Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 07-11-2020 21:55
Static task: static1
Behavioral task: behavioral1
Sample: lsass.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: lsass.exe
Resource: win10v20201028
General
- Target: lsass.exe
- Size: 214KB
- MD5: 3a87a3c5abcdc92ef421700ac6f5d0d1
- SHA1: 70509f9eed0f90f62b804da75aa73b6a3f6390ec
- SHA256: 45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
- SHA512: f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
tomriddle1337@cock.li
riddletom1337@protonmail.com
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
pid process
1448 lsass.exe
624 lsass.exe
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description ioc process
File opened for modification C:\Users\Admin\Pictures\FindStep.tiff lsass.exe
-
Deletes itself 1 IoCs
Processes:
pid process
640 notepad.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid process
1056 lsass.exe
1056 lsass.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run lsass.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start" lsass.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description ioc process
File opened (read-only) \??\F: lsass.exe
File opened (read-only) \??\R: lsass.exe
File opened (read-only) \??\K: lsass.exe
File opened (read-only) \??\I: lsass.exe
File opened (read-only) \??\G: lsass.exe
File opened (read-only) \??\B: lsass.exe
File opened (read-only) \??\A: lsass.exe
File opened (read-only) \??\Y: lsass.exe
File opened (read-only) \??\X: lsass.exe
File opened (read-only) \??\U: lsass.exe
File opened (read-only) \??\S: lsass.exe
File opened (read-only) \??\O: lsass.exe
File opened (read-only) \??\N: lsass.exe
File opened (read-only) \??\J: lsass.exe
File opened (read-only) \??\E: lsass.exe
File opened (read-only) \??\Z: lsass.exe
File opened (read-only) \??\W: lsass.exe
File opened (read-only) \??\T: lsass.exe
File opened (read-only) \??\M: lsass.exe
File opened (read-only) \??\L: lsass.exe
File opened (read-only) \??\H: lsass.exe
File opened (read-only) \??\V: lsass.exe
File opened (read-only) \??\Q: lsass.exe
File opened (read-only) \??\P: lsass.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
6 geoiptool.com
-
Modifies service 2 TTPs 4 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
-
Drops file in Program Files directory 15048 IoCs
Processes:
description ioc process
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Dublin.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00526_.WMF lsass.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Berlin lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Earthy.css.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar lsass.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDCNCLL.ICO.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099193.GIF lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00453_.WMF lsass.exe
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00086_.WMF lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199279.WMF lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00656_.WMF lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FORM.JS lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.XML.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSRETRO.WMF lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234000.WMF.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02153_.WMF lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RE00006_.WMF lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21302_.GIF lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01240_.GIF.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART15.BDR.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00148_.WMF lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00350_.WMF lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF lsass.exe
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar lsass.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\MST7MDT lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00723_.WMF lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Oriel.thmx.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.XML lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png lsass.exe
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00673L.GIF lsass.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF.E4B-88F-1D5 lsass.exe
File opened for modification C:\Program Files\7-Zip\Lang\vi.txt.E4B-88F-1D5 lsass.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid process
2008 vssadmin.exe
1636 vssadmin.exe
-
Modifies system certificate store
Processes:
lsass.exelsass.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded
2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 lsass.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 lsass.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 
040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564b
f5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 lsass.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 lsass.exe -
Suspicious behavior: EnumeratesProcesses 1204 IoCs
Processes:
pid process
1448 lsass.exe (this identical row is repeated for every listed entry of the table)
-
Suspicious use of AdjustPrivilegeToken 91 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1056 lsass.exe
Token: SeDebugPrivilege 1056 lsass.exe
Token: SeIncreaseQuotaPrivilege 1940 WMIC.exe
Token: SeSecurityPrivilege 1940 WMIC.exe
Token: SeTakeOwnershipPrivilege 1940 WMIC.exe
Token: SeLoadDriverPrivilege 1940 WMIC.exe
Token: SeSystemProfilePrivilege 1940 WMIC.exe
Token: SeSystemtimePrivilege 1940 WMIC.exe
Token: SeProfSingleProcessPrivilege 1940 WMIC.exe
Token: SeIncBasePriorityPrivilege 1940 WMIC.exe
Token: SeCreatePagefilePrivilege 1940 WMIC.exe
Token: SeBackupPrivilege 1940 WMIC.exe
Token: SeRestorePrivilege 1940 WMIC.exe
Token: SeShutdownPrivilege 1940 WMIC.exe
Token: SeDebugPrivilege 1940 WMIC.exe
Token: SeSystemEnvironmentPrivilege 1940 WMIC.exe
Token: SeRemoteShutdownPrivilege 1940 WMIC.exe
Token: SeUndockPrivilege 1940 WMIC.exe
Token: SeManageVolumePrivilege 1940 WMIC.exe
Token: 33 1940 WMIC.exe
Token: 34 1940 WMIC.exe
Token: 35 1940 WMIC.exe
Token: SeIncreaseQuotaPrivilege 304 WMIC.exe
Token: SeSecurityPrivilege 304 WMIC.exe
Token: SeTakeOwnershipPrivilege 304 WMIC.exe
Token: SeLoadDriverPrivilege 304 WMIC.exe
Token: SeSystemProfilePrivilege 304 WMIC.exe
Token: SeSystemtimePrivilege 304 WMIC.exe
Token: SeProfSingleProcessPrivilege 304 WMIC.exe
Token: SeIncBasePriorityPrivilege 304 WMIC.exe
Token: SeCreatePagefilePrivilege 304 WMIC.exe
Token: SeBackupPrivilege 304 WMIC.exe
Token: SeRestorePrivilege 304 WMIC.exe
Token: SeShutdownPrivilege 304 WMIC.exe
Token: SeDebugPrivilege 304 WMIC.exe
Token: SeSystemEnvironmentPrivilege 304 WMIC.exe
Token: SeRemoteShutdownPrivilege 304 WMIC.exe
Token: SeUndockPrivilege 304 WMIC.exe
Token: SeManageVolumePrivilege 304 WMIC.exe
Token: 33 304 WMIC.exe
Token: 34 304 WMIC.exe
Token: 35 304 WMIC.exe
Token: SeBackupPrivilege 760 vssvc.exe
Token: SeRestorePrivilege 760 vssvc.exe
Token: SeAuditPrivilege 760 vssvc.exe
Token: SeIncreaseQuotaPrivilege 304 WMIC.exe
Token: SeSecurityPrivilege 304 WMIC.exe
Token: SeTakeOwnershipPrivilege 304 WMIC.exe
Token: SeLoadDriverPrivilege 304 WMIC.exe
Token: SeSystemProfilePrivilege 304 WMIC.exe
Token: SeSystemtimePrivilege 304 WMIC.exe
Token: SeProfSingleProcessPrivilege 304 WMIC.exe
Token: SeIncBasePriorityPrivilege 304 WMIC.exe
Token: SeCreatePagefilePrivilege 304 WMIC.exe
Token: SeBackupPrivilege 304 WMIC.exe
Token: SeRestorePrivilege 304 WMIC.exe
Token: SeShutdownPrivilege 304 WMIC.exe
Token: SeDebugPrivilege 304 WMIC.exe
Token: SeSystemEnvironmentPrivilege 304 WMIC.exe
Token: SeRemoteShutdownPrivilege 304 WMIC.exe
Token: SeUndockPrivilege 304 WMIC.exe
Token: SeManageVolumePrivilege 304 WMIC.exe
Token: 33 304 WMIC.exe
Token: 34 304 WMIC.exe
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes:
description pid process target process
PID 1056 wrote to memory of 1448 1056 lsass.exe lsass.exe (row repeated 4 times)
PID 1056 wrote to memory of 640 1056 lsass.exe notepad.exe (row repeated 7 times)
PID 1448 wrote to memory of 792 1448 lsass.exe cmd.exe (row repeated 4 times)
PID 1448 wrote to memory of 1904 1448 lsass.exe cmd.exe (row repeated 4 times)
PID 1448 wrote to memory of 1612 1448 lsass.exe cmd.exe (row repeated 4 times)
PID 1448 wrote to memory of 584 1448 lsass.exe cmd.exe (row repeated 4 times)
PID 1448 wrote to memory of 1704 1448 lsass.exe cmd.exe (row repeated 4 times)
PID 1448 wrote to memory of 316 1448 lsass.exe cmd.exe (row repeated 4 times)
PID 1448 wrote to memory of 624 1448 lsass.exe lsass.exe (row repeated 4 times)
PID 792 wrote to memory of 1940 792 cmd.exe WMIC.exe (row repeated 4 times)
PID 1704 wrote to memory of 2008 1704 cmd.exe vssadmin.exe (row repeated 4 times)
PID 316 wrote to memory of 304 316 cmd.exe WMIC.exe (row repeated 4 times)
PID 316 wrote to memory of 1636 316 cmd.exe vssadmin.exe (row repeated 4 times)
PID 1448 wrote to memory of 556 1448 lsass.exe notepad.exe (row repeated 7 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\lsass.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe (tree depth 2)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe (tree depth 4)
Command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
-
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
-
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
-
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exe (tree depth 4)
Command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exe (tree depth 4)
Command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exe (tree depth 4)
Command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\notepad.exe (tree depth 3)
Command line: notepad.exe
-
C:\Windows\SysWOW64\notepad.exe (tree depth 2)
Command line: notepad.exe
- Deletes itself
-
C:\Windows\system32\vssvc.exe (tree depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe (tree depth 1)
Command line: "C:\Windows\explorer.exe"
-
C:\Windows\system32\AUDIODG.EXE (tree depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x598
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 e5be8c65934ad0c00c584026d085108e
SHA1 6ce4c8bc54630bf9f70d3fe93ce91bf44004439f
SHA256 68413df5f5923c0283167f5bf10bb7a65b1cdbea7602d263f64af49820efa315
SHA512 50470648453a249e3ec06572fd418a123bd0500291a8b3bc0c7cde453ac36e027130f49f01c17ab21034d6033abe1f81402166ee80460b0fcb56856f20db2539
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5 3208da0c038576623565b095fcea4ad1
SHA1 bc421f8eb4b9c6100aa444edece988c01dd63b26
SHA256 16ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b
SHA512 17fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 3bf227caeee1b07d47b29873a1640f1a
SHA1 61af6e587db89d7d7f518bb1e16c2d73451e5ed6
SHA256 30becef61dd6dd9d8b0402aec82db12ebb3ef7b76d854ca1f8bd30fa50ab5980
SHA512 29a3663efa62ccc6dce4e083b7e43e80560de48ebc0eebfff5aed1fc158f0ed65a009589046773cb3c97588005219f45ae414c53f7bffe5a0a2ec80b0c2a903e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5 3af6c18e97a627c61153484605c14c5a
SHA1 0ae7488ef2f85f745df8d01ded9238a5db9ad922
SHA256 d48669fb76749a36eea78f3fa8bcf0bc7da23a2c783803a7ff0a3bac81a3bf39
SHA512 694ec41db00f20feba29b76f179a4b48b44aa4170b6e2ecdc47b16675881ddaee50f1fc5f4cd2037902a4f2ed5e7af775ec79762cfcbda7c3a63a3733849afed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5 17188c7f4d87d9c42ce97a5b2387afad
SHA1 da50f3c62aed9782c35498c225b9fd121dca79ad
SHA256 b47a5d8809fe0df50164d579d2399a3b6d303c4411136edc75b1d85d488c06d2
SHA512 7326e3e18d16aeff08eacb48b3c71a5901a1eaa729a1ce7f78ccbcc9a7f58dacc69b821d2360586b115285bdcaeacc279e58db5f4b4fcbd43f5fa3d4a7a5f5c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 0c5d29463eab2f688a7586fdec05fd61
SHA1 239b9822af7c7befdec39334101222c2bf9f8dd5
SHA256 fe4d476cbe6973edce783325639743be5842a9d1128468054fb0f3dc35ad20e8
SHA512 98a2443de6c077c9a93667c743d4a8d75a9a1f7643d2049bfa1f724e130eed3d5851460b14cca406f34ce25155b9b4ce6c31f17d9cfc534cf667b1649262e32a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5 fbf5bc2b76f81a5771949ec0cfe14172
SHA1 ed6de5863898c978cad14ffd41a61ebe1f3aecb3
SHA256 46e3be2c9bdb26c7f6b1a25fbb2c29bfeed141baa06c236a55829f9bffd6dd5e
SHA512 ab95828fd7b798bbac512626f6eb408750d3209a900cddadc56c730f30e59b39c37f49856495a566e087819c2f21200d1217fde84deabe4bddafedd8fee7f956
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\QZ84IDLQ.htm
MD5 b1cd7c031debba3a5c77b39b6791c1a7
SHA1 e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA256 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512 d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\IEGDHP77.htm
MD5 6b17a59cec1a7783febae9aa55c56556
SHA1 01d4581e2b3a6348679147a915a0b22b2a66643a
SHA256 66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb
SHA512 3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3
-
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5 ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1 b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256 e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512 b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
C:\Users\Admin\Desktop\AssertConfirm.MTS.E4B-88F-1D5MD5
e1457df4ccc895c1139af3fedabdaa19
SHA1bdd503a23a68fa20b6d55df1158dd1f16fdd07fb
SHA256292e501302d048246242eb706f406bcfa6062b3359aaedf80b90669fde8a52e3
SHA51257323804479b16ea03454e3fa072c52c8bd40be2c2433e6caa7cb51c5425661dba41cf83aa386442cc82999dd4ad08c62b8be330f1ecc7868e2407165e756879
-
C:\Users\Admin\Desktop\CloseAdd.tmp.E4B-88F-1D5MD5
f5c61676a5ad7fc65e8ecda92c47a34a
SHA1e032ded928807648ed9131e83bb47cea82c30e82
SHA256223c8e44879d3452334f5bf32e86580d2b69a7707ad2d039338b6884ab8abd71
SHA5122dff01cd183f32883368a6c41c9bd42a506110db629c729260f4698387acc2ca87e1002960026b55ba80063d5072a7f8d9ae1fab019c84433e7da300cbd2182e
-
C:\Users\Admin\Desktop\CompareClose.m4a.E4B-88F-1D5MD5
90480a10d8a1a5bbe31363419188f6d2
SHA1d096ba22de3b7539d77eea982db0a7ecc4079774
SHA256512709ddef0efec6b30a747214f79ca9bcbf346edce9a3501185895d9ca1ec27
SHA5122fc649cf9ae63a6cda913f62b8f6f52b58af60fced402a74cf3280d57f6e300e51682213e2a86aaa6c49d3a8f32a5df9a60838070a6f571f2cde3ecc3e37159c
-
C:\Users\Admin\Desktop\CompareResize.wav.E4B-88F-1D5MD5
978865b2bfd14855049ae73dfb7c4b82
SHA1084bda6e0127002246c50383f5ce1dd92bc3cfc5
SHA25609601d7f74e2c456d96f8556fe5f6229976959918d54e3c53d02701fc6f15a33
SHA512276851c7cb89af0dcd71f16a727720ec00c7021aaff031c955d2c001aea00e44b54c11e3ee1e2a8a5ac472e5c239de03e7011854c78b32239a08a79b08e310d0
-
C:\Users\Admin\Desktop\CompressSubmit.wmf.E4B-88F-1D5MD5
979597dec68f455c2a8763b945ed3ff9
SHA1a319ab8cd9bf64c1107c9dd269529a852e236aaf
SHA256a6a8c4167447b0981a519842d2d5cf8e1f9218aa63abea72034f10225110d92f
SHA51225c3a00bb815659d7d01b9b04354343a3daea9ffafe5a9550093c2588ee1ceec83732ce73232a6af649bd7f1e1c8375592dd43a3f5e54a27bde244a4cb2b96da
-
C:\Users\Admin\Desktop\ConvertFromClear.rm.E4B-88F-1D5MD5
ff6e4c4bd68f4ad65be29d5167f72a9b
SHA1bee207ebc45d95a347f8052a1b57d38908bc2b03
SHA256d3c3981d15545155d660ca0ec9368bdd60c9546c48a651742125572c6bb125ce
SHA512a04659caabe4533433bf80007c8dbc355e4c4d3f032a8a1e9520ca65af9b7c77fca0e16d16a98e25462cebda7bfaa87d697485ca5aba0345eafc0a08746df939
-
C:\Users\Admin\Desktop\CopyExit.vssx.E4B-88F-1D5MD5
8fd15f211ce4b1eeb1c82a15d5112b19
SHA157e817f346659111797bc20396938155f68d0257
SHA256ef8af024ef684fd18a88b97f6dc1cdecd7b5cfc977f344147338741f44a4b679
SHA5125a4c0bdc975a534684b3351da2d49f18126d787d28f19138d41cf49633278e08aba5ab277c099f3a842fc55e8d3ab9ae56a823412f34763482117cf722990b10
-
C:\Users\Admin\Desktop\CopySplit.AAC.E4B-88F-1D5MD5
3dcfea301b4a8fc3f61a877ac08049ba
SHA107b150327cb8f6266ff8001e8778b116d45ece01
SHA2565a5e52720dd30a2d32da5785e3d14bfb8834791ffc49ff6ce6289698fc3c10ce
SHA512fcbfb604bf48cb2aa5d078a9a9ab340111217d773fe8745085ce6fc9a8f94306dce63f3d7e5cc359b39c8fe05a29dfd6e1b7ba3b7a1487cbdee713f132982138
-
C:\Users\Admin\Desktop\DenyConnect.3g2.E4B-88F-1D5MD5
f0b062f46dff314bba0d238fbf5cfbb9
SHA11ae5414dba9fc0df2e3d34086837c94158612a05
SHA2560ea716bfb0bf1c7ea4af140d7236e97ac9a047a203bc74d7533f7e002a3cf0c0
SHA51236baa61088b2d6f4cd80576a5d733dcf5eda3a146474335ac65e743275f80f75c16a14d5d646f3573c7bc1997ab946ea242b8c3981ac36257edbf7928d8b3e27
-
C:\Users\Admin\Desktop\DenyConnect.tif.E4B-88F-1D5MD5
ed469417ed4b793dd6ed0023319788fd
SHA1e682755b6f09db094159bd7dfc273239a781bfa6
SHA25628dc39fd015ace42b4241487239826b7b26f9fbf3410df69ab93bc7ed6773b10
SHA5127b49b0b3128a6bb7c50d295e337194b10e589367cf4f76bc4cc44f9ebfc5b5d54599a7f8e462cfb76f20387e781b7b4be4eafbb54f9f8ba0f202b34f99ac2cbe
-
C:\Users\Admin\Desktop\GrantDeny.rm.E4B-88F-1D5MD5
aa17a9c20e5b3bccc4477958e7bd782f
SHA13407fad4496c308f16ac4675b01ec35f9a6d1152
SHA256e1af895881783416151daca8e5b3e010ed5eb5aecc455e6881f9ad83e6bfc365
SHA51212d23ee96b2fef01168d5fe9d0214f8cecf2b21312dcf9d7d18cee66f33951efa50cfecc8022d97687a751e90710a7e98686606af9427f3b380e8daeb22ce0b3
-
C:\Users\Admin\Desktop\GrantUndo.iso.E4B-88F-1D5MD5
dcf4172b2111f3c788c96f8407a009ff
SHA1d2c749664ab0772fcbd382d604f8b76a7f3fc33d
SHA256d2df75b4399504d5d710dd0e3c2f552ce776e78aeae5bf89400a3ec63810043d
SHA512a2b60ccb4e93548d72c0ce313cef560b7f6f64f8c75a64e93dcaff26372cc53fbf78bc29800c7b3918787ad99a3cc035638f3a71bbccbabaf8f73116bf09bf59
-
C:\Users\Admin\Desktop\LimitBackup.ogg.E4B-88F-1D5MD5
37af0709e6e7c92387238b1d00799498
SHA1e14de75f6b5c74ee41cbafcc5e70023b9290593f
SHA2563541f574c1a7c4d87641fa73035aeb73976d96b7b1b13417f8e07f6ec56cfb52
SHA5126a80764df56921544e16a17981ecc527b1d84bf0a5e02308d19968fed67b3580eaf7f386b097a54784c5275361d06e1298ee54df1376130352bc89b4fab23c1a
-
C:\Users\Admin\Desktop\NewEnable.au.E4B-88F-1D5MD5
e4fae3786ecb43488e916596eb173c9e
SHA15468a0454d528dbf8d5cda74804bc5c438464226
SHA2564eeaf3a4ec5f429fa0615e77ca7c18082bae2d49f4d422b52f97049d0524b055
SHA5120aacfa72b97da5dc7fa23d1fd131c36cf6013bcd60d6b01dae9bfee2e8254f12f56ea6eccfb71cc33d7a5e7b99e1180c9a5d520c5137ab1e307f6f70c54ba382
-
C:\Users\Admin\Desktop\NewProtect.csv.E4B-88F-1D5MD5
112c4db4ddc2245ccac8f04cfd1b49fd
SHA126b7deaf9eacaaec80a97efbed60c21c1887d37f
SHA256a2091f1a22f082e387d369a6705b8bce53fbc75204b0ff185cb6f3ca85e96cf9
SHA512ad35568aabe1f07eaaf43cdaf02513e9e5b59f37d6d7e5f097d2e03c4daf45d247c94557297ce9eb7f1cb3439ff162363f8ebee76b506839bdc92ff3a3b0e935
-
C:\Users\Admin\Desktop\PublishJoin.aifc.E4B-88F-1D5MD5
efe6c7bc44f9a8123ee67f3c834378fb
SHA14f4cc02de31492edac706f63c2873d7b4f5540aa
SHA25667460a52ef63fb54a3a2d276fd38327970c6ec64a592768df2cc2bc754a2c8a9
SHA5125dceb618ad726f738e577cc21b5723254898c4712c4772a0e5336d43ea2e1a7f58de811ab33c3f8d821ab7dcce06b764b7588afe5dd8ee9cf048b8a84a8501f1
-
C:\Users\Admin\Desktop\PushSend.mpg.E4B-88F-1D5MD5
fcf468fc2d1312f4f08fbdac58cf77ed
SHA1d2fda9bf5219877d482cf774bf546e25ca28b6ea
SHA2561510a9b7f8e299e20bb6370bbd019975145fc2eee5fd1e3124c34017f8343b35
SHA51284b4594b82acec6921d531134a8439fd029272f21bb16da34ceba40436983273b8ca59944ff1ac210f9855a220c0a1b446002c6dac973b503279d4c6f638fc24
-
C:\Users\Admin\Desktop\SyncJoin.iso.E4B-88F-1D5MD5
3d21b6dad42b5cd15b171e8d7651c38f
SHA1869055b978654cd4e4e8f29964d8bda1f4dfe911
SHA2567e1124e67aa24ac894e4599cdc82cc311427c33807932c7ba429c7e7a6d6ceaa
SHA512b6c7c670f58b3d98a8690682fb64ef9f8faaed774e3f542ed7412d75f2da50861807a784717b44dcd2dcd7240430f03ba652164aa0871a01ef0f12a4a6308c67
-
C:\Users\Admin\Desktop\TraceUnregister.wmf.E4B-88F-1D5MD5
a4f59e6aa5378985af63e6b7a4bbeb83
SHA1ed67c746640e5a4313ef1ec3873572c01a426890
SHA256bfd76236524e7760d4891c3d860ae505ebb995a65f41a6e3827e5cad4b673051
SHA51279d777d478a3e5ca8996cd75b40e0ca21a10b6397d7a8b6dcca67a9c692174ceaaae110a88d2030f48cb3ebf4f38c25579d2edaf19e096153580d5944272526b
-
C:\Users\Admin\Desktop\UnblockConvertFrom.DVR.E4B-88F-1D5MD5
bbc98043051a1fb79cd86bbd970cac7c
SHA1e12e0a271e8c55a750fc81b52ddb708f22179094
SHA2566f1f847bcaebc2856b1e34696df418efa8fc2990015b4862355a661ebe2de51a
SHA51260a052154b672ae25d09435504fe1658dd13c98a696f030b9a266a37c1937f349e97eb951042147b3098fce7777da30a6c71696dc4a2587b7b6a204b7404bd5f
-
C:\Users\Admin\Desktop\UnblockSet.au.E4B-88F-1D5MD5
451e965f6dabe8dc1c547de0bb8da117
SHA1505434d7b789a0298cf5f6b1ac4323e437e74501
SHA256f0835ff4315a0e6a77c7c83dd63f757dbe253a4233e85399eeff4c7d1da06cfe
SHA5121ebc21868219edd1869d67e40009be4ff4660883eb80d368c7f413ba9551c93ba18d954180359e88633b11aa18cc712e9f96fdd36a529ffda4b1d03e99d675a4
-
C:\Users\Admin\Desktop\UninstallRestore.m1v.E4B-88F-1D5MD5
f5e5c95315588893835ccd7e75641588
SHA1c761fa903a9f7e9419c88a5562ab67a783a2168f
SHA256d516cb9bb10f4fb601b10dd3cf766edd68995aef2a171790129fd80eaf2bdd73
SHA512f0526f8ecba9fb291674c5ef15571248762bc760fd429b1bfd5280ce0cd53b555f124c6305baf61ced0a47be02819c3a4aca856b70298a7be61ade62958093ee
-
C:\Users\Admin\Desktop\UnlockBlock.avi.E4B-88F-1D5MD5
123a54db0778c933cce1d09a0aedcc37
SHA1826a71ddf6c4fbdca478c79d8d35daac43490002
SHA25674f83249aa2e333f607a5ef49a69daa0f076496c06329c7369ae4bec718beba7
SHA512078f02d510a45ebda66536b1206803cc7a6145d551f9db001e7c84ec6d25fd234d4d1d947b11c77f4141c1472cda59542b2cbe64b7bea2a4cd8722c933385fa3
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-