc9ccae166c6ae17997e4ad5a94bb1a8e33f3fa38522c9ae436
-
C:\Users\Admin\Desktop\MergeConnect.potx.478-E76-A52MD5
3c145d2a1c949124543f80121c53c726
SHA12e2054b1305a8df2358a9b7c1aa82210073e9e57
SHA2567f3e3d057e38340f05032c6d62a26180fbfff6949cfae5404186d1084657d6df
SHA51263f8bd7f52daecbb049432f8fc0026a7aad9e7da352b7c791ee7e6d5f8d1661f08f09a51613e8870cfac446bc023e5e09c085173bb656be4333f4f7892d0cc74
-
C:\Users\Admin\Desktop\MergeShow.mid.478-E76-A52MD5
904b36124bf7100c57701b614a50a7cf
SHA145f99041cade7afa01f6b0253717bc03bf48a7ff
SHA2566a70f602a644491dfc6cc136dc5a7e323bc9a2d0d1c17ee262a6e359b258fe44
SHA512c041f7153ec64b0b1d3965939bca4dc62b784c8f0cdd277e6762aed7b0eac7be8f9af4d6b8ba81d00cfa74d000cf7f78b143630258d6a003fb511c803a670436
-
C:\Users\Admin\Desktop\OpenShow.bin.478-E76-A52MD5
2c241a37c1b4ab35a5020ec552d29859
SHA137fc18b921a5bfe95c7f97e3eb53f1f153f8983f
SHA2569d10880880b9beb753b9e5f80c31ead9973957d00c1784e88628637187f8af58
SHA5121d7a8c24bd3ed3e3292af73cb5126218cd5fa2d63c486094ae5c62e539d41cef910da9923255d2713831cc1f2579bea724b31cfb4d1bd3f7295293f6b6c29924
-
C:\Users\Admin\Desktop\PopRestore.tif.478-E76-A52MD5
e6d2191274eacebe86cb5d25f2a2ec9d
SHA1cb632c06d41413f75dace02e6a529a9bddcb96d2
SHA2569a95b4a2a4712507b7d9d166893d5d631a276a412364c47f02693993ebd3f72e
SHA512898510e1a17c97d5994e59d936871c716d991ebbb1ab2ca1ac2a4728fb6c4411a9c70c16b610fa1b07f168114d9f56b4368eb7e2b6929178961269930e38555f
-
C:\Users\Admin\Desktop\ReceiveConfirm.cr2.478-E76-A52MD5
e276805d1ec86ca8e811fd5e0f427c72
SHA1edda1ca7fad82aaf5b4506cff7e2f80a0dd5dedc
SHA2565bbb805686aa8591ee8cec22e5c2b754b1103a3de91503c283f584af7b84d642
SHA5120acff377d08d0f7d1df3f27e1d8818ec05348e3a5f71f1b87bc1b4fe6113870eaa2f431897026150a7157c8bba3f0fe70487ccd109834313345082a0262debb9
-
C:\Users\Admin\Desktop\ResizeRename.m4a.478-E76-A52MD5
53b489d3656a024075510996ae33459b
SHA1673bfdf1caf8714086536c2ee365913f23e2c063
SHA25674461d80424afa2c21c45b489bba90b1c69b5a410edbb3c22f630a05d279cbaa
SHA512ee796f996b774a106c0c6be6b2befc31b3645b9689b1cd557363503caa36af9ad3cf14eb9130969154be47fedfe84042256c71636f8b3967f5aed26c4f045ee3
-
C:\Users\Admin\Desktop\RestoreExport.vst.478-E76-A52MD5
603d9ca13835a758fa8b18eb328f3033
SHA1ad40d9371098ef3371cb197e87a93b2c219b81ea
SHA2564758747bd53b5e2619854fb467b6bb89e595e151c39836eb454a0842be29b37c
SHA51281e0c6266ddab943530794809355a83d6479b4f22782b19bbccf17b9019bbe64b64d66272e3fd3e38dd688179af523e1dcad4144ffbe2b9ea05acf561567f695
-
C:\Users\Admin\Desktop\RevokeAssert.WTV.478-E76-A52MD5
41f6d832a4f07a5901a9367a8cc7115b
SHA1a0d2349504e4692c21f5020834d258cda44b5756
SHA256bd1fd27fa9c654bb2df8ba2dbd4f2884335d94b2a2ad36d2e59f91efb9a6ef9a
SHA512ea6f5fce49345bf4c77a1487f5546f0f1a6298f04ee2dc8ab7a165a3856523154da38191ab517107086e255b2e3c1ecd1e5c8d0cf8c0b1fdea132d6f737af2ea
-
C:\Users\Admin\Desktop\SendInstall.vsdm.478-E76-A52MD5
7314465a899d9d97720b2fde3cc0f03c
SHA1804999e82c3fe3618f364b3dd48fb1f3774848c3
SHA256080ffcfe3b3da3e9ef3c4f3a46478a284ac40fd31bebf961f44fdd391fe012a3
SHA5120b4b564a0a40d385721d5abec5548422ee088b3576747bd385f3dbbfbd95b46bf12409e58106cdd0eeb3b5c4bde73d4d0c7bc475e02e583ad12a67b1b0812efa
-
C:\Users\Admin\Desktop\SwitchBlock.mpa.478-E76-A52MD5
884bdc8106cbd7565aeeffcc8aa5c43b
SHA15ba1acbbbb778405159a59dee6109eee09624569
SHA256c506b4dee31246e834235bf3705300c6c41beee4edcf708be37cd6c662c5f7b9
SHA5128cc365e315cc1fd632e232015e3d9c891681c068fb3be7d3b167e72998c30f4a6f86f6d061ce2c6db6466857e5d64a2f79ecf58e84572982788c0fb7a6f939e1
-
C:\Users\Admin\Desktop\TestRestart.ogg.478-E76-A52MD5
d69e26c7d54a1ec2812c19ba077aee6f
SHA1ad14af0e931859d247d3d6f82fd3e7f71865c9c5
SHA256934289bbbf937436a0e58a9b6e58ac3774451b181848b3a48003dc4752f4f80e
SHA512181eea388ffa553bec8d03319dd4c4e044f315f30f63b5bc04c05b479ca321efd7af34d1ebcdb3bfac8c94cc1e7455430f9364c10ffaca5232e718b3c3ab121d
-
C:\Users\Admin\Desktop\UnpublishEdit.dxf.478-E76-A52MD5
0154c0c3f42010130b92c799416407e3
SHA13260d9c9ec49d96d18b0c64f52190758b0c5d7f1
SHA2569b4796f9bd8484d1cbf64cfcf04862640a70a748aa68df6874e5948800ff3421
SHA512e33cbec520226e5990e9a6c8c312bca441dfbad9d6d9faf75b51fed77a5098186253b54ff2e2f21a4e3a540b9cc6c3ba8162246114eb3c55923b129ea63a4a60
-
C:\ssd\onset\15sp.exe
MD5
061f64173293969577916832be29b90d
SHA1
b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA256
34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA512
66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da
-
C:\ssd\onset\58nfs.ini
MD5
42f9b29cb18cec22cf1f68375685ddc2
SHA1
54de5fd042aa740be90f85d7887d41ebc0e00b4b
SHA256
7aac762ca37c72400df369c6a25d81e758071e570f8dd68f136290923165d007
SHA512
f4065bc2b1b5ef8577c22ee6fe3ee4e5ee9af413d7a693940e317d2ab23de4ac64079761469369b282665c5d19fd3beb9a9ecd0af64a40531df946c65f36ab5c
-
C:\ssd\onset\81ldp.bat
MD5
a5464805722aa29200eb97cb26605135
SHA1
80b2c57e6475325a89eaaba24db02685830018ea
SHA256
03130577ed6032ec6fce61f3f4a52fbfd2e7eb69ca1901823682b392f89c0e8a
SHA512
d99760c1a82e2bd46d4d400c60c2c7a1fdfa057b84c6de2e992e19c662f62aed357e67c6f326e989124ccf7b67b57e1157b124e9bee4765e4f6730fb57660aae
-
C:\ssd\onset\Ztestram.vbs
MD5
b835e273fb843348db5f05d2ed0958e8
SHA1
8a5feab98df1ef7a898863e941e8bb07d007b9c1
SHA256
066327629f90b617ff1980f80a69ff3f5d76b4b005bfe9ee1a52319bc5517c94
SHA512
5438cd64586b1bfb6b555b9183e50cfae143306b163d7b4810383198cb8afcee3b5631a4f7cfb65561c2bb9babfaf70e8403937ae8d80cae93e9cd57e5c8331e
-
C:\ssd\onset\goodram.vbs
MD5
1ed7cb327b190a41ed8aee89c9be87d1
SHA1
6bd8634e530a6911501f1ab1c23fa4282d3a9e4f
SHA256
c31b950a44c81e1aaa37c495da1cf671ef730a5d1efbf5e68a875bf998c94663
SHA512
a9b85159614d71f91f05d9f1a4f65085105591ef7ca6d4094e171121e4259ebeca65fe490c28846b8d5791ef15cd7c01d56c7114aab517bab64c2f262c3dfb7c
-
C:\ssd\onset\mesager43.exe
MD5
3163bba8a4861d47aafa1667d3082fee
SHA1
32824014c8740b8fef306e742c891bec0ef068d3
SHA256
39016358b939b83cf9997c447458ae2d13186c3f66e66784c9e8ff4031b60c7e
SHA512
e25f77dd78df4a80ec02f01c8c6ed85fa0f9028ea87b899ffa0a5a87d211cb8c861d4e7912bb8d3cc3ee0a7240eb130f0abd6ffa0d3698b3d416c70de52eb450
-
C:\ssd\onset\sata1.bat
MD5
03560667f8a4144f8d45f917fd522a95
SHA1
df8ec645f2cbecb9388c87a63674b508a791433e
SHA256
41e9529c2acd43b7a206ec80655016bb65ba6721acfd930d351399730e809ad1
SHA512
215824afaaf96acef5977a7e6f48b2133cd969b1d809db333bf1b700176dfaa745141aade50fb4bec1151087a3deb2d64ae542b2405a17ec53d17fbc69052ad4
-
memory/348-42-0x0000000000000000-mapping.dmp
-
memory/620-40-0x0000000000000000-mapping.dmp
-
memory/736-3-0x0000000000000000-mapping.dmp
-
memory/748-22-0x0000000000000000-mapping.dmp
-
memory/748-21-0x0000000000650000-0x0000000000651000-memory.dmp
Filesize
4KB
-
memory/776-46-0x0000000000000000-mapping.dmp
-
memory/952-14-0x0000000000000000-mapping.dmp
-
memory/980-12-0x0000000000000000-mapping.dmp
-
memory/1300-36-0x0000000000000000-mapping.dmp
-
memory/1512-13-0x0000000000000000-mapping.dmp
-
memory/1784-45-0x0000000000000000-mapping.dmp
-
memory/1880-75-0x0000000000000000-mapping.dmp
-
memory/1988-15-0x0000000000000000-mapping.dmp
-
memory/2212-48-0x0000000000000000-mapping.dmp
-
memory/2260-18-0x0000000000000000-mapping.dmp
-
memory/2400-31-0x0000000000000000-mapping.dmp
-
memory/2428-39-0x0000000000000000-mapping.dmp
-
memory/2516-34-0x0000000000000000-mapping.dmp
-
memory/2552-9-0x0000000000000000-mapping.dmp
-
memory/2648-10-0x0000000000000000-mapping.dmp
-
memory/2704-41-0x0000000000000000-mapping.dmp
-
memory/2952-33-0x0000000000000000-mapping.dmp
-
memory/3112-7-0x0000000000000000-mapping.dmp
-
memory/3256-47-0x0000000000000000-mapping.dmp
-
memory/3420-0-0x0000000000000000-mapping.dmp
-
memory/3428-5-0x0000000000000000-mapping.dmp
-
memory/3624-37-0x0000000000000000-mapping.dmp
-
memory/3652-38-0x0000000000000000-mapping.dmp
-
memory/3948-32-0x0000000000000000-mapping.dmp