Analysis
- max time kernel: 134s
- max time network: 128s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 03-12-2020 08:05
Static task: static1
Behavioral task: behavioral1 (Sample: zeppelin.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: zeppelin.exe, Resource: win10v20201028)
General
- Target: zeppelin.exe
- Size: 214KB
- MD5: 43a791cfe3e906f15a432943088450a1
- SHA1: 0a2d12d30126385eb85d1ce88d06762bc429fb03
- SHA256: 7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101
- SHA512: 372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a
Malware Config
Extracted
- Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Emails: uspex1@cock.li, uspex2@cock.li
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes (pid process):
    1652 svchost.exe
    1740 svchost.exe
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes (description ioc process):
    File opened for modification C:\Users\Admin\Pictures\RemoveStart.tiff svchost.exe
- Deletes itself (1 IoC)
  Processes (pid process):
    1148 notepad.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid process):
    1944 zeppelin.exe
    1944 zeppelin.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description ioc process):
    Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run zeppelin.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start" zeppelin.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description ioc process), all by svchost.exe:
    File opened (read-only): \??\F:, \??\E:, \??\B:, \??\Y:, \??\W:, \??\U:, \??\M:, \??\I:, \??\A:, \??\V:, \??\Q:, \??\O:, \??\K:, \??\H:, \??\G:, \??\R:, \??\P:, \??\N:, \??\S:, \??\L:, \??\J:, \??\Z:, \??\X:, \??\T:
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow ioc):
    4 geoiptool.com
- Drops file in Program Files directory (64 IoCs)
  Processes (description ioc process; the process is svchost.exe for every entry):
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\RSWOP.ICM.106-D50-1E2
    File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Right.accdt.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195384.WMF
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h
    File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00560_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar.106-D50-1E2
    File created C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Invite or Link.one.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CAMERA.WAV.106-D50-1E2
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11.106-D50-1E2
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml
    File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14529_.GIF
    File opened for modification C:\Program Files\Java\jre7\lib\zi\America\La_Paz.106-D50-1E2
    File created C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18208_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18227_.WMF.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POST98SP.POC.106-D50-1E2
    File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.106-D50-1E2
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.106-D50-1E2
    File opened for modification C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf.106-D50-1E2
    File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu.106-D50-1E2
    File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105276.WMF.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01368_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14984_.GIF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HEADER.GIF.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvpxy.cnv.106-D50-1E2
    File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01661_.WMF.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107302.WMF.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01255G.GIF.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM.106-D50-1E2
    File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar
    File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier
    File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00957_.WMF.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF.106-D50-1E2
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OWSHLP10.CHM
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF
    File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105320.WMF.106-D50-1E2
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid process):
    324 vssadmin.exe
    888 vssadmin.exe
- Modifies system certificate store
  Processes (description ioc process):
zeppelin.exesvchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 zeppelin.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01
deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e zeppelin.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 zeppelin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 svchost.exe -
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description pid process), grouped by process in the order reported:
    1944 zeppelin.exe: Token: SeDebugPrivilege (2 entries)
    1344 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    268 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    1232 vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    1344 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
- Suspicious use of WriteProcessMemory (62 IoCs)
  Processes (description pid process target process), grouped with repeat counts:
    PID 1944 wrote to memory of 1652: zeppelin.exe -> svchost.exe (4 entries)
    PID 1944 wrote to memory of 1148: zeppelin.exe -> notepad.exe (7 entries)
    PID 1652 wrote to memory of 1628: svchost.exe -> cmd.exe (4 entries)
    PID 1652 wrote to memory of 1584: svchost.exe -> cmd.exe (4 entries)
    PID 1652 wrote to memory of 564: svchost.exe -> cmd.exe (4 entries)
    PID 1652 wrote to memory of 1112: svchost.exe -> cmd.exe (4 entries)
    PID 1652 wrote to memory of 852: svchost.exe -> cmd.exe (4 entries)
    PID 1652 wrote to memory of 1092: svchost.exe -> cmd.exe (4 entries)
    PID 1652 wrote to memory of 1740: svchost.exe -> svchost.exe (4 entries)
    PID 1628 wrote to memory of 1344: cmd.exe -> WMIC.exe (4 entries)
    PID 852 wrote to memory of 324: cmd.exe -> vssadmin.exe (4 entries)
    PID 1092 wrote to memory of 268: cmd.exe -> WMIC.exe (4 entries)
    PID 1092 wrote to memory of 888: cmd.exe -> vssadmin.exe (4 entries)
    PID 1652 wrote to memory of 1256: svchost.exe -> notepad.exe (7 entries)
Processes (tree; child processes indented under their parent)
C:\Users\Admin\AppData\Local\Temp\zeppelin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\zeppelin.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
      - Executes dropped EXE
      - Modifies extensions of user files
      - Drops file in Program Files directory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Windows\SysWOW64\notepad.exe
      command line: notepad.exe
  C:\Windows\SysWOW64\notepad.exe
    command line: notepad.exe
    - Deletes itself
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: bd691101a043a7ec611591cd7deaa579
  SHA1: 4b238c877946f915e6f73eeb47b55e1395ebde78
  SHA256: 50421f1709af0eae07003a608a939217b0c08b8a45d413fdbb53c848af089857
  SHA512: a14355876fa3a1e082bc99253c0f41c483b6a154562131003427a4c2b0ba6d1123d238f3b8db6fff1bdeb3a74cec187ff0a3a1521bbbc0376d4f04ceebd27930
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: c4079b1e5899a00a568db7f85fc623b7
  SHA1: 173ab04fcda97aca6e7bd0234599009230966f50
  SHA256: 315e02bb2bd7cf8442223ff870f97bc66273995abe8a9a4803e3fad3d5ba4453
  SHA512: 0e6ed68b1beec4785ecedd2d97b659b7945981b7256d8daee6a73126c32c9e998d8eda0f94432ffbe218ba42497644ed7768fe29dec6fd403d88282f109bf592
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: 38782efcaa469485e22ccbc80f49e3b6
  SHA1: f6d8d231077b8976de48d3a4470b10864394be89
  SHA256: 33f4c06f651bc56205d996d5d56b2b3e261f7f28ee252c4a14ff2be24d35d4ac
  SHA512: b50481dd058cf3b45dba0b85b85c336b4bc31c6606e6c7b9174d8345e674053cf684587eeeef10e55b9ed4824a954c7d048404dc4f7392c0be09eee51b6c3de9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
  MD5: a4f50a1b0436f830abf250355009cef0
  SHA1: c08951bdec05dfc5c2edc153a1ab56581c59cea5
  SHA256: 4b1d83893b233285c89d415f306e9e89db11accda1b2df3d33cce511edd041b5
  SHA512: 25d4e57e84af2f4ef60880b6d9334af7a011ee4abc20cfc53b14db20aeddea7b43b0fa313dcd25551e5cc964b1116591dcc7a9f879b85059f469bcbec9f5cd16
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
  MD5: 7a02f945ce8a812df06ad11440be14e6
  SHA1: c821451bd11ca3584c479554f52397007468476c
  SHA256: 53db68ca2d26aee18584d10caa240df9eb65446939ed33cefd0664620a311897
  SHA512: 9df6ed16cf33993e44e1963980b228bbfdff232f617fd1541810020660bf3ef84047ee09a54002efd8bf0b1ef81d8aad52f5d0686e80e856043de3e1a1ac2d84
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: 4686a8bfdd57f44b39c3a23c6a7248a3
  SHA1: 5bb3e83661a2ed4953cf2239e3dc577034efb2c8
  SHA256: b4bda7cdc99f465cef975e7cc703d6b8652e652dbfd5cdefd34e5c5003aa98cb
  SHA512: 80c51833b7358ff6a0f1c14173854571992f242f80f916913d03a06234e6899fab7ad644d4ba5002881b31fbe04255bccba290276046c5bc5314e3b5e64fba12
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  MD5: eb35d7e9508b5ff44c3cbb64cb93f96b
  SHA1: cf4c704bf9a8e0cffe94644d1972b70f83ed1a5c
  SHA256: 7afc6a748758dc98fb57113b5ba54accfa6e84a9d9098d228c272cbba19dcaf2
  SHA512: f84a6c3984fd0b6938c5531fbbabc02d6da84e646670e08fc3c423c14227ef4a935ce431e583252b952a116a0e7b5ddc52985c8b4171eae93c3820a82dfd39b9
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\C7SRFLSP.htm
  MD5: b1cd7c031debba3a5c77b39b6791c1a7
  SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
  SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
  SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\NBIB2YRM.htm
  MD5: 6b17a59cec1a7783febae9aa55c56556
  SHA1: 01d4581e2b3a6348679147a915a0b22b2a66643a
  SHA256: 66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb
  SHA512: 3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3
- C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
  SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
  SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
  SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  MD5: 43a791cfe3e906f15a432943088450a1
  SHA1: 0a2d12d30126385eb85d1ce88d06762bc429fb03
  SHA256: 7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101
  SHA512: 372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a
-
C:\Users\Admin\Desktop\AddImport.m1v.106-D50-1E2MD5
1d8301324df7ac16f5f98bcc9c48ad4f
SHA174f297d54802157c752f85e8b7d80ac9a6f194f1
SHA2564b72c7de376b3a6345864b781c8769d6f2daca9542e06c31df43e9fab14533a2
SHA5127d669ad1e2886ea26292fd93c26393b227da237d2bd8ff18e38e39d9ef5e74501caf1e58e1440b807225784927124198e2ba1a1a02d0cf19456d1e033d2749b8
-
C:\Users\Admin\Desktop\ClearLimit.vsd.106-D50-1E2MD5
0b2df3cf33bf5c851763b999fb21ea12
SHA11ef7fc880ca2746374947606d6a72919a34e0413
SHA256cbea64f0c7feeace3695e1d95efd109ed6fef712db377d317b7e7ef3f53423a5
SHA512f0ef9f8665533eb95f3aa221e01f46f107a0df22f5cfb88b904ff80b3dbd5cd31f2403c6cad792436abdcfa38b92270e0854a7f3257d61145115338f12d86551
-
C:\Users\Admin\Desktop\CloseSearch.wav.106-D50-1E2MD5
a7d66a0ccac7d5acc754b9e6fbef1bc0
SHA12a6b09347e49559c2fbc6e66924ff4de153a6e3c
SHA2569c3498c7c1e33e90f0d6d83f266068aa1c687b09b48c93106965ba11160a94b0
SHA512150adbf6a7a65209513fd835c607c29f30b75b63722738191f0a8275cd808483c92bc16120c42a3ab88eb960fe108dfd91d0dcdbfd465ad2be77359054b54eb9
-
C:\Users\Admin\Desktop\ConnectPop.kix.106-D50-1E2
MD5    2605bcbd894d23794e2c7314f24b6840
SHA1   245bcf91b9055083efe58c9de3362857254d3ef7
SHA256 8b839123b8c4157a740f11b573e3ba9b9c91cac01157bd6cd6c60ea738927612
SHA512 79c809418b45f77f57f7b8550f9ba08b68292e2f9a6c5d4d063932ff9debac726a0fbad069e510710fa860ec86cb618f858855e916f74ee5e7b76824045276e4
-
C:\Users\Admin\Desktop\ConvertFromSwitch.vsdx.106-D50-1E2
MD5    794f76793fd2c8d7b04ee3e347b9465e
SHA1   2c9feb4e8f9bad0a3eff53a4b478a6667c0b785a
SHA256 a96b2221afa013393eaf7f292c6dd4cb5ac70f2b8ae6f0eaa83468caa76b0d8f
SHA512 0148b47e73d431266d34d755430b8a3579a1a99a0658bce06b2a75225518a67cf7fe0ee4f388e96fd7498936963e3bec0815718679a71f7cb0c19f2ec4afd364
-
C:\Users\Admin\Desktop\ConvertFromUnblock.wmf.106-D50-1E2
MD5    e77d6c505aacd29244b45ef5153ce170
SHA1   e88d90b202b3136e02240504538e4eb370edada3
SHA256 5cd6474a07297d14e4e64b13460ab964ea131810a3d7c4e7b2a7816826ca0990
SHA512 5b88320f8078eb18ff79ef0ef251d8e46a1f87b559a5c5ad561d177baba445d7979d51ca8b556ab106b66c9a03388da4bd74e82a39ca0f4a9adcf7c1578d9a7d
-
C:\Users\Admin\Desktop\ConvertToFormat.tif.106-D50-1E2
MD5    e8262e9484c3d85b1396c307f5355b3c
SHA1   ee2a23a5cb72bbfed76d5ab63c2f2be75f4bfbda
SHA256 bc2273b399a0b09b8ff86b5de028e708e167302c289962fd6f9d471d688cbcbd
SHA512 d7851a2f3acccc634596ae0f54f85b8231797702a202b4dd2432b21e3497606829531964f10339d2f5b8e7fdfec9ef4073e32ebc176e8e5edb3979e585b6c5f6
-
C:\Users\Admin\Desktop\DisablePush.txt.106-D50-1E2
MD5    36816c8ceed625310e30b3cce0ef5822
SHA1   a08cb1c7e7de1261b16ded22c8dc410b839ea051
SHA256 98a824877ab50eeb225746c9b2e1d40a9d2be601f57976894c16452238e159a7
SHA512 c10e5c8bb7f27a2f4a8e607dbee2eafdaf55bddf4df3929ebf8292933af7845c605dafb11c77b1343375e0c0d06b4a8cb74cf1287c53b0b5d8140210f4578f43
-
C:\Users\Admin\Desktop\EditUnblock.ps1.106-D50-1E2
MD5    a318d0733bbc76cdcb631de92d7dc19b
SHA1   c0696bfd55fb745faf48b7d449225c42429e8460
SHA256 0a2080e10dc071998a371b102b83901652d1f9994dba449993a9b6ed31daaf64
SHA512 6d97fe39f4c7a5a45147c7c65b82f16d799f7d4e69c7076b25641be8b2631bf46f93540131308deafe39284a902bd4eb8f935b265b8297a62494a3d594edca56
-
C:\Users\Admin\Desktop\ExpandRestore.MTS.106-D50-1E2
MD5    389adddf6743e1eaeeb944c9c3368076
SHA1   93cf2fffb7f1aad4463cffe8f3cd167bf65f913d
SHA256 8d2807cc5771cd325ba9823010493cd6464c565b71d983648e82392ddca4e8ce
SHA512 6659d43056ee32107783de7ebdfd73932ef6968546862b10f0868a2aa9e04a02c113e713d4663f5e069110a103b410034f2e56b49fce7a628a9f50695e321507
-
C:\Users\Admin\Desktop\FindCopy.sql.106-D50-1E2
MD5    1015b34be2a312b16b4baf262f0f38ac
SHA1   47e104910a3de9992d6db2abc8ca61020ad2cea1
SHA256 94c3818eac8acbd6a06055c87987abf251de1677620661fa8154560dd27ed3f5
SHA512 fcce8884b218c64930793aaf17394a45b2a67624fc53bed1e567b52e2999fce4c17a3a9169b995e0cc3127f0c145e219464f43d1c6c0bc36a9497844651dd22f
-
C:\Users\Admin\Desktop\GrantResize.tiff.106-D50-1E2
MD5    49dd2a31b86013a722a0ccaccfbc700b
SHA1   498cefa1ef754771ac3f9c351d29057dc03bb090
SHA256 4adb8abe20ee3acfcaa3cd6259d019de9dc0638eca9f206d58c1157f564aeaab
SHA512 549809bebe53833b426a4db9b9d32a09e0cbea4d54df9a685e4358ed2773e35d93a8a1b458cc2836248d7bcfcbe25040895e0d2f9afab95733608add1f695fee
-
C:\Users\Admin\Desktop\InvokeCheckpoint.potm.106-D50-1E2
MD5    7cb480f34eaec7fdb76a04c9bdb91e05
SHA1   c1c8f3437d879d3580cf80a84c141a57d50d64ac
SHA256 ffd4b80de9efa608a8db0b83d4803643894c6d5cbae0c74c9b6c150dac8c9950
SHA512 7f4a22e622520ac6f4e2ec5064e35c30a5a7b19ae2b9374b315c6c083df697c98410455694ec466a6b95a7fed98e8cc61cba36f0b5ee632c1d60a7d11f525b15
-
C:\Users\Admin\Desktop\PingInvoke.mpeg2.106-D50-1E2
MD5    cd3a7b2cd7dcddd3c5eeefac66ee6686
SHA1   138776386b97f7e9784f62022d7b0367270e366c
SHA256 4a40e029928e0b7804616a262189a25249e78705998f245100dcc8925db871bf
SHA512 e807af49f270dce74bdbb6189d8a947f1b8b27527e0dfc614e4f759a32e3cb7677a1236b9626ee6aecb88cf53d4ef363c4ae062a40682ecbddf60698f08d72c7
-
C:\Users\Admin\Desktop\RequestFormat.wmv.106-D50-1E2
MD5    4141e137755d45bd74a48a28d87ff37d
SHA1   9fd5f1147a63c0a42bb3929e37754de77defe923
SHA256 c8bd71660f89d27bec152b10addbfbe88395e36c109122a17f42f5d3d9deecaa
SHA512 2a69002ee64516d1ae97c21bd24fb860b7901fb1757fa85e04c4b220644c399847e324998f858f759633916af6f5e4a0a8e2573ef7cba648b4819446d3b0b94c
-
C:\Users\Admin\Desktop\RestartDisconnect.midi.106-D50-1E2
MD5    bce2531e07675383f61dd7bdb00c78d5
SHA1   662e01da74c3a8266b8ff7814ad0f2f1cafffc14
SHA256 f76c0a6a9cd03d890d6ad6b9136cc920f6fdc8ea7f846c3f3814192894ea577c
SHA512 67ef155581ca4e8366392b72ea2bc1353455ea57261e848b61f8d39ff0b99612b0baf5be137e60591faa0ecd75ba67313744954be2e5e0d0cd004a7f6074cdb6
-
C:\Users\Admin\Desktop\RestartEdit.cab.106-D50-1E2
MD5    fd940342f442c5a8c81d63b3555ddb5b
SHA1   b0d8c1c7cb53e3fb292ed0577cd48cbc836757a1
SHA256 3ed4f8c2cd9f95434035c7e8538bf47621a353012b12b145e8b03e0a012d0804
SHA512 57132a800ecbf20f58994844e77c1b10f754d553e628e998a802f7e730b0e39de0dfb14ca7ce01b8a24836b69d982b7be330d169d795d8846a5108c6b48756b1
-
C:\Users\Admin\Desktop\RestartRegister.WTV.106-D50-1E2
MD5    81d8359c5768c439ad4e91182ece0589
SHA1   6b30df0f3867e63e2815b5a26f16542a9d15aeb8
SHA256 6abbd0a97e5662c37d2cafc39a09ec382b8f8e2a3dcaa7c5dd49e86fc425621b
SHA512 886bb65b0fc3ad13275d63dea639e4a50ebe6ad7b5f09427d360034b7ffe9d2a16fb491aa0320f86726c2790f8ce65b5aa522e1c3e8359bde36da5e9489e0e92
-
C:\Users\Admin\Desktop\SubmitPublish.dwfx.106-D50-1E2
MD5    29cad0e93457097c7fedb739605f96be
SHA1   989cd988d644facbf86da23a761f0189f0c3dd8d
SHA256 ae7aff34b01904a6cba7a7c7d4f99560769db2287c26b4255be5a4d665a14296
SHA512 9b1cd507e9fa2668cd40ea83f97cd25219297a7ee81385f48077a4de28ee4bc9231a58ee53d0d523c249ff96d7e7f238933c4bfadc96ef8393aaf297e0eeb96f
-
C:\Users\Admin\Desktop\TestLimit.wvx.106-D50-1E2
MD5    720ff593810275f1532df289941c01ed
SHA1   5548cf0f0816fbf75591c01730ba8aa2f3268b3d
SHA256 3f60269400a9ed01ec6d9431512bd749570aeb479bb3ec456508897cfa8e4d32
SHA512 1512085f0ae85080864028c4ad1306ebb870e309264ae89690ad2303d0e80fbefc89cdec93158ce1b16ca47b447a6d981ae4054aab9157458017c5ee778662ba
-
C:\Users\Admin\Desktop\TestWrite.rar.106-D50-1E2
MD5    fb7bf5220ed52f95e949c70d06ec350b
SHA1   34fa5c704983dc01a364fd13e6749111a7011e08
SHA256 48ea012fa4cb4db4c7741f9b21c738a45576a7dc9e8e7f3c2654db6f9aa6a978
SHA512 23bfeab7188077f6d3b947011f663567e4ead62d0eae6c0818255ad7d869c13af33a19b683fce46ab9c1925db3a61e1f618d38458dfacabaf2fa9a7e08e870bd
-
C:\Users\Admin\Desktop\UnblockAssert.contact.106-D50-1E2
MD5    5c46bff6b8516a81d8603601859d76eb
SHA1   40e46d123b2c27c54c1337a2bd2508ab82cc95ac
SHA256 20d3ad558ef85f773754bc8a91b071e16344e572208d4af693a1ddfb1c1c0208
SHA512 7064c71c893b70b2d4d54dfcec56bdbb2ff840a8896ec42f58a08130f28f70f9f4f4c8d3e3b5f4dc2a3f53763224d58f7f93e6830e6db5d7d92a4f8b090791f6
-
C:\Users\Admin\Desktop\UnblockComplete.MOD.106-D50-1E2
MD5    4740c876d1890d0c08e20e6a30fa8ecd
SHA1   b70e668a695688ac7a39b2d1f70c89ab31599ce7
SHA256 316b201ca571a8ef52f8e42e41515ddce86e2fe5a4bdf842057ef34cef317044
SHA512 58d5cadca45df9a9144e22a8f4ba85e46cd5e91e75483527fcd33e3e46dc68825d497379ddc5deae25233ea6e90101ecd00427647ed1994d18ea15382aaabc2a
-
C:\Users\Admin\Desktop\UnlockMeasure.xlsb.106-D50-1E2
MD5    8253ee70f8cf8bc52d5423e92ff58050
SHA1   b5ac2f3836df353ac6fdce3378f56bd2d8480496
SHA256 38db4638946880914fc2848dce2df90c936419c1733500760f512a6c03470b0d
SHA512 57250040fe4aa108a0981e4937508f5dead9e1f8281cfead111aa3afb1d49fb5517e4de13800074f94b76c16ff06dbf11a2bf68d516ab90f0c325298df4c9f3e
-
C:\Users\Admin\Desktop\UnregisterPublish.vstx.106-D50-1E2
MD5    bc547308e2f1d9bfe4038c5313a91156
SHA1   12cc736932a586c8928b927a62a7efc1cf9a415c
SHA256 fbab6c76d1300c2dd45b7c9ca631c9be809a71e9cfdfd87e6e1e7715d624de81
SHA512 71a84634f5dd01d30d2dea719d02c66d62c9e9453dfa378a75c4376ff2e7e03677d64c1b7dc3185718e6cc67b087434a2a181ab05920751424e9e6c21f5ff992
-
C:\Users\Admin\Desktop\WaitTest.crw.106-D50-1E2
MD5    6f3c8a48deb941b2f1802293608bb66f
SHA1   27051deac892049d01512f0cd1a169e1b15027ca
SHA256 17cafafe31f810cfea54e676f73fcd8213d4df9c16c09bfe0353d3ca8d49cfef
SHA512 d8bc80bf8907f286c3202c3334fd67d12f61fe0957c27334a3a7d44cc1bd883927eb9140eaafe6854ef8d6ca31e84891047b45876139bf91c4b3a1f863879814
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5    43a791cfe3e906f15a432943088450a1
SHA1   0a2d12d30126385eb85d1ce88d06762bc429fb03
SHA256 7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101
SHA512 372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5    43a791cfe3e906f15a432943088450a1
SHA1   0a2d12d30126385eb85d1ce88d06762bc429fb03
SHA256 7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101
SHA512 372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a
-
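The dropped-files listing above is the sandbox's hash table flattened by extraction: each path has the first digest label fused onto its end, and every following digest line has its label fused onto the hex value. Two things in it matter to a responder: every user file carries the same victim-ID suffix (`106-D50-1E2`) appended after its original extension, and the file dropped as `svchost.exe` under `%APPDATA%\Microsoft\Windows` carries the same digests as the submitted sample, i.e. the ransomware copied itself for persistence. The script below is an added example, not part of the sandbox report and not code from the Buran/Zeppelin sample: it parses the flattened listing into records, rejects digests of the wrong length, decodes the victim-ID extension to recover each file's original extension, and flags dropped files whose SHA256 equals the sample's. Assumptions, labelled in the code: the victim-ID extension is three dash-separated groups of three upper-case hex digits, generalised from the single ID seen in this run; `SAMPLE_SHA256` is taken to be the submitted sample's hash; the `unchanged.txt` record with its empty-file MD5 and deliberately truncated SHA1 is constructed input, while the other two records are copied from the listing.

```python
import re
from dataclasses import dataclass, field

# Expected hex-digit count per digest label.  Used both to split the fused
# "SHA1<hex>" lines and to reject truncated or mislabelled values.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest labels first so "SHA512..." is never read as "SHA1" + "2...".
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
HEX = re.compile(r"^[0-9a-fA-F]+$")

# Assumption: the Buran victim ID appended to encrypted files has the shape
# XXX-XXX-XXX (upper-case hex), generalised from the one ID in this report.
BURAN_EXT = re.compile(
    r"^(?P<stem>.+?)(?P<orig_ext>\.[^.\\/]+)?"
    r"\.(?P<vid>[0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$"
)

# Assumption: SHA256 of the submitted sample.  A dropped file with the same
# digest is the ransomware copying itself (here to a fake svchost.exe).
SAMPLE_SHA256 = "7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101"


@dataclass
class Dropped:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_listing(text):
    """Turn the flattened listing into Dropped records.

    A record opens on a line ending in 'MD5' (the path with the first label
    fused on); the next line is the bare MD5 value; then come 'SHA1<hex>',
    'SHA256<hex>', 'SHA512<hex>' lines; a lone '-' closes it.  Digests of the
    wrong length are dropped rather than silently kept.
    """
    records, cur, want_md5 = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.endswith("MD5") and not HASH_LINE.match(line):
            cur = Dropped(path=line[:-len("MD5")])
            records.append(cur)
            want_md5 = True
            continue
        if cur is None:  # digest lines before any path: a partial record
            continue
        if want_md5:
            want_md5 = False
            if HEX.match(line) and len(line) == HASH_LEN["MD5"]:
                cur.hashes["MD5"] = line.lower()
            continue
        m = HASH_LINE.match(line)
        if m and len(m.group(2)) == HASH_LEN[m.group(1)]:
            cur.hashes[m.group(1)] = m.group(2).lower()
    return records


def buran_indicators(records, sample_sha256=SAMPLE_SHA256):
    """Return (encrypted, self_copies).

    encrypted:   (path, original extension, victim ID) for each file whose
                 name carries the victim-ID extension.
    self_copies: paths of dropped files whose SHA256 equals the sample's.
    """
    encrypted, self_copies = [], []
    for r in records:
        name = r.path.replace("/", "\\").rsplit("\\", 1)[-1]
        m = BURAN_EXT.match(name)
        if m:
            encrypted.append((r.path, m.group("orig_ext") or "", m.group("vid")))
        if r.hashes.get("SHA256") == sample_sha256.lower():
            self_copies.append(r.path)
    return encrypted, self_copies


# Two records copied from the report; the third is constructed: MD5 of an
# empty file and a deliberately truncated SHA1 to exercise the length check.
SAMPLE_LISTING = r"""
C:\Users\Admin\Desktop\ConnectPop.kix.106-D50-1E2MD5
2605bcbd894d23794e2c7314f24b6840
SHA1245bcf91b9055083efe58c9de3362857254d3ef7
SHA2568b839123b8c4157a740f11b573e3ba9b9c91cac01157bd6cd6c60ea738927612
SHA51279c809418b45f77f57f7b8550f9ba08b68292e2f9a6c5d4d063932ff9debac726a0fbad069e510710fa860ec86cb618f858855e916f74ee5e7b76824045276e4
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exeMD5
43a791cfe3e906f15a432943088450a1
SHA10a2d12d30126385eb85d1ce88d06762bc429fb03
SHA2567055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101
SHA512372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a
-
C:\Users\Admin\Desktop\unchanged.txtMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1deadbeef
-
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    enc, copies = buran_indicators(recs)
    for path, ext, vid in enc:
        print(f"encrypted  {path}  (was {ext or '<no ext>'}, victim id {vid})")
    for path in copies:
        print(f"self-copy  {path}")
```

The victim-ID pattern is the piece to tune per family: on a real host, run `buran_indicators` over a directory walk instead of a sandbox listing, and treat a hit on the self-copy check together with the Run-key value pointing at that path as the persistence pair to remove.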
memory/268-30-0x0000000000000000-mapping.dmp
-
memory/324-28-0x0000000000000000-mapping.dmp
-
memory/564-20-0x0000000000000000-mapping.dmp
-
memory/776-2-0x000007FEF7430000-0x000007FEF76AA000-memory.dmp
Filesize 2.5MB
-
memory/852-22-0x0000000000000000-mapping.dmp
-
memory/888-31-0x0000000000000000-mapping.dmp
-
memory/1092-23-0x0000000000000000-mapping.dmp
-
memory/1112-21-0x0000000000000000-mapping.dmp
-
memory/1148-7-0x00000000000A0000-0x00000000000A1000-memory.dmp
Filesize 4KB
-
memory/1148-8-0x0000000000000000-mapping.dmp
-
memory/1256-58-0x00000000000A0000-0x00000000000A1000-memory.dmp
Filesize 4KB
-
memory/1256-59-0x0000000000000000-mapping.dmp
-
memory/1344-27-0x0000000000000000-mapping.dmp
-
memory/1584-19-0x0000000000000000-mapping.dmp
-
memory/1628-18-0x0000000000000000-mapping.dmp
-
memory/1652-5-0x0000000000000000-mapping.dmp
-
memory/1740-25-0x0000000000000000-mapping.dmp