buran | 7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

Analysis

max time kernel
145s
max time network
128s
platform
windows10_x64
resource
win10v20201028
submitted
03-12-2020 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zeppelin.exe
Size

214KB
MD5

43a791cfe3e906f15a432943088450a1
SHA1

0a2d12d30126385eb85d1ce88d06762bc429fb03
SHA256

7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101
SHA512

372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: uspex1@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Pay $ 100 in BTC Write to email: uspex1@cock.li Reserved email: uspex2@cock.li Telegram: @uspex2 Your personal ID: 2DA-F0B-017 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

uspex1@cock.li

uspex2@cock.li

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

taskeng.exetaskeng.exe

pid process

3728 taskeng.exe
4384 taskeng.exe

pid	process
3728	taskeng.exe
4384	taskeng.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\InstallRestart.tiff	taskeng.exe
File opened for modification	C:\Users\Admin\Pictures\StartResume.tiff	taskeng.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

4216 notepad.exe

pid	process
4216	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zeppelin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	zeppelin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	zeppelin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	process
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\F:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 geoiptool.com

flow	ioc
10	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Program Files\RestoreRevoke.tif.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_SR-LATN-CS.respack	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5311_20x20x32.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectLargeTile.scale-200.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Stripes\NewCollection.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PowerPointInterProviderRanker.bin.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\THMBNAIL.PNG	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gw_16x11.png	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\OneConnectLargeTile.scale-125.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-300.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-US.PostalAddress.model	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-80.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-40.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\variant.js	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock@2x.png.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\mecontrol.png.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\THMBNAIL.PNG	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Text\LegalDisclaimer.txt	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\de-de\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7205_48x48x32.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\AttachmentPlaceholder.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-72.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_hover_2x.png.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\ui-strings.js.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\logo_retina.png	taskeng.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Catalog\traintrackstraight.3mf	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\punch.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\ui-strings.js.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ui-strings.js.2DA-F0B-017	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock@3x.png.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\BooleanMerge.scale-180.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\5px.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d3.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api.2DA-F0B-017	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ui-strings.js.2DA-F0B-017	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1000 vssadmin.exe
2056 vssadmin.exe

pid	process
1000	vssadmin.exe
2056	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

zeppelin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	zeppelin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	zeppelin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

zeppelin.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4648	zeppelin.exe
Token: SeDebugPrivilege	4648	zeppelin.exe
Token: SeIncreaseQuotaPrivilege	684	WMIC.exe
Token: SeSecurityPrivilege	684	WMIC.exe
Token: SeTakeOwnershipPrivilege	684	WMIC.exe
Token: SeLoadDriverPrivilege	684	WMIC.exe
Token: SeSystemProfilePrivilege	684	WMIC.exe
Token: SeSystemtimePrivilege	684	WMIC.exe
Token: SeProfSingleProcessPrivilege	684	WMIC.exe
Token: SeIncBasePriorityPrivilege	684	WMIC.exe
Token: SeCreatePagefilePrivilege	684	WMIC.exe
Token: SeBackupPrivilege	684	WMIC.exe
Token: SeRestorePrivilege	684	WMIC.exe
Token: SeShutdownPrivilege	684	WMIC.exe
Token: SeDebugPrivilege	684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	684	WMIC.exe
Token: SeRemoteShutdownPrivilege	684	WMIC.exe
Token: SeUndockPrivilege	684	WMIC.exe
Token: SeManageVolumePrivilege	684	WMIC.exe
Token: 33	684	WMIC.exe
Token: 34	684	WMIC.exe
Token: 35	684	WMIC.exe
Token: 36	684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1052	WMIC.exe
Token: SeSecurityPrivilege	1052	WMIC.exe
Token: SeTakeOwnershipPrivilege	1052	WMIC.exe
Token: SeLoadDriverPrivilege	1052	WMIC.exe
Token: SeSystemProfilePrivilege	1052	WMIC.exe
Token: SeSystemtimePrivilege	1052	WMIC.exe
Token: SeProfSingleProcessPrivilege	1052	WMIC.exe
Token: SeIncBasePriorityPrivilege	1052	WMIC.exe
Token: SeCreatePagefilePrivilege	1052	WMIC.exe
Token: SeBackupPrivilege	1052	WMIC.exe
Token: SeRestorePrivilege	1052	WMIC.exe
Token: SeShutdownPrivilege	1052	WMIC.exe
Token: SeDebugPrivilege	1052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1052	WMIC.exe
Token: SeRemoteShutdownPrivilege	1052	WMIC.exe
Token: SeUndockPrivilege	1052	WMIC.exe
Token: SeManageVolumePrivilege	1052	WMIC.exe
Token: 33	1052	WMIC.exe
Token: 34	1052	WMIC.exe
Token: 35	1052	WMIC.exe
Token: 36	1052	WMIC.exe
Token: SeBackupPrivilege	1224	vssvc.exe
Token: SeRestorePrivilege	1224	vssvc.exe
Token: SeAuditPrivilege	1224	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1052	WMIC.exe
Token: SeSecurityPrivilege	1052	WMIC.exe
Token: SeTakeOwnershipPrivilege	1052	WMIC.exe
Token: SeLoadDriverPrivilege	1052	WMIC.exe
Token: SeSystemProfilePrivilege	1052	WMIC.exe
Token: SeSystemtimePrivilege	1052	WMIC.exe
Token: SeProfSingleProcessPrivilege	1052	WMIC.exe
Token: SeIncBasePriorityPrivilege	1052	WMIC.exe
Token: SeCreatePagefilePrivilege	1052	WMIC.exe
Token: SeBackupPrivilege	1052	WMIC.exe
Token: SeRestorePrivilege	1052	WMIC.exe
Token: SeShutdownPrivilege	1052	WMIC.exe
Token: SeDebugPrivilege	1052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1052	WMIC.exe
Token: SeRemoteShutdownPrivilege	1052	WMIC.exe
Token: SeUndockPrivilege	1052	WMIC.exe
Token: SeManageVolumePrivilege	1052	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

zeppelin.exetaskeng.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4648 wrote to memory of 3728	4648	zeppelin.exe	taskeng.exe
PID 4648 wrote to memory of 3728	4648	zeppelin.exe	taskeng.exe
PID 4648 wrote to memory of 3728	4648	zeppelin.exe	taskeng.exe
PID 4648 wrote to memory of 4216	4648	zeppelin.exe	notepad.exe
PID 4648 wrote to memory of 4216	4648	zeppelin.exe	notepad.exe
PID 4648 wrote to memory of 4216	4648	zeppelin.exe	notepad.exe
PID 4648 wrote to memory of 4216	4648	zeppelin.exe	notepad.exe
PID 4648 wrote to memory of 4216	4648	zeppelin.exe	notepad.exe
PID 4648 wrote to memory of 4216	4648	zeppelin.exe	notepad.exe
PID 3728 wrote to memory of 3512	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 3512	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 3512	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4084	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4084	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4084	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4280	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4280	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4280	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 3964	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 3964	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 3964	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4376	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4376	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4376	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4352	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4352	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4352	3728	taskeng.exe	cmd.exe
PID 3728 wrote to memory of 4384	3728	taskeng.exe	taskeng.exe
PID 3728 wrote to memory of 4384	3728	taskeng.exe	taskeng.exe
PID 3728 wrote to memory of 4384	3728	taskeng.exe	taskeng.exe
PID 4376 wrote to memory of 1000	4376	cmd.exe	vssadmin.exe
PID 4376 wrote to memory of 1000	4376	cmd.exe	vssadmin.exe
PID 4376 wrote to memory of 1000	4376	cmd.exe	vssadmin.exe
PID 4352 wrote to memory of 684	4352	cmd.exe	WMIC.exe
PID 4352 wrote to memory of 684	4352	cmd.exe	WMIC.exe
PID 4352 wrote to memory of 684	4352	cmd.exe	WMIC.exe
PID 3512 wrote to memory of 1052	3512	cmd.exe	WMIC.exe
PID 3512 wrote to memory of 1052	3512	cmd.exe	WMIC.exe
PID 3512 wrote to memory of 1052	3512	cmd.exe	WMIC.exe
PID 4352 wrote to memory of 2056	4352	cmd.exe	vssadmin.exe
PID 4352 wrote to memory of 2056	4352	cmd.exe	vssadmin.exe
PID 4352 wrote to memory of 2056	4352	cmd.exe	vssadmin.exe
PID 3728 wrote to memory of 4604	3728	taskeng.exe	notepad.exe
PID 3728 wrote to memory of 4604	3728	taskeng.exe	notepad.exe
PID 3728 wrote to memory of 4604	3728	taskeng.exe	notepad.exe
PID 3728 wrote to memory of 4604	3728	taskeng.exe	notepad.exe
PID 3728 wrote to memory of 4604	3728	taskeng.exe	notepad.exe
PID 3728 wrote to memory of 4604	3728	taskeng.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\zeppelin.exe
"C:\Users\Admin\AppData\Local\Temp\zeppelin.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:4084

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:4384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:4280

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:4604

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:4216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
bd691101a043a7ec611591cd7deaa579

SHA1
4b238c877946f915e6f73eeb47b55e1395ebde78

SHA256
50421f1709af0eae07003a608a939217b0c08b8a45d413fdbb53c848af089857

SHA512
a14355876fa3a1e082bc99253c0f41c483b6a154562131003427a4c2b0ba6d1123d238f3b8db6fff1bdeb3a74cec187ff0a3a1521bbbc0376d4f04ceebd27930

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
c4079b1e5899a00a568db7f85fc623b7

SHA1
173ab04fcda97aca6e7bd0234599009230966f50

SHA256
315e02bb2bd7cf8442223ff870f97bc66273995abe8a9a4803e3fad3d5ba4453

SHA512
0e6ed68b1beec4785ecedd2d97b659b7945981b7256d8daee6a73126c32c9e998d8eda0f94432ffbe218ba42497644ed7768fe29dec6fd403d88282f109bf592

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
38782efcaa469485e22ccbc80f49e3b6

SHA1
f6d8d231077b8976de48d3a4470b10864394be89

SHA256
33f4c06f651bc56205d996d5d56b2b3e261f7f28ee252c4a14ff2be24d35d4ac

SHA512
b50481dd058cf3b45dba0b85b85c336b4bc31c6606e6c7b9174d8345e674053cf684587eeeef10e55b9ed4824a954c7d048404dc4f7392c0be09eee51b6c3de9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
840d3ce1b3ba0123ae41155bd66f767b

SHA1
8de059be676a513ccd33e3281f2988556bebeda7

SHA256
5e444bf3e104ffbe602955cf8e2772eac58bb78dd8e09f38e1858c0c889083eb

SHA512
7ca06d402e76f95b45c49e7320b326a1d4bd30fd8de87a493aa333bba73703371a6b38cd3babff3e62bbf1e097df778c5436c59861c34150fc53bc8c4e564c4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
1d3541a3d4e467784be3c70998857f96

SHA1
11e7373b331a49e4bd3081aa86bd1c0277ce3550

SHA256
732681b6c07a9fc7953436ae577e4342493e14cd749c046b586c5c446fe7f28f

SHA512
751ac3c9b521e657f57aba763ac6566192d24da16052599563b42c40831a7a59f741332ec671eb38da5a3c71ca1a0548ff54cb15558c7724815886ffdd85c393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
b061b2dfae0d44343e9f7a6dcfc02755

SHA1
a5810002bf5c5a256d4a8d2e9f78067899d9cf50

SHA256
dc0511e366b4c18ce56243bdb0dd886bc8d23027d93c5ef09bfae7c55357be0a

SHA512
24e2cff6a190e999b26615e115f09e5bd3b04270ecf1b29fd4b31ab69ee1701ef2a1659ba95d787b1d81a246b286479d1de96cd384ebabde3c2bd1156c07e2c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JGAO043J\2FJ2NJ0N.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\131PXQ8I.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
43a791cfe3e906f15a432943088450a1

SHA1
0a2d12d30126385eb85d1ce88d06762bc429fb03

SHA256
7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101

SHA512
372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a

Download Submit
C:\Users\Admin\Desktop\AddMount.png.2DA-F0B-017
MD5
ba1429993f76860f02b2eef01f0ac9ec

SHA1
66c3a15e41bba6357ea5ab36de6f7013a75e0f99

SHA256
d6616a1ef3267c6f9be5a2a101daf85358ad36fe7a69e8a0ad89c1520e86f980

SHA512
73978f5c6afd6776bda5825549ffcfdb893283bd101a1061080b5c14f93f71406566101bac357d0a16a013003e2d94d6c195233beb9ab52f7d4ee0feea317529

Download Submit
C:\Users\Admin\Desktop\CompleteSwitch.ttc.2DA-F0B-017
MD5
e1c9464fc3ab47679fb18ffa50404599

SHA1
9056d90301c5b6a4affddad76ec3136342315937

SHA256
69283ea2fc18edcf7bc8e0cf21c3760f51f9d86cb15f1ae59c0a5eb00d811963

SHA512
f355035c64b8ef7759ad2d30463adc68388c5e35de1f5b2169ec1ca55355809ec9dc2add80f432ee223c11511cb2c106c1cd3791fd21158834003d0ff8da9ea1

Download Submit
C:\Users\Admin\Desktop\ConnectUse.ppt.2DA-F0B-017
MD5
6fee0fadf963b8fa990301138b4263a0

SHA1
d0cfb4a17ee2a74f15a76f9e861cdd021427e85e

SHA256
04f15284d23d49be333465c35f1f62e55803ec18fb9bedc3687410dbf646315c

SHA512
5f2036d64779cb2ef990ba553f1eee36fdee97f0db3a01b6464e33b8efc2ed5d4ba6f3bc426cb3a4854a67a8478318616501233de8756ff377a8aee3bf571a4e

Download Submit
C:\Users\Admin\Desktop\ExportUndo.ico.2DA-F0B-017
MD5
fb0b5594131375282ef23b5a142f83d4

SHA1
33bc60dc09d0ac257836723e86d6708528f59915

SHA256
23a15a8b7c0bd31455b024cc4f786aaa33199efd9f977dc7649ac7fd7fbcae39

SHA512
ce87bc2f6c7df48cbd45813c0be27ce52600c2222658baa9753543dd30c49e4b154c3dae8b96718b7635e3052fa77821efda959901700445595d4f2254d328c8

Download Submit
C:\Users\Admin\Desktop\FormatRedo.pcx.2DA-F0B-017
MD5
77d2ab2d346f7e33b0c0c2247463e173

SHA1
8d2f5f6ebccd13f865c07860e4770ed94b2251e1

SHA256
c6cb9636ffccdb0c93f308de5c137c97ddef1feae58093f5a76ac5193819a334

SHA512
e85759e032514d934c18a2ee0cd979eb60aab787c6310f7d884f5341e05cfdcda7078d6ce3e1c517d4bb8b2c1313faf80e79293c75ca28cb95d4288976daf9f1

Download Submit
C:\Users\Admin\Desktop\GrantMount.mpeg.2DA-F0B-017
MD5
4f73cc193a900582f250535104e0860c

SHA1
7febf8c2425d02071bdceb2c690fd61895efceb7

SHA256
9682eea2b718f7b32e0db7211d314498a314d7b4f17565c764e70bc1d7949854

SHA512
76fa402db196d9f82a8de47245acdb15079e3e34ff72f2673f83c8cfddc1499708ff6f394b1c358a0426203b0570c6ca051bfd81b8256852dd3a3d6ab2f7a005

Download Submit
C:\Users\Admin\Desktop\ImportAssert.wps.2DA-F0B-017
MD5
33e91e85e6dd0a3d4ac298681245a392

SHA1
685b9cb092a7d7e1c11e2f27826b98f697625460

SHA256
275a064fd9b521abdcfa5cf4587df4ab8bea88e656f91e6a777e3a15aca22cb6

SHA512
e9f14e3a27b941d461e6867dea411abcf05cc8fa598bf416e83177a485bbf65ad3ff57cba59fb121199192766d82214d70eb302ee05a96de05ed213359e4ab71

Download Submit
C:\Users\Admin\Desktop\InitializeRepair.3g2.2DA-F0B-017
MD5
3a8d20d6028fe8df925d39b6154f816b

SHA1
1d10fc05fc401c4f4ba0de8ca729bec8f847055a

SHA256
5500961cc7e2d9feddf80f901480f410a76a5af48319bc479bdd82c49210a64d

SHA512
54b01ab88ef1b45e85c08621e8e133aee17040c15eb0aee9709760babc8f017cfddab23ca651ebb8a77afbf581615c8a8eb04da66348a133fd68951beadff19d

Download Submit
C:\Users\Admin\Desktop\InstallCopy.css.2DA-F0B-017
MD5
0b2b82561101826c7c4278857eedd557

SHA1
39e8da529e97052a6e18d623a796320f3670b2b1

SHA256
b9283fc0b553b77f2ef0f7cda29f780c2814d87e45c9c0809460b322103f0422

SHA512
99e958c651c7ce18a598288ef8fbff29e7b1ea917fe220f13bb2ac256707a9b7ff272ecfe3718f0cc1f6f5a474ac029846c702e3f228026ba449e0fbbc674f2f

Download Submit
C:\Users\Admin\Desktop\MeasureFormat.ppsx.2DA-F0B-017
MD5
1bcd4a2ac281cee1fc2a9d4633299775

SHA1
1b9e2612aa75fa0a5840110a3df7caad82bb9c0f

SHA256
dc835f7482ef71ce24d1dee9de3717aaa3cd597319cb83ffc554abb4e6529acf

SHA512
9fd0046964f4ababfb33bbf1532ff7a3fa3093bc25299ae8ec777250805e2fd091e821eb017c495f3e6a58c8b385fb8a17ab05f145d444509ece6ff49b869579

Download Submit
C:\Users\Admin\Desktop\MergeAdd.m4v.2DA-F0B-017
MD5
1fe5c4b70f64ff792d109156153b8421

SHA1
f7cd0ba34ee785b7b491f5ad9fd522a98a25d019

SHA256
eb9737c3f66a1b889bc50e70b1d22d6cb121825600c7e596f11bc7a47dc6d51b

SHA512
0beab023cd3cc625fb070ec0d6fb8e4121d973a8bb26a0bf31751a70fd4d635e0cf34b7586a88064cc00d7bc794c68a1d9718383efbfba9d41bda7bce7a315e7

Download Submit
C:\Users\Admin\Desktop\MergeUse.ini.2DA-F0B-017
MD5
83787a13c5b1f2f74de1b321ae09bbba

SHA1
8eb101954d96aecc80e01f2f52eb507e84baa46c

SHA256
1e816278e2355f8de0c638ac40e4b7dbe97c4ccb1bba9e678263307af58efad4

SHA512
311d18b20436d327a984a8271738a1b382d7a8ce929d7ea51285073d7977881cf6f2867e5da8577779946ac6f01679570bab9eb45ba82104958f32c19f92db92

Download Submit
C:\Users\Admin\Desktop\ReadUse.html.2DA-F0B-017
MD5
a2d9e223c229ddfc19b4da9e7a13be89

SHA1
6d63b4590130b5336962b37a7a8c9f6623a5b86d

SHA256
c054b77e2811d505031d8c67f44dbd080bf5ac34dc82ec3f84d3aa4c1282bad8

SHA512
201e1b1dcb5c338978c04376a2e8afcc2315f4d542b44d94f47f1c1be56d179fd48fd95a425dcb450798ed77ad282cf9cc4136c75411f72f78984cc3ea3d1eb0

Download Submit
C:\Users\Admin\Desktop\ReceiveUnblock.cab.2DA-F0B-017
MD5
22ad3044ac52edf011076db36c953525

SHA1
47d7e035a8ad6f31f008ae5d24e9b25ae5eb9656

SHA256
6f76b08d886c6a964e9da57e6d38f3fc0a7969e50883e0e033370f13bafcdc0c

SHA512
1042a5326b230821b0f79271395104dfbff3554085eb25533e1751db2d06a069f919cf0caa49a1e02f011de05352e0fa4ece441dd4cfb3dfffd653e26362ccd1

Download Submit
C:\Users\Admin\Desktop\RepairSend.xltm.2DA-F0B-017
MD5
8fa57de0d0b98e257f99587dec394bd2

SHA1
749d2c973823ab9ab821b786f0f68d8a1d405e97

SHA256
dbe770915a907f7538787d1df5c649575b73be2d6dfdff93f21a2ac377ba1f2f

SHA512
19563dbcb95d6fb637a30be029899dee26d2735c34e9c0fab9244f4d8fda33b5f1a32a816a2c90fdfcf1ed34a2e964165a68c6242472645404b8afc352edecaf

Download Submit
C:\Users\Admin\Desktop\ResizeConfirm.wav.2DA-F0B-017
MD5
9c28c82491f49acf34bbac7a02e3d3ff

SHA1
f0877fded5c2f4c301aca3652debbddc0a9dcd44

SHA256
72e2afef11e6e7cbe45ce2f0c1b54cc71ca3beea86323eff65935438d982f6dd

SHA512
2663a00a7851e1300befca21cc728909d23f1c37779a030f0b71cc13beaa0f9d116d20e17848e6805c878b04e8db63f547a35fd110d9a9301769954238cbaba6

Download Submit
C:\Users\Admin\Desktop\ResolveImport.ppsx.2DA-F0B-017
MD5
ae132a1dbdead03bacb91a92807c2ad2

SHA1
dac7fb3cb53b5198a380f06c6474e931cfff27df

SHA256
749bad9de8f1840563627b1f570e6c44ee96c557e9a4c32b5fcac1b89c32e8f8

SHA512
059b4f4643a3a406f7d3d4f271f6d633a93955da079eea87e8d52d88629971ef6db9c946d4ae35307c8b003209d58c34c147ffd76b35de7c0c2808c1e671382c

Download Submit
C:\Users\Admin\Desktop\RestartSave.jpeg.2DA-F0B-017
MD5
eb904d313f619889ce81c855351c9988

SHA1
033ec574bced9082e5750869a42a76559188a278

SHA256
1762335dc17cc4438f3a2f4dd5c53172ac12376b7fd519d507e965ea27393109

SHA512
4862fcc86c27bc20dbbb5dfe535244fd32958fa15134aae5fc63fc8f2ded442b8ab09374a7ba99a91069e6882509a3b713d2e4247bac2c401e361f462657128f

Download Submit
C:\Users\Admin\Desktop\RestoreDeny.mht.2DA-F0B-017
MD5
5ceef53e0503fe87af56edef14298147

SHA1
dc4add103d55e574d51f33e4c0d812a670bac240

SHA256
09cbd93323b009aeda758e56fb91b2b3a079e9a0b8ee9dee994368b7ee603474

SHA512
14d7f3e2ee18121022dad67a1a263542a5282cff8536082d311fbaa7cac5289674109b54f9c77e0d848c0279bb88426054b32800b4a63606f57324fdc23ce692

Download Submit
C:\Users\Admin\Desktop\ShowCheckpoint.vdw.2DA-F0B-017
MD5
c6229e15e4ccce5694677e06fc41282a

SHA1
220d1c39bbc3e2923d17398c2152a82f9aa6d18b

SHA256
e1ffa96fcbb1c95ce050ee51e4eb8b2810e4dc56523a662fc9b23d343e0d86c6

SHA512
b95722ff36d8575f1bf07474bd63bbcc275e8cc5cd5a13cbe7924581dd58f1b8e76111b510fbd5dfb837c7360688ab8e6ff79d594a8de88cb22bdf18be0a1135

Download Submit
C:\Users\Admin\Desktop\SkipSend.snd.2DA-F0B-017
MD5
54d81bb7dc369c611e728684d40b2d1f

SHA1
236e8e17f36b3e62f7afd8e908e12554d2d28bc7

SHA256
8c36ca037b4943db938f795690304b3cc887b65d0c8bfc65975a5fa83e5b56bf

SHA512
6d77b386938e79d3d319aabb723c8ec6da3ece28f341fb4def20859b2a3bf20eaea2cd53e3d33514cd85be8227175cbcca6dbfd0692fe4deca458e51836f9dcf

Download Submit
C:\Users\Admin\Desktop\UninstallRequest.vbe.2DA-F0B-017
MD5
468e48a6391a914e034be43c9522df9b

SHA1
bcc025efdb8434eb3a5629820164566006945db5

SHA256
e68dfcfdeb0de0eeeba0088c9db3c76e6fe692cde566e858ea2fdd0c279ff7a1

SHA512
1e4de76cc34596687f65e82b2697b2abcd78287a733de444a6f42852c440d2b7cf2853d9ac934fe7e0e29126042ca94343f2331232fddc572494615f07528f35

Download Submit
C:\Users\Admin\Desktop\UnregisterConvert.eprtx.2DA-F0B-017
MD5
d82a4117782ec4991585856f22d7ed9a

SHA1
f3520c836f564a3abb7e7c202a04b5e82f14e042

SHA256
f4429982a5f3efac2853a27af836fc593530f6a52aceb0203918ac08bcecfd16

SHA512
8bdb485eb55bcc780599f50afb378f17c4018d12d12c3f8e2de5aba1c228053a45dc59c7e082c309eb66e8f07cd25f7d20fc933246fca10be081ab412541b8ce

Download Submit
C:\Users\Admin\Desktop\UnregisterLock.wdp.2DA-F0B-017
MD5
f923430dce4027c0951bbaeb6fc04c72

SHA1
fb9a7761333d8212c8997a285aea00a21f7bae6d

SHA256
f87f14a0cfa73675b92dc86b83dd3b7941eda18adc8902e59260783157269f5e

SHA512
9480e21f4bf145421d3b8599b1479fc22285e80465271af826803f619911cf679d59cff16128d9965d128715593ad4782288582f6be63168300b958075d093d0

Download Submit
memory/684-25-0x0000000000000000-mapping.dmp

Download
memory/1000-23-0x0000000000000000-mapping.dmp

Download
memory/1052-26-0x0000000000000000-mapping.dmp

Download
memory/2056-27-0x0000000000000000-mapping.dmp

Download
memory/3512-15-0x0000000000000000-mapping.dmp

Download
memory/3728-2-0x0000000000000000-mapping.dmp

Download
memory/3964-18-0x0000000000000000-mapping.dmp

Download
memory/4084-16-0x0000000000000000-mapping.dmp

Download
memory/4216-6-0x0000000000000000-mapping.dmp

Download
memory/4216-5-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/4280-17-0x0000000000000000-mapping.dmp

Download
memory/4352-20-0x0000000000000000-mapping.dmp

Download
memory/4376-19-0x0000000000000000-mapping.dmp

Download
memory/4384-21-0x0000000000000000-mapping.dmp

Download
memory/4604-53-0x0000000000000000-mapping.dmp

Download
memory/4604-52-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download