buran | 45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

Resubmissions

07-11-2020 21:55

201107-hpbkxklwmn 10

07-11-2020 21:28

201107-vkwbkzk1ej 10

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7v20201028
submitted
07-11-2020 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lsass.exe
Size

214KB
MD5

3a87a3c5abcdc92ef421700ac6f5d0d1
SHA1

70509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA256

45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512

f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: tomriddle1337@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: tomriddle1337@cock.li Reserved email: riddletom1337@protonmail.com Your personal ID: 285-093-7AC Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

tomriddle1337@cock.li

riddletom1337@protonmail.com

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1212 svchost.exe
1648 svchost.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1636 notepad.exe
Loads dropped DLL 2 IoCs

Processes:

lsass.exe

pid process

744 lsass.exe
744 lsass.exe

pid	process
1636	notepad.exe

pid	process
744	lsass.exe
744	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	lsass.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 geoiptool.com

flow	ioc
6	geoiptool.com

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 13766 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296279.WMF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kathmandu.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185796.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200377.WMF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_es.dub.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png	svchost.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SUBMIT.JS	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215709.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14829_.GIF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR21F.GIF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185798.WMF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FORM.ICO.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01461_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105526.WMF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14578_.GIF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232393.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\ELPHRG01.WAV	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql90.xsl	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01954_.WMF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME19.CSS	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105974.WMF.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.285-093-7AC	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103402.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21327_.GIF	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.285-093-7AC	svchost.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1588 vssadmin.exe
1636 vssadmin.exe

pid	process
1588	vssadmin.exe
1636	vssadmin.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

svchost.exelsass.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lsass.exe

Suspicious behavior: EnumeratesProcesses 1224 IoCs

Processes:

svchost.exe

pid	process
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe

Suspicious use of AdjustPrivilegeToken 85 IoCs

Processes:

lsass.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	744	lsass.exe
Token: SeDebugPrivilege	744	lsass.exe
Token: SeIncreaseQuotaPrivilege	1412	WMIC.exe
Token: SeSecurityPrivilege	1412	WMIC.exe
Token: SeTakeOwnershipPrivilege	1412	WMIC.exe
Token: SeLoadDriverPrivilege	1412	WMIC.exe
Token: SeSystemProfilePrivilege	1412	WMIC.exe
Token: SeSystemtimePrivilege	1412	WMIC.exe
Token: SeProfSingleProcessPrivilege	1412	WMIC.exe
Token: SeIncBasePriorityPrivilege	1412	WMIC.exe
Token: SeCreatePagefilePrivilege	1412	WMIC.exe
Token: SeBackupPrivilege	1412	WMIC.exe
Token: SeRestorePrivilege	1412	WMIC.exe
Token: SeShutdownPrivilege	1412	WMIC.exe
Token: SeDebugPrivilege	1412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1412	WMIC.exe
Token: SeRemoteShutdownPrivilege	1412	WMIC.exe
Token: SeUndockPrivilege	1412	WMIC.exe
Token: SeManageVolumePrivilege	1412	WMIC.exe
Token: 33	1412	WMIC.exe
Token: 34	1412	WMIC.exe
Token: 35	1412	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe
Token: SeManageVolumePrivilege	1820	WMIC.exe
Token: 33	1820	WMIC.exe
Token: 34	1820	WMIC.exe
Token: 35	1820	WMIC.exe
Token: SeBackupPrivilege	956	vssvc.exe
Token: SeRestorePrivilege	956	vssvc.exe
Token: SeAuditPrivilege	956	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1412	WMIC.exe
Token: SeSecurityPrivilege	1412	WMIC.exe
Token: SeTakeOwnershipPrivilege	1412	WMIC.exe
Token: SeLoadDriverPrivilege	1412	WMIC.exe
Token: SeSystemProfilePrivilege	1412	WMIC.exe
Token: SeSystemtimePrivilege	1412	WMIC.exe
Token: SeProfSingleProcessPrivilege	1412	WMIC.exe
Token: SeIncBasePriorityPrivilege	1412	WMIC.exe
Token: SeCreatePagefilePrivilege	1412	WMIC.exe
Token: SeBackupPrivilege	1412	WMIC.exe
Token: SeRestorePrivilege	1412	WMIC.exe
Token: SeShutdownPrivilege	1412	WMIC.exe
Token: SeDebugPrivilege	1412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1412	WMIC.exe
Token: SeRemoteShutdownPrivilege	1412	WMIC.exe
Token: SeUndockPrivilege	1412	WMIC.exe
Token: SeManageVolumePrivilege	1412	WMIC.exe
Token: 33	1412	WMIC.exe
Token: 34	1412	WMIC.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

lsass.exesvchost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 744 wrote to memory of 1212	744	lsass.exe	svchost.exe
PID 744 wrote to memory of 1212	744	lsass.exe	svchost.exe
PID 744 wrote to memory of 1212	744	lsass.exe	svchost.exe
PID 744 wrote to memory of 1212	744	lsass.exe	svchost.exe
PID 744 wrote to memory of 1636	744	lsass.exe	notepad.exe
PID 744 wrote to memory of 1636	744	lsass.exe	notepad.exe
PID 744 wrote to memory of 1636	744	lsass.exe	notepad.exe
PID 744 wrote to memory of 1636	744	lsass.exe	notepad.exe
PID 744 wrote to memory of 1636	744	lsass.exe	notepad.exe
PID 744 wrote to memory of 1636	744	lsass.exe	notepad.exe
PID 744 wrote to memory of 1636	744	lsass.exe	notepad.exe
PID 1212 wrote to memory of 668	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 668	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 668	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 668	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1940	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1940	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1940	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1940	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1712	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1712	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1712	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1712	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1404	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1404	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1404	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1404	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 672	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 672	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 672	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 672	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 940	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 940	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 940	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 940	1212	svchost.exe	cmd.exe
PID 1212 wrote to memory of 1648	1212	svchost.exe	svchost.exe
PID 1212 wrote to memory of 1648	1212	svchost.exe	svchost.exe
PID 1212 wrote to memory of 1648	1212	svchost.exe	svchost.exe
PID 1212 wrote to memory of 1648	1212	svchost.exe	svchost.exe
PID 668 wrote to memory of 1412	668	cmd.exe	WMIC.exe
PID 668 wrote to memory of 1412	668	cmd.exe	WMIC.exe
PID 668 wrote to memory of 1412	668	cmd.exe	WMIC.exe
PID 668 wrote to memory of 1412	668	cmd.exe	WMIC.exe
PID 672 wrote to memory of 1636	672	cmd.exe	vssadmin.exe
PID 672 wrote to memory of 1636	672	cmd.exe	vssadmin.exe
PID 672 wrote to memory of 1636	672	cmd.exe	vssadmin.exe
PID 672 wrote to memory of 1636	672	cmd.exe	vssadmin.exe
PID 940 wrote to memory of 1820	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 1820	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 1820	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 1820	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 1588	940	cmd.exe	vssadmin.exe
PID 940 wrote to memory of 1588	940	cmd.exe	vssadmin.exe
PID 940 wrote to memory of 1588	940	cmd.exe	vssadmin.exe
PID 940 wrote to memory of 1588	940	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\lsass.exe
"C:\Users\Admin\AppData\Local\Temp\lsass.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1588

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1648

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
e5be8c65934ad0c00c584026d085108e

SHA1
6ce4c8bc54630bf9f70d3fe93ce91bf44004439f

SHA256
68413df5f5923c0283167f5bf10bb7a65b1cdbea7602d263f64af49820efa315

SHA512
50470648453a249e3ec06572fd418a123bd0500291a8b3bc0c7cde453ac36e027130f49f01c17ab21034d6033abe1f81402166ee80460b0fcb56856f20db2539

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
3208da0c038576623565b095fcea4ad1

SHA1
bc421f8eb4b9c6100aa444edece988c01dd63b26

SHA256
16ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b

SHA512
17fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3bf227caeee1b07d47b29873a1640f1a

SHA1
61af6e587db89d7d7f518bb1e16c2d73451e5ed6

SHA256
30becef61dd6dd9d8b0402aec82db12ebb3ef7b76d854ca1f8bd30fa50ab5980

SHA512
29a3663efa62ccc6dce4e083b7e43e80560de48ebc0eebfff5aed1fc158f0ed65a009589046773cb3c97588005219f45ae414c53f7bffe5a0a2ec80b0c2a903e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
bd730d25752cdb8b3f67287d39d2bb7d

SHA1
b0215d5567755abae2e6e1c8403393080401769f

SHA256
997c071496860e6e483aeb77ff800f71c5db514823b199834d725df0bbddbbb4

SHA512
0dc8e16507c1c95b54f05329976d5652b4d7f960ca724b4bee7cc75245be3bb44b41d5e147406e7abcb29aed3795bcc7c80eeebcbb489096c73b9ab8b98af265

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
4be7bf0c0097f15ee42b11114da8fca2

SHA1
970f042f5ddddba7aac200af55eac4d894cca5d6

SHA256
4356b03573a54e751fee6ff5f1cd4461fdf69a33e6a4116c138073e9affdb40f

SHA512
f3e872159ba7b71a672bc4312595936b246f450595f08d81b8aa6ca7466c8f0cd9055b3a703f8414f81b828aa2d3e02c66bdec6af999b16907f89b2949cab45a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
46a10d6f47d9c2e9c364ea41758149e1

SHA1
d0a3d23dda779e76bbc790395ad6f3d87dddb679

SHA256
b1196a089f4128fb5a2467c53cf4c87258a052999890a659c4eda3d9f0d94462

SHA512
45ce7a79c801f97f47dac6af0acfc424143ae232221a8fb73b24b8095e314413e0e9a7e989395369f63f1a6b3abef43eb02c70367e0ac7da81fcaf57dfce5dbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
e191bd4c9f9c67f22677a1dd94f29820

SHA1
01fd3cd919e6fe3147a82c7cae4c7f87816c6282

SHA256
93509e9d87bbc04a39dabe1c0dd106e5455006bcee9bc0b7d7d9a637ba7ce44d

SHA512
0b4d64c5a376cc46d59e5a578a69c6096623e76d3f31c6affa570c73758f067bd09ea5ea90be37bdb540d6fac3c6b97e63b56cbf7bc3ba51d6b94c7659a4f08e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\AQX9PTZT.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ISB2KAC\2FDOYCER.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
memory/668-16-0x0000000000000000-mapping.dmp

Download
memory/672-20-0x0000000000000000-mapping.dmp

Download
memory/940-21-0x0000000000000000-mapping.dmp

Download
memory/1212-3-0x0000000000000000-mapping.dmp

Download
memory/1404-19-0x0000000000000000-mapping.dmp

Download
memory/1412-25-0x0000000000000000-mapping.dmp

Download
memory/1588-29-0x0000000000000000-mapping.dmp

Download
memory/1636-5-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1636-26-0x0000000000000000-mapping.dmp

Download
memory/1636-6-0x0000000000000000-mapping.dmp

Download
memory/1648-23-0x0000000000000000-mapping.dmp

Download
memory/1712-18-0x0000000000000000-mapping.dmp

Download
memory/1716-0-0x000007FEF7900000-0x000007FEF7B7A000-memory.dmp

Filesize
2.5MB

Download
memory/1820-28-0x0000000000000000-mapping.dmp

Download
memory/1940-17-0x0000000000000000-mapping.dmp

Download