Analysis
Max time kernel: 137s
Max time network: 129s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 19-02-2021 04:00
Tasks
Static task: static1
Behavioral task: behavioral1, sample 70ca11d0dfb726a0c141e05253a1b42d.exe, resource win7v20201028
Behavioral task: behavioral2, sample 70ca11d0dfb726a0c141e05253a1b42d.exe, resource win10v20201028
General
Target: 70ca11d0dfb726a0c141e05253a1b42d.exe
Size: 581KB
MD5: 70ca11d0dfb726a0c141e05253a1b42d
SHA1: 3b8ff05941e2acebf7fc071c70b18ea9da83326b
SHA256: 0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6
SHA512: dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478
Malware Config
Extracted
Path: C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family: buran
Emails: kassmaster@tutanota.com, kassmaster@danwin1210.me
Signatures
Buran
Ransomware-as-a-service based on the VegaLocker family, first identified in 2019.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE (2 IoCs)
Processes: svchost.exe (pid 944), svchost.exe (pid 1604)
YARA rule matches (5 IoCs)
Rule upx matched \Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe (2 matches) and C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe (3 matches). The dropped copy has the same hashes as the submitted sample (see Downloads), so the sample itself is UPX-packed; strings and imports taken from it statically are only meaningful after unpacking.
Deletes itself (1 IoC)
Processes: notepad.exe (pid 916)
Note: the deletion is attributed to a notepad.exe child of the dropper, not to the dropper itself; the dropper wrote into that process seven times (see Suspicious use of WriteProcessMemory), more than the four writes its other children received, which is consistent with the self-delete routine being injected into notepad.exe. pid 916 is reused later in the run by a vssadmin.exe instance.
Loads dropped DLL (2 IoCs)
Processes: 70ca11d0dfb726a0c141e05253a1b42d.exe (pid 292), two events
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 70ca11d0dfb726a0c141e05253a1b42d.exe
Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"
Note: this is the per-user Run key (HKCU of the sandbox's Admin account), so no elevation is needed. Both the value name and the file name copy svchost.exe while the image lives under %APPDATA%\Microsoft\Windows; a rule that trusts the name svchost.exe without checking that the image path is under System32 or SysWOW64 will miss it.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: svchost.exe. File opened (read-only) on every drive letter except C: and D:: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow 5: geoiptool.com
Drops file in Program Files directory (64 IoCs)
Process: svchost.exe. Paths appear both in their original form and with the .15D-3C3-588 suffix appended, which is the extension this sample adds to the files it encrypts (the Desktop files listed under Downloads carry the same suffix); the ransom note is created in each directory it touches.
File opened for modification:
C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe.15D-3C3-588
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp
C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c.15D-3C3-588
C:\Program Files\Java\jre7\lib\zi\America\Tijuana
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar
C:\Program Files\Java\jre7\lib\zi\CET.15D-3C3-588
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt
C:\Program Files\7-Zip\Lang\az.txt
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00289_.WMF
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199475.WMF.15D-3C3-588
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105520.WMF.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME32.CSS.15D-3C3-588
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar.15D-3C3-588
C:\Program Files\Java\jre7\lib\deploy\messages_de.properties
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099174.WMF.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.15D-3C3-588
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.SYD.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09662_.WMF.15D-3C3-588
C:\Program Files\7-Zip\Lang\eo.txt.15D-3C3-588
C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107744.WMF
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageStyle.css
C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek
C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107146.WMF
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.15D-3C3-588
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.15D-3C3-588
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14757_.GIF.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGZIP.DPV
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00157_.GIF.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLAPPTR.FAE
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00202_.WMF
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html
C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Dialog.accdt
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099180.WMF.15D-3C3-588
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107254.WMF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14756_.GIF
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\SPACER.GIF
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ContactSelector.ico
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai.15D-3C3-588
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF
File created:
C:\Program Files\VideoLAN\VLC\lua\playlist\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
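A scanner for the on-disk pattern shown in this section (encrypted files carrying a three-group hex suffix such as .15D-3C3-588, ransom notes named "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"), written as an added example that is not part of the sandbox report. build_sample_tree() creates a throw-away directory with a constructed fixture whose names are taken from the list above; scan_tree() is the generic part and runs on any root. The suffix regex and the requirement that the ID contain a hex letter are this example's heuristics, not something the report states about Buran's ID format.

```python
"""Inventory Buran-style encrypted files and ransom notes in a directory tree.

Added example, not part of the sandbox report. build_sample_tree() writes a
small constructed fixture (names copied from the report's Program Files list,
with and without the .15D-3C3-588 suffix, plus one ransom note) into a temp
directory; scan_tree() is generic and works on any root.
"""
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
# The sample appended a victim ID of three hex groups (.15D-3C3-588); this
# pattern is an assumption about the general shape, not taken from the report.
VICTIM_ID_SUFFIX = re.compile(r"\.([0-9A-F]{1,4}-[0-9A-F]{1,4}-[0-9A-F]{1,4})$")


def split_encrypted_name(filename):
    """Return (original_name, victim_id) if the name carries the suffix, else None."""
    m = VICTIM_ID_SUFFIX.search(filename)
    if not m or not re.search(r"[A-F]", m.group(1)):
        # Without a hex letter the suffix is indistinguishable from a date such
        # as backup.2021-02-19; accept a rare miss rather than flag dated files.
        return None
    return filename[: m.start()], m.group(1)


def scan_tree(root):
    """Walk `root` and report encrypted files, their victim IDs and ransom notes."""
    victim_ids = Counter()
    encrypted = []   # (full path, original file name before the suffix)
    notes = []
    untouched = 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(full)
                continue
            split = split_encrypted_name(name)
            if split:
                original, vid = split
                victim_ids[vid] += 1
                encrypted.append((full, original))
            else:
                untouched += 1
    return {"victim_ids": dict(victim_ids), "encrypted": encrypted,
            "notes": notes, "untouched": untouched}


# Constructed fixture: relative paths derived from the report's Program Files list.
SAMPLE_FILES = [
    "Java/jdk1.7.0_80/bin/extcheck.exe.15D-3C3-588",
    "Java/jre7/lib/zi/CET.15D-3C3-588",
    "7-Zip/Lang/eo.txt.15D-3C3-588",
    "Microsoft Office/CLIPART/PUB60COR/J0199475.WMF.15D-3C3-588",
    "7-Zip/Lang/az.txt",
    "Java/jre7/lib/zi/America/Tijuana",
    "VideoLAN/VLC/lua/playlist/" + NOTE_NAME,
]


def build_sample_tree():
    """Create the fixture in a fresh temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="buran-triage-")
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder\n")  # contents are irrelevant to the name-based scan
    return root


def triage_sample_tree():
    """Build the fixture, scan it and return the report (plus the root used)."""
    root = build_sample_tree()
    report = scan_tree(root)
    report["root"] = root
    return report


if __name__ == "__main__":
    rep = triage_sample_tree()
    print("victim IDs:", rep["victim_ids"])
    print("encrypted :", len(rep["encrypted"]), "notes:", len(rep["notes"]),
          "untouched:", rep["untouched"])
```

On a real host the victim-ID count is the useful output: one ID across the whole tree means a single run, and the original names recovered from the suffix tell you what was hit without opening any file.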
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (pid 1104), vssadmin.exe (pid 916)
Modifies system certificate store
Processes: 70ca11d0dfb726a0c141e05253a1b42d.exe, svchost.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (70ca11d0dfb726a0c141e05253a1b42d.exe)
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob, not reproduced on this page) (70ca11d0dfb726a0c141e05253a1b42d.exe, twice)
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (svchost.exe)
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary blob, not reproduced on this page) (svchost.exe)
Note: writes under AuthRoot\Certificates are what CryptoAPI's automatic root update produces when a process makes an outbound TLS connection and a needed root is fetched and cached (the CryptnetUrlCache files under Downloads are the matching on-disk artifact). Taken together with the geoiptool.com lookup, this is consistent with a side-effect of that request rather than deliberate tampering with the trust store, though the sandbox flags it the same way.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: svchost.exe (pid 944), 64 identical entries (the listing cap for one signature)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
70ca11d0dfb726a0c141e05253a1b42d.exe (pid 292): SeDebugPrivilege (twice)
WMIC.exe (pid 816), the same set recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
vssvc.exe (pid 2008): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
WMIC.exe (pid 1600): the same set as pid 816, cut off after 34 by the 64-entry cap
Note: 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names; they correspond to SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. wmic.exe enabling its entire privilege set is how that binary behaves on every run and is not specific to this sample; the entries worth weighing are SeDebugPrivilege in the dropper and the fact that WMIC and vssvc ran at all, which is driven by the shadow-copy deletion commands in the process tree.
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: NOTEPAD.EXE (pid 2016)
Suspicious use of WriteProcessMemory (62 IoCs)
Parent (pid) -> target (pid): number of writes
70ca11d0dfb726a0c141e05253a1b42d.exe (292) -> svchost.exe (944): 4
70ca11d0dfb726a0c141e05253a1b42d.exe (292) -> notepad.exe (916): 7
svchost.exe (944) -> cmd.exe (1316): 4
svchost.exe (944) -> cmd.exe (396): 4
svchost.exe (944) -> cmd.exe (1156): 4
svchost.exe (944) -> cmd.exe (304): 4
svchost.exe (944) -> cmd.exe (1332): 4
cmd.exe (1316) -> WMIC.exe (816): 4
svchost.exe (944) -> cmd.exe (2040): 4
cmd.exe (1332) -> vssadmin.exe (1104): 4
svchost.exe (944) -> svchost.exe (1604): 4
cmd.exe (2040) -> WMIC.exe (1600): 4
cmd.exe (2040) -> vssadmin.exe (916): 4
svchost.exe (944) -> notepad.exe (1356): 7
Note: every parent/child pair in this run shows exactly four writes, the writes CreateProcess itself makes into a freshly created child (process parameters and the like), so this signature on its own is not evidence of injection. The two notepad.exe children are the exception at seven writes each; those are the ones to examine. pid 916 is reused within the run: first as the dropper's notepad.exe child, later as a vssadmin.exe child of cmd.exe 2040.
Processes
Indentation and the bracketed number give the parent/child depth. Children launched as "C:\Windows\system32\cmd.exe" are recorded with a C:\Windows\SysWOW64 image because the sample is a 32-bit process and file-system redirection applies on the 64-bit VM.

[1] C:\Users\Admin\AppData\Local\Temp\70ca11d0dfb726a0c141e05253a1b42d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\70ca11d0dfb726a0c141e05253a1b42d.exe"
    signatures: Loads dropped DLL; Adds Run key to start application; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
        signatures: Executes dropped EXE; Enumerates connected drives; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
            signatures: Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                command line: wmic shadowcopy delete
                signatures: Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
            signatures: Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\vssadmin.exe
                command line: vssadmin delete shadows /all /quiet
                signatures: Interacts with shadow copies
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
            signatures: Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\Wbem\WMIC.exe
                command line: wmic shadowcopy delete
                signatures: Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\vssadmin.exe
                command line: vssadmin delete shadows /all /quiet
                signatures: Interacts with shadow copies
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
            signatures: Executes dropped EXE; Drops file in Program Files directory
        [3] C:\Windows\SysWOW64\notepad.exe
            command line: notepad.exe
    [2] C:\Windows\SysWOW64\notepad.exe
        command line: notepad.exe
        signatures: Deletes itself
[1] C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    signatures: Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\explorer.exe
    command line: "C:\Windows\explorer.exe"
[1] C:\Windows\system32\AUDIODG.EXE
    command line: C:\Windows\system32\AUDIODG.EXE 0x4e8
[1] C:\Windows\system32\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
    signatures: Suspicious use of FindShellTrayWindow

Reading the tree: the dropper copies itself to %APPDATA%\Microsoft\Windows\svchost.exe and starts it with -start; that instance first removes the recovery paths (wmic shadowcopy delete, both bcdedit changes, wbadmin delete catalog, vssadmin delete shadows, then the same wmic and vssadmin pair once more from ~temp001.bat) and only then launches the -agent 0 instance, which is the one that writes the encrypted files and notes under Program Files. The dropper's own file is removed through its notepad.exe child. vssvc.exe at the top level is the Volume Shadow Copy service responding to the deletions, and the explorer.exe, AUDIODG.EXE and NOTEPAD.EXE entries are the sandbox's desktop session, the last of them opening the ransom note from C:\.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The CryptnetUrlCache and Content.IE5 entries are CryptoAPI and WinInet cache files written as a side-effect of the outbound web request (the geoiptool.com lookup above), not components dropped by the sample; ~temp001.bat is the batch file whose commands appear in the process tree, and the Desktop entries are encrypted originals carrying the .15D-3C3-588 suffix.

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
MD5: 74666ddc6d7b727d60b336687b0c3899
SHA1: c233af825d0d1b6124fcb08b5b505c5836d40ad3
SHA256: 8ced6c8567a83e4c4ceb1585dc062de079e484cc81cdabd9996a1c49e2899d9a
SHA512: 3204ccb089a2e15039b3363b93764cf8d80a233f3977a41e22c5857279fd42dbd2c8c71abbca1a285f93a0882f5a8cb4dbc2b20c5c16c421ffb18a1eb624ba02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5: de45a65ca84a9d847a105fcf5db17d4d
SHA1: 7e9bf35371fa3ceb195e2b2ab9a55be036464e1f
SHA256: 35f6afd87526003ea4433d30b8561609d3af244d4602acc30e8b491a30b51694
SHA512: f60e252ffabb64a1b5413e02cd46c10df3cfacadd4051ac50674f79c834cd5607bf49660d57665b18fd86e6b493411afe17668b2cbd131bfeeae954dd2da52d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5: 25702f32850469ed11d3cd68086b8e48
SHA1: 170ace58972fae2bbc1f254631c95c1ccf7388ff
SHA256: 42bf99c6490ec13de964fd7e4eaafc5df9f95a87b92f65e2cac8e18a79954411
SHA512: 2d121b1442dd4b449c5bafb9bd295a0f15f02aba9030e4571e258420779431cd6dbec11c867284f8ae84f69a1c7b032110e9fab89ab75456f77b6d7aed74706b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5: e92176b0889cc1bb97114beb2f3c1728
SHA1: ad1459d390ec23ab1c3da73ff2fbec7fa3a7f443
SHA256: 58a4f38ba43f115ba3f465c311eaaf67f43d92e580f7f153de3ab605fc9900f3
SHA512: cd2267ba2f08d2f87538f5b4f8d3032638542ac3476863a35f0df491eb3a84458ce36c06e8c1bd84219f5297b6f386748e817945a406082fa8e77244ec229d8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5: 1217ab0d20378cd200fbe07bedb5ee7b
SHA1: b10c62032206809cc18abab57a26bd1916005ce0
SHA256: d772cb57e040249255d60d6265daabaf009303399dde95f7e37093a4d0e7b613
SHA512: 732d0f36070083b88f340ee9831672cdaaad55a2052b2833096264c81441da5b1c5e8b327ab2549d19fd50517aad95b0a98a6af5f2aeb218e1a97970bb2188bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5: e04fb93b0662ef69865ca2fa74a7cfd8
SHA1: 8aa28e6a547adbe7eccf512944bff2095dc9422b
SHA256: 0dd91ef88c43c1aa5944f7e6b7c62bd66e076d1d9ec60e1348157478b58cb2c8
SHA512: aff7ee43a27557e65b3a5575c2f055d58a92bc7d308c613b753e4ae50ed583acfcddef04a549445948c3125b69f9da53feb1ff7be1885f014e9c6b6fe3b13771

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5: b7874b90a005aee3226079f6e1c6d61e
SHA1: 8bba02ea2e7b13cd902b045f39755fce3e0d8ed0
SHA256: 7d3f5b5412726f9cd284cf78e8f12d2f6a56824debc9477702ff537914bd5a9b
SHA512: e05b9c347a61f35256362b37d0471fc22aa56468bdea8bfd5ef4b10e88b198939d2a2cc76554a5753f5fa68187e4052ef475c1c49e7f245ecc9b29c810eca7e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: dd8f04702048b027b70b5815732430fe
SHA1: ffd17f23db179f34561cd52a697e972b3662fef8
SHA256: 2b7b0ed3e507790d4125fc85d9dea9df7afca17d2943a45087514c8efbcd1c63
SHA512: c67e1b9d051a5184012400f8663d1afb47eb4e0de634f065d387d2563060622fcd175a146fcef0b83d859baeb619b56083e5c04926f3e84227d83357ed842698

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5: 0a3f9e34ff75294c03302af7f541c496
SHA1: a00f616d24be539db08bb373cf48b5110ccb391c
SHA256: 0dbdcf047569dc328379f6eb5996149a945f617b1ceefac3d4d5e1ac1b46b765
SHA512: ace7e4f140102a40e6f042937d3b72645fd0846120ab5bed1bbda6ddfe406f8f5cbc4008ef50e9fadd7a81793d0ee8968fc152aa189832493aecf32e2c98fb05

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\XLX8F3UF.htm
MD5: b1cd7c031debba3a5c77b39b6791c1a7
SHA1: e5d91e14e9c685b06f00e550d9e189deb2075f76
SHA256: 57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa
SHA512: d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\ZKXBC84T.htm
MD5: 6b17a59cec1a7783febae9aa55c56556
SHA1: 01d4581e2b3a6348679147a915a0b22b2a66643a
SHA256: 66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb
SHA512: 3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5: ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1: b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256: e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512: b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe (listed three times in the original report with identical hashes; same file as the submitted sample)
MD5: 70ca11d0dfb726a0c141e05253a1b42d
SHA1: 3b8ff05941e2acebf7fc071c70b18ea9da83326b
SHA256: 0b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6
SHA512: dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478
-
C:\Users\Admin\Desktop\DisconnectGrant.mpg.15D-3C3-588
MD5: b889384388faa9a5e625bb9c3ea881e7
SHA1: 6cd403e93425f6f2f44d293c2d99c8edf7b2ca74
SHA256: 1d048153210022a9b5dcc6c055168f74033744f02883406a0338cbfe692f9c03
SHA512: b2451cf011efe74f1fce9bcfd584b3e6774556318b7b23f5f16105b27bea161220250e30aee49afb7af4edbfa114ec81ed2897f381fc7bc97b7fab9f2ca97c95

C:\Users\Admin\Desktop\ExitExport.ram.15D-3C3-588
MD5: 2fcd335e65e4b918206b5305d29a0489
SHA1: 0ed246becc4fc6402db5c7135f04c3f66fa4d710
SHA256: ea2d1b2827c2475278ac30bc18b531ae34ecd33a5306e97f38064eb1ccc32258
SHA512: 077bc42adababe49fae31d2d16ff8c4ad3b5591c247394e23aed71c0eb7dea20c9137bb7c2d726ac6e9897505f493e7e90f078072c18774ac12e87acde16d2cc

C:\Users\Admin\Desktop\ExpandUpdate.ini.15D-3C3-588
MD5: e31544f8ff02b510d3dcf3ee617aaf7b
SHA1: 3f9df628d43fc90c1003a32a227340bc4d46d559
SHA256: b4b00a5764df3c0d8a94abb51e88e649c8cf471e7c4215600f8e8296fe94cad8
SHA512: ba076e3edef583bfefe86b334a55009a34bb0262cc29e4dd20d9f3767fd310d43422c762f75370309fec420a872750d8c5f47bd61ac8e6a13225ee1e381322e2

C:\Users\Admin\Desktop\NewLock.mov.15D-3C3-588
MD5: d494f0ea11a5cb7f601769ededa72490
SHA1: 1f671ea5da61e26b4fc2f9bb34eb3cf3c9008c64
SHA256: e0a09a4559da183daa61ccbd4679725ec262abf383196314090445a14f4e588a
SHA512: a95f89a29cd088d78d68cfae89f157dee92d98d0a06498c95574926436be22a47748c318762af06ff6fc06ddda6903661afedd086881c7afb84968f92bdf8705

C:\Users\Admin\Desktop\OpenRevoke.dib.15D-3C3-588
MD5: 566c9d527151bd94e5ae3bf6a13f9d01
SHA1: 26df574bdaa3a1d1627806f3f10d86427c432e23
SHA256: f1910b0fc80f2591c179b2aeb9a6546f7f79ee93eea5dca10cc9c2ed377b7969
SHA512: 7fc5dacb27f9b4cf9e7e9d323e6a06b4b78f63e3c04998a84f584157ce048702114b47a5cd5eff1a884be55ebaaa271c9559f607437169509b571f58b7e748ae

C:\Users\Admin\Desktop\OpenTest.pdf.15D-3C3-588
MD5: 391488b527a83d699da83a14b54b4e8b
SHA1: 49d0af5412ce1e083adf92dade78886a826f9450
SHA256: 9d60daa0c4637d420d68f99352f4f033578bf2030a6d6934209a54ca38341ff8
SHA512: fe220b705a66fc0ec7671e8931025f663bfc765d842080924e7912b3201ce153eeaa41c90677bd2ddafad30d9837a3a09916598945dbf8a15702e5d2b76d94ce

C:\Users\Admin\Desktop\ReceiveComplete.vdw.15D-3C3-588
MD5: 338826c7350c0b60d92096333749579b
SHA1: 77d8627ef9846aeb4865eeba61e912616e55d70a
SHA256: 7e696fb352d31f669589eadca6971571a3ba2b34ded34182145c068250302619
SHA512: 07425fdfe49aa13b33d1b1a86daff922d8f78bbc925b9716ef45d5fddf3ad317100d9d5fb0ae894cd9ec997d79b291e5c72a8f8be2a5baf8cb672ce87c816d7c

C:\Users\Admin\Desktop\ReceiveConvertFrom.reg.15D-3C3-588
MD5: 108bcec636a6bc7d83ad5adb7e288db6
SHA1: 15ce927d30b7e784bc2b37ee55f1851c81c233bd
SHA256: 23e87cc957aabe368519f05bb891487414edc73ccc96fd6b91b36fc4a0a11df2
SHA512: 3a24cfd95d80b9124e8e3eefa062929c3604bba543ad4dbc8a07ff33a92b36b825d2096770b4e0748221bd5b30b4874b6d3eb53e7d5496a6f1d22bf8f14fece9

C:\Users\Admin\Desktop\RegisterGrant.cab.15D-3C3-588
MD5: 15498ea78425ec8555fa170ffbed2f80
SHA1: 0ba941dc86d50bd6c88f82de283d23b5a8f17aae
SHA256: 8d88f09883ff6e6b6d51c73717b215b6796e7ff2487fc9c709685ce3cd4760ea
SHA512: 4efe89e12c90898375682b46ba91d953114fa3c4aee207f5f76187ce7022ef0189e2becf4e99f073c405626b01e91e0afe9a5770d96ed9f6db54e0226dfb72f4

C:\Users\Admin\Desktop\RemoveRequest.potm.15D-3C3-588
MD5: 510b5198a420fdc29dc16af84ec21ae3
SHA1: 7b9d507e025e50b32628a85a8e3ca42fa099ffde
SHA256: 1b538fc0ca682131995f6238312d3a72586a02927daf71aec6f5661a7d504229
SHA512: c644c38caf9ed6f9ee8c2aa0742745c11489367f8d353f969ee750840711bbf97160e9b1060dc6682245fba568d1a5ac20c7db2df2a4c33de6be878a0c1700fb

C:\Users\Admin\Desktop\RequestSkip.htm.15D-3C3-588
MD5: 6f18151ec07bfcd390a592433f288442
SHA1: 8ad01e35d345bb1b7d9cef434827782f01a05512
SHA256: 0e4bc0eb42ea81557270a59c31b103eba7e2a54c01289377bb3f1f9c33de9891
SHA512: 541fea55567b1e7458695479bb3eda3ed170af765a0f0a2c4aa9f9415da9acc6ec4924ff1e2d9c37dc6dab269e528242bfbf74b9b83ff834d64a7ad753915d84

C:\Users\Admin\Desktop\ResetUnpublish.vssm.15D-3C3-588
MD5: 7cb04e6da8a9cce3c043cb9b219bdd6c
SHA1: 2adae56966a537286ac6ede57b2f6d13c5e2c04b
SHA256: ac71c92d7b8201087b39f31e37feb1bf020456b2c801cac422a4c8022acff390
SHA512: 2584cd77d87118772fa4b0b06e24f17f082e343aa6f3fb761877ac57d21a65aee9712d87b1fb4916c6c3c8f8c5d263eb398e57585070ac7747af93cfa08650ef

C:\Users\Admin\Desktop\RestartGrant.xls.15D-3C3-588
MD5: 143aa0b06a52c8886e025d2a90ecd44a
SHA1b9dc2374acc293e100f798173b16b526510927de
SHA2568abab1a9cd61759c739f982d26612264c79ce74bb9e4e2003949ffdd5cf0ebc6
SHA5125249c725bc8c278bb4bb4116c2f6631e81e18f72d19dc7efaae9ac169e1706c08c5c8e98f09c21a7f7a9fefd5ace4433fb0d741332507092ffda465e125a1339
-
C:\Users\Admin\Desktop\ResumeInstall.m4a.15D-3C3-588MD5
4e71e7187a1b3994c0b57605a12308cc
SHA13176565ea177221e72be70b6eef9377a9115ebff
SHA2568759ebb1fbcdfe8e2d41823f1a46c6360ef644bfe5e9e36a6ad7c083007f82a8
SHA51247a1a212149ff0816d423387d5d9d822aef0942a23ed87acc2744dbcf041faa743ab8150d0f83d0ca3197e90394ff3fe248e4fdf15d0fd2cf95c256a0f9997ca
-
C:\Users\Admin\Desktop\SaveMove.3gpp.15D-3C3-588MD5
2bed8d2da6afaf115e27bd50dba8a2d3
SHA1824d575d6af6f9e36fad8d0254b1d73da79d2a6d
SHA256ee1fc2fa9192e0fe649b87bfdf2946617136f2b334f06870605e1c2ef30f7acd
SHA512360ee4de27a1d64d93109216901c4119fc2f13d6f030df4de2ce25975b4b8a755c1d4864b4cbdd934c721571ea33f6f0abb15af2e68ba4bd480dbe0468285173
-
C:\Users\Admin\Desktop\SendStep.mht.15D-3C3-588MD5
6da198deca2240e30e2a44f9d65da140
SHA1d62514368ca62444e289c3bd7b8092c7df22595f
SHA256666d6cdb36b0921f0702126bb8e4be5f3eb6fd441917b0a38f2d84257737a634
SHA512d3ccfa21cb5456feef11dcdc3218625a6a2fdcc7a4ef732130cf0b623782e9c7b7ef256541bcd541c674a2a2408773b7ae3a024f280aa893dbeae5a22930cb4c
-
C:\Users\Admin\Desktop\StartClose.mp2v.15D-3C3-588MD5
309a78c13926db33278294feb4491399
SHA144f944ba125a211bb366ba2161eb1c795d4d5160
SHA256c1171342846dbdb2ee893da9c5caf8020bb2bea4630a38b87f33ef8954f5c6fc
SHA512e8e6e946f5e2dd2a826448135216b0c0d6bf97cbad59c9d40a755ae5f03594cfc5cd1f7e9599ee842504e346c85e6b197cf14e56c9d7dee6658bab56e26e71bc
-
C:\Users\Admin\Desktop\StopLimit.doc.15D-3C3-588MD5
c3940be576c74b3b432a59c2102f3e08
SHA12c054f64c07e8224d6436f69ddfb89de3fecb0d4
SHA25629a06ae2f9a1a5d30dd9b7ff3ffc0bde64e6afdb9feac4537d0facd4d92b907c
SHA512e3f5b964763b0f7885c3aa326fa84a7f20d822e2dea83e0c9d20e2658700e572afdde8c2d49af3f6797b590c90eff9bae7a0e2486f71c206cf07e29deb66bd63
-
C:\Users\Admin\Desktop\UninstallSet.vsdx.15D-3C3-588MD5
11b43b1828414b07d59a6efba8782224
SHA17fa1053a249930fe0eb555e5e48a489d87e4044a
SHA256fb22f2241daba189aa8810ae3b500fc9da11f9c2a4056f1723d5280074f5d8a9
SHA512c0e98e3662a342fc20629c3968fa1f9c6ae30112002a4f81c0c24a04a41caad485fa16da3ae6cbfda6703939af94e1b880db03e02c5c98f77142eb595cb16228
-
C:\Users\Admin\Desktop\UnlockRevoke.asf.15D-3C3-588MD5
4d97beec3684db1c30e26e5804ee624f
SHA137e037d30405080e882c24539ff6b4e7fe2f042f
SHA256eefacb2b19dfaa6509382c58e3d9ada9a4c7b82ea1e74914f47b30a3276b1f4e
SHA51276ef55ef0b9a9d7927cd556510bca5cb664d8f02970f60e501139735b1b01c27179d333a26898dc1873a1700a4d1498fdc219bf80b3c00d4a8294ff7a61abefb
-
C:\Users\Admin\Desktop\UsePush.3g2.15D-3C3-588MD5
5319a9861435257b8e37bffe03747643
SHA13f9b74e24418e17de01c5358ff1b73c0ef720f83
SHA25698f37fefc0eea456bdc500ad10c503d623b183ef24d4a109b40bd024386c1512
SHA5129a236fed8f8e4a31a47fc1775c06b109e91c2c5b47ccf8922128bd7ff2eb1c2c0eb12b505a737226c23d0abe9b6893e9ca95e5255ed73212399606f09bea4e20
-
C:\Users\Admin\Desktop\UseResize.m4v.15D-3C3-588MD5
ecb61e3b4bd868e985bc10a23b86d705
SHA1a33e326f3091290fd4ea22747bce4b055f1d6650
SHA2568cb918ff7b58c92d4b1e671cfb140868c5f6210f783fc16f04efe260c19cbaa9
SHA5122eec1a852a908415000e89e40d6601a1d9c8d02a5b550236e5c8b622cbf42c1663ff50ad932afe3c7c35ca074a352911370c33ebd70c3dd5209c33dde71e167f
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exeMD5
70ca11d0dfb726a0c141e05253a1b42d
SHA13b8ff05941e2acebf7fc071c70b18ea9da83326b
SHA2560b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6
SHA512dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exeMD5
70ca11d0dfb726a0c141e05253a1b42d
SHA13b8ff05941e2acebf7fc071c70b18ea9da83326b
SHA2560b3e8b562e8fe50b6039db8d1f3871bdf6f9d1f9246ab7459eb91844bcbc8bd6
SHA512dc08a9d20e5fc789a1ffab9f9b2cd136bdc9e61f44f6c9ee06b0ae15495db9a1bf340b4d75fb393eadce75fc1cdfb7cb6f80cce525e4850305ea5b0906850478
-
memory/292-2-0x0000000076861000-0x0000000076863000-memory.dmpFilesize
8KB
-
memory/304-26-0x0000000000000000-mapping.dmp
-
memory/396-24-0x0000000000000000-mapping.dmp
-
memory/816-28-0x0000000000000000-mapping.dmp
-
memory/916-9-0x00000000000A0000-0x00000000000A1000-memory.dmpFilesize
4KB
-
memory/916-37-0x0000000000000000-mapping.dmp
-
memory/916-10-0x0000000000000000-mapping.dmp
-
memory/944-6-0x0000000000000000-mapping.dmp
-
memory/1104-30-0x0000000000000000-mapping.dmp
-
memory/1156-25-0x0000000000000000-mapping.dmp
-
memory/1316-23-0x0000000000000000-mapping.dmp
-
memory/1332-27-0x0000000000000000-mapping.dmp
-
memory/1356-64-0x0000000000000000-mapping.dmp
-
memory/1436-3-0x000007FEF6B80000-0x000007FEF6DFA000-memory.dmpFilesize
2.5MB
-
memory/1584-38-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmpFilesize
8KB
-
memory/1600-36-0x0000000000000000-mapping.dmp
-
memory/1604-32-0x0000000000000000-mapping.dmp
-
memory/2040-29-0x0000000000000000-mapping.dmp