buran | 442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024

Analysis

max time kernel
135s
max time network
126s
platform
windows7_x64
resource
win7v20201028
submitted
08-01-2021 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Buran.exe
Size

214KB
MD5

2f1ecf99dd8a2648dd013c5fe6ecb6f5
SHA1

121c377693b96eef8e84861f091ef47e6fb6cae5
SHA256

442bf867c8738c7231ff09db0715ec79d0ae15c050fbd46946c45b76a040d024
SHA512

793eb6a3f3d0323b0749a35e372c9fcde15a912f32d74fc5fa0fc104c32d8348f431347fefd1c34e3d51d9b20432f8e66b9ae3b9523b4b4b21e76b6fd2ae8219

Score

10^/10

buran ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: uspex1@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: uspex1@cock.li Reserved email: uspex2@cock.li Your personal ID: 7E0-36C-F53 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

uspex1@cock.li

uspex2@cock.li

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1920 notepad.exe

pid	process
1920	notepad.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Buran.exe

description	ioc	process
File opened (read-only)	\??\Z:	Buran.exe
File opened (read-only)	\??\V:	Buran.exe
File opened (read-only)	\??\N:	Buran.exe
File opened (read-only)	\??\M:	Buran.exe
File opened (read-only)	\??\I:	Buran.exe
File opened (read-only)	\??\B:	Buran.exe
File opened (read-only)	\??\A:	Buran.exe
File opened (read-only)	\??\Y:	Buran.exe
File opened (read-only)	\??\R:	Buran.exe
File opened (read-only)	\??\K:	Buran.exe
File opened (read-only)	\??\H:	Buran.exe
File opened (read-only)	\??\G:	Buran.exe
File opened (read-only)	\??\F:	Buran.exe
File opened (read-only)	\??\U:	Buran.exe
File opened (read-only)	\??\S:	Buran.exe
File opened (read-only)	\??\Q:	Buran.exe
File opened (read-only)	\??\P:	Buran.exe
File opened (read-only)	\??\L:	Buran.exe
File opened (read-only)	\??\J:	Buran.exe
File opened (read-only)	\??\X:	Buran.exe
File opened (read-only)	\??\W:	Buran.exe
File opened (read-only)	\??\T:	Buran.exe
File opened (read-only)	\??\O:	Buran.exe
File opened (read-only)	\??\E:	Buran.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 geoiptool.com

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 15044 IoCs

Processes:

Buran.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Country.gif	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid.gif	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN092.XML	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RES98.POC	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml	Buran.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	Buran.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Oriel.thmx	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADVZIP.DIC.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01759_.WMF.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar	Buran.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\La_Paz.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00345_.WMF	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignright.gif.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml	Buran.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200521.WMF	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\grvschema.xsd	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105846.WMF.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BORDERBB.DPV.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML	Buran.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02862_.WMF	Buran.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JNGLE_01.MID.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01244_.GIF	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18214_.WMF.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_F_COL.HXK.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL082.XML	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02124_.WMF	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACCL.ICO.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICTPH.POC	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey	Buran.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98.POC	Buran.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	Buran.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\viewDblClick.js.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31F.GIF.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107734.WMF	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay	Buran.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.7E0-36C-F53	Buran.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10267_.GIF.7E0-36C-F53	Buran.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1560 vssadmin.exe
1776 vssadmin.exe

pid	process
1560	vssadmin.exe
1776	vssadmin.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Buran.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Buran.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Buran.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Buran.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Buran.exe

Suspicious use of AdjustPrivilegeToken 85 IoCs

Processes:

WMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	520	WMIC.exe
Token: SeSecurityPrivilege	520	WMIC.exe
Token: SeTakeOwnershipPrivilege	520	WMIC.exe
Token: SeLoadDriverPrivilege	520	WMIC.exe
Token: SeSystemProfilePrivilege	520	WMIC.exe
Token: SeSystemtimePrivilege	520	WMIC.exe
Token: SeProfSingleProcessPrivilege	520	WMIC.exe
Token: SeIncBasePriorityPrivilege	520	WMIC.exe
Token: SeCreatePagefilePrivilege	520	WMIC.exe
Token: SeBackupPrivilege	520	WMIC.exe
Token: SeRestorePrivilege	520	WMIC.exe
Token: SeShutdownPrivilege	520	WMIC.exe
Token: SeDebugPrivilege	520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	520	WMIC.exe
Token: SeRemoteShutdownPrivilege	520	WMIC.exe
Token: SeUndockPrivilege	520	WMIC.exe
Token: SeManageVolumePrivilege	520	WMIC.exe
Token: 33	520	WMIC.exe
Token: 34	520	WMIC.exe
Token: 35	520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	520	WMIC.exe
Token: SeSecurityPrivilege	520	WMIC.exe
Token: SeTakeOwnershipPrivilege	520	WMIC.exe
Token: SeLoadDriverPrivilege	520	WMIC.exe
Token: SeSystemProfilePrivilege	520	WMIC.exe
Token: SeSystemtimePrivilege	520	WMIC.exe
Token: SeProfSingleProcessPrivilege	520	WMIC.exe
Token: SeIncBasePriorityPrivilege	520	WMIC.exe
Token: SeCreatePagefilePrivilege	520	WMIC.exe
Token: SeBackupPrivilege	520	WMIC.exe
Token: SeRestorePrivilege	520	WMIC.exe
Token: SeShutdownPrivilege	520	WMIC.exe
Token: SeDebugPrivilege	520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	520	WMIC.exe
Token: SeRemoteShutdownPrivilege	520	WMIC.exe
Token: SeUndockPrivilege	520	WMIC.exe
Token: SeManageVolumePrivilege	520	WMIC.exe
Token: 33	520	WMIC.exe
Token: 34	520	WMIC.exe
Token: 35	520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1584	WMIC.exe
Token: SeSecurityPrivilege	1584	WMIC.exe
Token: SeTakeOwnershipPrivilege	1584	WMIC.exe
Token: SeLoadDriverPrivilege	1584	WMIC.exe
Token: SeSystemProfilePrivilege	1584	WMIC.exe
Token: SeSystemtimePrivilege	1584	WMIC.exe
Token: SeProfSingleProcessPrivilege	1584	WMIC.exe
Token: SeIncBasePriorityPrivilege	1584	WMIC.exe
Token: SeCreatePagefilePrivilege	1584	WMIC.exe
Token: SeBackupPrivilege	1584	WMIC.exe
Token: SeRestorePrivilege	1584	WMIC.exe
Token: SeShutdownPrivilege	1584	WMIC.exe
Token: SeDebugPrivilege	1584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1584	WMIC.exe
Token: SeRemoteShutdownPrivilege	1584	WMIC.exe
Token: SeUndockPrivilege	1584	WMIC.exe
Token: SeManageVolumePrivilege	1584	WMIC.exe
Token: 33	1584	WMIC.exe
Token: 34	1584	WMIC.exe
Token: 35	1584	WMIC.exe
Token: SeBackupPrivilege	1680	vssvc.exe
Token: SeRestorePrivilege	1680	vssvc.exe
Token: SeAuditPrivilege	1680	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1584	WMIC.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

Buran.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1832 wrote to memory of 564	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 564	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 564	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 564	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1424	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1424	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1424	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1424	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1200	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1200	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1200	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1200	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 944	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 944	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 944	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 944	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1152	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1152	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1152	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1152	1832	Buran.exe	cmd.exe
PID 564 wrote to memory of 520	564	cmd.exe	WMIC.exe
PID 564 wrote to memory of 520	564	cmd.exe	WMIC.exe
PID 564 wrote to memory of 520	564	cmd.exe	WMIC.exe
PID 564 wrote to memory of 520	564	cmd.exe	WMIC.exe
PID 1832 wrote to memory of 1928	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1928	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1928	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1928	1832	Buran.exe	cmd.exe
PID 1832 wrote to memory of 1056	1832	Buran.exe	Buran.exe
PID 1832 wrote to memory of 1056	1832	Buran.exe	Buran.exe
PID 1832 wrote to memory of 1056	1832	Buran.exe	Buran.exe
PID 1832 wrote to memory of 1056	1832	Buran.exe	Buran.exe
PID 1152 wrote to memory of 1776	1152	cmd.exe	vssadmin.exe
PID 1152 wrote to memory of 1776	1152	cmd.exe	vssadmin.exe
PID 1152 wrote to memory of 1776	1152	cmd.exe	vssadmin.exe
PID 1152 wrote to memory of 1776	1152	cmd.exe	vssadmin.exe
PID 1928 wrote to memory of 1584	1928	cmd.exe	WMIC.exe
PID 1928 wrote to memory of 1584	1928	cmd.exe	WMIC.exe
PID 1928 wrote to memory of 1584	1928	cmd.exe	WMIC.exe
PID 1928 wrote to memory of 1584	1928	cmd.exe	WMIC.exe
PID 1928 wrote to memory of 1560	1928	cmd.exe	vssadmin.exe
PID 1928 wrote to memory of 1560	1928	cmd.exe	vssadmin.exe
PID 1928 wrote to memory of 1560	1928	cmd.exe	vssadmin.exe
PID 1928 wrote to memory of 1560	1928	cmd.exe	vssadmin.exe
PID 1832 wrote to memory of 1920	1832	Buran.exe	notepad.exe
PID 1832 wrote to memory of 1920	1832	Buran.exe	notepad.exe
PID 1832 wrote to memory of 1920	1832	Buran.exe	notepad.exe
PID 1832 wrote to memory of 1920	1832	Buran.exe	notepad.exe
PID 1832 wrote to memory of 1920	1832	Buran.exe	notepad.exe
PID 1832 wrote to memory of 1920	1832	Buran.exe	notepad.exe
PID 1832 wrote to memory of 1920	1832	Buran.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\Buran.exe
"C:\Users\Admin\AppData\Local\Temp\Buran.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
2⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:1200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
2⤵
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1560

C:\Users\Admin\AppData\Local\Temp\Buran.exe
"C:\Users\Admin\AppData\Local\Temp\Buran.exe" -agent 0
2⤵
- Drops file in Program Files directory
PID:1056

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\Desktop\ApproveMove.shtml.7E0-36C-F53
MD5
f7b882ddd8d5ab4f1ea14dfbb2d72ca7

SHA1
be10059073a674e367c08ac268b444b3215e160e

SHA256
a8cda1fa51f6f8dbedaedc9a7f0b47f471efc2162b4c7256828cb20f986fc01c

SHA512
5b6223a5fce6272bf4a6da15aa1fda425de34ff42fc2ebd1e4324ebb5c08e9d7ce5e0c6c03ec37529b6342011b733632bf34894e2c63688f83d44b1b8e22680d

Download Submit
C:\Users\Admin\Desktop\CompareUninstall.pcx.7E0-36C-F53
MD5
208757717818c604932f535ca7c694d8

SHA1
d60eda8e3580e511c1e5c7cd10ffb54c4b8d4733

SHA256
0865cdc499060a24e0353d5a17524beb5fbbd5f0bada5dbd313f97eaf4a0315d

SHA512
03156c1697db9a069a10234b7928af8eb1900c83ee5e093e823e44c250d0783eec32edb1c245517418ec7e5bdbbab25abeedb02890ef84808ad2103c31a9d115

Download Submit
C:\Users\Admin\Desktop\CompleteProtect.mpg.7E0-36C-F53
MD5
be5e118952c4e429932de2c57faee918

SHA1
c64f4853674e4916d2820b0f435f6f2817cbc81a

SHA256
526f7395ff4b4e01769faf1b37de7919eaef06748b2c2721208aa862e07aaccc

SHA512
5a7997e18d5853ca26150425349e711dab43038954c98b067c2aff0885d42d75d73c0ffdf07a46a8adba484ffad4cefdc6fcabc98000f0a523218e7f380f4800

Download Submit
C:\Users\Admin\Desktop\DisableMeasure.ttc.7E0-36C-F53
MD5
a879da0ab221b24d5aa825b9d4dedb8b

SHA1
2b6f7012c70f831b8482144ee5916e122bfd3b84

SHA256
fee89af0ff61722a83e2c97f7d970651f2411abd6cd69f44a0061d2242bc8939

SHA512
50b032e219038d6d7e2908cb52d4234353218c021d9da6d8223d7071a61837f2f20cff2e2c28253e9a5676d0d49a1d9dd798fd5e88e760b332a12590595e326d

Download Submit
C:\Users\Admin\Desktop\DisableSplit.mpe.7E0-36C-F53
MD5
57070c58bf2b83e6219c177b51dbfdb6

SHA1
06693c29f85e90a3ac340ac399291e7ec678e736

SHA256
7c7ecf73d835f586433e76db2537e523f35b5fd92ee2b7cdd7b2779ba91d0f34

SHA512
ced7b2254bd1439dd4a49864deaa3fab3bdf4b85a5604a46d5f84501cd61ad85a2e8aeddf5cfca6e50ba921940d32e3bd175c2c82a5e9d11633d59cf25543634

Download Submit
C:\Users\Admin\Desktop\EnableExpand.doc.7E0-36C-F53
MD5
83a46b0a11cb2c39a64ef0e38adc6773

SHA1
396f2c55f9433147fcf721f95b4ef82aa37de12c

SHA256
a2c344d6afaa74d6ad2663423411a8b1ec9a09efc86e10173936da094ce7baa9

SHA512
32eb1593861e7c34caa9cfdac76697d15002cd536ca21c137815a873f0ac8eb9d7ac8b173bcd99e1707468c889948d9e94115ab80a3aac1b753f606d70455c10

Download Submit
C:\Users\Admin\Desktop\FormatBackup.contact.7E0-36C-F53
MD5
4e9fca423deaa6db9de5372f8ff48c72

SHA1
72f4efafee378b3e1e0487188f2ef7099de14aad

SHA256
6d92b324478b2db0f5772b207d880cacc5deee07c6b2afa615611679921bc219

SHA512
4a9d519f344ebdd404d611c58e529c6a9ebab0655959019b797116624b496b701dea18b37725f9e1f63242e8ccb06cab9c22b024d0a19f349cc48c347358e083

Download Submit
C:\Users\Admin\Desktop\GrantSwitch.xlsx.7E0-36C-F53
MD5
3e2e626fa2b0aa5417668cc9ee1ffd61

SHA1
92ce90cfb74f2a71fab670f41a177a6ae32a1233

SHA256
ae7456acff18c4c722cc563cbe91189ae215e8be4299042c7f249af7e682708d

SHA512
4059250dc2710badb44a8213b3ac31bcaf1212b584a32f2fab2c3a7c6edffdae0bf41c12f5128e2dfbbc4ed993fe32a0c1beea8a3e96818500d83f468409b6f4

Download Submit
C:\Users\Admin\Desktop\ImportDebug.rmi.7E0-36C-F53
MD5
eecc8f2190a6d1b3c48194db2b4e0f3a

SHA1
cc7c29b8580df8bb757de5e8ac2ab5aaedd4778b

SHA256
a13b053282323009e402f7d561c5835e8ada602f36d4d5eab10cebff10ee86dd

SHA512
d664ac42d42a3356ee045ed376007670af3b243f190ccfb4dfc91744916271462bcfac48ab65ea883dadca427295aca2e6d0ad6e881b34c27ec552174d71166f

Download Submit
C:\Users\Admin\Desktop\MountOpen.dwg.7E0-36C-F53
MD5
badeda870da6318c56121bff313ea0aa

SHA1
ee3097f7939ee2d8f6dc313e2159e49ba54a668e

SHA256
f4800057a2523d2e12fe4dce611fb25e0cb9bc880847e61a6aa685a6b4cb2360

SHA512
d133c7eabf07f7a4558f2548fcc2854c956c5e2dbbfd598c7c91afb583205db0c4230ba15e6fc797d0fda7d0946efb7e05f49be08b060bce1f6ded9406c13945

Download Submit
C:\Users\Admin\Desktop\ResolveStop.gif.7E0-36C-F53
MD5
3be1bc48a891e5bbbe243b7297fe9b65

SHA1
02f8f32a398367db07ad8cf5e1aed70fd28190c1

SHA256
6e03e3b2a60a322881454d785c739b41ef68a3e9ca7888ec7c636ba769c16a61

SHA512
4a7fe11b7c23399ae49f5aab79b9dd4c486b295edf2c099961163ccac0f137d976480a4e654eca7fc2d595eaaef55859c4c09169d4be89b6dec9bc372e2cb3d0

Download Submit
C:\Users\Admin\Desktop\SplitStep.xps.7E0-36C-F53
MD5
3083ba574099123231891e69813bc245

SHA1
5b1dc3b562d81549eaa9d5f6a29265c2b374af1f

SHA256
3769a1dbd33790d803671bccc20a8d83e70cfbcaf435ffce2fcf16f44d442aab

SHA512
4582e26293e2d0860a2489422a573e0d53101076d5eae5e647da1c4d485e392033cd0c59702e4f996cd67257a698bfac535622f2e56acaed247f192945caf662

Download Submit
C:\Users\Admin\Desktop\StartReset.nfo.7E0-36C-F53
MD5
e3f0ad21d0a653e773a1f372da1fd97c

SHA1
8538b650b51d92737e3b9b60460ca3bb62fe112a

SHA256
31b9432cd723a85c3c4316a8631bcc448d09790bf2bfb5b1cd03ff921d06b441

SHA512
492f9ab9680e6dd117921b65af8ccc5533a5aa2ff81c6ec7769c86dc722697cfa39ee23a0c3a60ce3763e28910abf663264188e29aabc7f54544387ea5041670

Download Submit
C:\Users\Admin\Desktop\SubmitGroup.fon.7E0-36C-F53
MD5
c5928cd76ef9e9757229993bb45e4302

SHA1
3763598538968b055afc111cb25ad3584049f77b

SHA256
94b124427ee8e47d4f722704260cf9fc20d6c93fdf165e874cb2284fe6997a77

SHA512
0ea3a3292b14f5772d54f66f057cd88cc55e0d4d37ad4bf46516372ebd92185ded0df82514cd9b05ef9785c85d50d127ae14bc0af1a87ebf426e4b0c77c57682

Download Submit
C:\Users\Admin\Desktop\SuspendRestart.ex_.7E0-36C-F53
MD5
711bc1bdc730759437e68591a51f94a9

SHA1
8dd4084e20f572bafc0c2d0774d8276a6e1427c2

SHA256
26bb6d19919c86c12e5e47df93a5b61ee0034839264f5ec71e9ac90e3d0c71f1

SHA512
b241690f946025146f260d9fc6eac82a19a47e6a7cc6a792b79182120e62479527782f26ac4ee84e0af9f30e25b0217ed559ba79d8756c53787b5189a2b2af95

Download Submit
C:\Users\Admin\Desktop\TestHide.M2V.7E0-36C-F53
MD5
065ee64e220c21f4792ff8ffea00b909

SHA1
01c18e333d1e493af690ae6ebd8e2350e3260802

SHA256
fdc831ff7363572df73106cfa2a8888dd2df3f01755efd001fc241836703cfa2

SHA512
7005f5af9d33c40408ac5ba2e1f440d905318feda7bc5ce77ca8241e82cd0c3f7b8a0d6e98a7709196c7d7afbd6054cfc2af1dcecdc2f7fc52705bb51f99ae8c

Download Submit
C:\Users\Admin\Desktop\TestSave.easmx.7E0-36C-F53
MD5
7c4045cdf60c2ccdf2cc9a8088ebfb2f

SHA1
7f7c78ceaa57cc31c5d4032df996c1a26e1fc497

SHA256
d012451ae8c35478f542565aa2633eea2ef1a39defe89388c1bebeab41e01264

SHA512
dc2f35f58b7e5571d352a49a15f30ec4f51c67c38ad668f179b4a11a09af2748309abd4b74b1942d3ea15eae66ccb0dc2cc79dc858918c9ccba21b1c8b36caea

Download Submit
C:\Users\Admin\Desktop\TraceOptimize.svg.7E0-36C-F53
MD5
dd342f932b6f552a0f08c6be392d574e

SHA1
9126393b635fae291718272ead1d211507d1acd5

SHA256
39b5134c0de35bea8a98bb8f199e913d1f34b85e4c8576c29950ab832b37024d

SHA512
b9e0cab75f2ccc4fde1b46656e9c60148e5a9a3be27f85179c38c00fc86856648f5091223a4e687760f1adeae79ff90542fbf48f04aed0426bb2604cd3a6ea5c

Download Submit
C:\Users\Admin\Desktop\UnregisterAdd.otf.7E0-36C-F53
MD5
ac5400460807cbc4c2472be3bf5cc176

SHA1
0dc05adc7fe2591fe61ec7a8b4360e0f4ff08815

SHA256
5de1c1d0675a2b68dd049aa347483f0fb9055ae6d7c459a629ae959ef3149c96

SHA512
994ce8ccf082ad1b5a78fe6cec3a3ac27414d36fb2b7995938017ae67b510760f3246aba658b6fc45e29ef2072692f8dbcc8c0ff753f3491a6a81bcb5af53be8

Download Submit
C:\Users\Admin\Desktop\WriteResume.mpeg3.7E0-36C-F53
MD5
1ae5b07fd6859aa7a309d4e0d5feb8e0

SHA1
acaa48027d26e681817c2796c3ac197b2c61e285

SHA256
16528a839218568217a05d9c369148e0416ed674b5d472ccc738d000536f3cec

SHA512
a2f0f0612ca04b4bf71fe39f1d887389a2fabbbfdf8d05fc33d8e237f07368c588e8f77d65feec5168c9602875db873d90ecfb94b7ae5c34053681703f57ed95

Download Submit
memory/520-8-0x0000000000000000-mapping.dmp

Download
memory/564-3-0x0000000000000000-mapping.dmp

Download
memory/944-6-0x0000000000000000-mapping.dmp

Download
memory/1056-10-0x0000000000000000-mapping.dmp

Download
memory/1152-7-0x0000000000000000-mapping.dmp

Download
memory/1200-5-0x0000000000000000-mapping.dmp

Download
memory/1424-4-0x0000000000000000-mapping.dmp

Download
memory/1560-14-0x0000000000000000-mapping.dmp

Download
memory/1584-13-0x0000000000000000-mapping.dmp

Download
memory/1712-2-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp

Filesize
2.5MB

Download
memory/1776-11-0x0000000000000000-mapping.dmp

Download
memory/1920-35-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1920-36-0x0000000000000000-mapping.dmp

Download
memory/1928-9-0x0000000000000000-mapping.dmp

Download