zeppelin | 0e3a28023ba5030fbf2395239b89ca959982bbeec1972aa0adaae6c1fb44e08d

Analysis

max time kernel
107s
max time network
110s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-09-2022 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

214KB
MD5

9df62163926e1801587b0f824add2f1d
SHA1

2e4d3b2561e89844f01267bbd26383012931a773
SHA256

0e3a28023ba5030fbf2395239b89ca959982bbeec1972aa0adaae6c1fb44e08d
SHA512

b0ce0047a488a1df52fa7c0a4d180feeaa806858677f2fc0abe05450228aa3e00498797a7ac7f4fb9dcf442dd5cdd79e09cca42101259f0866f8699f80b4622e
SSDEEP

6144:syJE1yd7WHJmcyfjtPWna4DQFu/U3buRKlemZ9DnGAevIhdiMM+:sU/d7WsvBPWa4DQFu/U3buRKlemZ9DnG

Score

10^/10

zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] 1. Visit https://tox.chat/download.html 2. Download and install qTOX on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - 126E30C4CC9DE90F79D1FA90830FDC2069A2E981ED26B6DC148DA8827FB3D63A1B46CFDEC191 Your personal ID: E00-519-900 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

URLs

https://tox.chat/download.html

Signatures

Detects Zeppelin payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014f7f-55.dat	family_zeppelin
behavioral1/files/0x0008000000014f7f-56.dat	family_zeppelin
behavioral1/files/0x0008000000014f7f-58.dat	family_zeppelin
behavioral1/files/0x0008000000014f7f-76.dat	family_zeppelin
behavioral1/files/0x0008000000014f7f-78.dat	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
932	lsass.exe
1064	lsass.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\GrantRequest.tiff	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
1048	1.exe
1048	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	geoiptool.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Brunei	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09031_.WMF.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297707.WMF	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.colambia.E00-519-900	lsass.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18181_.WMF.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR16F.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACCS.ICO	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL089.XML.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityReport.Dotx	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099204.WMF.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VisioCustom.propdesc.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files\ConvertFromDeny.3g2	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21370_.GIF	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01565_.WMF.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\ALARM.WAV.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Montevideo	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188669.WMF.colambia.E00-519-900	lsass.exe
File created	C:\Program Files\Microsoft Games\Hearts\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01586_.WMF.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files\RestoreUndo.mp4	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Paris.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETSM.WMF.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01176_.WMF	lsass.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51F.GIF.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv	lsass.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152878.WMF.colambia.E00-519-900	lsass.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html.colambia.E00-519-900	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore	lsass.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN011.XML	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg	lsass.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1600	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2004	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1824	WMIC.exe
Token: SeSecurityPrivilege	1824	WMIC.exe
Token: SeTakeOwnershipPrivilege	1824	WMIC.exe
Token: SeLoadDriverPrivilege	1824	WMIC.exe
Token: SeSystemProfilePrivilege	1824	WMIC.exe
Token: SeSystemtimePrivilege	1824	WMIC.exe
Token: SeProfSingleProcessPrivilege	1824	WMIC.exe
Token: SeIncBasePriorityPrivilege	1824	WMIC.exe
Token: SeCreatePagefilePrivilege	1824	WMIC.exe
Token: SeBackupPrivilege	1824	WMIC.exe
Token: SeRestorePrivilege	1824	WMIC.exe
Token: SeShutdownPrivilege	1824	WMIC.exe
Token: SeDebugPrivilege	1824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1824	WMIC.exe
Token: SeRemoteShutdownPrivilege	1824	WMIC.exe
Token: SeUndockPrivilege	1824	WMIC.exe
Token: SeManageVolumePrivilege	1824	WMIC.exe
Token: 33	1824	WMIC.exe
Token: 34	1824	WMIC.exe
Token: 35	1824	WMIC.exe
Token: SeBackupPrivilege	1708	vssvc.exe
Token: SeRestorePrivilege	1708	vssvc.exe
Token: SeAuditPrivilege	1708	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1824	WMIC.exe
Token: SeSecurityPrivilege	1824	WMIC.exe
Token: SeTakeOwnershipPrivilege	1824	WMIC.exe
Token: SeLoadDriverPrivilege	1824	WMIC.exe
Token: SeSystemProfilePrivilege	1824	WMIC.exe
Token: SeSystemtimePrivilege	1824	WMIC.exe
Token: SeProfSingleProcessPrivilege	1824	WMIC.exe
Token: SeIncBasePriorityPrivilege	1824	WMIC.exe
Token: SeCreatePagefilePrivilege	1824	WMIC.exe
Token: SeBackupPrivilege	1824	WMIC.exe
Token: SeRestorePrivilege	1824	WMIC.exe
Token: SeShutdownPrivilege	1824	WMIC.exe
Token: SeDebugPrivilege	1824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1824	WMIC.exe
Token: SeRemoteShutdownPrivilege	1824	WMIC.exe
Token: SeUndockPrivilege	1824	WMIC.exe
Token: SeManageVolumePrivilege	1824	WMIC.exe
Token: 33	1824	WMIC.exe
Token: 34	1824	WMIC.exe
Token: 35	1824	WMIC.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeIncreaseQuotaPrivilege	2000	WMIC.exe
Token: SeSecurityPrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	2000	WMIC.exe
Token: SeLoadDriverPrivilege	2000	WMIC.exe
Token: SeSystemProfilePrivilege	2000	WMIC.exe
Token: SeSystemtimePrivilege	2000	WMIC.exe
Token: SeProfSingleProcessPrivilege	2000	WMIC.exe
Token: SeIncBasePriorityPrivilege	2000	WMIC.exe
Token: SeCreatePagefilePrivilege	2000	WMIC.exe
Token: SeBackupPrivilege	2000	WMIC.exe
Token: SeRestorePrivilege	2000	WMIC.exe
Token: SeShutdownPrivilege	2000	WMIC.exe
Token: SeDebugPrivilege	2000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2000	WMIC.exe
Token: SeRemoteShutdownPrivilege	2000	WMIC.exe
Token: SeUndockPrivilege	2000	WMIC.exe
Token: SeManageVolumePrivilege	2000	WMIC.exe
Token: 33	2000	WMIC.exe
Token: 34	2000	WMIC.exe
Token: 35	2000	WMIC.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 932	1048	1.exe	29
PID 1048 wrote to memory of 932	1048	1.exe	29
PID 1048 wrote to memory of 932	1048	1.exe	29
PID 1048 wrote to memory of 932	1048	1.exe	29
PID 932 wrote to memory of 456	932	lsass.exe	31
PID 932 wrote to memory of 456	932	lsass.exe	31
PID 932 wrote to memory of 456	932	lsass.exe	31
PID 932 wrote to memory of 456	932	lsass.exe	31
PID 932 wrote to memory of 1992	932	lsass.exe	32
PID 932 wrote to memory of 1992	932	lsass.exe	32
PID 932 wrote to memory of 1992	932	lsass.exe	32
PID 932 wrote to memory of 1992	932	lsass.exe	32
PID 932 wrote to memory of 1152	932	lsass.exe	36
PID 932 wrote to memory of 1152	932	lsass.exe	36
PID 932 wrote to memory of 1152	932	lsass.exe	36
PID 932 wrote to memory of 1152	932	lsass.exe	36
PID 932 wrote to memory of 1800	932	lsass.exe	35
PID 932 wrote to memory of 1800	932	lsass.exe	35
PID 932 wrote to memory of 1800	932	lsass.exe	35
PID 932 wrote to memory of 1800	932	lsass.exe	35
PID 932 wrote to memory of 1268	932	lsass.exe	39
PID 932 wrote to memory of 1268	932	lsass.exe	39
PID 932 wrote to memory of 1268	932	lsass.exe	39
PID 932 wrote to memory of 1268	932	lsass.exe	39
PID 932 wrote to memory of 1728	932	lsass.exe	40
PID 932 wrote to memory of 1728	932	lsass.exe	40
PID 932 wrote to memory of 1728	932	lsass.exe	40
PID 932 wrote to memory of 1728	932	lsass.exe	40
PID 932 wrote to memory of 1064	932	lsass.exe	41
PID 932 wrote to memory of 1064	932	lsass.exe	41
PID 932 wrote to memory of 1064	932	lsass.exe	41
PID 932 wrote to memory of 1064	932	lsass.exe	41
PID 456 wrote to memory of 1824	456	cmd.exe	44
PID 456 wrote to memory of 1824	456	cmd.exe	44
PID 456 wrote to memory of 1824	456	cmd.exe	44
PID 456 wrote to memory of 1824	456	cmd.exe	44
PID 1268 wrote to memory of 1600	1268	cmd.exe	45
PID 1268 wrote to memory of 1600	1268	cmd.exe	45
PID 1268 wrote to memory of 1600	1268	cmd.exe	45
PID 1268 wrote to memory of 1600	1268	cmd.exe	45
PID 1728 wrote to memory of 2004	1728	cmd.exe	46
PID 1728 wrote to memory of 2004	1728	cmd.exe	46
PID 1728 wrote to memory of 2004	1728	cmd.exe	46
PID 1728 wrote to memory of 2004	1728	cmd.exe	46
PID 1728 wrote to memory of 2000	1728	cmd.exe	49
PID 1728 wrote to memory of 2000	1728	cmd.exe	49
PID 1728 wrote to memory of 2000	1728	cmd.exe	49
PID 1728 wrote to memory of 2000	1728	cmd.exe	49
PID 932 wrote to memory of 1600	932	lsass.exe	50
PID 932 wrote to memory of 1600	932	lsass.exe	50
PID 932 wrote to memory of 1600	932	lsass.exe	50
PID 932 wrote to memory of 1600	932	lsass.exe	50
PID 932 wrote to memory of 1600	932	lsass.exe	50
PID 932 wrote to memory of 1600	932	lsass.exe	50
PID 932 wrote to memory of 1600	932	lsass.exe	50

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC.exe shadowcopy delete /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2000
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1064
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
12dbb5eb4ce1ea3942d83f9309151677

SHA1
19e529c286499b44fa120d9effd8e0fabb1c56a3

SHA256
bca95945f5d1a63cb8fd232b3cd7cf857acdb04697b0a8537b6aaf697b1ff34b

SHA512
61593564ef6273b4493b8a9ef6669690f5a040c579effa26d44f2ba5977850d6afda17afba5ef80fdb461fbf4d061ec8bfb13cf6a87c5e2ed8c6c9cae3d9e84d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
472B

MD5
e89c3fa7244c0f301da2fb10568f2c1c

SHA1
553c49cda8392207c090ce206910ee386b034ebb

SHA256
71c7869933d22d4dd6156019ef7f4b872263999a116b97ebed6eff4b174a49e0

SHA512
98858dd163a15259d3e1dbb39d1cf4df8a93ead5f0e0230bcc6957b7d3fa5b8032d31d854861793358a06f062cbe45d8efca4e484145b894dfbbd307a12c3cc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
0d870ca424457579d4bd345ac1ec6c3c

SHA1
fc3d8924e13b4fc5eca7cabd4967eea3d4db1690

SHA256
cf9df8d62ec78ca20a50633047af6c913dc2d10f15823795e8d86042c7b05ed0

SHA512
a1e731ae03b1a2259f8e1afc86058aabb3b8ce3b0141f08ea18b6c7003c55aeb135d40bba38ebf1f76174eb1ad758fbec10841dee1ed704fb0285e36b2f7d66b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
baa92d0d1e0d16ddcec55d0b5275dedc

SHA1
5051b589fb060916453b65d762df774ce575188f

SHA256
41e09f1ffca413ada012496e0062cbc49bd87b7d4abd8de6813098d04619810b

SHA512
d23f98cf2ceee2dd955c54c57adde3988e4af72da295845005d2cd67013166014ef492ddfbb1c63d5deaa25d449ff704d00d9a6e2a85dce976f04357433e09a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_8AE57F9FAAC778EA4099F469BEEE4C46

Filesize
488B

MD5
c814b223ea8ecf2a7f5718539c694fc0

SHA1
9cf0b167e38ff0bed7bcc2fcc9ad40b8728ae1da

SHA256
c57e3acc4de55714f29ecc0c630113d0ae43fc89f565205271c501adb6021977

SHA512
8cbf376b826f974110e2b3cb17c2f643e9e68a32fb5296bebec2473cf5a5aada1a72bcbea4b577db77f0b6529f15bd91606fc8205f4620e30a6c0cd76cbe020c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50073b1bd9027e145bd5b71eb3a5b951

SHA1
f9ab6e2b09bedb6a9e30fdc3b9bcf5d5bdd306ee

SHA256
a53061058a30e5331d8cd8bc5e03eb202ea9c6844ce6261bbc9117922626a685

SHA512
4419ddffe4ece59669989362727cc6dc7a09dd51858c03c6e832b2ca1187794f713a6f074a287cc3d1ffc8de2f9acaa1f4a4691b73e8541cc5ef88ddbcd8d77a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
f170ab711fe5e9677d2cb4f3edad1e03

SHA1
08133d8131bf8f850db8171d318ba3f5b09d8299

SHA256
100ee0dfbec7ad94bc9e8bac4200cbc0162edf66d474662045b012e2138605b0

SHA512
19130dd848ca0ca3475b910ee9c1c20c50a01e495fbac22267a4dd3d17569f825c687a041eb9b997aec9d10355a5066eb3fb5ade74c01faacfef945a81d49b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XPFXPM5\E35Y0HSW.htm

Filesize
18KB

MD5
19cb5295e21160d78213d3ccc33b8f75

SHA1
d70bc890627b2dd33479eff5d2ffc8aff40a534b

SHA256
7810c957fdddcb7e1477957c0b1f6e90cbaf2bec084ede2a9aa5190d131084c8

SHA512
5b437b9055cdb29e0074fe493c2281af5f6bc4697e6f60d22329fa606c09bd4ffe8c0e50f98c2a12233eac00c480bc38ded1d8431ed771a4495955d865607c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\140L9SBV.htm

Filesize
184B

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
262B

MD5
e6545ccb3660f88529716ed4e647c713

SHA1
ecd628f29985599a24c5c1d23083c689917dd74e

SHA256
e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

SHA512
f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
214KB

MD5
9df62163926e1801587b0f824add2f1d

SHA1
2e4d3b2561e89844f01267bbd26383012931a773

SHA256
0e3a28023ba5030fbf2395239b89ca959982bbeec1972aa0adaae6c1fb44e08d

SHA512
b0ce0047a488a1df52fa7c0a4d180feeaa806858677f2fc0abe05450228aa3e00498797a7ac7f4fb9dcf442dd5cdd79e09cca42101259f0866f8699f80b4622e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
214KB

MD5
9df62163926e1801587b0f824add2f1d

SHA1
2e4d3b2561e89844f01267bbd26383012931a773

SHA256
0e3a28023ba5030fbf2395239b89ca959982bbeec1972aa0adaae6c1fb44e08d

SHA512
b0ce0047a488a1df52fa7c0a4d180feeaa806858677f2fc0abe05450228aa3e00498797a7ac7f4fb9dcf442dd5cdd79e09cca42101259f0866f8699f80b4622e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
214KB

MD5
9df62163926e1801587b0f824add2f1d

SHA1
2e4d3b2561e89844f01267bbd26383012931a773

SHA256
0e3a28023ba5030fbf2395239b89ca959982bbeec1972aa0adaae6c1fb44e08d

SHA512
b0ce0047a488a1df52fa7c0a4d180feeaa806858677f2fc0abe05450228aa3e00498797a7ac7f4fb9dcf442dd5cdd79e09cca42101259f0866f8699f80b4622e

Download Submit
C:\Users\Admin\Desktop\CloseUndo.aiff.colambia.E00-519-900

Filesize
433KB

MD5
be810447b9dae9433c0d924398e9a18e

SHA1
3c12585e20103dff8aee636617bd4f3d1e7c5a1a

SHA256
e87854e18208c4f4a7973f7f8e3ce85bd3b7af8348d9de49732e5979b8356614

SHA512
c54dbc7fa5cb7c020dfe9b5d158b0a192ffe8b3d61d16a7b9d665cc7e1fb47705784f6e900cc567f569c57aba49d2a66f5e3199137ca852c7a8079c1b1de3bfb

Download Submit
C:\Users\Admin\Desktop\CompleteRevoke.3gp.colambia.E00-519-900

Filesize
687KB

MD5
a9feaeccca6a3d419a0c8a666b4c03ab

SHA1
0805737608c88171e81bc1eae27013ef8a4d17a6

SHA256
df1e3de94ddf94b2a63621ab876a623d17b283e62073a08eb4442ba663102f26

SHA512
f8e6a934cfbfe6eea7ee8edabd8dd63f8af55baa21720c1bf1d77c286416377163046adcd3c1bbe0fa8e124b6f46a394319d473974da22da2451f12bb72443b8

Download Submit
C:\Users\Admin\Desktop\DisableSync.mpeg.colambia.E00-519-900

Filesize
382KB

MD5
e79f0358f3676b7e313029a7f826fb40

SHA1
36e4630136d6732d57cedeec90eee0eead683a09

SHA256
94d19df2e8cda02e99ca3ef81a70e8053988bda23fbc3bd190fc430aa3e89f58

SHA512
6033a1ee406de3cae28d61373bbca1f7330d8c2b2852dbf1dd6ae7581ad05ea81c5c3091cd7086babad99ee43f9d9091763e5bdc6b8b87f78530fe16008bb71b

Download Submit
C:\Users\Admin\Desktop\DismountEnter.doc.colambia.E00-519-900

Filesize
763KB

MD5
d5d921ebb2ae3792f3bdeec4aa6500d9

SHA1
56f4153de753a41ac33b157c0015f4fb29dd8078

SHA256
006811b240817d5d12ffbaba427cfb1e5add8b2dee2e0e5e3d43c287c6f76d6c

SHA512
a4ce76ba52be829a37efebe8931c5abd39252cf8f65cccae20c8d77d0d3b60954c11c818499b8364ff6761fa30762f3d011e47ca651244972aba02f6a8768dab

Download Submit
C:\Users\Admin\Desktop\ExportEdit.vsdx.colambia.E00-519-900

Filesize
280KB

MD5
f077da33b443889174174f38fa6754cc

SHA1
a3a320e054e25b730096b3cad1d10e5eaec9fc17

SHA256
244e60863f7500020913fed99013c4c302b845b073cb52decab0e09b43ff614b

SHA512
83181ef9d4a7b3f2d2b145e6bbffc6a00d1133eb21c6fdd4d5c5f8eb1488c4ab9910886880e2126e2f3ce021b33a3d37fe9e4c4ca2a0e8f828101495368fe197

Download Submit
C:\Users\Admin\Desktop\InitializeOpen.mpg.colambia.E00-519-900

Filesize
357KB

MD5
e955b75f248759d95ae04c8fcd03ee73

SHA1
a10bfe1ff862fb0f4f16a3e8a878de365ff42f34

SHA256
e33247376f4edfe36c5a298fa1ae6f805fcfc171e556df79c3984eeaad12f5fe

SHA512
2abae4e4da8ad7e2367c228ab6c58242245237dd0457e14979e7bbe0009c702aedae517f0b36a2bdc9377654304cd8a872d7eb06acdf20c494c1956c575d66c1

Download Submit
C:\Users\Admin\Desktop\InstallUnpublish.ico.colambia.E00-519-900

Filesize
306KB

MD5
3df1ed42c9fd42093fe3e88f166c078e

SHA1
c806bb8ff0dab1d7280b9452f6be29264ddb59b6

SHA256
bb985639c56f16f9462e5dbf1cf3e27ebda50d5f89298a95224fb0f30a9fbcc2

SHA512
3fd77653f075faaef7b7b8579b549aabb22946baa4368787b93894d1abd14a241fabd6b6c183fd9365b289389ff2edf241b799602910039f735a6b89098632cf

Download Submit
C:\Users\Admin\Desktop\LimitSave.vssm.colambia.E00-519-900

Filesize
1.1MB

MD5
1e27a45f7fa162fe4c279a7b4d1fc810

SHA1
2650bca321e5126aa4c55de6817aa8adba218620

SHA256
62010c9b46e1508d38f1dd4e337cbe0c966e177ffb8326b4fb5efec38eaaf44b

SHA512
23faef5d6cdda6ab32c0ef47a994b6c1cec5444bd688bd89ac415690326177c62adf4a1b1e20b8e81114c39d0ef38ae36b8ed7e24168c6fe7eb264eda648912a

Download Submit
C:\Users\Admin\Desktop\MountSkip.mhtml.colambia.E00-519-900

Filesize
788KB

MD5
daff96dcd9ba417666f62a02d95b5c9a

SHA1
a463bee9d1fec1ddeed4a783c86afa089e3ecd42

SHA256
d79e930e4b1e2d173f9666e036d7add72f63b7cdc759cd38ce43fd890a90cc4a

SHA512
2b6ac800f4fdcbde1a32efceb1c3bf9834bc08dcff5c1a39010855ee81e6fe3c5be411ec5c1630d9caad86ce416799745f9a22ecbbb463fbe78983e4bfd7602a

Download Submit
C:\Users\Admin\Desktop\NewConvertTo.zip.colambia.E00-519-900

Filesize
458KB

MD5
740f2cb63f5e8bfa141979cce2286b80

SHA1
bcb989b64346daaef2f95a811b8acd2c0abc7ab2

SHA256
d8b0f8401ea017278bafabc5467a9ed3a816a75970bdc7f37a92859d7bb2c4f4

SHA512
bd186eb52564fe586d5c9d4ae49ba3e51e19fa2e6bed68ff70f4d9cd5182db64e9d3fc1fc73846cf303ed4cf69a0cc04b88c5f4d184c18abf3b266f4f414bf9d

Download Submit
C:\Users\Admin\Desktop\ProtectFind.xml.colambia.E00-519-900

Filesize
560KB

MD5
effef269441050e630fba181f683c045

SHA1
57d4cca7f055b41568a5fc12f0463dac4cabf971

SHA256
776bcd28d9dd2ac99a80803fcf23ef7fbadcd02bced1a0911e8fc1a7c82ef566

SHA512
d4f9c6bd8a86aaffa7e430ed739c31c84d0612b378e8d12357bfcf10ce2410d581c7a4e04e384dc4e473da024c59097419d3298b8d5a48954969d851ea75adbb

Download Submit
C:\Users\Admin\Desktop\RepairUnblock.mhtml.colambia.E00-519-900

Filesize
331KB

MD5
1de151224cef2bd257ed0d8935e3bb38

SHA1
87cf3b9f5789dbdda7782c9156ccc8084d7a576b

SHA256
c0a7e0bda461d4662dde52ced65d908dbb5956f4c2598a3f21346b9329bc11ac

SHA512
e678c30e8d448186409ec9987b2d90526ed2f3c8443990ddf4abb9bc856f94be35c27e5e0235d50898920f2c416cf3611a0d2dddceebb556ea89ad27c30d716a

Download Submit
C:\Users\Admin\Desktop\RevokeSave.AAC.colambia.E00-519-900

Filesize
636KB

MD5
94a59ef1f66c913302f5ddf4a057680f

SHA1
eaec6aa1abb0bd3397d328afc8183363e53e05ea

SHA256
a5fbc04fdad8d63ad59989b2c5d75925c21e6e123bdf0936651bc9d8aac66211

SHA512
2085bf62efae4fbdfa4268d36366b5ba33ba6b98b1483971b5b87ba1f436dfd80f0ae7e2182e1b9925aef1bc12d93573d7d1583df53ef7b9a7b747dd8fc2ecb4

Download Submit
C:\Users\Admin\Desktop\SearchDebug.dwg.colambia.E00-519-900

Filesize
484KB

MD5
3b79166638a9c5e10f1de4019d345c33

SHA1
a60f436f5ce3ce2de809d9d3ef820905a3800bcc

SHA256
b1d418bc2915ed6b5f2d93c6e7e7e1b490de216c9399597a197c7bca927cca82

SHA512
6223ea3f29b316b3ba33b7f3df9e9fae0fb9693371c023fa29447d121cb6e24a93c1909aa4c74cf9275011fc0ce1aaaa09b179edc65897045744dd1f1cbb6411

Download Submit
C:\Users\Admin\Desktop\StopInvoke.mpeg3.colambia.E00-519-900

Filesize
610KB

MD5
3577b4359f1181e4113f06236c52186c

SHA1
c3408660047ec97f5bf993d17c6b2e142533d4ff

SHA256
411c52cad4ee8dfd40466bea79f4c5e8f7790c630db8475069d80713cd965024

SHA512
a0b3a73ffb3e35bb1732be29b00ab01bde358873662cc8b1c19d51c3cee1c7dfa3c0b6431243d27a00259853bb93f1d3a950fb0432f892f5b76cc7c11329280c

Download Submit
C:\Users\Admin\Desktop\SuspendStop.vst.colambia.E00-519-900

Filesize
534KB

MD5
8187274e85a0678051d0e529145c1b26

SHA1
c23c1e03b27b97efe9f9fe4cdd081d23ba24adc6

SHA256
0f08594296785ae9aa0ccba6a8cadac3a333e736d978dee0e59aa73c0505d6ef

SHA512
e1b7786fffe4d46234fe2ddfe53aca54fb3944016d9fb7deccbbe535b9be8efee17915fbfc0825618112253612ffd64e9bd868b857ce0e8ac8257da0bb459451

Download Submit
C:\Users\Admin\Desktop\SyncLock.php.colambia.E00-519-900

Filesize
712KB

MD5
30d775de8f06db2e7966c18fb8e086ae

SHA1
af7b08c2150611f0e016eff11c1933601ed4887e

SHA256
e28392cb19b8fc3ec60b21b274a81a5df700287d1bdbf306d9f9c2089b18965e

SHA512
af9978c96a993a66f1ae5813f47b093768af1894871358ef53f19a3373858c59552b2b2612eb3258a079664b2c4dab1b2180cf775a4bc78d1e4c34862c489175

Download Submit
C:\Users\Admin\Desktop\TestConvertTo.midi.colambia.E00-519-900

Filesize
585KB

MD5
1d757f01ccc81e3aaee2146dc4ace2e1

SHA1
77406e86158813d8c528b2700bd2348fa1104d34

SHA256
b03b7dc23ee0a87b74994b8a7fc79c1e4bc5a50e8c121cbc61b2fa9774c8d9b2

SHA512
ff99b6d2c5c030818a35abb791c3e43c512965c480b0132ee0dc0a79fd61935c57b7f6f3e1d16371f531c29264173d123f760bbc6108c755fce1197a784f7e90

Download Submit
C:\Users\Admin\Desktop\UndoUninstall.bmp.colambia.E00-519-900

Filesize
407KB

MD5
625f116adc859d893ac1b564c730de97

SHA1
dc954aec5e987c7943808c47dac968476f665aa2

SHA256
455d73d477f21305b4db05e32f183341f2d9d2cefa47338651281ebc8efc20aa

SHA512
d4b02edff468fa180b5430d66fda118cdc45d39b892c08182512a4ef406f49b915f8978719a2fcee9c2d113d5ee5f2db39ca8b2ff013344e1270081eb53814ac

Download Submit
C:\Users\Admin\Desktop\UnprotectInstall.vsd.colambia.E00-519-900

Filesize
737KB

MD5
46522bb4347e634b290d40e035a0a056

SHA1
f30cedec3c66922876553147961e305f1d1ecf26

SHA256
2350e21b616bf286ac8c4e4dc594d80e95949fa921c80703ae77c2f98d355e60

SHA512
fe1381e32ef618ba03536448f5be03b7a0ff379bcf3aba6a84b6b3ad35293bcc889577827b68d2b5eafdf9e1216986f2c0246582e13974d1029be5ad89c10fab

Download Submit
C:\Users\Admin\Desktop\UseStop.nfo.colambia.E00-519-900

Filesize
661KB

MD5
2f21eba0dbc12672a56c36459a826d58

SHA1
eb3d521c29c5f8617814faf0a032f84fd54119cf

SHA256
81bd84be30ecd9552c9d3992f49d2464629b57622a9eae8645c1f821d2e352d3

SHA512
2b95762100f4c33c9fc40d79e4e6605a9e59a5cbcb654314ce47fc8a61612a3ddc1911b1a041e593e5a4b95bf09d5add908556d2303ef545b8b0dfc4f782d771

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
214KB

MD5
9df62163926e1801587b0f824add2f1d

SHA1
2e4d3b2561e89844f01267bbd26383012931a773

SHA256
0e3a28023ba5030fbf2395239b89ca959982bbeec1972aa0adaae6c1fb44e08d

SHA512
b0ce0047a488a1df52fa7c0a4d180feeaa806858677f2fc0abe05450228aa3e00498797a7ac7f4fb9dcf442dd5cdd79e09cca42101259f0866f8699f80b4622e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe

Filesize
214KB

MD5
9df62163926e1801587b0f824add2f1d

SHA1
2e4d3b2561e89844f01267bbd26383012931a773

SHA256
0e3a28023ba5030fbf2395239b89ca959982bbeec1972aa0adaae6c1fb44e08d

SHA512
b0ce0047a488a1df52fa7c0a4d180feeaa806858677f2fc0abe05450228aa3e00498797a7ac7f4fb9dcf442dd5cdd79e09cca42101259f0866f8699f80b4622e

Download Submit
memory/1048-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/2004-85-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2004-86-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download