buran | 45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

Resubmissions

07-11-2020 21:55

201107-hpbkxklwmn 10

07-11-2020 21:28

201107-vkwbkzk1ej 10

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7v20201028
submitted
07-11-2020 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lsass.exe
Size

214KB
MD5

3a87a3c5abcdc92ef421700ac6f5d0d1
SHA1

70509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA256

45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512

f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: tomriddle1337@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: tomriddle1337@cock.li Reserved email: riddletom1337@protonmail.com Your personal ID: E4B-88F-1D5 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

tomriddle1337@cock.li

riddletom1337@protonmail.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

lsass.exelsass.exe

pid process

1448 lsass.exe
624 lsass.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

lsass.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\FindStep.tiff lsass.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

640 notepad.exe
Loads dropped DLL 2 IoCs

Processes:

lsass.exe

pid process

1056 lsass.exe
1056 lsass.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\FindStep.tiff	lsass.exe

pid	process
640	notepad.exe

pid	process
1056	lsass.exe
1056	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	lsass.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	process
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 geoiptool.com

flow	ioc
6	geoiptool.com

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 15048 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Dublin.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00526_.WMF	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Berlin	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Earthy.css.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_pt_BR.properties.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDCNCLL.ICO.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099193.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00453_.WMF	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00086_.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199279.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00656_.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FORM.JS	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.XML.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSRETRO.WMF	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234000.WMF.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02153_.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RE00006_.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21302_.GIF	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01240_.GIF.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART15.BDR.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00148_.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00350_.WMF	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MST7MDT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00723_.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Oriel.thmx.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.XML	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00673L.GIF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF.E4B-88F-1D5	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt.E4B-88F-1D5	lsass.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2008 vssadmin.exe
1636 vssadmin.exe

pid	process
2008	vssadmin.exe
1636	vssadmin.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

lsass.exelsass.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lsass.exe

Suspicious behavior: EnumeratesProcesses 1204 IoCs

Processes:

lsass.exe

pid	process
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe
1448	lsass.exe

Suspicious use of AdjustPrivilegeToken 91 IoCs

Processes:

lsass.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1056	lsass.exe
Token: SeDebugPrivilege	1056	lsass.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe
Token: SeSecurityPrivilege	1940	WMIC.exe
Token: SeTakeOwnershipPrivilege	1940	WMIC.exe
Token: SeLoadDriverPrivilege	1940	WMIC.exe
Token: SeSystemProfilePrivilege	1940	WMIC.exe
Token: SeSystemtimePrivilege	1940	WMIC.exe
Token: SeProfSingleProcessPrivilege	1940	WMIC.exe
Token: SeIncBasePriorityPrivilege	1940	WMIC.exe
Token: SeCreatePagefilePrivilege	1940	WMIC.exe
Token: SeBackupPrivilege	1940	WMIC.exe
Token: SeRestorePrivilege	1940	WMIC.exe
Token: SeShutdownPrivilege	1940	WMIC.exe
Token: SeDebugPrivilege	1940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1940	WMIC.exe
Token: SeRemoteShutdownPrivilege	1940	WMIC.exe
Token: SeUndockPrivilege	1940	WMIC.exe
Token: SeManageVolumePrivilege	1940	WMIC.exe
Token: 33	1940	WMIC.exe
Token: 34	1940	WMIC.exe
Token: 35	1940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	304	WMIC.exe
Token: SeSecurityPrivilege	304	WMIC.exe
Token: SeTakeOwnershipPrivilege	304	WMIC.exe
Token: SeLoadDriverPrivilege	304	WMIC.exe
Token: SeSystemProfilePrivilege	304	WMIC.exe
Token: SeSystemtimePrivilege	304	WMIC.exe
Token: SeProfSingleProcessPrivilege	304	WMIC.exe
Token: SeIncBasePriorityPrivilege	304	WMIC.exe
Token: SeCreatePagefilePrivilege	304	WMIC.exe
Token: SeBackupPrivilege	304	WMIC.exe
Token: SeRestorePrivilege	304	WMIC.exe
Token: SeShutdownPrivilege	304	WMIC.exe
Token: SeDebugPrivilege	304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	304	WMIC.exe
Token: SeRemoteShutdownPrivilege	304	WMIC.exe
Token: SeUndockPrivilege	304	WMIC.exe
Token: SeManageVolumePrivilege	304	WMIC.exe
Token: 33	304	WMIC.exe
Token: 34	304	WMIC.exe
Token: 35	304	WMIC.exe
Token: SeBackupPrivilege	760	vssvc.exe
Token: SeRestorePrivilege	760	vssvc.exe
Token: SeAuditPrivilege	760	vssvc.exe
Token: SeIncreaseQuotaPrivilege	304	WMIC.exe
Token: SeSecurityPrivilege	304	WMIC.exe
Token: SeTakeOwnershipPrivilege	304	WMIC.exe
Token: SeLoadDriverPrivilege	304	WMIC.exe
Token: SeSystemProfilePrivilege	304	WMIC.exe
Token: SeSystemtimePrivilege	304	WMIC.exe
Token: SeProfSingleProcessPrivilege	304	WMIC.exe
Token: SeIncBasePriorityPrivilege	304	WMIC.exe
Token: SeCreatePagefilePrivilege	304	WMIC.exe
Token: SeBackupPrivilege	304	WMIC.exe
Token: SeRestorePrivilege	304	WMIC.exe
Token: SeShutdownPrivilege	304	WMIC.exe
Token: SeDebugPrivilege	304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	304	WMIC.exe
Token: SeRemoteShutdownPrivilege	304	WMIC.exe
Token: SeUndockPrivilege	304	WMIC.exe
Token: SeManageVolumePrivilege	304	WMIC.exe
Token: 33	304	WMIC.exe
Token: 34	304	WMIC.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

lsass.exelsass.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1056 wrote to memory of 1448	1056	lsass.exe	lsass.exe
PID 1056 wrote to memory of 1448	1056	lsass.exe	lsass.exe
PID 1056 wrote to memory of 1448	1056	lsass.exe	lsass.exe
PID 1056 wrote to memory of 1448	1056	lsass.exe	lsass.exe
PID 1056 wrote to memory of 640	1056	lsass.exe	notepad.exe
PID 1056 wrote to memory of 640	1056	lsass.exe	notepad.exe
PID 1056 wrote to memory of 640	1056	lsass.exe	notepad.exe
PID 1056 wrote to memory of 640	1056	lsass.exe	notepad.exe
PID 1056 wrote to memory of 640	1056	lsass.exe	notepad.exe
PID 1056 wrote to memory of 640	1056	lsass.exe	notepad.exe
PID 1056 wrote to memory of 640	1056	lsass.exe	notepad.exe
PID 1448 wrote to memory of 792	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 792	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 792	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 792	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1904	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1904	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1904	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1904	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1612	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1612	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1612	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1612	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 584	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 584	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 584	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 584	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1704	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1704	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1704	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 1704	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 316	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 316	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 316	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 316	1448	lsass.exe	cmd.exe
PID 1448 wrote to memory of 624	1448	lsass.exe	lsass.exe
PID 1448 wrote to memory of 624	1448	lsass.exe	lsass.exe
PID 1448 wrote to memory of 624	1448	lsass.exe	lsass.exe
PID 1448 wrote to memory of 624	1448	lsass.exe	lsass.exe
PID 792 wrote to memory of 1940	792	cmd.exe	WMIC.exe
PID 792 wrote to memory of 1940	792	cmd.exe	WMIC.exe
PID 792 wrote to memory of 1940	792	cmd.exe	WMIC.exe
PID 792 wrote to memory of 1940	792	cmd.exe	WMIC.exe
PID 1704 wrote to memory of 2008	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 2008	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 2008	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 2008	1704	cmd.exe	vssadmin.exe
PID 316 wrote to memory of 304	316	cmd.exe	WMIC.exe
PID 316 wrote to memory of 304	316	cmd.exe	WMIC.exe
PID 316 wrote to memory of 304	316	cmd.exe	WMIC.exe
PID 316 wrote to memory of 304	316	cmd.exe	WMIC.exe
PID 316 wrote to memory of 1636	316	cmd.exe	vssadmin.exe
PID 316 wrote to memory of 1636	316	cmd.exe	vssadmin.exe
PID 316 wrote to memory of 1636	316	cmd.exe	vssadmin.exe
PID 316 wrote to memory of 1636	316	cmd.exe	vssadmin.exe
PID 1448 wrote to memory of 556	1448	lsass.exe	notepad.exe
PID 1448 wrote to memory of 556	1448	lsass.exe	notepad.exe
PID 1448 wrote to memory of 556	1448	lsass.exe	notepad.exe
PID 1448 wrote to memory of 556	1448	lsass.exe	notepad.exe
PID 1448 wrote to memory of 556	1448	lsass.exe	notepad.exe
PID 1448 wrote to memory of 556	1448	lsass.exe	notepad.exe
PID 1448 wrote to memory of 556	1448	lsass.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\lsass.exe
"C:\Users\Admin\AppData\Local\Temp\lsass.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1636

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
PID:624

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:556

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x598
1⤵
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
e5be8c65934ad0c00c584026d085108e

SHA1
6ce4c8bc54630bf9f70d3fe93ce91bf44004439f

SHA256
68413df5f5923c0283167f5bf10bb7a65b1cdbea7602d263f64af49820efa315

SHA512
50470648453a249e3ec06572fd418a123bd0500291a8b3bc0c7cde453ac36e027130f49f01c17ab21034d6033abe1f81402166ee80460b0fcb56856f20db2539

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
3208da0c038576623565b095fcea4ad1

SHA1
bc421f8eb4b9c6100aa444edece988c01dd63b26

SHA256
16ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b

SHA512
17fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3bf227caeee1b07d47b29873a1640f1a

SHA1
61af6e587db89d7d7f518bb1e16c2d73451e5ed6

SHA256
30becef61dd6dd9d8b0402aec82db12ebb3ef7b76d854ca1f8bd30fa50ab5980

SHA512
29a3663efa62ccc6dce4e083b7e43e80560de48ebc0eebfff5aed1fc158f0ed65a009589046773cb3c97588005219f45ae414c53f7bffe5a0a2ec80b0c2a903e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
3af6c18e97a627c61153484605c14c5a

SHA1
0ae7488ef2f85f745df8d01ded9238a5db9ad922

SHA256
d48669fb76749a36eea78f3fa8bcf0bc7da23a2c783803a7ff0a3bac81a3bf39

SHA512
694ec41db00f20feba29b76f179a4b48b44aa4170b6e2ecdc47b16675881ddaee50f1fc5f4cd2037902a4f2ed5e7af775ec79762cfcbda7c3a63a3733849afed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
17188c7f4d87d9c42ce97a5b2387afad

SHA1
da50f3c62aed9782c35498c225b9fd121dca79ad

SHA256
b47a5d8809fe0df50164d579d2399a3b6d303c4411136edc75b1d85d488c06d2

SHA512
7326e3e18d16aeff08eacb48b3c71a5901a1eaa729a1ce7f78ccbcc9a7f58dacc69b821d2360586b115285bdcaeacc279e58db5f4b4fcbd43f5fa3d4a7a5f5c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0c5d29463eab2f688a7586fdec05fd61

SHA1
239b9822af7c7befdec39334101222c2bf9f8dd5

SHA256
fe4d476cbe6973edce783325639743be5842a9d1128468054fb0f3dc35ad20e8

SHA512
98a2443de6c077c9a93667c743d4a8d75a9a1f7643d2049bfa1f724e130eed3d5851460b14cca406f34ce25155b9b4ce6c31f17d9cfc534cf667b1649262e32a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
fbf5bc2b76f81a5771949ec0cfe14172

SHA1
ed6de5863898c978cad14ffd41a61ebe1f3aecb3

SHA256
46e3be2c9bdb26c7f6b1a25fbb2c29bfeed141baa06c236a55829f9bffd6dd5e

SHA512
ab95828fd7b798bbac512626f6eb408750d3209a900cddadc56c730f30e59b39c37f49856495a566e087819c2f21200d1217fde84deabe4bddafedd8fee7f956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\QZ84IDLQ.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\IEGDHP77.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
C:\Users\Admin\Desktop\AssertConfirm.MTS.E4B-88F-1D5
MD5
e1457df4ccc895c1139af3fedabdaa19

SHA1
bdd503a23a68fa20b6d55df1158dd1f16fdd07fb

SHA256
292e501302d048246242eb706f406bcfa6062b3359aaedf80b90669fde8a52e3

SHA512
57323804479b16ea03454e3fa072c52c8bd40be2c2433e6caa7cb51c5425661dba41cf83aa386442cc82999dd4ad08c62b8be330f1ecc7868e2407165e756879

Download Submit
C:\Users\Admin\Desktop\CloseAdd.tmp.E4B-88F-1D5
MD5
f5c61676a5ad7fc65e8ecda92c47a34a

SHA1
e032ded928807648ed9131e83bb47cea82c30e82

SHA256
223c8e44879d3452334f5bf32e86580d2b69a7707ad2d039338b6884ab8abd71

SHA512
2dff01cd183f32883368a6c41c9bd42a506110db629c729260f4698387acc2ca87e1002960026b55ba80063d5072a7f8d9ae1fab019c84433e7da300cbd2182e

Download Submit
C:\Users\Admin\Desktop\CompareClose.m4a.E4B-88F-1D5
MD5
90480a10d8a1a5bbe31363419188f6d2

SHA1
d096ba22de3b7539d77eea982db0a7ecc4079774

SHA256
512709ddef0efec6b30a747214f79ca9bcbf346edce9a3501185895d9ca1ec27

SHA512
2fc649cf9ae63a6cda913f62b8f6f52b58af60fced402a74cf3280d57f6e300e51682213e2a86aaa6c49d3a8f32a5df9a60838070a6f571f2cde3ecc3e37159c

Download Submit
C:\Users\Admin\Desktop\CompareResize.wav.E4B-88F-1D5
MD5
978865b2bfd14855049ae73dfb7c4b82

SHA1
084bda6e0127002246c50383f5ce1dd92bc3cfc5

SHA256
09601d7f74e2c456d96f8556fe5f6229976959918d54e3c53d02701fc6f15a33

SHA512
276851c7cb89af0dcd71f16a727720ec00c7021aaff031c955d2c001aea00e44b54c11e3ee1e2a8a5ac472e5c239de03e7011854c78b32239a08a79b08e310d0

Download Submit
C:\Users\Admin\Desktop\CompressSubmit.wmf.E4B-88F-1D5
MD5
979597dec68f455c2a8763b945ed3ff9

SHA1
a319ab8cd9bf64c1107c9dd269529a852e236aaf

SHA256
a6a8c4167447b0981a519842d2d5cf8e1f9218aa63abea72034f10225110d92f

SHA512
25c3a00bb815659d7d01b9b04354343a3daea9ffafe5a9550093c2588ee1ceec83732ce73232a6af649bd7f1e1c8375592dd43a3f5e54a27bde244a4cb2b96da

Download Submit
C:\Users\Admin\Desktop\ConvertFromClear.rm.E4B-88F-1D5
MD5
ff6e4c4bd68f4ad65be29d5167f72a9b

SHA1
bee207ebc45d95a347f8052a1b57d38908bc2b03

SHA256
d3c3981d15545155d660ca0ec9368bdd60c9546c48a651742125572c6bb125ce

SHA512
a04659caabe4533433bf80007c8dbc355e4c4d3f032a8a1e9520ca65af9b7c77fca0e16d16a98e25462cebda7bfaa87d697485ca5aba0345eafc0a08746df939

Download Submit
C:\Users\Admin\Desktop\CopyExit.vssx.E4B-88F-1D5
MD5
8fd15f211ce4b1eeb1c82a15d5112b19

SHA1
57e817f346659111797bc20396938155f68d0257

SHA256
ef8af024ef684fd18a88b97f6dc1cdecd7b5cfc977f344147338741f44a4b679

SHA512
5a4c0bdc975a534684b3351da2d49f18126d787d28f19138d41cf49633278e08aba5ab277c099f3a842fc55e8d3ab9ae56a823412f34763482117cf722990b10

Download Submit
C:\Users\Admin\Desktop\CopySplit.AAC.E4B-88F-1D5
MD5
3dcfea301b4a8fc3f61a877ac08049ba

SHA1
07b150327cb8f6266ff8001e8778b116d45ece01

SHA256
5a5e52720dd30a2d32da5785e3d14bfb8834791ffc49ff6ce6289698fc3c10ce

SHA512
fcbfb604bf48cb2aa5d078a9a9ab340111217d773fe8745085ce6fc9a8f94306dce63f3d7e5cc359b39c8fe05a29dfd6e1b7ba3b7a1487cbdee713f132982138

Download Submit
C:\Users\Admin\Desktop\DenyConnect.3g2.E4B-88F-1D5
MD5
f0b062f46dff314bba0d238fbf5cfbb9

SHA1
1ae5414dba9fc0df2e3d34086837c94158612a05

SHA256
0ea716bfb0bf1c7ea4af140d7236e97ac9a047a203bc74d7533f7e002a3cf0c0

SHA512
36baa61088b2d6f4cd80576a5d733dcf5eda3a146474335ac65e743275f80f75c16a14d5d646f3573c7bc1997ab946ea242b8c3981ac36257edbf7928d8b3e27

Download Submit
C:\Users\Admin\Desktop\DenyConnect.tif.E4B-88F-1D5
MD5
ed469417ed4b793dd6ed0023319788fd

SHA1
e682755b6f09db094159bd7dfc273239a781bfa6

SHA256
28dc39fd015ace42b4241487239826b7b26f9fbf3410df69ab93bc7ed6773b10

SHA512
7b49b0b3128a6bb7c50d295e337194b10e589367cf4f76bc4cc44f9ebfc5b5d54599a7f8e462cfb76f20387e781b7b4be4eafbb54f9f8ba0f202b34f99ac2cbe

Download Submit
C:\Users\Admin\Desktop\GrantDeny.rm.E4B-88F-1D5
MD5
aa17a9c20e5b3bccc4477958e7bd782f

SHA1
3407fad4496c308f16ac4675b01ec35f9a6d1152

SHA256
e1af895881783416151daca8e5b3e010ed5eb5aecc455e6881f9ad83e6bfc365

SHA512
12d23ee96b2fef01168d5fe9d0214f8cecf2b21312dcf9d7d18cee66f33951efa50cfecc8022d97687a751e90710a7e98686606af9427f3b380e8daeb22ce0b3

Download Submit
C:\Users\Admin\Desktop\GrantUndo.iso.E4B-88F-1D5
MD5
dcf4172b2111f3c788c96f8407a009ff

SHA1
d2c749664ab0772fcbd382d604f8b76a7f3fc33d

SHA256
d2df75b4399504d5d710dd0e3c2f552ce776e78aeae5bf89400a3ec63810043d

SHA512
a2b60ccb4e93548d72c0ce313cef560b7f6f64f8c75a64e93dcaff26372cc53fbf78bc29800c7b3918787ad99a3cc035638f3a71bbccbabaf8f73116bf09bf59

Download Submit
C:\Users\Admin\Desktop\LimitBackup.ogg.E4B-88F-1D5
MD5
37af0709e6e7c92387238b1d00799498

SHA1
e14de75f6b5c74ee41cbafcc5e70023b9290593f

SHA256
3541f574c1a7c4d87641fa73035aeb73976d96b7b1b13417f8e07f6ec56cfb52

SHA512
6a80764df56921544e16a17981ecc527b1d84bf0a5e02308d19968fed67b3580eaf7f386b097a54784c5275361d06e1298ee54df1376130352bc89b4fab23c1a

Download Submit
C:\Users\Admin\Desktop\NewEnable.au.E4B-88F-1D5
MD5
e4fae3786ecb43488e916596eb173c9e

SHA1
5468a0454d528dbf8d5cda74804bc5c438464226

SHA256
4eeaf3a4ec5f429fa0615e77ca7c18082bae2d49f4d422b52f97049d0524b055

SHA512
0aacfa72b97da5dc7fa23d1fd131c36cf6013bcd60d6b01dae9bfee2e8254f12f56ea6eccfb71cc33d7a5e7b99e1180c9a5d520c5137ab1e307f6f70c54ba382

Download Submit
C:\Users\Admin\Desktop\NewProtect.csv.E4B-88F-1D5
MD5
112c4db4ddc2245ccac8f04cfd1b49fd

SHA1
26b7deaf9eacaaec80a97efbed60c21c1887d37f

SHA256
a2091f1a22f082e387d369a6705b8bce53fbc75204b0ff185cb6f3ca85e96cf9

SHA512
ad35568aabe1f07eaaf43cdaf02513e9e5b59f37d6d7e5f097d2e03c4daf45d247c94557297ce9eb7f1cb3439ff162363f8ebee76b506839bdc92ff3a3b0e935

Download Submit
C:\Users\Admin\Desktop\PublishJoin.aifc.E4B-88F-1D5
MD5
efe6c7bc44f9a8123ee67f3c834378fb

SHA1
4f4cc02de31492edac706f63c2873d7b4f5540aa

SHA256
67460a52ef63fb54a3a2d276fd38327970c6ec64a592768df2cc2bc754a2c8a9

SHA512
5dceb618ad726f738e577cc21b5723254898c4712c4772a0e5336d43ea2e1a7f58de811ab33c3f8d821ab7dcce06b764b7588afe5dd8ee9cf048b8a84a8501f1

Download Submit
C:\Users\Admin\Desktop\PushSend.mpg.E4B-88F-1D5
MD5
fcf468fc2d1312f4f08fbdac58cf77ed

SHA1
d2fda9bf5219877d482cf774bf546e25ca28b6ea

SHA256
1510a9b7f8e299e20bb6370bbd019975145fc2eee5fd1e3124c34017f8343b35

SHA512
84b4594b82acec6921d531134a8439fd029272f21bb16da34ceba40436983273b8ca59944ff1ac210f9855a220c0a1b446002c6dac973b503279d4c6f638fc24

Download Submit
C:\Users\Admin\Desktop\SyncJoin.iso.E4B-88F-1D5
MD5
3d21b6dad42b5cd15b171e8d7651c38f

SHA1
869055b978654cd4e4e8f29964d8bda1f4dfe911

SHA256
7e1124e67aa24ac894e4599cdc82cc311427c33807932c7ba429c7e7a6d6ceaa

SHA512
b6c7c670f58b3d98a8690682fb64ef9f8faaed774e3f542ed7412d75f2da50861807a784717b44dcd2dcd7240430f03ba652164aa0871a01ef0f12a4a6308c67

Download Submit
C:\Users\Admin\Desktop\TraceUnregister.wmf.E4B-88F-1D5
MD5
a4f59e6aa5378985af63e6b7a4bbeb83

SHA1
ed67c746640e5a4313ef1ec3873572c01a426890

SHA256
bfd76236524e7760d4891c3d860ae505ebb995a65f41a6e3827e5cad4b673051

SHA512
79d777d478a3e5ca8996cd75b40e0ca21a10b6397d7a8b6dcca67a9c692174ceaaae110a88d2030f48cb3ebf4f38c25579d2edaf19e096153580d5944272526b

Download Submit
C:\Users\Admin\Desktop\UnblockConvertFrom.DVR.E4B-88F-1D5
MD5
bbc98043051a1fb79cd86bbd970cac7c

SHA1
e12e0a271e8c55a750fc81b52ddb708f22179094

SHA256
6f1f847bcaebc2856b1e34696df418efa8fc2990015b4862355a661ebe2de51a

SHA512
60a052154b672ae25d09435504fe1658dd13c98a696f030b9a266a37c1937f349e97eb951042147b3098fce7777da30a6c71696dc4a2587b7b6a204b7404bd5f

Download Submit
C:\Users\Admin\Desktop\UnblockSet.au.E4B-88F-1D5
MD5
451e965f6dabe8dc1c547de0bb8da117

SHA1
505434d7b789a0298cf5f6b1ac4323e437e74501

SHA256
f0835ff4315a0e6a77c7c83dd63f757dbe253a4233e85399eeff4c7d1da06cfe

SHA512
1ebc21868219edd1869d67e40009be4ff4660883eb80d368c7f413ba9551c93ba18d954180359e88633b11aa18cc712e9f96fdd36a529ffda4b1d03e99d675a4

Download Submit
C:\Users\Admin\Desktop\UninstallRestore.m1v.E4B-88F-1D5
MD5
f5e5c95315588893835ccd7e75641588

SHA1
c761fa903a9f7e9419c88a5562ab67a783a2168f

SHA256
d516cb9bb10f4fb601b10dd3cf766edd68995aef2a171790129fd80eaf2bdd73

SHA512
f0526f8ecba9fb291674c5ef15571248762bc760fd429b1bfd5280ce0cd53b555f124c6305baf61ced0a47be02819c3a4aca856b70298a7be61ade62958093ee

Download Submit
C:\Users\Admin\Desktop\UnlockBlock.avi.E4B-88F-1D5
MD5
123a54db0778c933cce1d09a0aedcc37

SHA1
826a71ddf6c4fbdca478c79d8d35daac43490002

SHA256
74f83249aa2e333f607a5ef49a69daa0f076496c06329c7369ae4bec718beba7

SHA512
078f02d510a45ebda66536b1206803cc7a6145d551f9db001e7c84ec6d25fd234d4d1d947b11c77f4141c1472cda59542b2cbe64b7bea2a4cd8722c933385fa3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
memory/304-28-0x0000000000000000-mapping.dmp

Download
memory/316-21-0x0000000000000000-mapping.dmp

Download
memory/556-54-0x0000000000000000-mapping.dmp

Download
memory/556-53-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/584-19-0x0000000000000000-mapping.dmp

Download
memory/624-23-0x0000000000000000-mapping.dmp

Download
memory/640-5-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/640-6-0x0000000000000000-mapping.dmp

Download
memory/792-16-0x0000000000000000-mapping.dmp

Download
memory/1448-3-0x0000000000000000-mapping.dmp

Download
memory/1612-18-0x0000000000000000-mapping.dmp

Download
memory/1632-0-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmp

Filesize
2.5MB

Download
memory/1636-29-0x0000000000000000-mapping.dmp

Download
memory/1704-20-0x0000000000000000-mapping.dmp

Download
memory/1904-17-0x0000000000000000-mapping.dmp

Download
memory/1940-25-0x0000000000000000-mapping.dmp

Download
memory/2008-26-0x0000000000000000-mapping.dmp

Download