Analysis
-
max time kernel
151s -
max time network
127s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
07-11-2020 21:28
Static task
static1
Behavioral task
behavioral1
Sample
lsass.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
lsass.exe
Resource
win10v20201028
General
-
Target
lsass.exe
-
Size
214KB
-
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1
-
SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec
-
SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
-
SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
Malware Config
Extracted
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
tomriddle1337@cock.li
riddletom1337@protonmail.com
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
svchost.exesvchost.exepid process 1212 svchost.exe 1648 svchost.exe -
Deletes itself 1 IoCs
Processes:
notepad.exepid process 1636 notepad.exe -
Loads dropped DLL 2 IoCs
Processes:
lsass.exepid process 744 lsass.exe 744 lsass.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
lsass.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start" lsass.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
svchost.exedescription ioc process File opened (read-only) \??\U: svchost.exe File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\O: svchost.exe File opened (read-only) \??\M: svchost.exe File opened (read-only) \??\E: svchost.exe File opened (read-only) \??\R: svchost.exe File opened (read-only) \??\Q: svchost.exe File opened (read-only) \??\P: svchost.exe File opened (read-only) \??\N: svchost.exe File opened (read-only) \??\H: svchost.exe File opened (read-only) \??\B: svchost.exe File opened (read-only) \??\A: svchost.exe File opened (read-only) \??\Y: svchost.exe File opened (read-only) \??\W: svchost.exe File opened (read-only) \??\S: svchost.exe File opened (read-only) \??\T: svchost.exe File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\K: svchost.exe File opened (read-only) \??\I: svchost.exe File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\Z: svchost.exe File opened (read-only) \??\X: svchost.exe File opened (read-only) \??\V: svchost.exe File opened (read-only) \??\F: svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 geoiptool.com -
Modifies service 2 TTPs 4 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Drops file in Program Files directory 13766 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.285-093-7AC svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar.285-093-7AC svchost.exe File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296279.WMF.285-093-7AC svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kathmandu.285-093-7AC svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide.285-093-7AC svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar.285-093-7AC svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185796.WMF svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200377.WMF.285-093-7AC svchost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_es.dub.285-093-7AC svchost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png svchost.exe File created C:\Program Files\Java\jre7\lib\images\cursors\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SUBMIT.JS svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215709.WMF svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14829_.GIF.285-093-7AC svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\New_Skins.url svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR21F.GIF.285-093-7AC svchost.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt svchost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg.285-093-7AC svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185798.WMF.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FORM.ICO.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01461_.WMF svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105526.WMF.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14578_.GIF.285-093-7AC svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232393.WMF svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\ELPHRG01.WAV svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql90.xsl svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01954_.WMF.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME19.CSS svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105974.WMF.285-093-7AC svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.285-093-7AC svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103402.WMF svchost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21327_.GIF svchost.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.285-093-7AC svchost.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 1588 vssadmin.exe 1636 vssadmin.exe -
Processes:
svchost.exelsass.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 lsass.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e lsass.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e lsass.exe -
Suspicious behavior: EnumeratesProcesses 1224 IoCs
Processes:
svchost.exepid process 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe 1212 svchost.exe -
Suspicious use of AdjustPrivilegeToken 85 IoCs
Processes:
lsass.exeWMIC.exeWMIC.exevssvc.exedescription pid process Token: SeDebugPrivilege 744 lsass.exe Token: SeDebugPrivilege 744 lsass.exe Token: SeIncreaseQuotaPrivilege 1412 WMIC.exe Token: SeSecurityPrivilege 1412 WMIC.exe Token: SeTakeOwnershipPrivilege 1412 WMIC.exe Token: SeLoadDriverPrivilege 1412 WMIC.exe Token: SeSystemProfilePrivilege 1412 WMIC.exe Token: SeSystemtimePrivilege 1412 WMIC.exe Token: SeProfSingleProcessPrivilege 1412 WMIC.exe Token: SeIncBasePriorityPrivilege 1412 WMIC.exe Token: SeCreatePagefilePrivilege 1412 WMIC.exe Token: SeBackupPrivilege 1412 WMIC.exe Token: SeRestorePrivilege 1412 WMIC.exe Token: SeShutdownPrivilege 1412 WMIC.exe Token: SeDebugPrivilege 1412 WMIC.exe Token: SeSystemEnvironmentPrivilege 1412 WMIC.exe Token: SeRemoteShutdownPrivilege 1412 WMIC.exe Token: SeUndockPrivilege 1412 WMIC.exe Token: SeManageVolumePrivilege 1412 WMIC.exe Token: 33 1412 WMIC.exe Token: 34 1412 WMIC.exe Token: 35 1412 WMIC.exe Token: SeIncreaseQuotaPrivilege 1820 WMIC.exe Token: SeSecurityPrivilege 1820 WMIC.exe Token: SeTakeOwnershipPrivilege 1820 WMIC.exe Token: SeLoadDriverPrivilege 1820 WMIC.exe Token: SeSystemProfilePrivilege 1820 WMIC.exe Token: SeSystemtimePrivilege 1820 WMIC.exe Token: SeProfSingleProcessPrivilege 1820 WMIC.exe Token: SeIncBasePriorityPrivilege 1820 WMIC.exe Token: SeCreatePagefilePrivilege 1820 WMIC.exe Token: SeBackupPrivilege 1820 WMIC.exe Token: SeRestorePrivilege 1820 WMIC.exe Token: SeShutdownPrivilege 1820 WMIC.exe Token: SeDebugPrivilege 1820 WMIC.exe Token: SeSystemEnvironmentPrivilege 1820 WMIC.exe Token: SeRemoteShutdownPrivilege 1820 WMIC.exe Token: SeUndockPrivilege 1820 WMIC.exe Token: SeManageVolumePrivilege 1820 WMIC.exe Token: 33 1820 WMIC.exe Token: 34 1820 WMIC.exe Token: 35 1820 WMIC.exe Token: SeBackupPrivilege 956 vssvc.exe Token: SeRestorePrivilege 956 vssvc.exe Token: SeAuditPrivilege 956 vssvc.exe Token: SeIncreaseQuotaPrivilege 1412 WMIC.exe Token: SeSecurityPrivilege 1412 WMIC.exe Token: SeTakeOwnershipPrivilege 1412 WMIC.exe Token: SeLoadDriverPrivilege 1412 WMIC.exe Token: SeSystemProfilePrivilege 1412 WMIC.exe Token: SeSystemtimePrivilege 1412 WMIC.exe Token: SeProfSingleProcessPrivilege 1412 WMIC.exe Token: SeIncBasePriorityPrivilege 1412 WMIC.exe Token: SeCreatePagefilePrivilege 1412 WMIC.exe Token: SeBackupPrivilege 1412 WMIC.exe Token: SeRestorePrivilege 1412 WMIC.exe Token: SeShutdownPrivilege 1412 WMIC.exe Token: SeDebugPrivilege 1412 WMIC.exe Token: SeSystemEnvironmentPrivilege 1412 WMIC.exe Token: SeRemoteShutdownPrivilege 1412 WMIC.exe Token: SeUndockPrivilege 1412 WMIC.exe Token: SeManageVolumePrivilege 1412 WMIC.exe Token: 33 1412 WMIC.exe Token: 34 1412 WMIC.exe -
Suspicious use of WriteProcessMemory 55 IoCs
Processes:
lsass.exesvchost.execmd.execmd.execmd.exedescription pid process target process PID 744 wrote to memory of 1212 744 lsass.exe svchost.exe PID 744 wrote to memory of 1212 744 lsass.exe svchost.exe PID 744 wrote to memory of 1212 744 lsass.exe svchost.exe PID 744 wrote to memory of 1212 744 lsass.exe svchost.exe PID 744 wrote to memory of 1636 744 lsass.exe notepad.exe PID 744 wrote to memory of 1636 744 lsass.exe notepad.exe PID 744 wrote to memory of 1636 744 lsass.exe notepad.exe PID 744 wrote to memory of 1636 744 lsass.exe notepad.exe PID 744 wrote to memory of 1636 744 lsass.exe notepad.exe PID 744 wrote to memory of 1636 744 lsass.exe notepad.exe PID 744 wrote to memory of 1636 744 lsass.exe notepad.exe PID 1212 wrote to memory of 668 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 668 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 668 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 668 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1940 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1940 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1940 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1940 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1712 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1712 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1712 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1712 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1404 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1404 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1404 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1404 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 672 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 672 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 672 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 672 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 940 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 940 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 940 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 940 1212 svchost.exe cmd.exe PID 1212 wrote to memory of 1648 1212 svchost.exe svchost.exe PID 1212 wrote to memory of 1648 1212 svchost.exe svchost.exe PID 1212 wrote to memory of 1648 1212 svchost.exe svchost.exe PID 1212 wrote to memory of 1648 1212 svchost.exe svchost.exe PID 668 wrote to memory of 1412 668 cmd.exe WMIC.exe PID 668 wrote to memory of 1412 668 cmd.exe WMIC.exe PID 668 wrote to memory of 1412 668 cmd.exe WMIC.exe PID 668 wrote to memory of 1412 668 cmd.exe WMIC.exe PID 672 wrote to memory of 1636 672 cmd.exe vssadmin.exe PID 672 wrote to memory of 1636 672 cmd.exe vssadmin.exe PID 672 wrote to memory of 1636 672 cmd.exe vssadmin.exe PID 672 wrote to memory of 1636 672 cmd.exe vssadmin.exe PID 940 wrote to memory of 1820 940 cmd.exe WMIC.exe PID 940 wrote to memory of 1820 940 cmd.exe WMIC.exe PID 940 wrote to memory of 1820 940 cmd.exe WMIC.exe PID 940 wrote to memory of 1820 940 cmd.exe WMIC.exe PID 940 wrote to memory of 1588 940 cmd.exe vssadmin.exe PID 940 wrote to memory of 1588 940 cmd.exe vssadmin.exe PID 940 wrote to memory of 1588 940 cmd.exe vssadmin.exe PID 940 wrote to memory of 1588 940 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\lsass.exe"C:\Users\Admin\AppData\Local\Temp\lsass.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
e5be8c65934ad0c00c584026d085108e
SHA16ce4c8bc54630bf9f70d3fe93ce91bf44004439f
SHA25668413df5f5923c0283167f5bf10bb7a65b1cdbea7602d263f64af49820efa315
SHA51250470648453a249e3ec06572fd418a123bd0500291a8b3bc0c7cde453ac36e027130f49f01c17ab21034d6033abe1f81402166ee80460b0fcb56856f20db2539
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
3208da0c038576623565b095fcea4ad1
SHA1bc421f8eb4b9c6100aa444edece988c01dd63b26
SHA25616ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b
SHA51217fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
3bf227caeee1b07d47b29873a1640f1a
SHA161af6e587db89d7d7f518bb1e16c2d73451e5ed6
SHA25630becef61dd6dd9d8b0402aec82db12ebb3ef7b76d854ca1f8bd30fa50ab5980
SHA51229a3663efa62ccc6dce4e083b7e43e80560de48ebc0eebfff5aed1fc158f0ed65a009589046773cb3c97588005219f45ae414c53f7bffe5a0a2ec80b0c2a903e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
bd730d25752cdb8b3f67287d39d2bb7d
SHA1b0215d5567755abae2e6e1c8403393080401769f
SHA256997c071496860e6e483aeb77ff800f71c5db514823b199834d725df0bbddbbb4
SHA5120dc8e16507c1c95b54f05329976d5652b4d7f960ca724b4bee7cc75245be3bb44b41d5e147406e7abcb29aed3795bcc7c80eeebcbb489096c73b9ab8b98af265
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
4be7bf0c0097f15ee42b11114da8fca2
SHA1970f042f5ddddba7aac200af55eac4d894cca5d6
SHA2564356b03573a54e751fee6ff5f1cd4461fdf69a33e6a4116c138073e9affdb40f
SHA512f3e872159ba7b71a672bc4312595936b246f450595f08d81b8aa6ca7466c8f0cd9055b3a703f8414f81b828aa2d3e02c66bdec6af999b16907f89b2949cab45a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
46a10d6f47d9c2e9c364ea41758149e1
SHA1d0a3d23dda779e76bbc790395ad6f3d87dddb679
SHA256b1196a089f4128fb5a2467c53cf4c87258a052999890a659c4eda3d9f0d94462
SHA51245ce7a79c801f97f47dac6af0acfc424143ae232221a8fb73b24b8095e314413e0e9a7e989395369f63f1a6b3abef43eb02c70367e0ac7da81fcaf57dfce5dbf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
e191bd4c9f9c67f22677a1dd94f29820
SHA101fd3cd919e6fe3147a82c7cae4c7f87816c6282
SHA25693509e9d87bbc04a39dabe1c0dd106e5455006bcee9bc0b7d7d9a637ba7ce44d
SHA5120b4d64c5a376cc46d59e5a578a69c6096623e76d3f31c6affa570c73758f067bd09ea5ea90be37bdb540d6fac3c6b97e63b56cbf7bc3ba51d6b94c7659a4f08e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\AQX9PTZT.htmMD5
8615e70875c2cc0b9db16027b9adf11d
SHA14ed62cf405311c0ff562a3c59334a15ddc4f1bf9
SHA256da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d
SHA512cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ISB2KAC\2FDOYCER.htmMD5
b1cd7c031debba3a5c77b39b6791c1a7
SHA1e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA25657ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Temp\~temp001.batMD5
ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exeMD5
3a87a3c5abcdc92ef421700ac6f5d0d1
SHA170509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA25645dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f
-
memory/668-16-0x0000000000000000-mapping.dmp
-
memory/672-20-0x0000000000000000-mapping.dmp
-
memory/940-21-0x0000000000000000-mapping.dmp
-
memory/1212-3-0x0000000000000000-mapping.dmp
-
memory/1404-19-0x0000000000000000-mapping.dmp
-
memory/1412-25-0x0000000000000000-mapping.dmp
-
memory/1588-29-0x0000000000000000-mapping.dmp
-
memory/1636-5-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/1636-26-0x0000000000000000-mapping.dmp
-
memory/1636-6-0x0000000000000000-mapping.dmp
-
memory/1648-23-0x0000000000000000-mapping.dmp
-
memory/1712-18-0x0000000000000000-mapping.dmp
-
memory/1716-0-0x000007FEF7900000-0x000007FEF7B7A000-memory.dmpFilesize
2.5MB
-
memory/1820-28-0x0000000000000000-mapping.dmp
-
memory/1940-17-0x0000000000000000-mapping.dmp