Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 23-12-2020 19:31
Static task: static1
Behavioral task: behavioral1
- Sample: 42ea94ee3adca8b82fba15ecdde25f26.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 42ea94ee3adca8b82fba15ecdde25f26.exe
- Resource: win10v20201028
General
- Target: 42ea94ee3adca8b82fba15ecdde25f26.exe
- Size: 214KB
- MD5: 42ea94ee3adca8b82fba15ecdde25f26
- SHA1: ca17412cd44d186db91c4b2fa7df03363533ffd2
- SHA256: 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
- SHA512: cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874
Malware Config
Extracted
- Family: buran
- Ransom note path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
- Contact emails: uspex1@cock.li, uspex2@cock.li
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1008 | services.exe
2176 | services.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
2708 | notepad.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run | 42ea94ee3adca8b82fba15ecdde25f26.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start" | 42ea94ee3adca8b82fba15ecdde25f26.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\N: | services.exe
File opened (read-only) | \??\M: | services.exe
File opened (read-only) | \??\X: | services.exe
File opened (read-only) | \??\R: | services.exe
File opened (read-only) | \??\P: | services.exe
File opened (read-only) | \??\K: | services.exe
File opened (read-only) | \??\H: | services.exe
File opened (read-only) | \??\G: | services.exe
File opened (read-only) | \??\Y: | services.exe
File opened (read-only) | \??\T: | services.exe
File opened (read-only) | \??\L: | services.exe
File opened (read-only) | \??\J: | services.exe
File opened (read-only) | \??\F: | services.exe
File opened (read-only) | \??\A: | services.exe
File opened (read-only) | \??\Z: | services.exe
File opened (read-only) | \??\W: | services.exe
File opened (read-only) | \??\Q: | services.exe
File opened (read-only) | \??\O: | services.exe
File opened (read-only) | \??\I: | services.exe
File opened (read-only) | \??\E: | services.exe
File opened (read-only) | \??\B: | services.exe
File opened (read-only) | \??\V: | services.exe
File opened (read-only) | \??\U: | services.exe
File opened (read-only) | \??\S: | services.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
7 | geoiptool.com
-
Drops file in Program Files directory 24125 IoCs
Processes:
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2432 | vssadmin.exe
2576 | vssadmin.exe
-
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 42ea94ee3adca8b82fba15ecdde25f26.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex-encoded certificate blob, omitted here) | 42ea94ee3adca8b82fba15ecdde25f26.exe
-
Suspicious use of AdjustPrivilegeToken 91 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 756 | 42ea94ee3adca8b82fba15ecdde25f26.exe
Token: SeDebugPrivilege | 756 | 42ea94ee3adca8b82fba15ecdde25f26.exe
Token: SeIncreaseQuotaPrivilege | 1752 | WMIC.exe
Token: SeSecurityPrivilege | 1752 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1752 | WMIC.exe
Token: SeLoadDriverPrivilege | 1752 | WMIC.exe
Token: SeSystemProfilePrivilege | 1752 | WMIC.exe
Token: SeSystemtimePrivilege | 1752 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1752 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1752 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1752 | WMIC.exe
Token: SeBackupPrivilege | 1752 | WMIC.exe
Token: SeRestorePrivilege | 1752 | WMIC.exe
Token: SeShutdownPrivilege | 1752 | WMIC.exe
Token: SeDebugPrivilege | 1752 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1752 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1752 | WMIC.exe
Token: SeUndockPrivilege | 1752 | WMIC.exe
Token: SeManageVolumePrivilege | 1752 | WMIC.exe
Token: 33 | 1752 | WMIC.exe
Token: 34 | 1752 | WMIC.exe
Token: 35 | 1752 | WMIC.exe
Token: 36 | 1752 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 864 | WMIC.exe
Token: SeSecurityPrivilege | 864 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 864 | WMIC.exe
Token: SeLoadDriverPrivilege | 864 | WMIC.exe
Token: SeSystemProfilePrivilege | 864 | WMIC.exe
Token: SeSystemtimePrivilege | 864 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 864 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 864 | WMIC.exe
Token: SeCreatePagefilePrivilege | 864 | WMIC.exe
Token: SeBackupPrivilege | 864 | WMIC.exe
Token: SeRestorePrivilege | 864 | WMIC.exe
Token: SeShutdownPrivilege | 864 | WMIC.exe
Token: SeDebugPrivilege | 864 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 864 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 864 | WMIC.exe
Token: SeUndockPrivilege | 864 | WMIC.exe
Token: SeManageVolumePrivilege | 864 | WMIC.exe
Token: 33 | 864 | WMIC.exe
Token: 34 | 864 | WMIC.exe
Token: 35 | 864 | WMIC.exe
Token: 36 | 864 | WMIC.exe
Token: SeBackupPrivilege | 1412 | vssvc.exe
Token: SeRestorePrivilege | 1412 | vssvc.exe
Token: SeAuditPrivilege | 1412 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 864 | WMIC.exe
Token: SeSecurityPrivilege | 864 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 864 | WMIC.exe
Token: SeLoadDriverPrivilege | 864 | WMIC.exe
Token: SeSystemProfilePrivilege | 864 | WMIC.exe
Token: SeSystemtimePrivilege | 864 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 864 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 864 | WMIC.exe
Token: SeCreatePagefilePrivilege | 864 | WMIC.exe
Token: SeBackupPrivilege | 864 | WMIC.exe
Token: SeRestorePrivilege | 864 | WMIC.exe
Token: SeShutdownPrivilege | 864 | WMIC.exe
Token: SeDebugPrivilege | 864 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 864 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 864 | WMIC.exe
Token: SeUndockPrivilege | 864 | WMIC.exe
Token: SeManageVolumePrivilege | 864 | WMIC.exe
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
description | pid | process | target process
PID 756 wrote to memory of 1008 | 756 | 42ea94ee3adca8b82fba15ecdde25f26.exe | services.exe
PID 756 wrote to memory of 1008 | 756 | 42ea94ee3adca8b82fba15ecdde25f26.exe | services.exe
PID 756 wrote to memory of 1008 | 756 | 42ea94ee3adca8b82fba15ecdde25f26.exe | services.exe
PID 756 wrote to memory of 2708 | 756 | 42ea94ee3adca8b82fba15ecdde25f26.exe | notepad.exe
PID 756 wrote to memory of 2708 | 756 | 42ea94ee3adca8b82fba15ecdde25f26.exe | notepad.exe
PID 756 wrote to memory of 2708 | 756 | 42ea94ee3adca8b82fba15ecdde25f26.exe | notepad.exe
PID 756 wrote to memory of 2708 | 756 | 42ea94ee3adca8b82fba15ecdde25f26.exe | notepad.exe
PID 756 wrote to memory of 2708 | 756 | 42ea94ee3adca8b82fba15ecdde25f26.exe | notepad.exe
PID 756 wrote to memory of 2708 | 756 | 42ea94ee3adca8b82fba15ecdde25f26.exe | notepad.exe
PID 1008 wrote to memory of 3884 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 3884 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 3884 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 904 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 904 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 904 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 2824 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 2824 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 2824 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 3560 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 3560 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 3560 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 2652 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 2652 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 2652 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 2296 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 2296 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 2296 | 1008 | services.exe | cmd.exe
PID 1008 wrote to memory of 2176 | 1008 | services.exe | services.exe
PID 1008 wrote to memory of 2176 | 1008 | services.exe | services.exe
PID 1008 wrote to memory of 2176 | 1008 | services.exe | services.exe
PID 2652 wrote to memory of 2432 | 2652 | cmd.exe | vssadmin.exe
PID 2652 wrote to memory of 2432 | 2652 | cmd.exe | vssadmin.exe
PID 2652 wrote to memory of 2432 | 2652 | cmd.exe | vssadmin.exe
PID 2296 wrote to memory of 864 | 2296 | cmd.exe | WMIC.exe
PID 2296 wrote to memory of 864 | 2296 | cmd.exe | WMIC.exe
PID 2296 wrote to memory of 864 | 2296 | cmd.exe | WMIC.exe
PID 3884 wrote to memory of 1752 | 3884 | cmd.exe | WMIC.exe
PID 3884 wrote to memory of 1752 | 3884 | cmd.exe | WMIC.exe
PID 3884 wrote to memory of 1752 | 3884 | cmd.exe | WMIC.exe
PID 2296 wrote to memory of 2576 | 2296 | cmd.exe | vssadmin.exe
PID 2296 wrote to memory of 2576 | 2296 | cmd.exe | vssadmin.exe
PID 2296 wrote to memory of 2576 | 2296 | cmd.exe | vssadmin.exe
PID 1008 wrote to memory of 2096 | 1008 | services.exe | notepad.exe
PID 1008 wrote to memory of 2096 | 1008 | services.exe | notepad.exe
PID 1008 wrote to memory of 2096 | 1008 | services.exe | notepad.exe
PID 1008 wrote to memory of 2096 | 1008 | services.exe | notepad.exe
PID 1008 wrote to memory of 2096 | 1008 | services.exe | notepad.exe
PID 1008 wrote to memory of 2096 | 1008 | services.exe | notepad.exe
Processes (process tree; indentation shows parent/child nesting)
- C:\Users\Admin\AppData\Local\Temp\42ea94ee3adca8b82fba15ecdde25f26.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\42ea94ee3adca8b82fba15ecdde25f26.exe"
  signatures: Adds Run key to start application; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
    signatures: Executes dropped EXE; Enumerates connected drives; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        signatures: Interacts with shadow copies
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
      signatures: Executes dropped EXE; Drops file in Program Files directory
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - C:\Windows\SysWOW64\notepad.exe
      command line: notepad.exe
  - C:\Windows\SysWOW64\notepad.exe
    command line: notepad.exe
    signatures: Deletes itself
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
4e19bf0c03ce3953fdb5be54e6a22f35
SHA1385b3bebf4d6df49a2d99ee9486921bb6bebfed8
SHA256f4f869d5f04bba7bfed5ce6a0f32037621f46ef35afcb8cf6a9bb2a9c181edfe
SHA51223bb6feb476ec5ef55fe7b1544fc9cf2bda0c14798070897f90a0a6df062dbe57109de99caac0e32c0586b41de51b11170484abfd0e297372cd392858e3426a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
75b88d0202e859a52bf202eafebbe0c4
SHA124a1603ccba645ded249983df14897803b538fb6
SHA256835effde837d6182dd65867cb76119b6418ffa6868ab235dbbdc028ddb32ca20
SHA512a37db7e053e819850b013862ce105e74a078081dd99bfe672406c9c3cba68f8e2e8cf7edea98402785e1751ddc0b21f5842b7be2873e8664bfd416cb20bee1f9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
71938f18af4460ae7dfc95eaa7f86c41
SHA13c728520871d891f4ed95ae676fb4ef7d2202f45
SHA256577745264b01a9e92767ed05946bf7825077e8303874f32893c09443c66cde65
SHA512679f66ace333ec45c4541a226e482059f3fed3dcbd6b005c77fc8458f2c241294a95d6e3a6972e84978ce291eacec23c22f5e5295b5155b874cf5fcb53c8474c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBMD5
53780ec372a09f41690886bee3e299e8
SHA1beab2ce9261ced619ca95f2997ee8c32d3e76786
SHA256bdbae6d52c9f9c5ee83265dd275dde57478364cb774aba29a0412b4a0cb42a81
SHA5126368dd5ea82ad4a5b72006e90c04d9d931be972645b0cfa6c0b344eed7371c02b16882c4c28584ce8568b69f2df200583ea4adb15ddbb13462e15d57dee1b030
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEEMD5
3e9a6904aefefdc22e4f255b9053ff52
SHA15cbb891a4aafac900a2c4cb21526a9b3f02984fb
SHA25647a93c94f7411dbbd030fc635e2ce868abeee5ff9dec2a4f9afad2625edda10a
SHA512ca0ee7a4503c670db4c2274f4f13e5400933e29343cd03bb342c948c7e1a579dd478bf9619571f055ad52a1fe86d814a82cfae283e61b0608577c9679395013f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
8682526341b69644059a36ff12bc35b3
SHA138954a4a9948aaa1182d2c57be4752da1cc50857
SHA25686c20afe5292c64a1cec0e2aa7112f1097d30f69ddc6058d764162f588ea1867
SHA512a222586f955e78d18269fce54c3e67b6d7fdfdc42c8b5a9e863a1713cca4fc5c39a03a56c64b8763c7becf50365abe7bb5ab7840f954124edf91b8f4ab41ed00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JGAO043J\YZY6ZLF9.htmMD5
6b17a59cec1a7783febae9aa55c56556
SHA101d4581e2b3a6348679147a915a0b22b2a66643a
SHA25666987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb
SHA5123337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\BYZRZL1K.htmMD5
b1cd7c031debba3a5c77b39b6791c1a7
SHA1e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA25657ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72
-
C:\Users\Admin\AppData\Local\Temp\~temp001.batMD5
ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exeMD5
42ea94ee3adca8b82fba15ecdde25f26
SHA1ca17412cd44d186db91c4b2fa7df03363533ffd2
SHA256332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
SHA512cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exeMD5
42ea94ee3adca8b82fba15ecdde25f26
SHA1ca17412cd44d186db91c4b2fa7df03363533ffd2
SHA256332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
SHA512cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exeMD5
42ea94ee3adca8b82fba15ecdde25f26
SHA1ca17412cd44d186db91c4b2fa7df03363533ffd2
SHA256332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
SHA512cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874
-
C:\Users\Admin\Desktop\BlockLock.DVR-MS.6F2-647-C8CMD5
876a1e9eb1888cc462f603cb7afc1d53
SHA1906f7e5f12f54632542e3f7d4a2c9e96ff230b39
SHA256bdd8e10948581e97fe6a250048e728c0dfa663e800fc57e2b25eb1baf31056cd
SHA512960f5beeb175061fc7586e5d388da190440039e49936154e2acb4047ccf1bbe499d6e006576d50f4b20fc48a860714f7d26257c52f36dec99e832dca5ee1bfcf
-
C:\Users\Admin\Desktop\ConnectRemove.temp.6F2-647-C8CMD5
3946cd006aef8ca72949a855528a5c8a
SHA1ee64f85ad03d5ce84f7c465b078047eb73ad762a
SHA256aadc4a4717fdb2e86e52d648025c065cb44d19ff3d084aab30a80a4e055f3f6c
SHA512807a70949bb25bb869006c57c81a20d075f72e2852fdc99e169201ddf2e52fec3fd8eb3c68c2721e5188186d53f6df8e421dee3a272c81510a86ebf70655946e
-
C:\Users\Admin\Desktop\CopyComplete.jpeg.6F2-647-C8CMD5
2919013159bf54e3f654c0222c366379
SHA16bf2167c2603604ef6b16570cf3657ad0e9a976b
SHA2566fbc4e3b54d2ba17e219f32d3c4ef7c38d9520b51f4940e6317057dbf3f43bb7
SHA51202f5496fb62e81c76315cd5f8d6d7cb28a4a1eac3903cc8e8db3e0649d3462d4593da23e4511438db507a1bf79865d72079419fd681931a9c95c6e5f1e1080d8
-
C:\Users\Admin\Desktop\CopyOpen.emz.6F2-647-C8CMD5
ee471454cd34ec33c6211ec1e69bebea
SHA147ee368bf82f313b5412701aeab00c63d4684e2f
SHA256866c1ef0d3a9933c2903327e09f2dd8ec7fb1a926ed935daccec90325a30d6d1
SHA51264d53fdecad2e876d504f650f4f5784a9c56962aee34adaa10035fa9080d0d46ef0d17bdb53e795f4b4d79653706f549f15f905d2cf26482add6adb2671502ff
-
C:\Users\Admin\Desktop\DisableProtect.vsd.6F2-647-C8CMD5
43e87a5d104300c4a5349081cd0238d6
SHA1ea2fe5796a7dabb12367bfc0d9c7cd0554588678
SHA2565c516c898adf1bed2bd25ca0ee5d91775856ddc8e36c9b1360dd3dfe4bfff70d
SHA51244f6eae23c6f813d1a0b42253a982c41a2108ebad80d4e086405686c92af1ef824b278410bb26adc9129fa11d8178abe62c217abfe6a19541cb8ad6cdeab06c4
-
C:\Users\Admin\Desktop\EnableResolve.raw.6F2-647-C8CMD5
1c3446dd2d534c0747bea49161cdfbfa
SHA19ec3d563925d546fd1a19ce6a1c524c5ae53b520
SHA2568e039db9486e707718383107212248314691858becd431bba717e5b0afc5d38b
SHA512af587ba908cb4bab245c65dd1e2de8972faf3c258c4a723c436abc29195680a17631e7038bdcb3c2a9694c7f3ca132e6c12a02842cd8aec969ae4ae3a7eea8db
-
C:\Users\Admin\Desktop\EnableSkip.sql.6F2-647-C8
MD5
3f3a58d4b00062970ae1c6044098870e
SHA1
7c344cae1e606446df0669295d5c3f246de7ac65
SHA256
ca0fa16425b7523f498298c4cdf56275888846862582c5613156718bca83c139
SHA512
a3d8b74431c767e247d3b6e756e6329838ca8342c37ca101c347b33b5c2561f150ec5c267ab9240b012f311e15dce1899cb087f105b14baefcf2d3617f78a3eb
-
C:\Users\Admin\Desktop\ImportCompare.pps.6F2-647-C8
MD5
1cd78d9f6f4a76953f0992f909573f59
SHA1
a84bd846640c65703800b651e49ea81e729538e3
SHA256
0003456031704be220f4914c81836f9d2d7e27510a3e52363a499a5f6c890974
SHA512
3bd583ec7cee977feffebf54db43bd0380d57ff6c2d8dc80d2debd7f451453db3cb207e334ec2b8c3c2b167b909bb74f0388ff2bb6cc9bf4e0dc4f78445dde8f
-
C:\Users\Admin\Desktop\InvokeClear.docx.6F2-647-C8
MD5
a1eba8c32d87aa35db28e8aabb2eebd1
SHA1
9abc01084b85a5f3e451d3aadb46e37b6451e6e5
SHA256
1dec577c629cb7fda609af503da8149f230274cbfdfbdf5d720e413c45d97508
SHA512
3caffba77c6a37a295d00c548c9e0874e5e5322d394835ae099d5dbd3e19052e5e4379887a042b5b0cc64863f4c7f8977c7d6e6f3dc822ee4df362de313e32f0
-
C:\Users\Admin\Desktop\OpenPush.jpg.6F2-647-C8
MD5
cc45cdf72f65f9bbb6d93cb61aeff6d7
SHA1
e96ffd841118412933ef4f01571f4a213d08d057
SHA256
2c1e63dfe743a47caa37afd369d92d513bdfdf7a0a07d694d4b9da03fdc4be58
SHA512
44af518fc81827d96dc94d5ed3a5148b2a42ccdf162486d8bfcff8b4bb96b751c1becb7eb66f23b4b8410f2d71f4f7738f403acb71d778d78b8a06c629be31a3
-
C:\Users\Admin\Desktop\PublishHide.MOD.6F2-647-C8
MD5
3d9200a35aee1d16df942fe2c49da39d
SHA1
61d2c2f92b75cda24432f5f1be0575b866818908
SHA256
961361be74b5546862dae88e4318d55bac5643a10c8148b836fc56aa6fb03e38
SHA512
08018fa8b7787c145f34386d771efda0e7111e3683f439975abac6771eb508c17e9dd2cd9a21b437746b80fb32015236f4272094389a6d99be84c7b6ec994253
-
C:\Users\Admin\Desktop\PushUnlock.mpg.6F2-647-C8
MD5
e9e53809fd3e17e1055b36e8260c9ecf
SHA1
c3fe1d32f3e8554cd79d36dcdd6e5cfa892b92e0
SHA256
6959ad2b481b7895594da0e1e27c372a0f3d08ab121f3ceb1dacbaef7e94cce9
SHA512
1cfe2b75b9ac427a56c1a2ebdb9553655034c119c331942d80244884a1a4ba1a06d32f1147eef831d8b649900a556f7cc9bc62560bda9daf008708d192c6b6f9
-
C:\Users\Admin\Desktop\ReceiveImport.mov.6F2-647-C8
MD5
f66f5e297597846fc97b550968eef96a
SHA1
4265e468e0c1e5b7179210e3e619536b986adcbb
SHA256
656c7df886c90ce130c819d405675ea75f632c2bb3ccf3fc3b24fda435b6e03f
SHA512
ae7637ce3c7dc5361863932d64c7ba2c789b30a195b72d1c241d130161423d1af8578e1ada4279b02ad6b01d7c3adfac51777d1091fc90efdeee82b426cbd648
-
C:\Users\Admin\Desktop\RegisterUnregister.mpeg3.6F2-647-C8
MD5
9a9e65f246cd6f84678391e72fa9d189
SHA1
255470308771bfc1f3034b5fb316428a3c0a23ef
SHA256
f65567a9de69f2322ffb0e992d23ae43ba9ee1ed0a6d7a3880ca533074b4747a
SHA512
63d3dd4fbeec5b8478756553482084b527f8557e04a091b91ca0da1512a7692e36dc088ab2ea0b71925e62d186727f26d34b9859d6a200b7c1a20c6961374bd0
-
C:\Users\Admin\Desktop\RegisterWatch.M2V.6F2-647-C8
MD5
76f2aa1a9f72281cf1b7b9727ef589df
SHA1
157bec22ed47652c37b77c530b3c406fd247e138
SHA256
221d3be95ef28f2b13a9b3b3a4316ab7c139003315e96f6b139e2dd036075b79
SHA512
3cefdaacc703cc165a98caa40fc0ab20efd87e507121fabe77397b6289926b5d2f7c10f901802b5ab09f4a3bc534290758c513fe1ed34952c94377cfb761def0
-
C:\Users\Admin\Desktop\RenameRestore.eprtx.6F2-647-C8
MD5
f2b9d2d944534990e0c28275742e5b77
SHA1
b3bcd158503ee50e4d4b9f4240a77c7fa2addb6c
SHA256
3dc3e038794f890c1c3fa75b5d54c2f02362445b4477287c7be2cfac0aa1fab4
SHA512
779148c64788f5fb0137e45edaf7f393612e27eecbce39a98f4172a8faa4c70473a86a18dd45b33448bb64ed166c7eb1e535377625da7df74cdf59c465907a49
-
C:\Users\Admin\Desktop\RenameSwitch.docx.6F2-647-C8
MD5
d449bfd5072a77d8c7df4e81e28d0e00
SHA1
908bb7270c48f3c13290d89d0dae45db2b6610a1
SHA256
b5f4b13bc9ab242bf918500bce8dbcae703d0396a956a6a74fc615f26c5fadfc
SHA512
144d613a11dc18c2ef4a0baf33d524571be7cd93265dbe4b5c746ab79e7bd2a99f402aa9a1383cf8da845f91a64ffcb20b764d589dc8f949255a4a43a0cbe325
-
C:\Users\Admin\Desktop\RepairTest.wmf.6F2-647-C8
MD5
1c273addeca05cab9ecb1c783e025bde
SHA1
85c7e4246deb0c7f1ab47116d52aa6ed3d6c3307
SHA256
bb3b5a150ec52b4a19b6cd9e8dee954fd8d2b01591dc96a7577477fe27bcd006
SHA512
a3a338937fe06f517d7f1d0e17dfc861b04401f5accfeb7d8968dd07fecb89020393d3da2adf4b6c76323a2c9af7b379fee0a6cef24e0edf83e5225cd1bbd33f
-
C:\Users\Admin\Desktop\ResetPublish.TS.6F2-647-C8
MD5
84255a9f8cdc9d21a747da8416587bb3
SHA1
0717c08d49257eb6d67a9bb53b9d7e2985417fc6
SHA256
d6d9b5ba2b903e763d16762cbc7dadc859c9ebcb318459ebdd54b23113a6489d
SHA512
fc74fa889933c4765f1a38263bcb91989bb7e1b3e38d8c63fbf54af109322a50211541b438876b79d4d69a03ab70ac9f91223c48043751878fe2a329b4025479
-
C:\Users\Admin\Desktop\ResolveUnregister.contact.6F2-647-C8
MD5
3a7199c6bf45339bd963d8cd1a5d87ca
SHA1
c182cf5b3a317e02112dcc9f3e9c10d60ffaff3f
SHA256
19d424852a4dd5fee57080fe0c8cfda4ca435f47919f2557784890df7f3c5de7
SHA512
be5c2185c9b8e79e0b0397cb2c2989fcea4b92bd9b5bf0d1b6f4f722d6c0e1e4aec104ed753b0d02efd8fe76be3dcc558fc284a140115002857b65004968d369
-
C:\Users\Admin\Desktop\RestoreApprove.png.6F2-647-C8
MD5
787c26405e44120b3a9236637269f95c
SHA1
94f23cd7b925e07b3be2f054a176784cd895bf5c
SHA256
147b8e29b5da04fa57d0f04a41ad91ef2c9343c092bc576ae34bfe18a126ada5
SHA512
33f55a5532cff787dec27a7ae83ae751edd343464a6574fe4067bd7801dc484476ae7ce5960fc66544a54afb3c3d1da47b23d650d2a408ff93b43991524dbdc2
-
C:\Users\Admin\Desktop\RestoreRevoke.vdx.6F2-647-C8
MD5
d9ff133405319ce50b3c7281cd8297d1
SHA1
4aaf2bfea28614972a77e6765493622043963f8f
SHA256
8f906b1e6f7681f8d5ea1472b6f76cb33b6bbff1c0b889c86e521ee1a6951324
SHA512
7cfb1ef165be9945db725bbde3440c65acfdf00ce68e14e94e56b9eeb8a99b9a9b5026b993444d289640e2badcc487307ad29b139bf8b3e4c8c912c4bcd4c8c2
-
C:\Users\Admin\Desktop\RevokeTest.bmp.6F2-647-C8
MD5
8f1cb58d12d25a2b74dd2eb173b2823a
SHA1
80864ab43d67c908d10f08f890cd3c1211b2a4f9
SHA256
096f3e602fcf1ce068b32ccc47d184edde1ec36e7fc9427d85b234ca64b6c38f
SHA512
81876b02c3c8b34fe3ee8c8f15f2392ee0a373f6e192c54b39bc3dd2dfb8be4a27cbcdd41d21d9b8142883c123de136c5c254660deb9d6a448db11e298cf716c
-
C:\Users\Admin\Desktop\SetBackup.au.6F2-647-C8
MD5
651ed69981f52929e57ea8fbdc3eac0b
SHA1
1c4d031cd6ceaae4ed45e8e800272a6d9d8ef19a
SHA256
b4d6af271c7361e07fe4701c7b8c2fd75e4be93d88df62b1ceeb9ddb1b97751b
SHA512
38e92c6b8e14d6827d2dd12cc1a92de88904a40405c278bfdab903dd211a913c7954014cba93dd521faf5955c2adfe1238d091d9f730a5799db28837dca5bd41
-
memory/864-25-0x0000000000000000-mapping.dmp
-
memory/904-16-0x0000000000000000-mapping.dmp
-
memory/1008-2-0x0000000000000000-mapping.dmp
-
memory/1752-26-0x0000000000000000-mapping.dmp
-
memory/2096-52-0x00000000027F0000-0x00000000027F1000-memory.dmp
Filesize
4KB
-
memory/2096-53-0x0000000000000000-mapping.dmp
-
memory/2176-21-0x0000000000000000-mapping.dmp
-
memory/2296-20-0x0000000000000000-mapping.dmp
-
memory/2432-23-0x0000000000000000-mapping.dmp
-
memory/2576-27-0x0000000000000000-mapping.dmp
-
memory/2652-19-0x0000000000000000-mapping.dmp
-
memory/2708-4-0x00000000025D0000-0x00000000025D1000-memory.dmp
Filesize
4KB
-
memory/2708-6-0x0000000000000000-mapping.dmp
-
memory/2824-17-0x0000000000000000-mapping.dmp
-
memory/3560-18-0x0000000000000000-mapping.dmp
-
memory/3884-15-0x0000000000000000-mapping.dmp