Analysis
- max time kernel: 145s
- max time network: 128s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-12-2020 08:05
Static task: static1
Behavioral task: behavioral1 (Sample: zeppelin.exe; Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: zeppelin.exe; Resource: win10v20201028)
General
- Target: zeppelin.exe
- Size: 214KB
- MD5: 43a791cfe3e906f15a432943088450a1
- SHA1: 0a2d12d30126385eb85d1ce88d06762bc429fb03
- SHA256: 7055e8438da61efa50058acd4e010c634f5e33352e2ee6d1f013572f004b7101
- SHA512: 372cb914052c02115f381e5dbc04d6885aa34a1dfa565b882eae7438681c1e14166b6bfbefb175cf2ca9cd036291057056b8c0a8b025c606c8a8f08eed4b466a
Malware Config
Extracted
- Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Family: buran
- Emails: uspex1@cock.li, uspex2@cock.li
Signatures
- Buran
  Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes: taskeng.exe (PID 3728), taskeng.exe (PID 4384)
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: taskeng.exe
  File opened for modification C:\Users\Admin\Pictures\InstallRestart.tiff
  File opened for modification C:\Users\Admin\Pictures\StartResume.tiff
- Deletes itself (1 IoC)
  Processes: notepad.exe (PID 4216)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: zeppelin.exe
  Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: taskeng.exe
  File opened (read-only) \??\A:, \??\B:, and \??\E: through \??\Z: (24 drive roots)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 10: geoiptool.com
- Drops file in Program Files directory (64 IoCs)
  Processes: taskeng.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1000), vssadmin.exe (PID 2056)
- Modifies system certificate store
  Processes: zeppelin.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: zeppelin.exe (PID 4648), WMIC.exe (PID 684), WMIC.exe (PID 1052), vssvc.exe (PID 1224)
- Suspicious use of WriteProcessMemory (48 IoCs)
  Processes: zeppelin.exe (PID 4648), taskeng.exe (PID 3728), cmd.exe (PIDs 3512, 4352, 4376)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\zeppelin.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\zeppelin.exe"
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
      - Executes dropped EXE
      - Modifies extensions of user files
      - Drops file in Program Files directory
    - [3] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
        cmdline: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\vssadmin.exe
        cmdline: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    - [3] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\vssadmin.exe
        cmdline: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    - [3] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    - [3] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - [3] C:\Windows\SysWOW64\notepad.exe
      cmdline: notepad.exe
  - [2] C:\Windows\SysWOW64\notepad.exe
    cmdline: notepad.exe
    - Deletes itself
- [1] C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Downloads
SHA2566f76b08d886c6a964e9da57e6d38f3fc0a7969e50883e0e033370f13bafcdc0c
SHA5121042a5326b230821b0f79271395104dfbff3554085eb25533e1751db2d06a069f919cf0caa49a1e02f011de05352e0fa4ece441dd4cfb3dfffd653e26362ccd1
-
C:\Users\Admin\Desktop\RepairSend.xltm.2DA-F0B-017MD5
8fa57de0d0b98e257f99587dec394bd2
SHA1749d2c973823ab9ab821b786f0f68d8a1d405e97
SHA256dbe770915a907f7538787d1df5c649575b73be2d6dfdff93f21a2ac377ba1f2f
SHA51219563dbcb95d6fb637a30be029899dee26d2735c34e9c0fab9244f4d8fda33b5f1a32a816a2c90fdfcf1ed34a2e964165a68c6242472645404b8afc352edecaf
-
C:\Users\Admin\Desktop\ResizeConfirm.wav.2DA-F0B-017MD5
9c28c82491f49acf34bbac7a02e3d3ff
SHA1f0877fded5c2f4c301aca3652debbddc0a9dcd44
SHA25672e2afef11e6e7cbe45ce2f0c1b54cc71ca3beea86323eff65935438d982f6dd
SHA5122663a00a7851e1300befca21cc728909d23f1c37779a030f0b71cc13beaa0f9d116d20e17848e6805c878b04e8db63f547a35fd110d9a9301769954238cbaba6
-
C:\Users\Admin\Desktop\ResolveImport.ppsx.2DA-F0B-017MD5
ae132a1dbdead03bacb91a92807c2ad2
SHA1dac7fb3cb53b5198a380f06c6474e931cfff27df
SHA256749bad9de8f1840563627b1f570e6c44ee96c557e9a4c32b5fcac1b89c32e8f8
SHA512059b4f4643a3a406f7d3d4f271f6d633a93955da079eea87e8d52d88629971ef6db9c946d4ae35307c8b003209d58c34c147ffd76b35de7c0c2808c1e671382c
-
C:\Users\Admin\Desktop\RestartSave.jpeg.2DA-F0B-017MD5
eb904d313f619889ce81c855351c9988
SHA1033ec574bced9082e5750869a42a76559188a278
SHA2561762335dc17cc4438f3a2f4dd5c53172ac12376b7fd519d507e965ea27393109
SHA5124862fcc86c27bc20dbbb5dfe535244fd32958fa15134aae5fc63fc8f2ded442b8ab09374a7ba99a91069e6882509a3b713d2e4247bac2c401e361f462657128f
-
C:\Users\Admin\Desktop\RestoreDeny.mht.2DA-F0B-017MD5
5ceef53e0503fe87af56edef14298147
SHA1dc4add103d55e574d51f33e4c0d812a670bac240
SHA25609cbd93323b009aeda758e56fb91b2b3a079e9a0b8ee9dee994368b7ee603474
SHA51214d7f3e2ee18121022dad67a1a263542a5282cff8536082d311fbaa7cac5289674109b54f9c77e0d848c0279bb88426054b32800b4a63606f57324fdc23ce692
-
C:\Users\Admin\Desktop\ShowCheckpoint.vdw.2DA-F0B-017MD5
c6229e15e4ccce5694677e06fc41282a
SHA1220d1c39bbc3e2923d17398c2152a82f9aa6d18b
SHA256e1ffa96fcbb1c95ce050ee51e4eb8b2810e4dc56523a662fc9b23d343e0d86c6
SHA512b95722ff36d8575f1bf07474bd63bbcc275e8cc5cd5a13cbe7924581dd58f1b8e76111b510fbd5dfb837c7360688ab8e6ff79d594a8de88cb22bdf18be0a1135
-
C:\Users\Admin\Desktop\SkipSend.snd.2DA-F0B-017MD5
54d81bb7dc369c611e728684d40b2d1f
SHA1236e8e17f36b3e62f7afd8e908e12554d2d28bc7
SHA2568c36ca037b4943db938f795690304b3cc887b65d0c8bfc65975a5fa83e5b56bf
SHA5126d77b386938e79d3d319aabb723c8ec6da3ece28f341fb4def20859b2a3bf20eaea2cd53e3d33514cd85be8227175cbcca6dbfd0692fe4deca458e51836f9dcf
-
C:\Users\Admin\Desktop\UninstallRequest.vbe.2DA-F0B-017MD5
468e48a6391a914e034be43c9522df9b
SHA1bcc025efdb8434eb3a5629820164566006945db5
SHA256e68dfcfdeb0de0eeeba0088c9db3c76e6fe692cde566e858ea2fdd0c279ff7a1
SHA5121e4de76cc34596687f65e82b2697b2abcd78287a733de444a6f42852c440d2b7cf2853d9ac934fe7e0e29126042ca94343f2331232fddc572494615f07528f35
-
C:\Users\Admin\Desktop\UnregisterConvert.eprtx.2DA-F0B-017MD5
d82a4117782ec4991585856f22d7ed9a
SHA1f3520c836f564a3abb7e7c202a04b5e82f14e042
SHA256f4429982a5f3efac2853a27af836fc593530f6a52aceb0203918ac08bcecfd16
SHA5128bdb485eb55bcc780599f50afb378f17c4018d12d12c3f8e2de5aba1c228053a45dc59c7e082c309eb66e8f07cd25f7d20fc933246fca10be081ab412541b8ce
-
C:\Users\Admin\Desktop\UnregisterLock.wdp.2DA-F0B-017MD5
f923430dce4027c0951bbaeb6fc04c72
SHA1fb9a7761333d8212c8997a285aea00a21f7bae6d
SHA256f87f14a0cfa73675b92dc86b83dd3b7941eda18adc8902e59260783157269f5e
SHA5129480e21f4bf145421d3b8599b1479fc22285e80465271af826803f619911cf679d59cff16128d9965d128715593ad4782288582f6be63168300b958075d093d0
-