Analysis

max time kernel   140s
max time network  134s
platform          windows7_x64
resource          win7v20201028
submitted         16-12-2020 23:45

Static task      static1
Behavioral task  behavioral1
  Sample    438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
  Resource  win7v20201028
Behavioral task  behavioral2
  Sample    438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
  Resource  win10v20201028

The signature, process and file detail below is the Windows 7 x64 run (behavioral1, resource win7v20201028).
General

Target  438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
Size    449KB
MD5     574f031251f67bcc6ea9168364d2fbfd
SHA1    f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256  438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512  d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
Malware Config

Extracted from  C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family          buran
Contact emails  wiruxa@airmail.cc, anygrishevich@yandex.ru
Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.

Deletes shadow copies  2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE  2 IoCs
Processes:
  pid 576   services.exe
  pid 1236  services.exe
The dropped services.exe is a byte-identical copy of the sample: its MD5, SHA1 and SHA256 under Downloads equal the Target hashes above.

Modifies extensions of user files  1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  File opened for modification  C:\Users\Admin\Pictures\MeasureResolve.tiff  services.exe

Deletes itself  1 IoCs
Processes:
  pid 296  notepad.exe
The deletion is attributed to notepad.exe (pid 296), which the sample (pid 476) spawned without arguments and then wrote into repeatedly (see WriteProcessMemory below). That is consistent with the sample injecting its self-delete routine into notepad, not with notepad doing anything of its own.

Loads dropped DLL  1 IoCs
Processes:
  pid 476  438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe

Adds Run key to start application  2 TTPs 2 IoCs
Processes: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
  Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"
Both the value name and the file name mimic the Service Control Manager binary (C:\Windows\System32\services.exe). The real services.exe is started by wininit.exe and never from a per-user Run key or from AppData\Roaming, so the path in this value is a usable detection on its own.
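A triage script for the Run-key pattern just described, as an added example that is not part of the sandbox report. It parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints (key line, then four-space-separated name, type and data columns), splits each value into executable and arguments, and scores the executable on two observations the report supports: it lives in a user-writable location, and it borrows the name of a Windows system binary while not living in System32 or SysWOW64. The Buran row is the report's value; the OneDrive and Steam rows are constructed benign entries, included to show that the user-writable check alone over-fires and the masquerade check is the discriminator.

```python
"""Triage HKCU Run entries as collected with `reg query`.

Added example, not the sandbox's code. REG_OUTPUT is a constructed transcript in
`reg query` format; only the services.exe row comes from the report.
"""
import re

REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    services.exe    REG_SZ    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Steam    REG_SZ    "C:\Program Files (x86)\Steam\steam.exe" -silent
"""

# reg query separates name, type and data with four spaces; names may contain spaces.
ROW = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Locations the real copies of these binaries live in; anything else is a masquerade.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "smss.exe", "wininit.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_reg_query(text):
    """Yield (key, name, type, data) for every value row under every key line."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3).strip()
        elif not line.startswith(" "):
            key = line.strip()


def split_command(data):
    """Separate executable from arguments. Quoted paths (the form Buran writes)
    are exact; an unquoted path with spaces falls back to a first-token guess."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', data) or re.match(r"^(\S+)\s*(.*)$", data)
    return (m.group(1), m.group(2)) if m else (data, "")


def triage(text):
    """Return one record per Run value, most suspicious first."""
    out = []
    for key, name, vtype, data in parse_reg_query(text):
        exe, args = split_command(data)
        low = exe.lower()
        base = low.rsplit("\\", 1)[-1]
        reasons = []
        if any(t in low for t in USER_WRITABLE):
            reasons.append("binary in user-writable path")
        if base in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
            reasons.append(f"{base} outside System32/SysWOW64 (masquerade)")
        out.append({"key": key, "name": name, "type": vtype, "exe": exe,
                    "args": args, "reasons": reasons})
    return sorted(out, key=lambda r: -len(r["reasons"]))


if __name__ == "__main__":
    for r in triage(REG_OUTPUT):
        print(f'{r["name"]:<14} {r["exe"]} {r["args"]}  ->  {"; ".join(r["reasons"]) or "ok"}')
```

On a live host, pipe the real `reg query` output into `triage()`; the same parser works for the HKLM Run and RunOnce keys.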
Enumerates connected drives  3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: services.exe
  File opened (read-only)  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (every drive letter except C: and D:, probed one at a time; on a host with mapped network drives or removable media those volumes are reached the same way)
Legitimate hosting services abused for malware hosting/C2  1 TTPs

Looks up external IP address via web service  1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 5  geoiptool.com
Drops file in Program Files directory  15048 IoCs
Processes: services.exe  (64 of 15048 entries shown; files that already carry the .187-7CE-4F1 suffix have been renamed after encryption, the others were opened but not yet renamed when the snapshot was taken)
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\form_edit.js
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Faroe.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199465.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Austin.thmx.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\OriginFax.Dotx
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239191.WMF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msmdsrv.rll
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Jujuy
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Civic.eftx.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Europe\Berlin
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01586_.WMF.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198021.WMF.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICTPH.POC.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar.187-7CE-4F1
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107314.WMF.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14768_.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18242_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITS.ICO.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL054.XML
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237336.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Dubai.187-7CE-4F1
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02293_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK.187-7CE-4F1
  File opened for modification  C:\Program Files\7-Zip\Lang\vi.txt.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACTL.ICO
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico.187-7CE-4F1
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF
The pattern is the same across the list: the original extension is kept and .187-7CE-4F1 is appended after it (Faroe.187-7CE-4F1 shows a file with no original extension), and !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT is created per directory as the run proceeds. Program Files is walked as readily as the user profile, so executables and DLLs in it (MSTORE.EXE, javacpl.exe, ONELEV.EXE appear above) are candidates for encryption too.
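A post-incident inventory for the file pattern in this list, as an added example that is not part of the sandbox report. It walks a tree the way you would walk a mounted victim volume, counts files that end in the appended suffix (grouped by the original extension that precedes it) and records every directory that received the ransom note. Because the report shows only this run's suffix, the scanner takes the suffix as a parameter and `infer_suffix()` guesses it from the data when it is not known (a heuristic: the trailing extension that appears on the widest variety of original extensions). `build_constructed_tree()` writes a small made-up layout modelled on the paths above so the script runs offline; `demo()` ties the pieces together.

```python
"""Inventory encrypted files and ransom notes after a Buran-style run.

Added example, not the sandbox's code. The directory tree is constructed;
replace build_constructed_tree() with the mount point of the volume under review.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"   # name from the report
OBSERVED_SUFFIX = ".187-7CE-4F1"                          # this run's appended suffix

# Constructed layout (relative, POSIX separators), modelled on paths in the report.
ENCRYPTED = [
    "Program Files (x86)/Adobe/Reader 9.0/Reader/plug_ins3d/drvDX8.x3d",
    "Program Files (x86)/Microsoft Office/CLIPART/PUB60COR/J0382967.JPG",
    "Program Files/Java/jdk1.7.0_80/jre/lib/zi/Atlantic/Faroe",      # no original extension
    "Users/Admin/Desktop/AssertResize.xhtml",
    "Users/Admin/Desktop/ConvertToImport.tif",
    "Users/Admin/Pictures/MeasureResolve.tiff",
]
UNTOUCHED = [
    "Program Files (x86)/Microsoft Office/Office14/Groove/ToolData/groove.net/GrooveForms4/form_edit.js",
    "Program Files (x86)/Microsoft Office/Office14/MSTORE.EXE",
]
NOTE_DIRS = [
    "Program Files (x86)/Adobe/Reader 9.0/Reader/plug_ins/VDKHome",
    "Users/Admin/Desktop",
]


def build_constructed_tree(base):
    """Create the made-up tree under `base`; contents are placeholders only."""
    base = Path(base)
    for rel in ENCRYPTED:
        p = base / (rel + OBSERVED_SUFFIX)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(os.urandom(64))                 # stand-in for ciphertext
    for rel in UNTOUCHED:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"plaintext placeholder")
    for rel in NOTE_DIRS:
        d = base / rel
        d.mkdir(parents=True, exist_ok=True)
        (d / RANSOM_NOTE).write_text("constructed note body\n")
    return base


def infer_suffix(root, min_distinct=3):
    """Heuristic: among files with at least two extensions, return the final
    extension that sits on the most distinct original extensions, or None."""
    carriers = {}
    for _dirpath, _dirs, files in os.walk(root):
        for f in files:
            parts = f.split(".")
            if len(parts) >= 3:
                carriers.setdefault("." + parts[-1], set()).add(parts[-2].lower())
    if not carriers:
        return None
    suffix, originals = max(carriers.items(), key=lambda kv: len(kv[1]))
    return suffix if len(originals) >= min_distinct else None


def scan(root, suffix):
    """Count encrypted files by original extension, note directories, untouched files."""
    root = Path(root)
    encrypted, by_ext, note_dirs, untouched = [], Counter(), [], 0
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            rel = (Path(dirpath) / f).relative_to(root).as_posix()
            if f == RANSOM_NOTE:
                note_dirs.append(Path(rel).parent.as_posix())
            elif f.endswith(suffix):
                encrypted.append(rel)
                by_ext[Path(f[:-len(suffix)]).suffix.lower() or "(none)"] += 1
            else:
                untouched += 1
    return {"encrypted": sorted(encrypted), "by_original_ext": dict(by_ext),
            "note_dirs": sorted(note_dirs), "untouched": untouched}


def demo():
    """Build the constructed tree in a temp dir, infer the suffix, scan it."""
    root = build_constructed_tree(tempfile.mkdtemp(prefix="buran-triage-"))
    suffix = infer_suffix(root) or OBSERVED_SUFFIX
    return suffix, scan(root, suffix)


if __name__ == "__main__":
    suffix, result = demo()
    print("suffix:", suffix)
    print("encrypted:", len(result["encrypted"]), "by ext:", result["by_original_ext"])
    print("note in:", result["note_dirs"], "untouched:", result["untouched"])
```

The `by_original_ext` breakdown is what tells you whether only documents or also binaries were hit, and `note_dirs` gives the directories the encryptor actually visited, which is a cheaper proxy for coverage than hashing every file.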
Interacts with shadow copies  2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid 1544  vssadmin.exe
  pid 776   vssadmin.exe
Modifies system certificate store
Processes: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe, services.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [value elided by corpus de-duplication]  438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e  438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  services.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [value elided by corpus de-duplication]  services.exe
Decoded, the Blob is a CryptoAPI certificate-context property list (SHA1 hash, key identifier, friendly name "C·O·M·O·D·O", EKU list, root-program policies, then the DER certificate under property 0x20), and the certificate is the public root "AAA Certificate Services" (C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited), self-signed, valid 2004-01-01 to 2028-12-31, whose SHA1 thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349 is the key name. AuthRoot is the store that Windows' automatic root update fills on demand when CryptoAPI needs a root it has not cached, and the CryptnetUrlCache files under Downloads are that mechanism's download cache. The writes are therefore consistent with a TLS connection during the run causing a root fetch, not with the malware planting its own trust anchor. Treat the signature as low value for this sample; it would matter if the thumbprint were not one in the Microsoft Trusted Root Program.
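A decoder for the Blob value format shown above, as an added example that is not the sandbox's or Microsoft's code. The value is a run of certificate-context properties, each serialised as a little-endian DWORD property id, a DWORD reserved field that is always 1, a DWORD length and that many bytes; the certificate itself is the CERT_CERT_PROP_ID (0x20) record, which is why the report's hex runs 0x19, 0x03, 0x1d, 0x14, 0x0b, 0x53, 0x09, 0x0f and then 0x20 followed by `308204...`. The parser walks those records, checks that the stored SHA1 property really is the hash of the embedded certificate (a forged or tampered entry would not match), and reports what it found. SAMPLE_BLOB is a constructed miniature with a placeholder "certificate" so the script runs offline; it reuses the report's friendly name but is not the Comodo root from the report.

```python
"""Decode a SystemCertificates\\...\\Certificates\\<sha1>\\Blob registry value.

Added example. Record layout: DWORD prop_id | DWORD reserved (1) | DWORD length | data.
Property ids are the wincrypt.h CERT_*_PROP_ID constants.
"""
import hashlib
import struct

PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}


def parse_blob(blob: bytes):
    """Walk the property records; return {prop_id: data}. Raises on a short record."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"bad record id={prop_id:#x} len={length} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def describe(blob_hex: str):
    """Summarise a Blob given as the hex string `reg query ... /v Blob` prints."""
    props = parse_blob(bytes.fromhex(blob_hex))
    cert = props.get(0x20, b"")
    stored = props.get(0x03, b"").hex().upper()
    actual = hashlib.sha1(cert).hexdigest().upper() if cert else ""
    return {
        "properties": [PROP_NAMES.get(p, f"unknown_{p:#x}") for p in props],
        "friendly_name": props.get(0x0B, b"").decode("utf-16-le").rstrip("\x00"),
        "cert_len": len(cert),
        "stored_thumbprint": stored,
        "thumbprint_matches_cert": bool(cert) and stored == actual,
    }


def record(prop_id: int, data: bytes) -> bytes:
    """Serialise one property record (used only to build the constructed sample)."""
    return struct.pack("<III", prop_id, 1, len(data)) + data


# Constructed sample: a placeholder DER SEQUENCE stands in for the certificate.
FAKE_CERT = bytes.fromhex("30060201010201ff")
FRIENDLY = "C\u00b7O\u00b7M\u00b7O\u00b7D\u00b7O"          # same friendly name as the report's blob
SAMPLE_BLOB = (record(0x03, hashlib.sha1(FAKE_CERT).digest())
               + record(0x0B, (FRIENDLY + "\x00").encode("utf-16-le"))
               + record(0x20, FAKE_CERT))
# Same certificate, wrong stored thumbprint: describe() flags the mismatch.
TAMPERED_BLOB = record(0x03, b"\x00" * 20) + record(0x20, FAKE_CERT)

if __name__ == "__main__":
    print(describe(SAMPLE_BLOB.hex()))
    print(describe(TAMPERED_BLOB.hex())["thumbprint_matches_cert"])
```

For the real entry, run `reg query "HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349" /v Blob`, pass the hex to `describe()`, and write `parse_blob(...)[0x20]` to a file for `openssl x509 -inform der -noout -subject -issuer -dates` to read the subject and validity directly.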
Suspicious behavior: EnumeratesProcesses  1094 IoCs
Processes:
  pid 576  services.exe  (the same entry repeated; 64 of 1094 shown)
Suspicious use of AdjustPrivilegeToken  87 IoCs
Processes: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe (pid 476), WMIC.exe (pid 1052), WMIC.exe (pid 840)
  pid 476   438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe  SeDebugPrivilege (twice)
  pid 1052  WMIC.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35  (the whole set, enabled twice)
  pid 840   WMIC.exe  the same set (listing truncated at 64 entries during its second round)
The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege. WMIC.exe enables its token's full privilege set at startup regardless of the query it is about to run, so the two WMIC rows carry no signal of their own; what does is the sample's own SeDebugPrivilege (pid 476) and the parent chain that launched WMIC (see Processes).
Suspicious use of WriteProcessMemory  62 IoCs
Processes: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe, services.exe, cmd.exe (three instances)
Unique writer -> target pairs (each pair is logged several times in the raw list):
  PID 476   438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe  ->  576   services.exe
  PID 476   438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe  ->  296   notepad.exe
  PID 576   services.exe  ->  1576  cmd.exe
  PID 576   services.exe  ->  1728  cmd.exe
  PID 576   services.exe  ->  292   cmd.exe
  PID 576   services.exe  ->  2032  cmd.exe
  PID 576   services.exe  ->  1380  cmd.exe
  PID 576   services.exe  ->  1712  cmd.exe
  PID 576   services.exe  ->  1236  services.exe
  PID 576   services.exe  ->  964   notepad.exe
  PID 1576  cmd.exe       ->  1052  WMIC.exe
  PID 1380  cmd.exe       ->  1544  vssadmin.exe
  PID 1712  cmd.exe       ->  840   WMIC.exe
  PID 1712  cmd.exe       ->  776   vssadmin.exe
Every child carries the same handful of writes that process creation itself produces; the two notepad.exe children (296 and 964), launched without a command line, receive noticeably more, and 296 is the process the self-delete is attributed to, which points at code injected into notepad rather than anything notepad does.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe  (pid 476)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe  (pid 576)
      cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
      - Executes dropped EXE
      - Enumerates connected drives
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  (pid 1576)
        cmdline: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe  (pid 1052)
          cmdline: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    [3] C:\Windows\SysWOW64\cmd.exe  (pid 1380)
        cmdline: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\vssadmin.exe  (pid 1544)
          cmdline: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    [3] C:\Windows\SysWOW64\cmd.exe  (pid 1712)
        cmdline: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\Wbem\WMIC.exe  (pid 840)
          cmdline: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\vssadmin.exe  (pid 776)
          cmdline: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe  (pid 1236)
        cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
        - Executes dropped EXE
        - Modifies extensions of user files
        - Drops file in Program Files directory
    [3] C:\Windows\SysWOW64\notepad.exe  (pid 964)
        cmdline: notepad.exe
  [2] C:\Windows\SysWOW64\notepad.exe  (pid 296)
      cmdline: notepad.exe
      - Deletes itself
[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe

Reading the tree: the bracketed number is the depth the sandbox recorded; pids are taken from the signature sections above, so the three cmd.exe rows that never triggered a signature have none. The sample (pid 476) copies itself to AppData\Roaming\Microsoft\Windows\services.exe, registers the Run key, launches the copy with -start, and hands its own removal to an injected notepad.exe (pid 296). The -start instance (pid 576) does the recovery inhibition, both as cmd one-liners and again through the dropped ~temp001.bat, which repeats the wmic shadowcopy delete / vssadmin delete shadows pair; it then launches a second copy with -agent 0 (pid 1236), which is the instance that encrypts user files and Program Files. Image paths read SysWOW64 while the command lines say system32 because the sample is 32-bit and runs under WOW64 file-system redirection. vssvc.exe at the top level is the Volume Shadow Copy service, started on demand by the vssadmin/wmic requests; it is not a child of the malware.
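Detection logic for the recovery-inhibition chain in this tree (ATT&CK T1490), as an added example that is not part of the sandbox report. Matching `vssadmin delete shadows` on its own is noisy because administrators run it; what the tree shows is where the command came from, so the script walks the parent chain of every hit past the cmd.exe wrapper and the LOLBin itself to the first "real" ancestor, then flags that origin when it lives in a user-writable path or borrows a system binary's name outside System32/SysWOW64. EVENTS is a constructed list of process-creation records in a Sysmon Event ID 1-like shape (the field names are this example's own): the first rows replay the report's chain with its pids where the report gives them and assigned values for the three cmd.exe rows that have none, and the last two rows are made-up controls, a harmless `vssadmin list shadows` and an administrator deleting one shadow from an explorer-launched prompt.

```python
"""Attribute recovery-inhibition commands to the process that really issued them.

Added example, not the sandbox's code. EVENTS is constructed; feed real
process-creation telemetry with the same four fields.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# The exact commands observed in the report (suffix and whitespace tolerant),
# deliberately not a catch-all "any vssadmin" match.
INHIBIT_RECOVERY = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":  re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_recovery_off":    re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin_delete_catalog":  re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}

# Interpreters and LOLBins that merely carry the command; attribution walks past them.
WRAPPERS = {"cmd.exe", "wmic.exe", "vssadmin.exe", "bcdedit.exe", "wbadmin.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def basename(image):
    return image.lower().rsplit("\\", 1)[-1]


def ancestry(ev, by_pid):
    """Images from the event up to the root; the seen-set guards against pid reuse loops."""
    chain, seen = [], set()
    while ev is not None and ev.pid not in seen:
        seen.add(ev.pid)
        chain.append(ev.image)
        ev = by_pid.get(ev.ppid)
    return chain


def origin_flags(origin):
    low = origin.lower()
    flags = []
    if any(t in low for t in USER_WRITABLE):
        flags.append("user_writable_origin")
    if basename(origin) in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        flags.append("masquerade")
    return tuple(flags)


def detect(events):
    """Return sorted unique (technique, origin_image, flags) triples."""
    by_pid = {e.pid: e for e in events}
    found = set()
    for e in events:
        for name, rx in INHIBIT_RECOVERY.items():
            if not rx.search(e.cmdline):
                continue
            origin = next((img for img in ancestry(e, by_pid) if basename(img) not in WRAPPERS), None)
            found.add((name, origin, origin_flags(origin) if origin else ()))
    return sorted(found, key=lambda t: (t[0], t[1] or ""))


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8.exe"
AGENT = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),            # constructed root
    ProcEvent(476, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(576, 476, AGENT, f'"{AGENT}" -start'),
    ProcEvent(1576, 576, CMD, r'"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete'),
    ProcEvent(1052, 1576, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(1728, 576, CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    ProcEvent(292, 576, CMD, r'"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no'),
    ProcEvent(2032, 576, CMD, r'"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet'),
    ProcEvent(1380, 576, CMD, r'"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet'),
    ProcEvent(1544, 1380, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    # constructed controls
    ProcEvent(3000, 1000, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ProcEvent(3100, 1000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /for=C: /oldest'),
]

if __name__ == "__main__":
    for technique, origin, flags in detect(EVENTS):
        print(f"{technique:<26} from {origin}  {flags or ''}")
```

The output separates the two cases the regexes alone cannot: all five techniques attributed to the AppData services.exe with both flags set, and one `vssadmin_delete_shadows` attributed to explorer.exe with no flags, which is the administrator case a rule should score lower rather than drop.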
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
b36da5c81e37e66335b100fe541c1668
SHA181b166b7d5c9801ca146d1ef5b95aac47c952112
SHA256996dbe67869eabac1e506abdc5b12c933eb5c735778481c9894c7a9ae9bd1d49
SHA512c551487a3b6f952a7328abd2449934427209dc537a0c0429335facb7faa103fc5a8788197ab6f48830e184d953cbd0e9e99b4787e3565f52c9fd50759ff0abaa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
a39a754e0b0ba7e439a962153cc63feb
SHA1b4d9a16bce5017a94196a68d87de254f0795922b
SHA256bcd4f320f4b3cf23708d4f373d4eb0208c453dbaffa9f5b402ab73f127528c6e
SHA5128c206e9fc85c7a05b4eaa34269c5af83bf016c043d881472b9f90ecf83c781892c450d1593d36bdcc080c552748e2fe61c439769ca93ccdc5a2453b74a2175b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
c8f6d84e4c36d9393622a1af12a9a848
SHA11df0282b790a4a641c0f256a842141d5666a3f30
SHA256c7b9816df943aee5e1923deaaa2abef8881da46a27fec381e0b92ac30f810ebb
SHA512a835f48c7468366ebee56d2387493c5d789a695d895ad9c0f010cdd7ca96ed33269266a2ca4264a45021644d811853eab371520377bcdf404f70ab3b9ed6f9d1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
a00620526efb2f4aeaeaaaa4af7e1340
SHA1764bdfb3c74e16dd9d225608ad7e029f7cd41a1e
SHA256ff0aa6b3465b237a8b2b6899696e56f7ef1f4dc7ab0d9ddd38964338d3fe342f
SHA5121413e003c445e4b122329412ccddaa788cf51ad93d493d4a9883f6fdee9276fccb50544e26983a0e55eb5381d8d737fba3595e0a5e28b4923a469d96312cc7ee
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
ac3bfbc26f286ba88ec2a1576b43d5b3
SHA1e4709601dc40a38ce75283da4fa3d730dc1f7e7b
SHA256e17947d26fee7d5f2d860433935ae6df2d3fe7964f3df7fe6ef01434edd3624e
SHA512e13e03e0e3692fc51ff18b36c393473f70f6931f4ca8e49083c5ab50fc87dfe9c9ca4a18f725fc553482648feedad105592a6b77253d2b47852f7f401b3b3b14
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
826c1982a1c2fdbe242ca153d6431c51
SHA1de22856ef242c02641e712cbd1ea906c4667ac5f
SHA256c17ad4e4f249088e20a3468890bf80ec1255c7220ce197d4e1c8d9a19f629da0
SHA5127f381e273c1f42641268582300941a4328ac09ec3427002e56a5e46c71bde8874cffc04128e5c93e07c0fb2712db671743285d172d74d7493ae454d4ebf34470
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
4f10231095719fdce58ca4900f857003
SHA1ec410bc56db508659e66a9a93266aba1b4a684e6
SHA256ec83aa7e82a903ab1e491d453aadea0196f99e9363071cb92e0168c158842fcb
SHA512d8d57edc61d271475dae414f302ce09b5444a2f8d1909dc0c795b584a25322f9ca91f46d8cd3206c5ac6c67b7273085ab5882bf581a19a72c14d7b863d0177ae
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\I14MIR0D.htmMD5
b1cd7c031debba3a5c77b39b6791c1a7
SHA1e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA25657ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\SIMSL8J3.htmMD5
6b17a59cec1a7783febae9aa55c56556
SHA101d4581e2b3a6348679147a915a0b22b2a66643a
SHA25666987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb
SHA5123337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3
-
C:\Users\Admin\AppData\Local\Temp\~temp001.batMD5
ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exeMD5
574f031251f67bcc6ea9168364d2fbfd
SHA1f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
-
Encrypted user files (original name and extension kept, victim-ID extension .187-7CE-4F1 appended):
C:\Users\Admin\Desktop\AssertResize.xhtml.187-7CE-4F1
MD5: 9a015b1f81f148edb9f442856b5baf69
SHA1: 63aae38c766f976523a6b2496b3244be315af3bd
SHA256: 333fd06fb6618e7b311a1719c4155a96c1840228e035ed8a0b6acec96e8ae5db
SHA512: 220fa6989732fdc8d7b931093815a4c6ecf6dca6a4c5de545d6ea3523b6d5f050b6a3189f095f84a6c95e969f2d2136aff86ac27de153268d01812c2d3f74724
-
C:\Users\Admin\Desktop\ConvertToImport.tif.187-7CE-4F1
MD5: 0af8a588d2f83334bd559a34a315200d
SHA1: 4ed5d3a46d548ceb7c2d9226d0de068a2dd57d81
SHA256: 29d84a27f64dc8c5e1bb33dc910b0f62421704b0b517709c7e5118272c640062
SHA512: a4a6b0ed36615079c0d717063f27a7a373f12b4f3384be0adb0b4355a4d0a460046a690543d267569ec926c11583c6015639ae541679a0eb8eacdb87ac1ba943
-
C:\Users\Admin\Desktop\ConvertToRemove.m4v.187-7CE-4F1
MD5: 59f6b4ea46dbdfaeda7eaa9635c77b34
SHA1: fcd75d6c58825772df834427c799995d8ed37893
SHA256: 95e961f28dbf7838d5efbdde204f26aa56734ea89647fd434b92e91ffc8f284e
SHA512: 246b787aced93463d0d0e0af1ee6bfd2683c81070add2fed65fb9f8474d68014fa12814d5833ff691b1f02f221d717af2cf89575bc29604a3ad4e5cf29593baf
-
C:\Users\Admin\Desktop\ConvertToUnlock.xht.187-7CE-4F1
MD5: 4b9e69aec9281781f3b26af76e338965
SHA1: 1b448107870ea9675a5eb79b1fb17892ca1a2315
SHA256: 4de62ad05756e2aa0d1b3ad53ddfdef2c53b83238543b1b31e197f78ed9233a2
SHA512: 71073f7a4c303c678cd25817b651d4c389d06efc64291f2c62e1dd7f043cdf8a4190144cc832415f4a254b0afa76da64639d830b4ae905dbedf4b5aaa4fa875e
-
C:\Users\Admin\Desktop\EnableFind.temp.187-7CE-4F1
MD5: e522748a35d6ef3769dd4ecb63228cdb
SHA1: fc7d65e8d4899ca681f368152e55e8e1c7af7afd
SHA256: 3c0fb6e4c91220a8ff608db50f0ae4223be6c5e86589185bea82bd9e195a695c
SHA512: fe68043263ee5a6d673a6ce046f22e11c381ca55685181e7ecce2029750aa99368ea90b1828e17b9a24d3f718a9d7599c36b4a94a378933f93bbb1e772f39553
-
C:\Users\Admin\Desktop\ImportOptimize.rmi.187-7CE-4F1
MD5: d68d42889b70058ebf0ba8a01b6fcd0b
SHA1: 32ac1d7d9e1f8ec2745c33dc8bc3f64734616d27
SHA256: 601e3e9dbf5eb37a514926177b1fd62532aba96a0d926ce1b4fe14aebe52ba98
SHA512: 8591c33999a2684a26eed3a262513fad8a51ec186ab1888cf2530f81721480e506e76c455065a5bcbd04f61d45fa07dc4ac60c09df464830a500ac250a75684d
-
C:\Users\Admin\Desktop\ImportResume.WTV.187-7CE-4F1
MD5: 4e8358f2d52aa47e482ae99611d49b30
SHA1: b0b1df38f9b626c0107f22d2c5ac45e651379704
SHA256: ded5a3df9f1f9fe0e80d0825bae5f44d045070a1b7766717400502f6d3422def
SHA512: 712609d0b9ed14aecab54aa5164aa08dc972260b9f87d644a3222d2fef3c37a7bdb4cde8a33b1800e2c5edf617c15905513ee64217adb5fdb943d872e1d66c19
-
C:\Users\Admin\Desktop\InvokeHide.ogg.187-7CE-4F1
MD5: a9486adc13aa6f5abca273ccacb9b379
SHA1: bc3b3d3dda6b52c84f1afd74e999f1bfa4c1e92d
SHA256: 0b8ea2af8659d090053bf4cd582369e329b885d00a2e55b02d68191f1ace9ec6
SHA512: 282fcac0566afd649abc9e05352daa9e3dde75b14fbef26d783c06911a990afdee28c0329afdcc4d977666d417f5fe8f05b8892268349ee85edf74d76b60fedf
-
C:\Users\Admin\Desktop\MergeExit.cfg.187-7CE-4F1
MD5: 4379477f8dbb5bcfd9472a227f1e0e51
SHA1: d2fd4b7836a06bf29d0cc2cc3b9c7a06f707e3c7
SHA256: efd3daacb12da1f7ead53c1829be2e985b39722babbaf86a6ea5d12c16b4f0f6
SHA512: 7cd4df3fdf0748570f955aa76826f53f3858b8c3b217dd1c25574e071c8cbb3af56140590d41619a2917c41b9b4290930c4943b9714266fda25c2f2cfd3df532
-
C:\Users\Admin\Desktop\PingGet.ods.187-7CE-4F1
MD5: ebffeb6f8d54a8c1242e14f4f26b26db
SHA1: fd52a3fd724236a03f821f0b0402ed6515f7c3f8
SHA256: 7477d4cde070b810486aa4f8d94dcd6526299afcbe43ff93c2af8547ac1b26f6
SHA512: 9eae439f3030c36855cd163400bded2a70bccb7f6db39abbe449a4b26867ea3e11610beddf0c29aeb01eaa30f53e234008ba8792f9adfb68c86cf1fa6d84028e
-
C:\Users\Admin\Desktop\ProtectUpdate.M2T.187-7CE-4F1
MD5: 2164bd9773355a309fde8656fa948283
SHA1: 4190bd6cfc834144a4efc200a114009a6d4ae81f
SHA256: 0cae949742587464ca23865464e66a5cc3ac603d2f22ce20339d9afd0b27d7ed
SHA512: bf5382ff9be93e61818d63deae8c0e9932117b1b3c41f2b29cb70c331c571f1fe97569ffa7011c042853622ce4122694167e59edd00088aabc40eb806ab18104
-
C:\Users\Admin\Desktop\RedoGet.js.187-7CE-4F1
MD5: 2138ef1a3e12e86206b7c91e787ca01a
SHA1: afb442d4e9f6ebe8146636ae545bb376cd53bb83
SHA256: 62e529c0ca4f06ac08d342207d74ee1839f9e9c4899044ab7aa767ec28d57989
SHA512: 19dc05518e71347adbef102f275c10be1a5e732e960743b82ab92d684777423d442814c84d89ccd1d7c3b9bf539c66d379948816314dd3d38216d26639253018
-
C:\Users\Admin\Desktop\SaveMeasure.wax.187-7CE-4F1
MD5: a20291b6507dc91a8b593f56e2e87764
SHA1: ce909fc889702d54c6d40cd93f0c01f18a5e0bb2
SHA256: cc3d11ecf7f003ee7caef708a702c343b66becca2902f19ba4dc822f6a312fa1
SHA512: 95be3156de2bd6c61eb458791c1159f4cb8709afefb354bc039ba9e1c5efb3286e747a146e5bd2375e61b548e2cc92741d97b443f20efeeb7a3fd996c7dd5724
-
C:\Users\Admin\Desktop\SkipPublish.pub.187-7CE-4F1
MD5: 07b090cae3d13166ad3e6e695dfa6e07
SHA1: f1e38da0494619e1d604a08bd0baf8cf68a04d4c
SHA256: 970c5fed103c02c6dc260fdb4f174b67a130af22c6950feb319fd7d35bffc4f1
SHA512: 7beb01fb0510aa4203db8e7afdff49c531be597c8ea5b7b47be608f6477b5cabdf9ab1565a8ab58240f0885ea863b20ac08d4a25278acb8edb5021dabf39e144
-
C:\Users\Admin\Desktop\StepUnlock.ps1xml.187-7CE-4F1
MD5: 1a882481e1570022846faeb81711ec99
SHA1: 98733b3aa8a4993adc2af475926ec0f1b653ebf4
SHA256: bf334cd49a0942abd7a2950f901401f061da6d591cde36365d0e61c67500b5e8
SHA512: e5027e3a22f0ef5f21d5102193bb78ec855bf25b103e1ec44e9ed1031960335e54f67dd28cf50f2c935bf5cfc74e3085272c97b958265372a6b61fc9b83dbe10
-
C:\Users\Admin\Desktop\StopDebug.fon.187-7CE-4F1
MD5: 7c2a4f5bd55f59ee06ae602941bff311
SHA1: b390a1472e33ad2fa133cb06c621cf1425f97231
SHA256: 2a21e7b93ce31a77263ca6604b34ee2ae17982e9accf2eb5edccddd2f595abd8
SHA512: 389baecc2a8a245638158f1de080c301faeacc41e08b03bf091cc40cba305a524a704bd817175dc81b5900a3f14af7a4f867612a206fc323aaa36593ab2018a7
-
C:\Users\Admin\Desktop\UnprotectMove.htm.187-7CE-4F1
MD5: 333517df054c350774e06ea36c8203ac
SHA1: 694486766b0d9bc6044b9b12e0d6080140ac932b
SHA256: 6cb381086d4733ccd32274c39a33bf472393d8a8837230c12432a320d6c211e5
SHA512: d00877bcd7fe84bd15f3b618038d093de40ac6dc62e8185284719b7474afb92485ac331fb75c68b8ae2d8a676b4bde0bd6390b9ea5359126af6666b5b7fe1694
-
C:\Users\Admin\Desktop\WaitRegister.png.187-7CE-4F1
MD5: 5b36a1071095d5805fd1e496e2f8a090
SHA1: a016248f34949e089cd4004cd256716bda4c39ef
SHA256: 5225fb17e85a47c1e07f850e94d5c7c9364fe2904204dddd759fd89c4ea14455
SHA512: 389eb602da06c11d582fe13926aa174353b0feeeb2f994e1adce439e4ec8a2264e64138cf61b81f1dc0b9b025354f1414958e334097b362f2ee063cadd3ebfdd
-
C:\Users\Admin\Desktop\WaitStop.ico.187-7CE-4F1
MD5: bfd93eb6ae683dd9bf4486b13718b137
SHA1: 4752183a56a76a21a2d129d878bab35a40665d16
SHA256: 44cd4dbaaf10551ea7d64e202af888f9a7728e0db6a3085ecaf23f4c28cb8001
SHA512: 2e0a1338aef8a2a4be7b9fc9506799788f45e5f70bfd36cb4ecf4b2dd89ab0315cd7ede61e579d2793c6cbff21850f1d9e4b2dde46ed5759e9c933e13b0df9bc
-
C:\Users\Admin\Desktop\WriteRevoke.AAC.187-7CE-4F1
MD5: 4333ecf9f859851cc4acab979bb9d903
SHA1: 5051fe4c8ee922a2ae981927879526b143d51cac
SHA256: 9f22d7cac3597ce2db90c5dd34a33b7b1b08c2ef2e711d011ca2030cbec11c7e
SHA512: c83aa1151abb547ac9b54bfdbe201d058a6697e0ce795efd184814f4110f298e0cec423f00d64993b355aabd9be6f6f34c874177358aa35b3c79b051f6ce1881
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5: 574f031251f67bcc6ea9168364d2fbfd
SHA1: f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256: 438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512: d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
-
memory/292-19-0x0000000000000000-mapping.dmp
-
memory/296-7-0x0000000000000000-mapping.dmp
-
memory/296-6-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)
-
memory/576-4-0x0000000000000000-mapping.dmp
-
memory/776-29-0x0000000000000000-mapping.dmp
-
memory/840-28-0x0000000000000000-mapping.dmp
-
memory/964-51-0x0000000000000000-mapping.dmp
-
memory/1052-22-0x0000000000000000-mapping.dmp
-
memory/1236-24-0x0000000000000000-mapping.dmp
-
memory/1380-21-0x0000000000000000-mapping.dmp
-
memory/1432-2-0x000007FEF74B0000-0x000007FEF772A000-memory.dmp (Filesize: 2.5MB)
-
memory/1544-26-0x0000000000000000-mapping.dmp
-
memory/1576-17-0x0000000000000000-mapping.dmp
-
memory/1712-23-0x0000000000000000-mapping.dmp
-
memory/1728-18-0x0000000000000000-mapping.dmp
-
memory/2032-20-0x0000000000000000-mapping.dmp
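Added example, not part of the sandbox export: a Python script that parses the flattened dropped-file records above (path with the "MD5" label fused on, then one digest per line with its algorithm label fused to the hex) into structured hashes, and uses them together with the victim-ID extension seen on the Desktop files to hunt for the same artefacts on another host. The two sample records are copied from the listing above; the extension pattern is an assumption generalized from the single ID (.187-7CE-4F1) in this run; the directory scanned by demo() is constructed, with a stand-in payload rather than the real binary.

```python
"""IOC hunt built from the dropped-file listing of this sandbox run.

Added example; not the sandbox's own code. REPORT_SNIPPET is copied from the
listing above, BURAN_EXT is an assumption generalized from one victim ID, and
demo() builds a constructed directory with a stand-in payload.
"""
import hashlib
import os
import re
import tempfile

# Two records copied from the listing above, in the export's flattened layout.
REPORT_SNIPPET = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exeMD5
574f031251f67bcc6ea9168364d2fbfd
SHA1f5d6140140829eaa550d2ef57b3ca8281b3d79bb
SHA256438d83a22ed38bb2241a99b96d644826522b28327f63055840ee7632d8e95cd8
SHA512d7234b117aabb6a50e8619d4bc3a6d283c53d7a7ee396a67f73985d6e09156ab2fc89ec52bddbd949d9236ecde081cc0123719a474b12966a5beaf910de8a15b
-
C:\Users\Admin\Desktop\RedoGet.js.187-7CE-4F1MD5
2138ef1a3e12e86206b7c91e787ca01a
SHA1afb442d4e9f6ebe8146636ae545bb376cd53bb83
SHA25662e529c0ca4f06ac08d342207d74ee1839f9e9c4899044ab7aa767ec28d57989
SHA51219dc05518e71347adbef102f275c10be1a5e732e960743b82ab92d684777423d442814c84d89ccd1d7c3b9bf539c66d379948816314dd3d38216d26639253018
-
"""

# Longest labels first so "SHA256..." is not split as "SHA1" + "256...".
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1)([0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumption: Buran appends ".<hex>-<hex>-<hex>" (3-char segments in this run;
# 2-4 allowed so other victim IDs are caught). Not taken from the report.
BURAN_EXT = re.compile(r"\.[0-9A-F]{2,4}-[0-9A-F]{2,4}-[0-9A-F]{2,4}$")


def parse_report(text):
    """Parse '<path>MD5 / <md5> / SHA1<hex> / ... / -' records into dicts."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                       # record terminator
            if cur is not None:
                entries.append(cur)
            cur = None
        elif cur is None:                     # header: path with "MD5" fused on
            if not line.endswith("MD5"):
                raise ValueError(f"unexpected record start: {line!r}")
            cur = {"path": line[:-len("MD5")]}
        elif "MD5" not in cur:                # the MD5 digest sits on its own line
            cur["MD5"] = line.lower()
        else:
            m = HASH_LINE.match(line)
            if not m:
                raise ValueError(f"unexpected hash line: {line!r}")
            cur[m.group(1)] = m.group(2).lower()
    if cur is not None:
        entries.append(cur)
    for e in entries:                         # reject truncated or mis-split digests
        for algo, n in DIGEST_LEN.items():
            if len(e.get(algo, "")) != n:
                raise ValueError(f"{e['path']}: bad {algo} length")
    return entries


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name, sha256, bad_sha256):
    """Reasons a file is suspicious: known dropped-payload hash, or the extension."""
    reasons = []
    if sha256 in bad_sha256:
        reasons.append("sha256 matches dropped payload")
    if BURAN_EXT.search(name):
        reasons.append("Buran-style victim-ID extension")
    return reasons


def scan_tree(root, bad_sha256):
    """Walk root; return sorted [(path, [reasons])] for every file that hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(name, sha256_file(full), bad_sha256)
            if reasons:
                hits.append((full, reasons))
    return sorted(hits)


def demo():
    """Constructed tree: one renamed victim file, one stand-in payload, one clean file."""
    entries = parse_report(REPORT_SNIPPET)
    payload = b"constructed stand-in, not the real binary"
    # Real hunt: bad = {e["SHA256"] for e in entries}. The stand-in's hash is
    # added here only so the demo produces a hash hit without the real sample.
    bad = {e["SHA256"] for e in entries} | {hashlib.sha256(payload).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("Report.docx.187-7CE-4F1", b"ciphertext"),
                           ("services.exe", payload),
                           ("clean.txt", b"hello")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        hits = scan_tree(root, bad)
    return [(os.path.basename(p), r) for p, r in hits]


if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", "; ".join(reasons))
```

Point scan_tree() at a user profile with the SHA256 set built from parse_report() over the full listing; the hash match finds the persistence copy of the payload even if it has been renamed, while the extension match finds encrypted files that the hash set cannot (each victim's ciphertext is unique). Keep the digest-length check: a mis-split label is the usual way a fused export silently yields a wrong hash.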