Analysis
-
max time kernel
129s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25-03-2024 01:43
Static task
static1
Behavioral task
behavioral1
Sample
dcef208fcdac3345c6899a478d16980f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dcef208fcdac3345c6899a478d16980f.exe
Resource
win10v2004-20240226-en
General
-
Target
dcef208fcdac3345c6899a478d16980f.exe
-
Size
416KB
-
MD5
dcef208fcdac3345c6899a478d16980f
-
SHA1
fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
-
SHA256
824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
-
SHA512
28e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba
-
SSDEEP
6144:iYdiLQNWloaXoLJYksETr0vpvejH6ols25A0LJjI4WHB/N7:BiLQqosgZs+8vejap0LJ6h
Malware Config
Extracted
C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
buran
Signatures
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Detects Zeppelin payload 21 IoCs
resource yara_rule behavioral1/memory/2744-2-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/2744-68-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/2392-78-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/2392-104-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/2392-125-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/2392-183-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-187-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/2792-188-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/2792-202-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-3933-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-5401-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-7004-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-7017-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-10326-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-13649-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-18090-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-22173-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-26018-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-29238-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/1508-30429-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin behavioral1/memory/2392-30461-0x0000000000400000-0x0000000000557000-memory.dmp family_zeppelin -
Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (7326) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 1828 notepad.exe -
Executes dropped EXE 3 IoCs
pid Process 2392 smss.exe 1508 smss.exe 2792 smss.exe -
Loads dropped DLL 1 IoCs
pid Process 2744 dcef208fcdac3345c6899a478d16980f.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start" dcef208fcdac3345c6899a478d16980f.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: smss.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\H: smss.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\E: smss.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\R: smss.exe File opened (read-only) \??\B: smss.exe File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\P: smss.exe File opened (read-only) \??\O: smss.exe File opened (read-only) \??\M: smss.exe File opened (read-only) \??\L: smss.exe File opened (read-only) \??\Y: smss.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\Q: smss.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 17 iplogger.org 19 iplogger.org -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 geoiptool.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Games\Minesweeper\fr-FR\Minesweeper.exe.mui.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01354_.WMF smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199473.WMF.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OnLineBusy.ico smss.exe File opened for modification C:\Program Files\Microsoft Games\More Games\fr-FR\MoreGames.dll.mui smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_ON.GIF smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.DPV.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG smss.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi smss.exe File created C:\Program Files\VideoLAN\VLC\plugins\visualization\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00120_.GIF smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15302_.GIF.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF smss.exe File created C:\Program Files (x86)\Microsoft Office\Office14\OneNote\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\updater.jar smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Slipstream.eftx smss.exe File created C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR8F.GIF smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0098497.WMF.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Solstice.thmx.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML.kd8eby0.158-73B-9B3 smss.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Boise smss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL105.XML smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml smss.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Moscow.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Whitehorse.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h smss.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.DPV.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292152.WMF smss.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14579_.GIF smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLBAR.INF.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm smss.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Guam.kd8eby0.158-73B-9B3 smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_OFF.GIF smss.exe File created C:\Program Files (x86)\MSBuild\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00202_.WMF smss.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png smss.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT smss.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2760 vssadmin.exe 376 vssadmin.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 smss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 smss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 dcef208fcdac3345c6899a478d16980f.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e dcef208fcdac3345c6899a478d16980f.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e dcef208fcdac3345c6899a478d16980f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 smss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 smss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 smss.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2744 dcef208fcdac3345c6899a478d16980f.exe Token: SeDebugPrivilege 2744 dcef208fcdac3345c6899a478d16980f.exe Token: SeIncreaseQuotaPrivilege 884 WMIC.exe Token: SeSecurityPrivilege 884 WMIC.exe Token: SeTakeOwnershipPrivilege 884 WMIC.exe Token: SeLoadDriverPrivilege 884 WMIC.exe Token: SeSystemProfilePrivilege 884 WMIC.exe Token: SeSystemtimePrivilege 884 WMIC.exe Token: SeProfSingleProcessPrivilege 884 WMIC.exe Token: SeIncBasePriorityPrivilege 884 WMIC.exe Token: SeCreatePagefilePrivilege 884 WMIC.exe Token: SeBackupPrivilege 884 WMIC.exe Token: SeRestorePrivilege 884 WMIC.exe Token: SeShutdownPrivilege 884 WMIC.exe Token: SeDebugPrivilege 884 WMIC.exe Token: SeSystemEnvironmentPrivilege 884 WMIC.exe Token: SeRemoteShutdownPrivilege 884 WMIC.exe Token: SeUndockPrivilege 884 WMIC.exe Token: SeManageVolumePrivilege 884 WMIC.exe Token: 33 884 WMIC.exe Token: 34 884 WMIC.exe Token: 35 884 WMIC.exe Token: SeIncreaseQuotaPrivilege 1680 WMIC.exe Token: SeSecurityPrivilege 1680 WMIC.exe Token: SeTakeOwnershipPrivilege 1680 WMIC.exe Token: SeLoadDriverPrivilege 1680 WMIC.exe Token: SeSystemProfilePrivilege 1680 WMIC.exe Token: SeSystemtimePrivilege 1680 WMIC.exe Token: SeProfSingleProcessPrivilege 1680 WMIC.exe Token: SeIncBasePriorityPrivilege 1680 WMIC.exe Token: SeCreatePagefilePrivilege 1680 WMIC.exe Token: SeBackupPrivilege 1680 WMIC.exe Token: SeRestorePrivilege 1680 WMIC.exe Token: SeShutdownPrivilege 1680 WMIC.exe Token: SeDebugPrivilege 1680 WMIC.exe Token: SeSystemEnvironmentPrivilege 1680 WMIC.exe Token: SeRemoteShutdownPrivilege 1680 WMIC.exe Token: SeUndockPrivilege 1680 WMIC.exe Token: SeManageVolumePrivilege 1680 WMIC.exe Token: 33 1680 WMIC.exe Token: 34 1680 WMIC.exe Token: 35 1680 WMIC.exe Token: SeBackupPrivilege 2752 vssvc.exe Token: SeRestorePrivilege 2752 vssvc.exe Token: SeAuditPrivilege 2752 vssvc.exe Token: SeIncreaseQuotaPrivilege 884 WMIC.exe Token: SeSecurityPrivilege 884 WMIC.exe Token: SeTakeOwnershipPrivilege 884 WMIC.exe Token: SeLoadDriverPrivilege 884 WMIC.exe Token: SeSystemProfilePrivilege 884 WMIC.exe Token: SeSystemtimePrivilege 884 WMIC.exe Token: SeProfSingleProcessPrivilege 884 WMIC.exe Token: SeIncBasePriorityPrivilege 884 WMIC.exe Token: SeCreatePagefilePrivilege 884 WMIC.exe Token: SeBackupPrivilege 884 WMIC.exe Token: SeRestorePrivilege 884 WMIC.exe Token: SeShutdownPrivilege 884 WMIC.exe Token: SeDebugPrivilege 884 WMIC.exe Token: SeSystemEnvironmentPrivilege 884 WMIC.exe Token: SeRemoteShutdownPrivilege 884 WMIC.exe Token: SeUndockPrivilege 884 WMIC.exe Token: SeManageVolumePrivilege 884 WMIC.exe Token: 33 884 WMIC.exe Token: 34 884 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2744 wrote to memory of 2392 2744 dcef208fcdac3345c6899a478d16980f.exe 29 PID 2744 wrote to memory of 2392 2744 dcef208fcdac3345c6899a478d16980f.exe 29 PID 2744 wrote to memory of 2392 2744 dcef208fcdac3345c6899a478d16980f.exe 29 PID 2744 wrote to memory of 2392 2744 dcef208fcdac3345c6899a478d16980f.exe 29 PID 2744 wrote to memory of 1828 2744 dcef208fcdac3345c6899a478d16980f.exe 30 PID 2744 wrote to memory of 1828 2744 dcef208fcdac3345c6899a478d16980f.exe 30 PID 2744 wrote to memory of 1828 2744 dcef208fcdac3345c6899a478d16980f.exe 30 PID 2744 wrote to memory of 1828 2744 dcef208fcdac3345c6899a478d16980f.exe 30 PID 2744 wrote to memory of 1828 2744 dcef208fcdac3345c6899a478d16980f.exe 30 PID 2744 wrote to memory of 1828 2744 dcef208fcdac3345c6899a478d16980f.exe 30 PID 2744 wrote to memory of 1828 2744 dcef208fcdac3345c6899a478d16980f.exe 30 PID 2392 wrote to memory of 1352 2392 smss.exe 34 PID 2392 wrote to memory of 1352 2392 smss.exe 34 PID 2392 wrote to memory of 1352 2392 smss.exe 34 PID 2392 wrote to memory of 1352 2392 smss.exe 34 PID 2392 wrote to memory of 1584 2392 smss.exe 35 PID 2392 wrote to memory of 1584 2392 smss.exe 35 PID 2392 wrote to memory of 1584 2392 smss.exe 35 PID 2392 wrote to memory of 1584 2392 smss.exe 35 PID 2392 wrote to memory of 1348 2392 smss.exe 37 PID 2392 wrote to memory of 1348 2392 smss.exe 37 PID 2392 wrote to memory of 1348 2392 smss.exe 37 PID 2392 wrote to memory of 1348 2392 smss.exe 37 PID 2392 wrote to memory of 964 2392 smss.exe 38 PID 2392 wrote to memory of 964 2392 smss.exe 38 PID 2392 wrote to memory of 964 2392 smss.exe 38 PID 2392 wrote to memory of 964 2392 smss.exe 38 PID 1352 wrote to memory of 884 1352 cmd.exe 42 PID 1352 wrote to memory of 884 1352 cmd.exe 42 PID 1352 wrote to memory of 884 1352 cmd.exe 42 PID 1352 wrote to memory of 884 1352 cmd.exe 42 PID 2392 wrote to memory of 868 2392 smss.exe 43 PID 2392 wrote to memory of 868 2392 smss.exe 43 PID 2392 wrote to memory of 868 2392 smss.exe 43 PID 2392 wrote to memory of 868 2392 smss.exe 43 PID 2392 wrote to memory of 1944 2392 smss.exe 44 PID 2392 wrote to memory of 1944 2392 smss.exe 44 PID 2392 wrote to memory of 1944 2392 smss.exe 44 PID 2392 wrote to memory of 1944 2392 smss.exe 44 PID 2392 wrote to memory of 1508 2392 smss.exe 45 PID 2392 wrote to memory of 1508 2392 smss.exe 45 PID 2392 wrote to memory of 1508 2392 smss.exe 45 PID 2392 wrote to memory of 1508 2392 smss.exe 45 PID 2392 wrote to memory of 2792 2392 smss.exe 47 PID 2392 wrote to memory of 2792 2392 smss.exe 47 PID 2392 wrote to memory of 2792 2392 smss.exe 47 PID 2392 wrote to memory of 2792 2392 smss.exe 47 PID 868 wrote to memory of 2760 868 cmd.exe 49 PID 868 wrote to memory of 2760 868 cmd.exe 49 PID 868 wrote to memory of 2760 868 cmd.exe 49 PID 868 wrote to memory of 2760 868 cmd.exe 49 PID 1944 wrote to memory of 1680 1944 cmd.exe 50 PID 1944 wrote to memory of 1680 1944 cmd.exe 50 PID 1944 wrote to memory of 1680 1944 cmd.exe 50 PID 1944 wrote to memory of 1680 1944 cmd.exe 50 PID 1944 wrote to memory of 376 1944 cmd.exe 53 PID 1944 wrote to memory of 376 1944 cmd.exe 53 PID 1944 wrote to memory of 376 1944 cmd.exe 53 PID 1944 wrote to memory of 376 1944 cmd.exe 53 PID 2392 wrote to memory of 1824 2392 smss.exe 55 PID 2392 wrote to memory of 1824 2392 smss.exe 55 PID 2392 wrote to memory of 1824 2392 smss.exe 55 PID 2392 wrote to memory of 1824 2392 smss.exe 55 PID 2392 wrote to memory of 1824 2392 smss.exe 55 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcef208fcdac3345c6899a478d16980f.exe"C:\Users\Admin\AppData\Local\Temp\dcef208fcdac3345c6899a478d16980f.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:884
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵PID:1584
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵PID:1348
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵PID:964
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2760
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:376
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1508
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 13⤵
- Executes dropped EXE
PID:2792
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵PID:1824
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
- Deletes itself
PID:1828
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Indicator Removal
2File Deletion
2Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
975B
MD5ada38a971e5894187b595680cf57375a
SHA1d5dfc53bdfaded438f69eab8dbd2f47636ddc6e0
SHA256ad0e70788b5acab9edeab014538ea17f5d5e59f478a8c7acf0b16553e4281ef2
SHA512d36e4146f46701206799ee1410b76452731a936c503bf12abc64238eb147249ac7bacdd1c9d40b8ed483ea969160963c8fd67ca8c43565936d36a859e67965fa
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt
Filesize28KB
MD5244eb3058da2c3a8eb34637d82a7b773
SHA1f1152c5b162217b1a564c66fd11cd5f93b76eb50
SHA2560bf28aca8d68a60e603c5c71c8d389440478b5f40bb877ea88938a3cbc731f77
SHA512c0207d86e9619aa01686828dbc432c506d5f292dbcfb22ea701826afbda36a28b1705b3623a53eb6d89bdef2be8cf749f4bdfb0e71f9307690db89ddbecc3ffa
-
Filesize
122KB
MD5883b2b893de12b187056df6ecad8283e
SHA17761013422e328816b6768147fa164832575e1b7
SHA256b5d9d82952f06327b1de80d1faccf2333d2b3f497661be5c83820692ccb9ce63
SHA512c713e588e1594e6f45caa363ed9e523242e245188abad8dd7b9201921abb5f1c1995917a03cbb88bfb26eb56e9d295586413e1ea49906a7a4dff646f4b7f1f51
-
Filesize
125KB
MD5bf01774a1aaf428f52e089f7d185cb74
SHA1096acf09af5e9c0ca81420a49b2329a841a37fce
SHA256a8defb9235cb4ca3b90e764efd48d6522a8866c08075ac7c2ef2105324a5ee5d
SHA512e234668069054c7a7b945e147ce2d7683eff5084ee4a90321f05bde1bf2b1f2bdd019cdb77e05e3ba1c1009d263fc7d3e0a7f87caf4ee8a15588b2cd346fd005
-
Filesize
258KB
MD523bcab74982c51373f08e34b46e6b668
SHA1512803649e42ec85d02a50a88db211d11fd747d9
SHA256ffa70d151813cc503644f31ad873883810f63c4aec3d1cb70c536cc6db2db95c
SHA51268335c2a06df003d0671d1486a7335fd6774bdfa952a3db7fa70eaa6f4388011367557050966ad96e9312b7973dce8543b2ecdb4ffc8196efbdd2627a271f10c
-
Filesize
78KB
MD54a1cb93b84397f9ff874913cd8622865
SHA10e3bfaf361f297db4dd25630a5bdb56734d93ba5
SHA25616aeb115d1c076c388b5abd942e5b8d6a01c013885b14bdd7e18045cdd76163f
SHA512a6231419f59756aa6a89565fb63fa1392364e1e5145894050dda5124019a7672a4b383816526c85b58625991299602b4262cfad10a450439b8d72b4b74de8c92
-
Filesize
7KB
MD55431a339de6ced5be0d0518a15cc8cdc
SHA18795ee53e530faf309450c479179cbab9ce30541
SHA2562616f040e93764ad38a9da11785bbf2f1c442ac519f6297847e7720980daaf0b
SHA512e09ba99f2548093514d476616ce413c4382cf9b284cec17dff22ecba0c366fe5ce8e373a4a7225bf41dd221140bf5aef58c1368e76c92be8dec783c1a2ae5253
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp
Filesize8KB
MD592797fb9783d57236f9255d75a5563a2
SHA1027c14d799c0f1e14a4335c7ae9c2bfe03bf7ddd
SHA2566d4d47f4c16f77129b391ffcd54c48466092bdaa0bb68ba088437458e6b38836
SHA51256e05cf1fe97629037c3fe5182b0095a5b02c38f8987444b69215c55c22a21fa601ca23feffb887c23f6410dec3ffde665f7681ffe19244e61e21a109f7c9ed1
-
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml
Filesize249KB
MD529282a376dd92658e3c2b8aa18517eaa
SHA1f58a83909d1ee2854b48508c766323055852f3a7
SHA2569fefb18d682d7ce7fc4239a220fedeb5832e48602c9110ffacef56646017e4bf
SHA5128dec8f4a7d8e7731cf1b49c53a56b264ff00be3ebf32273e02462a16aa1d9fb52588fa97f96b4798e92f4371200d34fe35c03bef092883550a5971d005e7dd86
-
Filesize
78KB
MD5b38e3d20846648b47baa300288119d07
SHA16dd9019fcfe290906c440360a34e8c0ffbb8354f
SHA256cf0fec517ae65995d5337922b1d361246ee3dcb267e3b03c003cb2db4d0401cc
SHA5129db7e56e83e5ea616c6d4df5033598accda7033b0b6be3b83f730c1a5b685558345d67c50f2dac5e3049af9756d3e65801577a43746b444ece42dc660d108bbf
-
Filesize
78KB
MD504c731a79ab21cf7476f8d3aa67e3a62
SHA13f28434f5dac047fcb1786828ba6ef483c094a2d
SHA2565cab5afc50cd816b300017073b74b7931767e66a037e749f25e84e885cd69169
SHA5122cda40aa76ff79c32df3cabe9884654fb728a0b1997b1e3c5e8cb33dd5d9003ddea5d2f3136fcf0f47c361a924ad9c1aeebf997501bb0d29cbc350552985983e
-
Filesize
78KB
MD5ead8e35cb1da42092b15cb93009dc1f8
SHA1351b71e0e74f40bd9d7c6bae1b462dd8c02f8db9
SHA2567fed77afa38e24ec318b668887c1c0e124b51344f30c3d7bbb75b83a3eb864f1
SHA512223bf8f35a46603f8fbad9b7cf9b8aa4ca546bd2abc08d7820696d363de0f3a3a6815c9cea4ca8718f6d4f207a9ab294e28ccc3ac93b1c2ff5a6198038e66825
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg
Filesize22KB
MD5e4acfc0f34efd67ef7cbab6b1ef6f3a4
SHA1a3fd1654788783cca2a5e315244088710b5fb201
SHA256a4bcd2710eec6d8f615767e142b1fc375a035d2d76197d19d0b0e63bf41d5fcc
SHA5120e80828672b1d8726578f94bc6723da0c0c89682a4bf01e88e69feff5c3ecc5136838510b8580f9fa35f6b3ba03c304bf43c7ad6627a4a727f2bd79ed95b7e58
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html
Filesize17KB
MD5829412ef0bf2e720cb7bd7989d1643b8
SHA1292a0f178bb133d66cd8e1a00dc9dfed4ff17310
SHA2567277370390a477e3b837facc8e4018e72680018f8dee6e3ec96a58ee5367c72e
SHA512f5f27d56904f010d5ad686609ab1222b540ae29dbf8bc11bab1763229d4c7a6d151d6ed1b8a14be4511550f26e508b405e2d307290517498cc5b6c78614747e7
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties
Filesize7KB
MD580c20e9641a3cf51a58ac0bc7a4f9266
SHA11bce5ac6c9c929c3e66c65be1d2f46991ea9f846
SHA256b30ab7878f4b5c69a7ae9eb6e7963d472e132e220189ee642e9e286f74668f91
SHA512f6254fa3445bd6232e78511b60a5f3fb3ca0d42ebcf41b125391f2bf42358c92c88f03ed25218d28dbdced84b6eb99318d158136422412ee2a7d1c46156363ce
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html
Filesize13KB
MD5d61f50ddc6b115e2ebf0188aaa341cc3
SHA14a1cf22053c243f043c5809a35705266ea365ac3
SHA256910722f7cf1cdccc8ff63d391dd25d84cdf8edd84b45f4b6307b916953175d86
SHA512e8457aa393bc3ba61ddfa4208d927d2b77a5409eaf3170588148a5ed78cbb0d1cd6dea1ccb0ce8cb795033f9569ed9b0b3966c4d94be6ca227491cb11570b4da
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html
Filesize10KB
MD5b36d792ef18f402530aa783082d9e2a8
SHA1920a73e6dd56dbdc72ac9e4f7558ee1638fae311
SHA256b9bf88032b3ed3c47f74a56ccbf2d876f05a9c98d7aeb77ff189721bd095978e
SHA512bf6eb5419c1e4be2f3ecbf42c04b1ddc3dffbe5a722780d4ac514c5f345de23552f865bc3446af5caa89c63143e4855d03df9d10000a9ec14f8c1569417ed3fe
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html
Filesize13KB
MD522d24fa52682d117f344187e0f825c6c
SHA1b6dad36af1404390d7fb5ea3e562ebe8b5fce5ea
SHA256dc58dbf4c65b71765bd4845fe25c806a0734fa4364d7beadee0c3a18856eecef
SHA5121ed6c40714b68c0226d114b941af7bcfa44ba672786d239019c78bafb48c7ab9282aebb0db8172f6ee189e43a8fa7777a1b99f5a7f1b724814e34399b63677f4
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html
Filesize10KB
MD5c8b6632ed4642a6837c5a1c881afb281
SHA15e198214f8982aea4862b8990094de7ca6713c09
SHA25658e3585259441d8843923471d8867e22684b79886c7b85950647d4b3f93695ed
SHA512de7d2d50503538e49d89f2137689eca70a3a712c505f696fc83e4f2f7ca3a48e57b91d7ac734b05834e108466035727819a166abed14613f2186ca61e02d7956
-
Filesize
609KB
MD5779e1773f2fdf8dc76929548cd2f9f22
SHA10dd90a4e807569430b9e4bef962087c68535186b
SHA256acddd5981e7450f9187d748505ea99b99e22e198996e110d2c5a5ae3fb669de8
SHA512681e6435c7d5c117b03601090c605dd915324cfe3cc74869f1e21f797f7aa7b3e63633e01d3a54f7ef3f17e505fa1967fab8e17d2e5cfbb9bed3c0e6be494969
-
Filesize
610KB
MD575bb734bef78d9977fac51a5977adc8f
SHA1b581b5fd8f5cb7e7d81516a651d76d0409b30690
SHA2568d310512cc351b2b9fc610a7a928a111ca4d4f04421705f96ee10584de3080a5
SHA512d0c075ea5f08840e13b8aef44773e889a641e6c45f5486f2b5c1dfe0cca70c91b3e7a56fdc6f945606195aeeb3dbf031be223ed645b9e95b04eeeb55864f9299
-
Filesize
587KB
MD550a52e4b6b87b37d008adb5429eef74e
SHA176f1eef177bbfc1040db82d73354d529135fbb86
SHA256735dfa0a7874caf29051a21580953f082d515d84b57c55bc007a72c0d1f2bf93
SHA51284ddb182b3552abab6c6809a91bc3a9f4b1b15f0b4c98dda14ad520cf8cd7caaaada0887ae78da82d402f73a4e8c60f5b318111f3dc40224c46ca2aacf9fefa0
-
Filesize
764KB
MD571d83bf017d34f4c657a4b9cf231f46f
SHA1c2cebe9210c8932c47e6df0e5e72fcd3c96a712d
SHA2564abdd702a194e407ad329b205fe6faf58cd592499416f9f7a48e73c4c6488eb4
SHA512afbffebc2ee88e9f18214223353a5bf7e23b4b507225604ace1a29df9f34895b98be877b7edd54467cf380d7a8c6d59e619c67cdf1761ce1dcd60cb22f37b0e3
-
Filesize
545KB
MD579c49db1a9fb4a642a277943fd8d2853
SHA1222ec8a4fec42e6516c4fee53efde280b709545c
SHA256147199534a39d1129b5db904f0252dd2e0de2bce965fc537bc3e8cd22a215fea
SHA51220a7aeda2ba75d79fa164741a77d515011db85b2df9052b175e8d4c98dbd862871697a876f87765208ae39be351515833e2bf15841e3a462c6dd2941f1298cc4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize2KB
MD511d71c970ccf0e5af1a11cb5e15d9fc9
SHA15cfbda5675975a7d691101a9096cd9d42c964b4c
SHA2563f37c40cc9fbf51ffff7a4147d81398cde110a815e5fa7894d04dcb883d6fc1d
SHA51203b6de82dbec27d4b7ca2226f30ed949091969533460f9e2d6f4162d44e4cd6c5d1d8be567b268c0935c71fe06b509001a6c9404595eef8cb2f8c5808d47e632
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize472B
MD538cfeb9a4a7c8007273ead650b17d7b0
SHA1f1bdff77349e0a1b0554b39e1480191a6593668d
SHA256d71077717606050c4571f0933f95ac9b4cc40e8fd3a724e2728132a94750b587
SHA5128734e86451ad7c657b54dc1ccce25bfcf49d1459634d2b2f4e65f5bdf1ab243042304fbbd3e9d7560bfc6397a33d5d09681694e6a363497b77f0b9b4e6ff5ad5
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize1KB
MD54bbdeccef77d0216c7c85aa8ce6fd456
SHA1a8e6ece2829f7a721d5e02c7e37d30c0ee584105
SHA256d4c20a525b2cb0035944212b76b0573779ec672ea64b72679dafebdf7c44a6dc
SHA5127a5cbcde4e7d2a952f9bc846e29326b53166592224af39d3b67dd6f602a9cc77c2e4d97929823e4329ce1b6557a6df5f437dffe18f4ed93b85f97dd81105d6e9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize484B
MD59c166d0b0e37058c4030c2dfbc142737
SHA1b0d45e8f4552bf5c9b80904f02cd21711ee90641
SHA25689f5110e2cf0295ca8e0c259ca8c1ffd3b14b91e12fda17eaa767eb3105d58a4
SHA51247ce60f0631d5866708f08daa0b7daef241ae9111a46447d9c2b0b564889cf81232f0e0fce9094212fec5d4408032570f83c21c98bc5b9bec12b48bf4b019af3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize488B
MD539b1d7dcf58e8bac47648e90407ac05e
SHA12f41056573da7d68b825ace441666fadb4d37b03
SHA2566058a8374f80b032c3187ec7da153c3ebd0ac48d824387abe9b4e9e75d2c7d79
SHA51235d594f5687130785ee0a1368b8f53f329ade86900511d5016521fb4af9f234016689a5754f25adea52ae6f632734cf79b3aa17dc2faf70e436b5e2b6451143f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD540f17fb9b7acaf788bd5042aa89e4800
SHA1fe308dd19c0b708c026de37750f11f7e767b2054
SHA256e1384f53fec88cb2334153d38786e84baa2571b73da75671467145569ebcda82
SHA5125d4c5eef6569acde753331174aed155ac4d6a77ca724243ebf6ab0009d7a0680ec8cd3f84c28bbafe18b794520f0914affc125eb0895126d81dbfe77cdaae3b1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5c0144148d5480fc656372c760047651f
SHA19794a332d9016e43612f7e5ba0fbe25a5bf483a4
SHA256fd158392c2360703ad996248caf77f36ac66435e39e40e5a11054572cb317b99
SHA512a1fd16e32c746ab68c58c6b1bc49c232fb49a7fb86cd9d597fc96486d8b56874670973cdbb02076a9623fc28097d349ee9e551f408d141a41bc2be0f4f4a8681
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize482B
MD5404c1a618ae9dcaaac65261f6fb95f55
SHA1c2c22dc3cd3b64b03bdf490811c29bb8e42a6ef6
SHA2567668b9426bda8df41d26f8ae3512318bc939da735c760c427b96f04e0ad95147
SHA5124e69f7029304cfe7f5683f73ea3787736404b5d485578990ac54dd76ce29e57bafc47d5fb0cb0406b62c4fdb9ef7b088de53a244e11d90893a09a6e4fd89413d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\LHWU1XF0.htm
Filesize18KB
MD5d86c179bcfbd66e883f47019ea1ca200
SHA1c63ad8a4b2a4c3e5408225a1231e25ec44d65eb8
SHA256b465036b723ca3a35874e6eb4a2560140a2a9364ecc53b2dc7c0f1b59d216bea
SHA512d9136ce45ba1210a717199f6f9292a656ef0fa86674c168a9be09c7ae2aab25c247bc417d1bf24c11fc403becc0da50805a61f0731c358c596a0780ffe986d8f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\NDWBNDRM.htm
Filesize190B
MD56ebbeb8c70d5f8ffc3fb501950468594
SHA1c06e60a316e48f5c35d39bcf7ed7e6254957ac9e
SHA256a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1
SHA51275cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
406B
MD5ef572e2c7b1bbd57654b36e8dcfdc37a
SHA1b84c4db6d0dfd415c289d0c8ae099aea4001e3b7
SHA256e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64
SHA512b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9
-
Filesize
258KB
MD56b4d3c29921b23568ceb15575b1481b1
SHA112d6ebce00d97537ce6beb69ba15f2537872a185
SHA256e5e0806342a09e1d76762389cac57b77542eea7fac608e087e8a939cd14969e3
SHA51294250fb15ca02a9ee06582018ab8b9fa1ac32b2468be0969613c55d477bc2ad798a53fcef763b6a9e56e4fbfa58b90574cdd5d8b976b958cf11ae3e2bad34c50
-
Filesize
642KB
MD528395d196814b52d489be6fb6aa3120b
SHA1b77b3182e122c5e63f78b759ac61b53de6f99af4
SHA256771359db5f3795f96803496f5d0d2517a9691071effc888251a8758fd43a4e33
SHA5120f9be983589f4f8f80c4f8f2c177806a0e415db79d2a52cd5e5ae0ea63c937a921b98f92188b8e5501901e562a252b705f005298deee57c682694fe89b2593b2
-
Filesize
799KB
MD587e4d442a9c044e809cba2c1a75e2bef
SHA102d9caf877a37c9a3ac1ce9fad7427d4af6b16c5
SHA2567e89241a52729f8b4e291aaba8f8423ff015c265bfd5a643ee044410f05fa6f9
SHA51262c69d3b83aa4265b7028c172d9a8ca13b4bb555289071ac07b5e8f35567b8ce10b9bba11606ff33e04761d2d6d9aa613c5d64cdf462ca405d2d75f91cd8413f
-
Filesize
484KB
MD5cb42c73d647b6fba616a4105f01ae96b
SHA1ace33cb90a8ca1fa14a70689b41a8091dfa899e4
SHA25630188897507120048d628097cd0b27bb3a7e3cc0263f0c4f1b2c52aece9c53c8
SHA5125446b6f5e3d46d7afe2d605c6828c572159949b52ced235a0341889fdb8a2c5ebac63606a90463a8f53a251cfc765458f149043834e3f6e701da84cd7ac3e94f
-
Filesize
372KB
MD559cfe1929b58b1d1cf30547a366c26d0
SHA10d99b4422cff8e3fdf39bfe0276f258764acfa67
SHA256108b2697e7a896ed1f6c26c5f60ab72ec4d5cb7a39d3dd48fd9fd2791fdcfca9
SHA512b0ffd92447a96384ae4a60420fe2cf29cfc4e62f37f20af323a886644a61779263571820adbfd8f0ae8b952784fa03fc4cfe2ea5ff1f11234d66d721357480be
-
Filesize
574KB
MD54a28bc944d1c433a9f948d13e433a707
SHA198e5c2879ed3f945414732626bb291f391693e32
SHA256d6e0e8c79a967712d016412ba71e86871b20d671d9a7a090f6ff59e074c81b81
SHA51208076fd22abc4ca5c88a913457598f4368566def5c79b5c34b641ee01dc3b1d56d2c385ee5db0172b9a0523dc9a3d3ef8a423dbd0a71fc71b3de157482ff0ae5
-
Filesize
507KB
MD520b28b86836d8eebed09666a1a0f21b1
SHA17e1365d28c0af35c2ec426e1d023cd8da6ab037c
SHA256416ab8ae6e83c9bd628b966cdda1005c959888c5a777995925a4723a69828338
SHA5124d766e323faa27a2e09127caf2031ec445091326bc0e4a0d580c80755518da2bc708ded893b53db19c0907cb37ca033715612fc48748c9dd1ac1298f61c94589
-
Filesize
664KB
MD5093b4739e4c8f196160157fdc28d2d81
SHA167ac8d5ab82251f8f758d34e599ec8b234e5d941
SHA25660a13cf3395fdc944b01425869268d6e12cb59f0a4441e611dc8861660fd672a
SHA5125a0996bf0b464f8a90336b2a31649940331dc72778d6561d74bf24686aba6d138656e070cf4fb558b8052bbb7e474643aca27bee4148952cdd8a715e36f6f2b7
-
Filesize
754KB
MD50c135ef5168de2c5167bb95bc27928d5
SHA129f3a345ebcd3ae2d4a1860bb9af6da413c625ee
SHA256555131c511c00e5818f739dbbb033c772f85893d705e0874fc797422d5bcb789
SHA5129495c66d2071df184fea2645796a790db9750daf308d9e80f5f60de69df7e90f2cc3bd0e7e2d21801659bdabedb255c6a83fdabff83a0d9307ac9f6e1b4542b9
-
Filesize
327KB
MD585b16f6faa3f786ed2bc54030f4d0362
SHA19e7e176d7eb09bb7712a8e3d17043edfc33f84ae
SHA256c7a9ee0950433917034d64bacd2904ef8b51d6238736c2cbf47658776ec825fa
SHA5129cc97ad4c98398d5b78023232df6df50e78f73dc25d9ba220dcaff75aefd1928c87be6a96c5c3e0ceab832660167ac69a3e495722d49b0684ca6936b030b8d0c
-
Filesize
732KB
MD576da4f10fa89d4bfc4f0424bcaf77c27
SHA13b67518a24018598a80f332ac8ee90f4994e8563
SHA25606a64ab6dd41ca0993a0576d966b2a2b844ef773f9b6cf837db774e0b659e1bc
SHA5125be367bf4f3adffe1bf19a58437fa59511ebb59cb524b1503d086ed5069e6e8c84c6451b04766fd0da3aaab89129ade28931c5214ba0b6b3385c42f408bc9b36
-
Filesize
462KB
MD54ecb7cfa98a4d70610c2225722088cc1
SHA16141fd14baf2b84be148fbf51111de00226b2218
SHA25611c9bacd6e23bc99b2b22a78b32d92509ef3f5063ebc894c3526e4fd584cbc8d
SHA51258a0dab89b947c5378d2054b5ce8cadd7c44aa54cd24005cc936777205e61421e2a6582d5aaaeac83bb02e56e66a846cbe9d49f30729c1f03e3b8f36d77cff99
-
Filesize
349KB
MD5bbacfa3a31c9158539286eceb6519cc1
SHA19a719dd8ead698d3311450f16b2279a2e35130c1
SHA256c763068dc8103935d4f94958407bf3a00763e5e3a90ffaba9a59969a4398c90a
SHA51249cd1b12ad19fa09af9218714d9165ebd7767762100f1efeea944df5fed106124728276ad82d2b57883a55c2fdb9fdfe35e7952dc8d0e47c0558894d3f1f42c3
-
Filesize
552KB
MD5574a5c87139aa6bc20a752c3bc0b3117
SHA101392166b350f67100d6415883ba5c260740f9ab
SHA2568212dfa5de354d863b4a13648141e370fe6c15514579d7c5e7a325cd761c0ae0
SHA51220a06a76b5cc75bacca83e8afe09b2c08fd314a25bde94a2a2cc771503c9eecaecb08cba8317f909b72a56e3b888ad91cbe3e36b9a3febd88915acd48fc030a8
-
Filesize
689KB
MD5ba3d2ca0c4be6cedc84b02a08c4930f8
SHA1bb4a8b03824fc8a6cfdd4d0165ad3f667d9fb54f
SHA256a62d187db0a7a17dbb2d8c168a2e631c301aadded3861f2b4f9fb8aab78cf0b3
SHA51213648267ad3e1a9681eaaaeee5b9a1490eb63a60f03ed39cd424e020125db50e1e1ba9a351da486857eac26421c1cbc65a15f4a03f3a564e631e318d64689556
-
Filesize
714KB
MD58078fb31b53c61597ffea94e36d950dd
SHA14371142fb4bff96789643a88088f291bac298bef
SHA25687337611542673257976f88004b9e13b2b583dccaf88cbb4b745408c03baabad
SHA512742dd317bb933b2006824e7dd4838c02ce18e4b4534ebc36198cfc0c26a9eb8dc41442e2b19c9de078860d5c6f5112765e7f63dd5811d9912df76050b19a3058
-
Filesize
394KB
MD5fa34660a1593fc55125090aaad3f543d
SHA11390e8952e363eb861e4bd517debfa611cf8cfd4
SHA2560534a0f91b7d45d381012f5ea1da430c00672cdb0246c2e1eae14d444ea1282f
SHA512571b215dea4f03e44583cef214ee80f76bc77aa5d3c29a884647802cc1a6f12a98ef12f5d1528d410c3675dc0857674ac78fc17a7edc03d3e1e3d53b7791e122
-
Filesize
727KB
MD5460276ab231e510048c5e377b4739ee6
SHA11babdd9a18adc4252ebbfb487479d84cb560748f
SHA256b8e504b50044cca40072f3166531ad9bd05c0037dc4fc9bb4300dac6e3a5efef
SHA512695a708a720ec250eed17e2d28dd42f097da93f8166bc7e19a8804966f0a24e426fda563a5bd830077ae266be99e164596c47e7a95d5514b4b4c0415ea0c18de
-
Filesize
812KB
MD55851181f9348c1f57bcf305eaf0ecd05
SHA16f9a8f22eeb0a061674ae615c7b48e8205ec6fb4
SHA2569ae16b1b055edbfa42d6dde195d84e53fc268e3d182e140a237781c714e30677
SHA512c049df25f7f0bf47233f43483ed8ac6ba78737e789efd651f74417637e18a3337ce70940b5bca247354b32a5263f31cc34ffee81575d2a8977ec44555ded8908
-
Filesize
439KB
MD5470e3daafd75afd93ed7723a30128ede
SHA15def431bba457633e2b5eac12ef08cffb4e27dfc
SHA2569b4572a1032d5025733799b1d273ca1f278e93926fd5001cbf83eb7573dad679
SHA512df8bda3c4cb4a3ffc5303416013eb1c9468f610c3c1548590d6a98aa7afda74563cea3dd70a47d68ece18bf942b7d8b640d47739db103752c13168ae19a2959d
-
Filesize
529KB
MD5df533048e73399871c585152e2aece79
SHA1c18b6a5de36fee00a263ad9ec4d0e4445a97fe89
SHA256955b4d545a55bf67c97ecb94e1263da6e843f7276d98d0ea0f2a116fbb2f37c3
SHA512621b8da083c44db9134b273baa244a771aba9bff9e46152ca6b41467415b49ae43a08067c800151bfc9d3d8d70ca2a4f3af889605b1e2fb4002d2fb56e0ec737
-
Filesize
417KB
MD5d12970fbeaf80f696dbc405361b3a410
SHA1053ab13eaef2894193066c117d9c59b61b238c53
SHA2560703ea00a7381394c6913b5c9da9fb47835077fc1a7e77c69d5cb75381b817ad
SHA5125a3620ca61e3b5c67337b0ed6772c0482fa7fb20a16d85cdffe40eb9f8b09b9f8bccdd8d78a41de94c239c323f5a22aefa379784a2135e071eab868b6ac22c54
-
Filesize
304KB
MD53617c401d61b7449672ca11ef1034c19
SHA1ced4cf1e4b431079c5adda187dec6dd2030d84cf
SHA2565569dc0726d5d3ed391a294eff4fe719dff601105da78043e31acbf2ff4b4a07
SHA5121cc6b66f0bea991053ae8941267d90e57ac0371c5cbbe05d49bef9604c9796f6e0889ae10ee0d487772d5e0346ac20396a09d329102cca12fb17f127b479bf1e
-
Filesize
619KB
MD518014a7f9f9f4ff84bc0fff4c1f0e7d1
SHA1b8625cf6c7ff4c9214a15b34af511b95fbb6ea97
SHA256bb5b67fe7583d7c8a4d6146aaffdcfc5db1d6ac27e5a0d9d13416b173292b290
SHA5129b8bd4af5f56fe9240b2f4f33079f59f67a145b12c2a748d598fef9a9e0af6a21c230b5c48b782b7991dfbcc195bb84d13aedb8142b7163359c0d0e43842b86a
-
Filesize
597KB
MD5357581350f33e9113be9dfbce0e6cf7b
SHA19b44e58352b5ab77792f9890180615ed4f711d13
SHA2560e718702c77552e22e52f8144f62ca0252ef09feafa9f862fe348cf438496fac
SHA512578e9435a4db1b53305bc3e724c20cd729d1ae25b551c8db4e8ddc09212b94dd7fd059723b5bd48bf65909ac675fdd3185c6358adeb9372f57715f4bce036c85
-
Filesize
461KB
MD59a575f9b299ecc53a8c8e191e50c2fb6
SHA172790094eae6a9e51b09247c9859c7510855a65c
SHA256ab59d2ad5c856798416fb945bed071c43ac0bcf40ffa00c8f4d2c97e34bb9c9d
SHA512d7a192cd937bfe2421dfd691361dd0a71575c47f868a64daae1675014d216c9478ecf528fd2011900e4c09bffcf3b433a20dfe1b35b00c72eaf6fb894ada13cc
-
Filesize
483KB
MD515aaf0159f8d63759ebe6a69237a619c
SHA12407700f05fd5ea13b66dab236b87c5db65133d9
SHA256387969958f1a08943bbc8780fec3ac22ea045fb162aa4306962590fd19262a1c
SHA512b0fdae438139ab682aa1e685266c0746e8f4b2a907ceedd57d944d95b4c4d535110ed8908534aa5a05d2430a2c3338440da810bfd1ab7560efb05a938a8afac3
-
Filesize
82KB
MD528d37effa4a882e5579a2c9a57aedbfe
SHA15057c9fff67ad3ec4c9fe97b82af0686d33b71a1
SHA25602bbde6c9cc8846470fe32cac92d539cf5ca8dfa3d3d12a6efb8de81e84a0215
SHA5123fd8d7d11ec3721f667b13fc23b1f6d0ae92298a67ce6aa6afbe4281f6cc48f7b22c3b75d16d794416e3555a9ebaa4d7f92bea15f2bbabcb3c4ba3e457ef29a5
-
Filesize
513B
MD58bff8f7ec2dee0630915c750011b1bad
SHA13f37e6bc23aba846bffa9d510bfd03024af53c73
SHA256aca5c1161a85a45d36eaf2bceeff54a0d668bc04957b91f49665fe2a52857ef3
SHA512e9f1100ee8ebb3614351f8300615fa9400198848502e7d67e8dce918d95a0ce7a245db2a9951fcb7baaeff9c8d0fe36b38d368c263e5daf34ddf0947470d9abe
-
Filesize
416KB
MD5dcef208fcdac3345c6899a478d16980f
SHA1fd127c6ecaee57972b7acc3b8e4a2d3b25f928e0
SHA256824a76c39895bc3ad4f5dfc27fc3ac80d26514118c4669505a1f0cfdc8fdbcdc
SHA51228e403a6d66895a2461828f49acb2862602e6be94405657bee0aec5d35d86dd83713c4cd1f33d28b94fed6546633683f9ffa693d37dc94bc862f6584833f9fba