buran | 7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

Analysis

max time kernel
134s
max time network
128s
platform
windows7_x64
resource
win7v20201028
submitted
03-12-2020 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zeppelin.exe
Size

214KB
MD5

43a791cfe3e906f15a432943088450a1
SHA1

0a2d12d30126385eb85d1ce88d06762bc429fb03
SHA256

7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101
SHA512

372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: uspex1@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Pay $ 100 in BTC Write to email: uspex1@cock.li Reserved email: uspex2@cock.li Telegram: @uspex2 Your personal ID: 106-D50-1E2 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

uspex1@cock.li

uspex2@cock.li

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1652 svchost.exe
1740 svchost.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\RemoveStart.tiff svchost.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1148 notepad.exe
Loads dropped DLL 2 IoCs

Processes:

zeppelin.exe

pid process

1944 zeppelin.exe
1944 zeppelin.exe

pid	process
1652	svchost.exe
1740	svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RemoveStart.tiff	svchost.exe

pid	process
1148	notepad.exe

pid	process
1944	zeppelin.exe
1944	zeppelin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zeppelin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	zeppelin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	zeppelin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 geoiptool.com

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RSWOP.ICM.106-D50-1E2	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Right.accdt.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195384.WMF	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00560_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar.106-D50-1E2	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Invite or Link.one.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CAMERA.WAV.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14529_.GIF	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\La_Paz.106-D50-1E2	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18208_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18227_.WMF.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POST98SP.POC.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu.106-D50-1E2	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105276.WMF.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01368_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14984_.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HEADER.GIF.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvpxy.cnv.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01661_.WMF.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107302.WMF.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01255G.GIF.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00957_.WMF.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF.106-D50-1E2	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OWSHLP10.CHM	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02075_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105320.WMF.106-D50-1E2	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

324 vssadmin.exe
888 vssadmin.exe

pid	process
324	vssadmin.exe
888	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

zeppelin.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	zeppelin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	zeppelin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	zeppelin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

zeppelin.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1944	zeppelin.exe
Token: SeDebugPrivilege	1944	zeppelin.exe
Token: SeIncreaseQuotaPrivilege	1344	WMIC.exe
Token: SeSecurityPrivilege	1344	WMIC.exe
Token: SeTakeOwnershipPrivilege	1344	WMIC.exe
Token: SeLoadDriverPrivilege	1344	WMIC.exe
Token: SeSystemProfilePrivilege	1344	WMIC.exe
Token: SeSystemtimePrivilege	1344	WMIC.exe
Token: SeProfSingleProcessPrivilege	1344	WMIC.exe
Token: SeIncBasePriorityPrivilege	1344	WMIC.exe
Token: SeCreatePagefilePrivilege	1344	WMIC.exe
Token: SeBackupPrivilege	1344	WMIC.exe
Token: SeRestorePrivilege	1344	WMIC.exe
Token: SeShutdownPrivilege	1344	WMIC.exe
Token: SeDebugPrivilege	1344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1344	WMIC.exe
Token: SeRemoteShutdownPrivilege	1344	WMIC.exe
Token: SeUndockPrivilege	1344	WMIC.exe
Token: SeManageVolumePrivilege	1344	WMIC.exe
Token: 33	1344	WMIC.exe
Token: 34	1344	WMIC.exe
Token: 35	1344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	268	WMIC.exe
Token: SeSecurityPrivilege	268	WMIC.exe
Token: SeTakeOwnershipPrivilege	268	WMIC.exe
Token: SeLoadDriverPrivilege	268	WMIC.exe
Token: SeSystemProfilePrivilege	268	WMIC.exe
Token: SeSystemtimePrivilege	268	WMIC.exe
Token: SeProfSingleProcessPrivilege	268	WMIC.exe
Token: SeIncBasePriorityPrivilege	268	WMIC.exe
Token: SeCreatePagefilePrivilege	268	WMIC.exe
Token: SeBackupPrivilege	268	WMIC.exe
Token: SeRestorePrivilege	268	WMIC.exe
Token: SeShutdownPrivilege	268	WMIC.exe
Token: SeDebugPrivilege	268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	268	WMIC.exe
Token: SeRemoteShutdownPrivilege	268	WMIC.exe
Token: SeUndockPrivilege	268	WMIC.exe
Token: SeManageVolumePrivilege	268	WMIC.exe
Token: 33	268	WMIC.exe
Token: 34	268	WMIC.exe
Token: 35	268	WMIC.exe
Token: SeBackupPrivilege	1232	vssvc.exe
Token: SeRestorePrivilege	1232	vssvc.exe
Token: SeAuditPrivilege	1232	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1344	WMIC.exe
Token: SeSecurityPrivilege	1344	WMIC.exe
Token: SeTakeOwnershipPrivilege	1344	WMIC.exe
Token: SeLoadDriverPrivilege	1344	WMIC.exe
Token: SeSystemProfilePrivilege	1344	WMIC.exe
Token: SeSystemtimePrivilege	1344	WMIC.exe
Token: SeProfSingleProcessPrivilege	1344	WMIC.exe
Token: SeIncBasePriorityPrivilege	1344	WMIC.exe
Token: SeCreatePagefilePrivilege	1344	WMIC.exe
Token: SeBackupPrivilege	1344	WMIC.exe
Token: SeRestorePrivilege	1344	WMIC.exe
Token: SeShutdownPrivilege	1344	WMIC.exe
Token: SeDebugPrivilege	1344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1344	WMIC.exe
Token: SeRemoteShutdownPrivilege	1344	WMIC.exe
Token: SeUndockPrivilege	1344	WMIC.exe
Token: SeManageVolumePrivilege	1344	WMIC.exe
Token: 33	1344	WMIC.exe
Token: 34	1344	WMIC.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

zeppelin.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1944 wrote to memory of 1652	1944	zeppelin.exe	svchost.exe
PID 1944 wrote to memory of 1652	1944	zeppelin.exe	svchost.exe
PID 1944 wrote to memory of 1652	1944	zeppelin.exe	svchost.exe
PID 1944 wrote to memory of 1652	1944	zeppelin.exe	svchost.exe
PID 1944 wrote to memory of 1148	1944	zeppelin.exe	notepad.exe
PID 1944 wrote to memory of 1148	1944	zeppelin.exe	notepad.exe
PID 1944 wrote to memory of 1148	1944	zeppelin.exe	notepad.exe
PID 1944 wrote to memory of 1148	1944	zeppelin.exe	notepad.exe
PID 1944 wrote to memory of 1148	1944	zeppelin.exe	notepad.exe
PID 1944 wrote to memory of 1148	1944	zeppelin.exe	notepad.exe
PID 1944 wrote to memory of 1148	1944	zeppelin.exe	notepad.exe
PID 1652 wrote to memory of 1628	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1628	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1628	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1628	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1584	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1584	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1584	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1584	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 564	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 564	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 564	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 564	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1112	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1112	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1112	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1112	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 852	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 852	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 852	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 852	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1092	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1092	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1092	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1092	1652	svchost.exe	cmd.exe
PID 1652 wrote to memory of 1740	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1740	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1740	1652	svchost.exe	svchost.exe
PID 1652 wrote to memory of 1740	1652	svchost.exe	svchost.exe
PID 1628 wrote to memory of 1344	1628	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 1344	1628	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 1344	1628	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 1344	1628	cmd.exe	WMIC.exe
PID 852 wrote to memory of 324	852	cmd.exe	vssadmin.exe
PID 852 wrote to memory of 324	852	cmd.exe	vssadmin.exe
PID 852 wrote to memory of 324	852	cmd.exe	vssadmin.exe
PID 852 wrote to memory of 324	852	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 268	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 268	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 268	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 268	1092	cmd.exe	WMIC.exe
PID 1092 wrote to memory of 888	1092	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 888	1092	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 888	1092	cmd.exe	vssadmin.exe
PID 1092 wrote to memory of 888	1092	cmd.exe	vssadmin.exe
PID 1652 wrote to memory of 1256	1652	svchost.exe	notepad.exe
PID 1652 wrote to memory of 1256	1652	svchost.exe	notepad.exe
PID 1652 wrote to memory of 1256	1652	svchost.exe	notepad.exe
PID 1652 wrote to memory of 1256	1652	svchost.exe	notepad.exe
PID 1652 wrote to memory of 1256	1652	svchost.exe	notepad.exe
PID 1652 wrote to memory of 1256	1652	svchost.exe	notepad.exe
PID 1652 wrote to memory of 1256	1652	svchost.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\zeppelin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1112

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:324

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:1256

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
bd691101a043a7ec611591cd7deaa579

SHA1
4b238c877946f915e6f73eeb47b55e1395ebde78

SHA256
50421f1709af0eae07003a608a939217b0c08b8a45d413fdbb53c848af089857

SHA512
a14355876fa3a1e082bc99253c0f41c483b6a154562131003427a4c2b0ba6d1123d238f3b8db6fff1bdeb3a74cec187ff0a3a1521bbbc0376d4f04ceebd27930

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
c4079b1e5899a00a568db7f85fc623b7

SHA1
173ab04fcda97aca6e7bd0234599009230966f50

SHA256
315e02bb2bd7cf8442223ff870f97bc66273995abe8a9a4803e3fad3d5ba4453

SHA512
0e6ed68b1beec4785ecedd2d97b659b7945981b7256d8daee6a73126c32c9e998d8eda0f94432ffbe218ba42497644ed7768fe29dec6fd403d88282f109bf592

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
38782efcaa469485e22ccbc80f49e3b6

SHA1
f6d8d231077b8976de48d3a4470b10864394be89

SHA256
33f4c06f651bc56205d996d5d56b2b3e261f7f28ee252c4a14ff2be24d35d4ac

SHA512
b50481dd058cf3b45dba0b85b85c336b4bc31c6606e6c7b9174d8345e674053cf684587eeeef10e55b9ed4824a954c7d048404dc4f7392c0be09eee51b6c3de9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
a4f50a1b0436f830abf250355009cef0

SHA1
c08951bdec05dfc5c2edc153a1ab56581c59cea5

SHA256
4b1d83893b233285c89d415f306e9e89db11accda1b2df3d33cce511edd041b5

SHA512
25d4e57e84af2f4ef60880b6d9334af7a011ee4abc20cfc53b14db20aeddea7b43b0fa313dcd25551e5cc964b1116591dcc7a9f879b85059f469bcbec9f5cd16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
7a02f945ce8a812df06ad11440be14e6

SHA1
c821451bd11ca3584c479554f52397007468476c

SHA256
53db68ca2d26aee18584d10caa240df9eb65446939ed33cefd0664620a311897

SHA512
9df6ed16cf33993e44e1963980b228bbfdff232f617fd1541810020660bf3ef84047ee09a54002efd8bf0b1ef81d8aad52f5d0686e80e856043de3e1a1ac2d84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
4686a8bfdd57f44b39c3a23c6a7248a3

SHA1
5bb3e83661a2ed4953cf2239e3dc577034efb2c8

SHA256
b4bda7cdc99f465cef975e7cc703d6b8652e652dbfd5cdefd34e5c5003aa98cb

SHA512
80c51833b7358ff6a0f1c14173854571992f242f80f916913d03a06234e6899fab7ad644d4ba5002881b31fbe04255bccba290276046c5bc5314e3b5e64fba12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
eb35d7e9508b5ff44c3cbb64cb93f96b

SHA1
cf4c704bf9a8e0cffe94644d1972b70f83ed1a5c

SHA256
7afc6a748758dc98fb57113b5ba54accfa6e84a9d9098d228c272cbba19dcaf2

SHA512
f84a6c3984fd0b6938c5531fbbabc02d6da84e646670e08fc3c423c14227ef4a935ce431e583252b952a116a0e7b5ddc52985c8b4171eae93c3820a82dfd39b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\C7SRFLSP.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\NBIB2YRM.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
C:\Users\Admin\Desktop\AddImport.m1v.106-D50-1E2
MD5
1d8301324df7ac16f5f98bcc9c48ad4f

SHA1
74f297d54802157c752f85e8b7d80ac9a6f194f1

SHA256
4b72c7de376b3a6345864b781c8769d6f2daca9542e06c31df43e9fab14533a2

SHA512
7d669ad1e2886ea26292fd93c26393b227da237d2bd8ff18e38e39d9ef5e74501caf1e58e1440b807225784927124198e2ba1a1a02d0cf19456d1e033d2749b8

Download Submit
C:\Users\Admin\Desktop\ClearLimit.vsd.106-D50-1E2
MD5
0b2df3cf33bf5c851763b999fb21ea12

SHA1
1ef7fc880ca2746374947606d6a72919a34e0413

SHA256
cbea64f0c7feeace3695e1d95efd109ed6fef712db377d317b7e7ef3f53423a5

SHA512
f0ef9f8665533eb95f3aa221e01f46f107a0df22f5cfb88b904ff80b3dbd5cd31f2403c6cad792436abdcfa38b92270e0854a7f3257d61145115338f12d86551

Download Submit
C:\Users\Admin\Desktop\CloseSearch.wav.106-D50-1E2
MD5
a7d66a0ccac7d5acc754b9e6fbef1bc0

SHA1
2a6b09347e49559c2fbc6e66924ff4de153a6e3c

SHA256
9c3498c7c1e33e90f0d6d83f266068aa1c687b09b48c93106965ba11160a94b0

SHA512
150adbf6a7a65209513fd835c607c29f30b75b63722738191f0a8275cd808483c92bc16120c42a3ab88eb960fe108dfd91d0dcdbfd465ad2be77359054b54eb9

Download Submit
C:\Users\Admin\Desktop\ConnectPop.kix.106-D50-1E2
MD5
2605bcbd894d23794e2c7314f24b6840

SHA1
245bcf91b9055083efe58c9de3362857254d3ef7

SHA256
8b839123b8c4157a740f11b573e3ba9b9c91cac01157bd6cd6c60ea738927612

SHA512
79c809418b45f77f57f7b8550f9ba08b68292e2f9a6c5d4d063932ff9debac726a0fbad069e510710fa860ec86cb618f858855e916f74ee5e7b76824045276e4

Download Submit
C:\Users\Admin\Desktop\ConvertFromSwitch.vsdx.106-D50-1E2
MD5
794f76793fd2c8d7b04ee3e347b9465e

SHA1
2c9feb4e8f9bad0a3eff53a4b478a6667c0b785a

SHA256
a96b2221afa013393eaf7f292c6dd4cb5ac70f2b8ae6f0eaa83468caa76b0d8f

SHA512
0148b47e73d431266d34d755430b8a3579a1a99a0658bce06b2a75225518a67cf7fe0ee4f388e96fd7498936963e3bec0815718679a71f7cb0c19f2ec4afd364

Download Submit
C:\Users\Admin\Desktop\ConvertFromUnblock.wmf.106-D50-1E2
MD5
e77d6c505aacd29244b45ef5153ce170

SHA1
e88d90b202b3136e02240504538e4eb370edada3

SHA256
5cd6474a07297d14e4e64b13460ab964ea131810a3d7c4e7b2a7816826ca0990

SHA512
5b88320f8078eb18ff79ef0ef251d8e46a1f87b559a5c5ad561d177baba445d7979d51ca8b556ab106b66c9a03388da4bd74e82a39ca0f4a9adcf7c1578d9a7d

Download Submit
C:\Users\Admin\Desktop\ConvertToFormat.tif.106-D50-1E2
MD5
e8262e9484c3d85b1396c307f5355b3c

SHA1
ee2a23a5cb72bbfed76d5ab63c2f2be75f4bfbda

SHA256
bc2273b399a0b09b8ff86b5de028e708e167302c289962fd6f9d471d688cbcbd

SHA512
d7851a2f3acccc634596ae0f54f85b8231797702a202b4dd2432b21e3497606829531964f10339d2f5b8e7fdfec9ef4073e32ebc176e8e5edb3979e585b6c5f6

Download Submit
C:\Users\Admin\Desktop\DisablePush.txt.106-D50-1E2
MD5
36816c8ceed625310e30b3cce0ef5822

SHA1
a08cb1c7e7de1261b16ded22c8dc410b839ea051

SHA256
98a824877ab50eeb225746c9b2e1d40a9d2be601f57976894c16452238e159a7

SHA512
c10e5c8bb7f27a2f4a8e607dbee2eafdaf55bddf4df3929ebf8292933af7845c605dafb11c77b1343375e0c0d06b4a8cb74cf1287c53b0b5d8140210f4578f43

Download Submit
C:\Users\Admin\Desktop\EditUnblock.ps1.106-D50-1E2
MD5
a318d0733bbc76cdcb631de92d7dc19b

SHA1
c0696bfd55fb745faf48b7d449225c42429e8460

SHA256
0a2080e10dc071998a371b102b83901652d1f9994dba449993a9b6ed31daaf64

SHA512
6d97fe39f4c7a5a45147c7c65b82f16d799f7d4e69c7076b25641be8b2631bf46f93540131308deafe39284a902bd4eb8f935b265b8297a62494a3d594edca56

Download Submit
C:\Users\Admin\Desktop\ExpandRestore.MTS.106-D50-1E2
MD5
389adddf6743e1eaeeb944c9c3368076

SHA1
93cf2fffb7f1aad4463cffe8f3cd167bf65f913d

SHA256
8d2807cc5771cd325ba9823010493cd6464c565b71d983648e82392ddca4e8ce

SHA512
6659d43056ee32107783de7ebdfd73932ef6968546862b10f0868a2aa9e04a02c113e713d4663f5e069110a103b410034f2e56b49fce7a628a9f50695e321507

Download Submit
C:\Users\Admin\Desktop\FindCopy.sql.106-D50-1E2
MD5
1015b34be2a312b16b4baf262f0f38ac

SHA1
47e104910a3de9992d6db2abc8ca61020ad2cea1

SHA256
94c3818eac8acbd6a06055c87987abf251de1677620661fa8154560dd27ed3f5

SHA512
fcce8884b218c64930793aaf17394a45b2a67624fc53bed1e567b52e2999fce4c17a3a9169b995e0cc3127f0c145e219464f43d1c6c0bc36a9497844651dd22f

Download Submit
C:\Users\Admin\Desktop\GrantResize.tiff.106-D50-1E2
MD5
49dd2a31b86013a722a0ccaccfbc700b

SHA1
498cefa1ef754771ac3f9c351d29057dc03bb090

SHA256
4adb8abe20ee3acfcaa3cd6259d019de9dc0638eca9f206d58c1157f564aeaab

SHA512
549809bebe53833b426a4db9b9d32a09e0cbea4d54df9a685e4358ed2773e35d93a8a1b458cc2836248d7bcfcbe25040895e0d2f9afab95733608add1f695fee

Download Submit
C:\Users\Admin\Desktop\InvokeCheckpoint.potm.106-D50-1E2
MD5
7cb480f34eaec7fdb76a04c9bdb91e05

SHA1
c1c8f3437d879d3580cf80a84c141a57d50d64ac

SHA256
ffd4b80de9efa608a8db0b83d4803643894c6d5cbae0c74c9b6c150dac8c9950

SHA512
7f4a22e622520ac6f4e2ec5064e35c30a5a7b19ae2b9374b315c6c083df697c98410455694ec466a6b95a7fed98e8cc61cba36f0b5ee632c1d60a7d11f525b15

Download Submit
C:\Users\Admin\Desktop\PingInvoke.mpeg2.106-D50-1E2
MD5
cd3a7b2cd7dcddd3c5eeefac66ee6686

SHA1
138776386b97f7e9784f62022d7b0367270e366c

SHA256
4a40e029928e0b7804616a262189a25249e78705998f245100dcc8925db871bf

SHA512
e807af49f270dce74bdbb6189d8a947f1b8b27527e0dfc614e4f759a32e3cb7677a1236b9626ee6aecb88cf53d4ef363c4ae062a40682ecbddf60698f08d72c7

Download Submit
C:\Users\Admin\Desktop\RequestFormat.wmv.106-D50-1E2
MD5
4141e137755d45bd74a48a28d87ff37d

SHA1
9fd5f1147a63c0a42bb3929e37754de77defe923

SHA256
c8bd71660f89d27bec152b10addbfbe88395e36c109122a17f42f5d3d9deecaa

SHA512
2a69002ee64516d1ae97c21bd24fb860b7901fb1757fa85e04c4b220644c399847e324998f858f759633916af6f5e4a0a8e2573ef7cba648b4819446d3b0b94c

Download Submit
C:\Users\Admin\Desktop\RestartDisconnect.midi.106-D50-1E2
MD5
bce2531e07675383f61dd7bdb00c78d5

SHA1
662e01da74c3a8266b8ff7814ad0f2f1cafffc14

SHA256
f76c0a6a9cd03d890d6ad6b9136cc920f6fdc8ea7f846c3f3814192894ea577c

SHA512
67ef155581ca4e8366392b72ea2bc1353455ea57261e848b61f8d39ff0b99612b0baf5be137e60591faa0ecd75ba67313744954be2e5e0d0cd004a7f6074cdb6

Download Submit
C:\Users\Admin\Desktop\RestartEdit.cab.106-D50-1E2
MD5
fd940342f442c5a8c81d63b3555ddb5b

SHA1
b0d8c1c7cb53e3fb292ed0577cd48cbc836757a1

SHA256
3ed4f8c2cd9f95434035c7e8538bf47621a353012b12b145e8b03e0a012d0804

SHA512
57132a800ecbf20f58994844e77c1b10f754d553e628e998a802f7e730b0e39de0dfb14ca7ce01b8a24836b69d982b7be330d169d795d8846a5108c6b48756b1

Download Submit
C:\Users\Admin\Desktop\RestartRegister.WTV.106-D50-1E2
MD5
81d8359c5768c439ad4e91182ece0589

SHA1
6b30df0f3867e63e2815b5a26f16542a9d15aeb8

SHA256
6abbd0a97e5662c37d2cafc39a09ec382b8f8e2a3dcaa7c5dd49e86fc425621b

SHA512
886bb65b0fc3ad13275d63dea639e4a50ebe6ad7b5f09427d360034b7ffe9d2a16fb491aa0320f86726c2790f8ce65b5aa522e1c3e8359bde36da5e9489e0e92

Download Submit
C:\Users\Admin\Desktop\SubmitPublish.dwfx.106-D50-1E2
MD5
29cad0e93457097c7fedb739605f96be

SHA1
989cd988d644facbf86da23a761f0189f0c3dd8d

SHA256
ae7aff34b01904a6cba7a7c7d4f99560769db2287c26b4255be5a4d665a14296

SHA512
9b1cd507e9fa2668cd40ea83f97cd25219297a7ee81385f48077a4de28ee4bc9231a58ee53d0d523c249ff96d7e7f238933c4bfadc96ef8393aaf297e0eeb96f

Download Submit
C:\Users\Admin\Desktop\TestLimit.wvx.106-D50-1E2
MD5
720ff593810275f1532df289941c01ed

SHA1
5548cf0f0816fbf75591c01730ba8aa2f3268b3d

SHA256
3f60269400a9ed01ec6d9431512bd749570aeb479bb3ec456508897cfa8e4d32

SHA512
1512085f0ae85080864028c4ad1306ebb870e309264ae89690ad2303d0e80fbefc89cdec93158ce1b16ca47b447a6d981ae4054aab9157458017c5ee778662ba

Download Submit
C:\Users\Admin\Desktop\TestWrite.rar.106-D50-1E2
MD5
fb7bf5220ed52f95e949c70d06ec350b

SHA1
34fa5c704983dc01a364fd13e6749111a7011e08

SHA256
48ea012fa4cb4db4c7741f9b21c738a45576a7dc9e8e7f3c2654db6f9aa6a978

SHA512
23bfeab7188077f6d3b947011f663567e4ead62d0eae6c0818255ad7d869c13af33a19b683fce46ab9c1925db3a61e1f618d38458dfacabaf2fa9a7e08e870bd

Download Submit
C:\Users\Admin\Desktop\UnblockAssert.contact.106-D50-1E2
MD5
5c46bff6b8516a81d8603601859d76eb

SHA1
40e46d123b2c27c54c1337a2bd2508ab82cc95ac

SHA256
20d3ad558ef85f773754bc8a91b071e16344e572208d4af693a1ddfb1c1c0208

SHA512
7064c71c893b70b2d4d54dfcec56bdbb2ff840a8896ec42f58a08130f28f70f9f4f4c8d3e3b5f4dc2a3f53763224d58f7f93e6830e6db5d7d92a4f8b090791f6

Download Submit
C:\Users\Admin\Desktop\UnblockComplete.MOD.106-D50-1E2
MD5
4740c876d1890d0c08e20e6a30fa8ecd

SHA1
b70e668a695688ac7a39b2d1f70c89ab31599ce7

SHA256
316b201ca571a8ef52f8e42e41515ddce86e2fe5a4bdf842057ef34cef317044

SHA512
58d5cadca45df9a9144e22a8f4ba85e46cd5e91e75483527fcd33e3e46dc68825d497379ddc5deae25233ea6e90101ecd00427647ed1994d18ea15382aaabc2a

Download Submit
C:\Users\Admin\Desktop\UnlockMeasure.xlsb.106-D50-1E2
MD5
8253ee70f8cf8bc52d5423e92ff58050

SHA1
b5ac2f3836df353ac6fdce3378f56bd2d8480496

SHA256
38db4638946880914fc2848dce2df90c936419c1733500760f512a6c03470b0d

SHA512
57250040fe4aa108a0981e4937508f5dead9e1f8281cfead111aa3afb1d49fb5517e4de13800074f94b76c16ff06dbf11a2bf68d516ab90f0c325298df4c9f3e

Download Submit
C:\Users\Admin\Desktop\UnregisterPublish.vstx.106-D50-1E2
MD5
bc547308e2f1d9bfe4038c5313a91156

SHA1
12cc736932a586c8928b927a62a7efc1cf9a415c

SHA256
fbab6c76d1300c2dd45b7c9ca631c9be809a71e9cfdfd87e6e1e7715d624de81

SHA512
71a84634f5dd01d30d2dea719d02c66d62c9e9453dfa378a75c4376ff2e7e03677d64c1b7dc3185718e6cc67b087434a2a181ab05920751424e9e6c21f5ff992

Download Submit
C:\Users\Admin\Desktop\WaitTest.crw.106-D50-1E2
MD5
6f3c8a48deb941b2f1802293608bb66f

SHA1
27051deac892049d01512f0cd1a169e1b15027ca

SHA256
17cafafe31f810cfea54e676f73fcd8213d4df9c16c09bfe0353d3ca8d49cfef

SHA512
d8bc80bf8907f286c3202c3334fd67d12f61fe0957c27334a3a7d44cc1bd883927eb9140eaafe6854ef8d6ca31e84891047b45876139bf91c4b3a1f863879814

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
memory/268-30-0x0000000000000000-mapping.dmp

Download
memory/324-28-0x0000000000000000-mapping.dmp

Download
memory/564-20-0x0000000000000000-mapping.dmp

Download
memory/776-2-0x000007FEF7430000-0x000007FEF76AA000-memory.dmp

Filesize
2.5MB

Download
memory/852-22-0x0000000000000000-mapping.dmp

Download
memory/888-31-0x0000000000000000-mapping.dmp

Download
memory/1092-23-0x0000000000000000-mapping.dmp

Download
memory/1112-21-0x0000000000000000-mapping.dmp

Download
memory/1148-7-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1148-8-0x0000000000000000-mapping.dmp

Download
memory/1256-58-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1256-59-0x0000000000000000-mapping.dmp

Download
memory/1344-27-0x0000000000000000-mapping.dmp

Download
memory/1584-19-0x0000000000000000-mapping.dmp

Download
memory/1628-18-0x0000000000000000-mapping.dmp

Download
memory/1652-5-0x0000000000000000-mapping.dmp

Download
memory/1740-25-0x0000000000000000-mapping.dmp

Download