Analysis

max time kernel:  124s
max time network: 126s
platform:         windows7_x64
resource:         win7v20201028
submitted:        06-11-2020 15:29

Static task:      static1
Behavioral task:  behavioral1
  Sample:         66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
  Resource:       win7v20201028
Behavioral task:  behavioral2
  Sample:         66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
  Resource:       win10v20201028

The behavioural results below are from the windows7_x64 run.
General

Target: 66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
Size:   256KB
MD5:    ada523db2c2418fa37398c41b370c125
SHA1:   7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7
SHA256: 66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af
SHA512: 849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343
Malware Config

Extracted from: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  Family: buran
  Emails: uspex1@cock.li, uspex2@cock.li
Signatures

Buran
  Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE (2 IoCs)
  Processes:
    PID 340   explorer.exe
    PID 2012  explorer.exe
Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    explorer.exe  File opened for modification  C:\Users\Admin\Pictures\ExitSet.tiff
  The extension this sample appends is .EFA-3F4-E9A (see the encrypted Desktop files under Downloads and the Program Files list below).
Loads dropped DLL (2 IoCs)
  Processes:
    PID 484  66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
    PID 484  66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe  Key created  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run
    66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"
  The persistence entry is per-user (HKCU Run), named after a Windows system binary, and points at a copy of the sample in %APPDATA%\Microsoft\Windows rather than at C:\Windows\explorer.exe.
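An audit of Run-key values for the pattern shown in this signature, added here as an example and not taken from the report or from the sandbox's own signatures. It parses the value the sample writes (plus three constructed, benign-looking controls), separating the executable from its arguments for both quoted and unquoted values, and flags an executable that lives in a user-writable location under a name reserved for a Windows system binary. The SYSTEM_ONLY and USER_WRITABLE lists and the severity levels are assumptions for the example.

```python
import ntpath
import re

# Run-key values constructed for this example. The first is the value the
# report shows the sample writing; the other three are benign-looking controls.
RUN_VALUES = {
    "explorer.exe": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start',
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Updater": r"C:\Program Files\Example Vendor\svc host\svchost.exe /quiet",
}

# Image names that only legitimately live under C:\Windows (assumed list).
SYSTEM_ONLY = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
               "winlogon.exe", "services.exe", "wininit.exe", "smss.exe"}

# Path fragments an unprivileged user can write to (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def split_run_value(value):
    """Separate the executable path from its arguments.

    A quoted value ends at the closing quote. An unquoted value is cut after
    the first ".exe" so that a path containing spaces is not split at the
    space; anything else is split at the first space.
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return value[1:], ""
        return value[1:end], value[end + 1:].strip()
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", value, re.IGNORECASE)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = value.partition(" ")
    return head, tail.strip()


def audit_run_value(name, value):
    """Return the parsed value plus findings and a coarse severity."""
    exe, args = split_run_value(value)
    exe_l = exe.lower()
    base = ntpath.basename(exe_l)
    findings = []
    if any(frag in exe_l for frag in USER_WRITABLE):
        findings.append("executable in a user-writable location")
    if base in SYSTEM_ONLY and not exe_l.startswith("c:\\windows\\"):
        findings.append(f"{base} outside C:\\Windows")
    if name.lower() in SYSTEM_ONLY:
        findings.append("value name mimics a system binary")
    # A user-writable path alone is common for legitimate per-user software;
    # a system-binary name outside C:\Windows is not.
    strong = [f for f in findings if "user-writable" not in f]
    severity = "high" if strong else ("low" if findings else "none")
    return {"name": name, "exe": exe, "args": args,
            "findings": findings, "severity": severity}


def audit_run_values(values):
    """Audit every name/value pair of a Run key."""
    return {name: audit_run_value(name, value) for name, value in values.items()}


if __name__ == "__main__":
    for name, result in audit_run_values(RUN_VALUES).items():
        print(f"{result['severity']:<5} {name}: {result['exe']} {result['args']}")
        for finding in result["findings"]:
            print(f"      - {finding}")
```

On a live host the same function can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or the winreg module; the parsing rule matters because the shell resolves an unquoted path with spaces differently from how a naive split on the first space would.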
Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    explorer.exe  File opened (read-only)  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  Every drive letter except C: and D: is probed, i.e. the encryptor walks all 24 remaining letters looking for attached or mapped volumes.
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 6: geoiptool.com
Modifies service (2 TTPs, 4 IoCs)
  Processes:
    vssvc.exe  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
    vssvc.exe  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
    vssvc.exe  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    vssvc.exe  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  These keys are written by the VSS service itself as its writers register; they are a normal side effect of the service being started by the shadow-copy deletion commands in the process tree, not something the sample touches directly.
Drops file in Program Files directory (15066 IoCs; the report shows the subset below, all by explorer.exe)
  Paths carrying the .EFA-3F4-E9A suffix are encrypted outputs; BD15277_.GIF appears both with and without it.
  File created (ransom note):
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification:
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife
    C:\Program Files\Java\jre7\lib\security\cacerts.EFA-3F4-E9A
    C:\Program Files\Java\jre7\lib\zi\America\Bogota
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00129_.GIF
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107328.WMF.EFA-3F4-E9A
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Ojinaga
    C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.EFA-3F4-E9A
    C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18193_.WMF
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR41F.GIF
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Equity.eftx.EFA-3F4-E9A
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar.EFA-3F4-E9A
    C:\Program Files\Java\jre7\lib\zi\America\El_Salvador
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18202_.WMF.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15277_.GIF
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\TAB_ON.GIF
    C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPQUOT.DPV.EFA-3F4-E9A
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00444_.WMF
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_underline.gif
    C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.EFA-3F4-E9A
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18234_.WMF.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\gfserrorfromgroove.ico.EFA-3F4-E9A
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago.EFA-3F4-E9A
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.EFA-3F4-E9A
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\Office14\mset7fr.kic.EFA-3F4-E9A
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.EFA-3F4-E9A
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-execution.xml_hidden
    C:\Program Files\Java\jre7\lib\ext\access-bridge-64.jar.EFA-3F4-E9A
    C:\Program Files\Java\jre7\lib\zi\Asia\Kuala_Lumpur
    C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239953.WMF
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana
    C:\Program Files\Java\jre7\lib\accessibility.properties.EFA-3F4-E9A
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.EFA-3F4-E9A
    C:\Program Files\Java\jre7\lib\zi\Asia\Omsk.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF
    C:\Program Files (x86)\Microsoft Office\Templates\1033\WidescreenPresentation.potx.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14792_.GIF.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15277_.GIF.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21520_.GIF.EFA-3F4-E9A
    C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML.EFA-3F4-E9A
    C:\Program Files\7-Zip\Lang\hi.txt.EFA-3F4-E9A
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja
    C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip.EFA-3F4-E9A
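Triage of a file listing against the pattern in the list above, added here as an example and not part of the report. The listing is a constructed subset of the paths the report shows (plus two .tar.gz files, not in the report, to show that a benign double extension is not flagged). The code infers the appended extension without being told it, by scoring each trailing name segment on how many different original extensions it follows, then counts ransom notes by the name extracted in the Malware Config section and finds originals still present beside their encrypted copy.

```python
import ntpath
from collections import defaultdict

# Ransom-note file name as extracted in the report's Malware Config section.
RANSOM_NOTE = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"

# Constructed listing: a subset of the paths reported above, plus two .tar.gz
# archives (not in the report) that exercise the benign double-extension case.
PATHS = [
    r"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15277_.GIF",
    r"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15277_.GIF.EFA-3F4-E9A",
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107328.WMF.EFA-3F4-E9A",
    r"C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.EFA-3F4-E9A",
    r"C:\Program Files\Java\jre7\lib\security\cacerts.EFA-3F4-E9A",
    r"C:\Program Files\7-Zip\Lang\hi.txt.EFA-3F4-E9A",
    r"C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.EFA-3F4-E9A",
    r"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\MANIFEST.MF.EFA-3F4-E9A",
    r"C:\Users\Admin\Desktop\BlockCompare.scf.EFA-3F4-E9A",
    r"C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife",
    r"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml",
    r"C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    r"C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
    r"C:\Users\Admin\Desktop\archive.tar.gz",
    r"C:\Users\Admin\Desktop\backup.tar.gz",
]


def infer_suffix(paths):
    """Guess the extension the ransomware appends.

    For every basename of the form name.ext.SUFFIX, credit SUFFIX with the
    original extension it follows. A benign double extension such as .tar.gz
    follows only one original extension; an appended ransomware suffix
    follows many, so the suffix with the most distinct predecessors wins.
    Returns None when no suffix follows at least two different extensions.
    """
    preceding = defaultdict(set)
    for path in paths:
        parts = ntpath.basename(path).split(".")
        if len(parts) >= 3:
            preceding[parts[-1]].add(parts[-2].lower())
    if not preceding:
        return None
    best = max(preceding, key=lambda s: len(preceding[s]))
    return best if len(preceding[best]) >= 2 else None


def triage(paths, note_name=RANSOM_NOTE):
    """Summarise encryption artefacts in a directory listing."""
    suffix = infer_suffix(paths)
    present = set(paths)
    encrypted = [p for p in paths if suffix and p.endswith("." + suffix)]
    # Originals still on disk next to their encrypted copy: either the
    # encryptor was interrupted mid-file or it never removed the source.
    leftovers = []
    if suffix:
        for p in encrypted:
            original = p[:-(len(suffix) + 1)]
            if original in present:
                leftovers.append(original)
    notes = [p for p in paths if ntpath.basename(p) == note_name]
    return {
        "suffix": suffix,
        "encrypted": encrypted,
        "leftovers": leftovers,
        "notes": notes,
        "note_dirs": sorted({ntpath.dirname(p) for p in notes}),
    }


if __name__ == "__main__":
    summary = triage(PATHS)
    print("appended extension:", summary["suffix"])
    print("encrypted files:   ", len(summary["encrypted"]))
    print("originals left:    ", summary["leftovers"])
    print("ransom notes in:   ", summary["note_dirs"])
```

The leftover check is the one worth running first on a real host: an original that still sits beside its encrypted twin is a file you can recover without the key, and a large number of them indicates the encryptor was stopped before it finished.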
Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    PID 1996  vssadmin.exe
    PID 2032  vssadmin.exe
Modifies system certificate store
  Processes:
    66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e
    66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [value elided in the source report]
    explorer.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
    explorer.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e
    explorer.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
    explorer.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [value elided in the source report]
    66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Read this signature with care. The blob under thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349 is a 0x432-byte DER certificate whose subject decodes to C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services, valid 2004-01-01 to 2028-12-31, i.e. a public root, and AuthRoot\Certificates is the store that Windows' automatic root-certificate update fills when a chain is built against a root it has not cached yet. Together with the CryptnetUrlCache files under Downloads this points to chain validation during the sample's network activity, not to the ransomware installing a certificate of its own.
Suspicious use of AdjustPrivilegeToken (85 IoCs)
  Processes (the report lists the WMIC.exe adjustments more than once; grouped here by process):
    WMIC.exe (PID 1052) and WMIC.exe (PID 344), each enabling:
      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
      SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
      SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
      SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
      33, 34, 35 (LUIDs for SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege)
    vssvc.exe (PID 684): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe enables every privilege available to its token when it starts, so this list is characteristic of wmic itself rather than of the sample; the actionable part is the parent chain (explorer.exe running from AppData -> cmd.exe -> WMIC.exe) that invoked it.
Suspicious use of WriteProcessMemory (55 IoCs)
  Processes (parent PID -> child PID, with the number of writes the report lists):
    484  66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe  ->  340   explorer.exe   (4)
    340  explorer.exe  ->  1772  cmd.exe        (4)
    340  explorer.exe  ->  1708  cmd.exe        (4)
    340  explorer.exe  ->  1612  cmd.exe        (4)
    340  explorer.exe  ->  844   cmd.exe        (4)
    340  explorer.exe  ->  1384  cmd.exe        (4)
    340  explorer.exe  ->  1504  cmd.exe        (4)
    340  explorer.exe  ->  2012  explorer.exe   (4)
    1772 cmd.exe       ->  1052  WMIC.exe       (4)
    1384 cmd.exe       ->  1996  vssadmin.exe   (4)
    1504 cmd.exe       ->  344   WMIC.exe       (4)
    1504 cmd.exe       ->  2032  vssadmin.exe   (4)
    340  explorer.exe  ->  924   notepad.exe    (7)
  A handful of writes from a parent into each freshly created child is what CreateProcess itself produces; this signature is a record of the process tree, not evidence of code injection into unrelated processes.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af.bin.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
        - Executes dropped EXE
        - Enumerates connected drives
        - Modifies system certificate store
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no

        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet

        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                - Interacts with shadow copies

        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\vssadmin.exe
                vssadmin delete shadows /all /quiet
                - Interacts with shadow copies

        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
            - Executes dropped EXE
            - Modifies extensions of user files
            - Drops file in Program Files directory

        [3] C:\Windows\SysWOW64\notepad.exe
            notepad.exe

[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: the dropper copies itself to %APPDATA%\Microsoft\Windows\explorer.exe (the copy has the same hashes as the sample, see Downloads), registers that copy under the HKCU Run key and launches it with -start. The -start instance runs the recovery-inhibition commands (wmic shadowcopy delete, the two bcdedit changes that disable Windows recovery and suppress boot-failure prompts, wbadmin delete catalog, vssadmin delete shadows, and once more wmic and vssadmin from ~temp001.bat), then launches a second copy with -agent 0 that does the file encryption and drops the ransom notes, and finally starts notepad.exe. The image paths resolve to SysWOW64 while the command lines name system32 because the sample is a 32-bit process and WOW64 file-system redirection applies. vssvc.exe is the system VSS service woken by the deletions, not a child of the sample.
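Detection logic for the recovery-inhibition chain in the tree above, added here as an example; it is not part of the report or of the sandbox's own signatures. The events are constructed from the tree (PIDs, images and command lines as the report shows them, with the long dropper name shortened to sample.bin.exe and ppid 0 marking a tree root), plus one benign administrator tree to show the scoring. It matches each command line against T1490 (Inhibit System Recovery) patterns, flags a system-binary name running outside C:\Windows, and correlates both per process tree so that one vssadmin call by an administrator scores lower than a chain of distinct techniques under a masquerading parent. The patterns, the SYSTEM_ONLY list and the severity thresholds are assumptions for the example.

```python
import ntpath
import re
from collections import defaultdict

# Process-creation events constructed from the tree above (ppid 0 = root).
# PIDs 3000-3002 are an added benign administrator tree, not in the report.
EVENTS = [
    {"pid": 484, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.bin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.bin.exe"'},
    {"pid": 340, "ppid": 484,
     "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start'},
    {"pid": 1772, "ppid": 340, "image":r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'},
    {"pid": 1052, "ppid": 1772, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 1708, "ppid": 340, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'},
    {"pid": 1612, "ppid": 340, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"pid": 844, "ppid": 340, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'},
    {"pid": 1384, "ppid": 340, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'},
    {"pid": 1996, "ppid": 1384, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 3000, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 3001, "ppid": 3000, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 3002, "ppid": 3000, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=C: /oldest"},
]

# T1490 command-line patterns (assumed set), matched against a lowercased,
# whitespace-collapsed command line so quoting and spacing do not matter.
RECOVERY_INHIBITION = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit recoveryenabled no", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b")),
]

# Image names that never legitimately run from outside C:\Windows (assumed).
SYSTEM_ONLY = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
               "winlogon.exe", "services.exe", "wininit.exe", "smss.exe"}


def classify(cmdline):
    """Labels of every T1490 pattern the command line matches."""
    normalized = " ".join(cmdline.lower().split())
    return [label for label, rx in RECOVERY_INHIBITION if rx.search(normalized)]


def masquerades(image):
    """True when a system-only image name runs from outside C:\\Windows."""
    img = image.lower()
    return ntpath.basename(img) in SYSTEM_ONLY and not img.startswith("c:\\windows\\")


def detect(events):
    """Correlate events per process tree; returns {root_pid: verdict}."""
    parent_of = {e["pid"]: e["ppid"] for e in events}

    def root(pid):
        while parent_of.get(pid) in parent_of:  # walk up while the parent is a known event
            pid = parent_of[pid]
        return pid

    trees = defaultdict(lambda: {"techniques": set(), "masquerading": set()})
    for e in events:
        verdict = trees[root(e["pid"])]
        verdict["techniques"].update(classify(e["cmdline"]))
        if masquerades(e["image"]):
            verdict["masquerading"].add(e["pid"])

    results = {}
    for root_pid, verdict in trees.items():
        techniques, masks = verdict["techniques"], verdict["masquerading"]
        if not techniques and not masks:
            continue
        if len(techniques) >= 2 or (techniques and masks):
            verdict["severity"] = "high"
        else:
            verdict["severity"] = "medium" if techniques else "low"
        results[root_pid] = verdict
    return results


if __name__ == "__main__":
    for root_pid, verdict in detect(EVENTS).items():
        print(root_pid, verdict["severity"], sorted(verdict["techniques"]), sorted(verdict["masquerading"]))
```

The same function applies unchanged to Sysmon event 1 or Security 4688 records once they are mapped to the pid/ppid/image/cmdline fields; the per-tree correlation is what separates this sample's burst of five distinct techniques from a lone `vssadmin delete shadows` in a maintenance script.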
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

The CryptnetUrlCache entries are Windows certificate-retrieval cache files (the download side of the AuthRoot writes noted under Modifies system certificate store); the dropped explorer.exe carries exactly the hashes of the submitted sample, i.e. it is a straight self-copy.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5:    94b4ad73963959e339923ddcabf6b331
  SHA1:   aa2c6af08dd5478d326c90ef2146c3ee2a7b55b2
  SHA256: 8945240c6d037d35d6124ac4b9815a8d74d785fa30c2c4b2fd54ed2fb68f58f4
  SHA512: aefafb7d184e5564bdc65311e52619950f603fb89259de2af3b8f9fa05c346bf9e3f33b9cbe05a01389ef97642c7e37299ce8b9b4f3cb9f6d4e9a6877c537126

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5:    3208da0c038576623565b095fcea4ad1
  SHA1:   bc421f8eb4b9c6100aa444edece988c01dd63b26
  SHA256: 16ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b
  SHA512: 17fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5:    c6f27d5d1ee450d3400bf13e0804fce6
  SHA1:   2d0505f90eca6a49ca15b742aa5ef9ef01c7af41
  SHA256: 2c01ba329cfb39b6141b3c98d662ba24eb458e051fb7de79f975e681e8b4327a
  SHA512: 75687ddffd7021a033d19049f0cc05bbccd97a1433c06738a04590ed660996f669838514fe9f3b7c4b2eb494cf8a594f54bab1446cc915da4a042c3a327adc3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5:    dd13eb7136c10f64c614302b65eba2b0
  SHA1:   9a634752e9410937a320f7f0a516f787936d5cbe
  SHA256: a3b8ab74e7ff30f80a05996283234b36a1e65202d101a7ac7824fb2dd7a9c8d2
  SHA512: d72dd1a92c64b7856a791f94c6a05ee93fad792bc5c69e77269439b47c014ec50b6326020fdf3a82d5ba576bd690113aa8ca8228353813994f65dbe97694d000

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5:    be8da404527da141e865eedfaa117e28
  SHA1:   d8146427d359e08a07790c89e2c41238e06b715e
  SHA256: fa23b95c08a1c988bf7fa2eefe4f2431e54c9556de4dbb221d7e9e0b3860c0d5
  SHA512: d78ca4152da8624f40b119334c5bc4d03ea04c3a124da2ccdaecab7136b8107d5354584dacdb69822d981a68925bfc5b18325bf0dc4b5eec42fb74007b0c8e40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5:    885c02d5d2ed0fead8ffcdc437b5cf6d
  SHA1:   4400bdcb069fae8b8afec3680470f84840e5881e
  SHA256: a1c06ba3088fb6849d5da031a23102a9f773f2035e92ba63ec9644ad79bf257a
  SHA512: 099805f5e1c9cedf19b8dd9286e0cb941ab3a620454b7a86afe909690c6586a2061c771811db41d7569ed5310467924eb92f46175779a3da841e08c6fc69b983

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5:    f95126d57175bfd597ec8b2a20908b71
  SHA1:   13d54ffa3b663452ced58093b586725cf1a69701
  SHA256: 37a5adb952d6de79537847d00b6d666f433b7e22e75ef56e081b588cbd36e826
  SHA512: a8f4bcc2a1247d865e74bd48b0734236d4e0c93649109109786f92e2c07d02dc2637d79eea66b4b24614a123b278099ff90db4af516823a2654aed80cb15c21c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\NA9WPOQQ.htm
  MD5:    b1cd7c031debba3a5c77b39b6791c1a7
  SHA1:   e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\DZY8GMS0.htm
  MD5:    6b17a59cec1a7783febae9aa55c56556
  SHA1:   01d4581e2b3a6348679147a915a0b22b2a66643a
  SHA256: 66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb
  SHA512: 3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  MD5:    ef572e2c7b1bbd57654b36e8dcfdc37a
  SHA1:   b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
  SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
  SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe (listed three times in the report with identical hashes)
  MD5:    ada523db2c2418fa37398c41b370c125
  SHA1:   7c2c197b14447cbf4bd0d040a36493ec1d9d8bc7
  SHA256: 66fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af
  SHA512: 849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343

C:\Users\Admin\Desktop\BlockCompare.scf.EFA-3F4-E9A
  MD5:    42dbf88bb6660c4b6c00cae75a888535
  SHA1:   7e86fe5a001a1840ab3ded5f23e6ca4c8c5db612
  SHA256: 9747b601be59c20a05c9a39a94c7d2ce3193873414fb14e7ad05600f9b79575e
  SHA512: 39f2b83550ad9e1547affe7a1ccbfe5f4bc715e8e39f8cbd48f948d682b958634ceb7482ad4880b867b82b932141870774175fdc415adfcb11e2e9f49b6a2131

C:\Users\Admin\Desktop\CheckpointSuspend.mp4.EFA-3F4-E9A
  MD5:    d50ee5e4aa29c35570d3bac72bcbaa51
  SHA1:   a436f0ece4104eb1a0f70eee8a8489e68be16a6c
  SHA256: 8624e67f64c5f7e911631d7f7de22879194e6bd5dffa7b4cf55d27af56c3c6cb
  SHA512: 2965192e084479933c66c931fbe273e8f53cbd91eaed0d9397fadc65288b05de9ee5664ee46ff860ccb31b51af3ad0e7418e54252a9c5e6cfb1f1e0d64889373
-
C:\Users\Admin\Desktop\ConvertFromSubmit.jpg.EFA-3F4-E9AMD5
04c2471287edca0c76ba2b2288a36cd4
SHA12391ee05ba74bc46143ddbfacea6ec929e5aeebf
SHA256348f9e6d7fd08fa14402b6a8054e5a555cfd0325a880a03d6b31bdeed0366ca5
SHA5125ad043aa6aec11f2eb7d4a805bcb263bcc90b7987deab8514206995f025740e7ee53b83b53e4379b1f0209c81bfd5ac487c6f79ca926c449c4388cc2d4b9a7c8
-
C:\Users\Admin\Desktop\ConvertWait.snd.EFA-3F4-E9AMD5
d45479016b1c07a2ae58eeb1d0fbe667
SHA1ba7aa7fbeb2470652f728c4b5c7fa14279fed7d1
SHA25623579addeb8a4f763dbf9a26d123f5124f057055bf0629969bfb8555d2822da6
SHA5128ad7c064990f731c79b66de01b3fcd8f41e016e0c3319ef3e86a082105f9fa3116c1c6292eb9242eef2cc9f938e22c83c8730d33b95dab118b571275a3545e2c
-
C:\Users\Admin\Desktop\DisconnectComplete.ppt.EFA-3F4-E9AMD5
03c71a368b3a41afdfb05c94f93cc339
SHA1d238455a3b941dfbb229314833ade5a6fc70bd86
SHA25631f7437970a715f7c82e8082f1ae0cc9db633411a496d0e40b4b74247532308d
SHA5122631f32574e7c53af9205a994df368715344043fcd4cf0f1194f7124a63e5d818bb0618ec71a82295b1ac4656bf6cb5779c3ab9b1aa84e4208796c7630c30f32
-
C:\Users\Admin\Desktop\EnableTrace.3g2.EFA-3F4-E9AMD5
8a81a36b133e96daa37613074641901d
SHA1eeca51e6a531dd55e44d569ddbfe7cdebb9f349a
SHA25653ea659bbed2f154716e0b1e1c66b3dd3a6fc633b3e87687a9fd63e9d43b2502
SHA512f65982a08ebcb55637283782be295b957aec86b24e2ee74584e4337c4af713553161ab539dfdeac18c836cd19e5bdb20397ba1039f22a7cf0f91f8c836c73474
-
C:\Users\Admin\Desktop\ExportNew.3gp2.EFA-3F4-E9AMD5
5ff34595c221ed9e63cc1f8ba6562136
SHA1a7acd8c38c69a1d2f96adee5d124d782043c1903
SHA2562ccffaf623e99eae9a8bd267134ed67cb3585478dac65d6f241a6950aa5ba8ca
SHA512f4dea0bd31d73783cd9e0fa1c3af4e2c310da068bab7b23c6c1fdb37e9a981efa8162926f9b80b2097dfa49767c6fb4f9e4ce2f8dc3bf12ea9bfd3d45a350afa
-
C:\Users\Admin\Desktop\GetReset.pptm.EFA-3F4-E9AMD5
1fb7caeaf2e98791cf8866fa36708b80
SHA1df394d27d403b6857b15daef5ff945d17cb6742d
SHA256822a85bf0c8a204493142bc3882044a56b241d618880a55ba00f71928fe19cf8
SHA512d80c989b76773260cc1b8ef6bb218901f4812129a4f12f0a9383a555a6c1f2a1ac782b32acef4b4615d2d8a2b2c1789a2c98b5b11f2a9be00f7f5e0f7d5cc846
-
C:\Users\Admin\Desktop\JoinEdit.xhtml.EFA-3F4-E9AMD5
3c606406a12f8f53e234d27acd5476cc
SHA145e8ab00e3b5b6a18e9c09d50adb77d607c3c293
SHA256752ea8134388eb2ef5d4ce91d04b0cd97b75da91f2090446240354f614d23dc7
SHA5121a1ff846470983ec6ecc5295f10169cc18c0ea8534843c5675d99b45f0d46883b92d7d6059aa0de0b40d15625e856f85dc8aa41fdb57b9a368ace7b16351ed74
-
C:\Users\Admin\Desktop\LimitConvert.temp.EFA-3F4-E9AMD5
530361d2d7419c1076f8e41533300d79
SHA185ff7647ff709cef6b307251185da51211a706f4
SHA256cab32aff943494e55d7a24f7767bc688e41088d5ea95284f605a5d2a69e48797
SHA51222aeb199cd8db3180b9bcf0b1642a1be051841fbf6ad516889e3b714da5d0e7d4b4cf51db1a2878dc1d1cf4d069df39e542ebffe985f67c27f54081a217f08d5
-
C:\Users\Admin\Desktop\MeasureConvertTo.MTS.EFA-3F4-E9AMD5
b95379552ef5a544cc5fc6ea858983d3
SHA12cde67a3131d45c0035301216a0ad3d8cc1faadf
SHA25680d97d79ce2131400a5b77e76725d8b383bbe64ad3ac13c018669a1b67aefb9b
SHA5126d57bf5ac0edd876b2eb5e9e9b15b616e2ef0a6d55cd9c75a7788c2ce7951749e45c6481222c6d08fadc638ca69be1e2c97f063600f71bbe3404a6f5f1a52e5f
-
C:\Users\Admin\Desktop\MountDisable.vst.EFA-3F4-E9AMD5
0551f50ad728b0185024d24539d14583
SHA1e7c0e80b72908cb456b039e87aaf0b875ea0afbd
SHA2567029f6af33201c5ddad172f45c830ff8066e1e9fa5c9ccd39c07b2053d86df94
SHA512db0b9c275d10101e0c67c00ab1b933622bc36f6725f171bfccfa457f95b90ebfea08a95bd4d18d6ea23549efa071aac8f60d3da1cb1190f35c8dd76dd1a3465d
-
C:\Users\Admin\Desktop\MountSend.ADTS.EFA-3F4-E9AMD5
7d1b2164440c31c1b38a5d401effcebd
SHA1f5a76cb233d1e332a50efd3f527b6e1ca7895ec6
SHA256738707578a30971823e7ab3eeb2de2b1c822b4ca5646820a8e0de52f9338d730
SHA51203753850f0cdd824527ce2c2154e4d2a742a77571c2d0937bbb785ee1bc101f2675f90a8011e7ad80fd43258ac6973fe708a6769037824a058b49fb2c5ca5e7a
-
C:\Users\Admin\Desktop\NewCompress.wav.EFA-3F4-E9AMD5
9f6d17610815a0739559d71788ad990b
SHA1cec6cdda58c6fb087590ad8076839c52df4bbd07
SHA256928b9ac9e6218788b03490a7db4c9d53ef561b60036394ffe760c4d4ea3805ad
SHA512ce1b22f691f1bc2e2b2d8b27ec5bacdd7169391c475e327f9a1e8547decc75300be7eec1c5e8f36c6790254327500793a430d95af43f895a2eaef004c385ca52
-
C:\Users\Admin\Desktop\OpenMerge.aif.EFA-3F4-E9AMD5
978af0f229884451ab3affdcf2185924
SHA1e3bc1a31ff6ab0bcf51488b4afa25c63f282d360
SHA256dac7d1d309991583d88c1f3ebc7ee7fb6e78e3d4c622885374a31909013e33f7
SHA512b6738d8cf9af64fbf02754cdad2aceaf6ed03ff5b4ef3131936e36dc4e81fc2cd03f18615da3b3b98d7f89ac780bf6c870be8af9d707f70a48fa82f6a6111cec
-
C:\Users\Admin\Desktop\PingTest.ps1.EFA-3F4-E9AMD5
4ff0f7aeef133d3e0a3ffb922851748c
SHA16b1952165ca19aa2a424039be629560c49e08bc0
SHA256fea0150b8c7a496972cf96dd5a317ea8eb0370a4ed585fd3f58995e9b04dd362
SHA512775719ff64aca912f9abb1d8a986c312a80eacd5a390ad60b6c004bcc45d3dec8702587fde0dfc5760bb962847827d012919e4b9e819f1b54b2270023a6d8432
-
C:\Users\Admin\Desktop\PopResize.vdw.EFA-3F4-E9AMD5
88a37242573c6891399c0e00247d800e
SHA152b265bad7922908c66d50ec730f7cf69c8061f8
SHA2567aa2521818763e39a2ac3f1e3a900e94957eb2b3dc13ab37fde130b6c2ccb048
SHA512098b666d81b7e2d4fb720c1085b33e9b44ae1824dc9d165642804953d0c975b347f7996e7f94e103103782224b6fd7218bdda9fc8dd9cf7a9f8db583ec9dea7b
-
C:\Users\Admin\Desktop\RedoRename.jfif.EFA-3F4-E9AMD5
0f93c3f1d0d47d627921724110dd703f
SHA19ad38810939a40477ecb230c65a8e1b8c56d66a5
SHA2562d919f2825c69060f229a8676a2b9e4dec993b95c272cc7ddbc19ab899836759
SHA512bc1c3660622270732bdb29d5df28e196e83447550de0d02b1019c538f8bbbf16646614cf82d0080ef1bb62d94c8ff676beb872df2dd9b97708eee441d3d059b9
-
C:\Users\Admin\Desktop\RemoveWait.wma.EFA-3F4-E9AMD5
54e43f7f1c9028e044ff51841b773d7e
SHA17b06309e8e482298b2289bd6905fe27465ff669e
SHA256dfdfa233339caab2691ecf423e1e8baa1fba9e804e186ee0e19540bac055138c
SHA512f8fba8c2f363f6ca816ec2623c6e88e441f9e45dbfbec402417986638e95b63538a5b6c84d8ee782f15de140f5a0726ac5432e1b47fb30738c99ff3df8fe776e
-
C:\Users\Admin\Desktop\RepairCopy.ram.EFA-3F4-E9AMD5
b735799ceb25498b437c6ef09f585362
SHA197f110ec111aab0dac7a51d9e50f7691dc585c64
SHA2569df7f68c86298f87c64bbc153c3471791798004224b75361b83c1f42853b04b5
SHA5126ee9144635fef8c060ef68b99ef23b49a0d70b0584d7821bf33ccd489204a029bc3c6ffaaf289d69d3766e87a138d61a951e6fb2cf28ee6bd8a014abb9fe33e7
-
C:\Users\Admin\Desktop\RepairRegister.cfg.EFA-3F4-E9AMD5
c1f4e35ce0a966b2ec42b313c70adb13
SHA16493a63ce477baeb2479e2ac24a7614700d4dc8b
SHA256f0a6083383b62c6f3aad6145d85f637adb3cc79472a0cf88f049f4913382580e
SHA5124a62eea65c415cd2ed87c9a05c75e39f50d8374d0ff28614903ba86f0a829c36b668787f937c7e31f11971a8e38e1427880f4e1baf37babf721f5c1b70307f8b
-
C:\Users\Admin\Desktop\RestartResolve.crw.EFA-3F4-E9AMD5
a1668cd6e4abe4f373a5d2bad7b1dd36
SHA11ca70d2d4b0eca4dcc121549a11f377f4b6e12d7
SHA256fb28ddfdcc9e156aa89c21db55697158db29139c8a7081f6761e6bcc4a2cd713
SHA512df229ca84916e30bf605014530ffb26c52f4499e117f963af4b69ee4cd3ff91a54655c100bc7ada708a97ec2d30cbd8e0c5876ae757eaf990b024fbb9a3702bd
-
C:\Users\Admin\Desktop\StartFormat.aiff.EFA-3F4-E9AMD5
948b66b2a5ad4e68c8719c77a388c051
SHA1f494a54959e41f1b3487063a3b71919a60fc8aac
SHA256820967f9e815fb41a4b2d35a378be1df964ce8579ba5fe7fc2501ab36e124a08
SHA512b64d4842b6ea68a329d0db2ad92bdf8ee09c07386cce6e3055100d70c7f54a9e601fcae858d61c74514fc2f4fe17a86e5f7ccc3b16f6dd5e2284bd76350a86ec
-
C:\Users\Admin\Desktop\SubmitDisconnect.pdf.EFA-3F4-E9AMD5
817d903600a860def05dcb46336fda56
SHA17f4ef59c26cc8c1fc22c6d6841b6b7635cdf45d4
SHA256ecd74f5938a89a403de0e00d8b2906a3d2e7e3211b739bb02a62864563be3c30
SHA512f972ddeebcbcec05d715596ee1563e52cbdbfd07aede2d6e9d873d7f480f20d6b4372de728ab0a7044324cc40206fa5b7685aea162633d88102cfd3fb8e317bd
-
C:\Users\Admin\Desktop\UseUninstall.cab.EFA-3F4-E9AMD5
deebe56af77ad224ecbfd84c15826df8
SHA1006f0cf76c14ab75bf33b6a1703fa34a6769aac6
SHA2562d2711e3563f7fce789e484a609e34f7f5af7ba0d27ec4b105357c58cb2aa745
SHA5120f76772ab1718663a27a14ca007f5838fe4b082195763753783f8b177d94162f0b3c583e79fe18e50da52b980c27a55a143f4f440997816aeb9952845f4d11af
-
C:\Users\Admin\Desktop\WaitShow.aifc.EFA-3F4-E9AMD5
4ac1695d9b674aec2d36f107ca2fba58
SHA13e435d169c4f7653687137d86a8db71a57b13b11
SHA25640440d759760594e61c88019133f23809e3e90c67bc73eddd19b3ebae24024f4
SHA51274e65ff44adcf2ef1a67c08890a8bdd9e17ee42dd53faa12c9414e4c6d5dcdda0a51616d5d5f0e77cad4f9f5587f41e34a0c3ecdf15fb273ad61f7a8870e4e12
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exeMD5
ada523db2c2418fa37398c41b370c125
SHA17c2c197b14447cbf4bd0d040a36493ec1d9d8bc7
SHA25666fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af
SHA512849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exeMD5
ada523db2c2418fa37398c41b370c125
SHA17c2c197b14447cbf4bd0d040a36493ec1d9d8bc7
SHA25666fc6e71a9c6be1f604c4a2d0650914f67c45d894fd1f76913e463079d47a8af
SHA512849e06f1308ef00d1cf5ac71d9deb5699bae0e3985bca11525d3a95879325d1c11ad30f7c1bf80ef51ccc71032ab793ac2bef305c051391c9cefd91253621343
-
memory/340-3-0x0000000000000000-mapping.dmp
-
memory/344-26-0x0000000000000000-mapping.dmp
-
memory/844-17-0x0000000000000000-mapping.dmp
-
memory/924-54-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/924-55-0x0000000000000000-mapping.dmp
-
memory/1052-23-0x0000000000000000-mapping.dmp
-
memory/1384-18-0x0000000000000000-mapping.dmp
-
memory/1504-19-0x0000000000000000-mapping.dmp
-
memory/1612-16-0x0000000000000000-mapping.dmp
-
memory/1708-15-0x0000000000000000-mapping.dmp
-
memory/1712-0-0x000007FEF63D0000-0x000007FEF664A000-memory.dmpFilesize
2.5MB
-
memory/1772-14-0x0000000000000000-mapping.dmp
-
memory/1996-25-0x0000000000000000-mapping.dmp
-
memory/2012-21-0x0000000000000000-mapping.dmp
-
memory/2032-27-0x0000000000000000-mapping.dmp