buran | 332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

Analysis

max time kernel
150s
max time network
124s
platform
windows10_x64
resource
win10v20201028
submitted
23-12-2020 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42ea94ee3adca8b82fba15ecdde25f26.exe
Size

214KB
MD5

42ea94ee3adca8b82fba15ecdde25f26
SHA1

ca17412cd44d186db91c4b2fa7df03363533ffd2
SHA256

332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a
SHA512

cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: uspex1@cock.li and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: uspex1@cock.li Reserved email: uspex2@cock.li telegram:uspex12345 Your personal ID: 6F2-647-C8C Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

uspex1@cock.li

uspex2@cock.li

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

services.exeservices.exe

pid process

1008 services.exe
2176 services.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2708 notepad.exe

pid	process
1008	services.exe
2176	services.exe

pid	process
2708	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

42ea94ee3adca8b82fba15ecdde25f26.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	42ea94ee3adca8b82fba15ecdde25f26.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	42ea94ee3adca8b82fba15ecdde25f26.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

services.exe

description	ioc	process
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\S:	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 geoiptool.com

flow	ioc
7	geoiptool.com

Drops file in Program Files directory 24125 IoCs

Processes:

services.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Mobile\mobile_13h.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\Sounds\Camcorder_stop_5.wav	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\cs_get.svg.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jfxrt.jar.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Grace-ppd.xrm-ms	services.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\HeroHelp\Scenario1.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-100.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-80.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreSmallTile.scale-200.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo	services.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\SmallTile.scale-125.png	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nb-no\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_ja.jar.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\Url.model	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80_altform-unplated.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-100.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\TXP_HotelReservation_Dark.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PREVIEW.GIF	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Moustache.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-150.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\ui-strings.js.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-explorer.xml	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sqlpdw.xsl.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\guicommon.respack	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\action_poster.jpg.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.boot.tree.dat	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-unplated_contrast-white.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\rain.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\MapDarkTheme.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-unplated_contrast-black.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8498_40x40x32.png	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\line.cur.6F2-647-C8C	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close.svg	services.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\ui-strings.js	services.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cc_16x11.png	services.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6365_40x40x32.png	services.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2432 vssadmin.exe
2576 vssadmin.exe

pid	process
2432	vssadmin.exe
2576	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

42ea94ee3adca8b82fba15ecdde25f26.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	42ea94ee3adca8b82fba15ecdde25f26.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	42ea94ee3adca8b82fba15ecdde25f26.exe

Suspicious use of AdjustPrivilegeToken 91 IoCs

Processes:

42ea94ee3adca8b82fba15ecdde25f26.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	756	42ea94ee3adca8b82fba15ecdde25f26.exe
Token: SeDebugPrivilege	756	42ea94ee3adca8b82fba15ecdde25f26.exe
Token: SeIncreaseQuotaPrivilege	1752	WMIC.exe
Token: SeSecurityPrivilege	1752	WMIC.exe
Token: SeTakeOwnershipPrivilege	1752	WMIC.exe
Token: SeLoadDriverPrivilege	1752	WMIC.exe
Token: SeSystemProfilePrivilege	1752	WMIC.exe
Token: SeSystemtimePrivilege	1752	WMIC.exe
Token: SeProfSingleProcessPrivilege	1752	WMIC.exe
Token: SeIncBasePriorityPrivilege	1752	WMIC.exe
Token: SeCreatePagefilePrivilege	1752	WMIC.exe
Token: SeBackupPrivilege	1752	WMIC.exe
Token: SeRestorePrivilege	1752	WMIC.exe
Token: SeShutdownPrivilege	1752	WMIC.exe
Token: SeDebugPrivilege	1752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1752	WMIC.exe
Token: SeRemoteShutdownPrivilege	1752	WMIC.exe
Token: SeUndockPrivilege	1752	WMIC.exe
Token: SeManageVolumePrivilege	1752	WMIC.exe
Token: 33	1752	WMIC.exe
Token: 34	1752	WMIC.exe
Token: 35	1752	WMIC.exe
Token: 36	1752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	864	WMIC.exe
Token: SeSecurityPrivilege	864	WMIC.exe
Token: SeTakeOwnershipPrivilege	864	WMIC.exe
Token: SeLoadDriverPrivilege	864	WMIC.exe
Token: SeSystemProfilePrivilege	864	WMIC.exe
Token: SeSystemtimePrivilege	864	WMIC.exe
Token: SeProfSingleProcessPrivilege	864	WMIC.exe
Token: SeIncBasePriorityPrivilege	864	WMIC.exe
Token: SeCreatePagefilePrivilege	864	WMIC.exe
Token: SeBackupPrivilege	864	WMIC.exe
Token: SeRestorePrivilege	864	WMIC.exe
Token: SeShutdownPrivilege	864	WMIC.exe
Token: SeDebugPrivilege	864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	864	WMIC.exe
Token: SeRemoteShutdownPrivilege	864	WMIC.exe
Token: SeUndockPrivilege	864	WMIC.exe
Token: SeManageVolumePrivilege	864	WMIC.exe
Token: 33	864	WMIC.exe
Token: 34	864	WMIC.exe
Token: 35	864	WMIC.exe
Token: 36	864	WMIC.exe
Token: SeBackupPrivilege	1412	vssvc.exe
Token: SeRestorePrivilege	1412	vssvc.exe
Token: SeAuditPrivilege	1412	vssvc.exe
Token: SeIncreaseQuotaPrivilege	864	WMIC.exe
Token: SeSecurityPrivilege	864	WMIC.exe
Token: SeTakeOwnershipPrivilege	864	WMIC.exe
Token: SeLoadDriverPrivilege	864	WMIC.exe
Token: SeSystemProfilePrivilege	864	WMIC.exe
Token: SeSystemtimePrivilege	864	WMIC.exe
Token: SeProfSingleProcessPrivilege	864	WMIC.exe
Token: SeIncBasePriorityPrivilege	864	WMIC.exe
Token: SeCreatePagefilePrivilege	864	WMIC.exe
Token: SeBackupPrivilege	864	WMIC.exe
Token: SeRestorePrivilege	864	WMIC.exe
Token: SeShutdownPrivilege	864	WMIC.exe
Token: SeDebugPrivilege	864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	864	WMIC.exe
Token: SeRemoteShutdownPrivilege	864	WMIC.exe
Token: SeUndockPrivilege	864	WMIC.exe
Token: SeManageVolumePrivilege	864	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

42ea94ee3adca8b82fba15ecdde25f26.exeservices.execmd.execmd.execmd.exe

description	pid	process	target process
PID 756 wrote to memory of 1008	756	42ea94ee3adca8b82fba15ecdde25f26.exe	services.exe
PID 756 wrote to memory of 1008	756	42ea94ee3adca8b82fba15ecdde25f26.exe	services.exe
PID 756 wrote to memory of 1008	756	42ea94ee3adca8b82fba15ecdde25f26.exe	services.exe
PID 756 wrote to memory of 2708	756	42ea94ee3adca8b82fba15ecdde25f26.exe	notepad.exe
PID 756 wrote to memory of 2708	756	42ea94ee3adca8b82fba15ecdde25f26.exe	notepad.exe
PID 756 wrote to memory of 2708	756	42ea94ee3adca8b82fba15ecdde25f26.exe	notepad.exe
PID 756 wrote to memory of 2708	756	42ea94ee3adca8b82fba15ecdde25f26.exe	notepad.exe
PID 756 wrote to memory of 2708	756	42ea94ee3adca8b82fba15ecdde25f26.exe	notepad.exe
PID 756 wrote to memory of 2708	756	42ea94ee3adca8b82fba15ecdde25f26.exe	notepad.exe
PID 1008 wrote to memory of 3884	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 3884	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 3884	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 904	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 904	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 904	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 2824	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 2824	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 2824	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 3560	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 3560	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 3560	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 2652	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 2652	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 2652	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 2296	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 2296	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 2296	1008	services.exe	cmd.exe
PID 1008 wrote to memory of 2176	1008	services.exe	services.exe
PID 1008 wrote to memory of 2176	1008	services.exe	services.exe
PID 1008 wrote to memory of 2176	1008	services.exe	services.exe
PID 2652 wrote to memory of 2432	2652	cmd.exe	vssadmin.exe
PID 2652 wrote to memory of 2432	2652	cmd.exe	vssadmin.exe
PID 2652 wrote to memory of 2432	2652	cmd.exe	vssadmin.exe
PID 2296 wrote to memory of 864	2296	cmd.exe	WMIC.exe
PID 2296 wrote to memory of 864	2296	cmd.exe	WMIC.exe
PID 2296 wrote to memory of 864	2296	cmd.exe	WMIC.exe
PID 3884 wrote to memory of 1752	3884	cmd.exe	WMIC.exe
PID 3884 wrote to memory of 1752	3884	cmd.exe	WMIC.exe
PID 3884 wrote to memory of 1752	3884	cmd.exe	WMIC.exe
PID 2296 wrote to memory of 2576	2296	cmd.exe	vssadmin.exe
PID 2296 wrote to memory of 2576	2296	cmd.exe	vssadmin.exe
PID 2296 wrote to memory of 2576	2296	cmd.exe	vssadmin.exe
PID 1008 wrote to memory of 2096	1008	services.exe	notepad.exe
PID 1008 wrote to memory of 2096	1008	services.exe	notepad.exe
PID 1008 wrote to memory of 2096	1008	services.exe	notepad.exe
PID 1008 wrote to memory of 2096	1008	services.exe	notepad.exe
PID 1008 wrote to memory of 2096	1008	services.exe	notepad.exe
PID 1008 wrote to memory of 2096	1008	services.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\42ea94ee3adca8b82fba15ecdde25f26.exe
"C:\Users\Admin\AppData\Local\Temp\42ea94ee3adca8b82fba15ecdde25f26.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2432

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:2824

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:2096

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:2708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
4e19bf0c03ce3953fdb5be54e6a22f35

SHA1
385b3bebf4d6df49a2d99ee9486921bb6bebfed8

SHA256
f4f869d5f04bba7bfed5ce6a0f32037621f46ef35afcb8cf6a9bb2a9c181edfe

SHA512
23bb6feb476ec5ef55fe7b1544fc9cf2bda0c14798070897f90a0a6df062dbe57109de99caac0e32c0586b41de51b11170484abfd0e297372cd392858e3426a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
75b88d0202e859a52bf202eafebbe0c4

SHA1
24a1603ccba645ded249983df14897803b538fb6

SHA256
835effde837d6182dd65867cb76119b6418ffa6868ab235dbbdc028ddb32ca20

SHA512
a37db7e053e819850b013862ce105e74a078081dd99bfe672406c9c3cba68f8e2e8cf7edea98402785e1751ddc0b21f5842b7be2873e8664bfd416cb20bee1f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
71938f18af4460ae7dfc95eaa7f86c41

SHA1
3c728520871d891f4ed95ae676fb4ef7d2202f45

SHA256
577745264b01a9e92767ed05946bf7825077e8303874f32893c09443c66cde65

SHA512
679f66ace333ec45c4541a226e482059f3fed3dcbd6b005c77fc8458f2c241294a95d6e3a6972e84978ce291eacec23c22f5e5295b5155b874cf5fcb53c8474c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
53780ec372a09f41690886bee3e299e8

SHA1
beab2ce9261ced619ca95f2997ee8c32d3e76786

SHA256
bdbae6d52c9f9c5ee83265dd275dde57478364cb774aba29a0412b4a0cb42a81

SHA512
6368dd5ea82ad4a5b72006e90c04d9d931be972645b0cfa6c0b344eed7371c02b16882c4c28584ce8568b69f2df200583ea4adb15ddbb13462e15d57dee1b030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
3e9a6904aefefdc22e4f255b9053ff52

SHA1
5cbb891a4aafac900a2c4cb21526a9b3f02984fb

SHA256
47a93c94f7411dbbd030fc635e2ce868abeee5ff9dec2a4f9afad2625edda10a

SHA512
ca0ee7a4503c670db4c2274f4f13e5400933e29343cd03bb342c948c7e1a579dd478bf9619571f055ad52a1fe86d814a82cfae283e61b0608577c9679395013f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
8682526341b69644059a36ff12bc35b3

SHA1
38954a4a9948aaa1182d2c57be4752da1cc50857

SHA256
86c20afe5292c64a1cec0e2aa7112f1097d30f69ddc6058d764162f588ea1867

SHA512
a222586f955e78d18269fce54c3e67b6d7fdfdc42c8b5a9e863a1713cca4fc5c39a03a56c64b8763c7becf50365abe7bb5ab7840f954124edf91b8f4ab41ed00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JGAO043J\YZY6ZLF9.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S7PGJ114\BYZRZL1K.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
42ea94ee3adca8b82fba15ecdde25f26

SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2

SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
42ea94ee3adca8b82fba15ecdde25f26

SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2

SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
MD5
42ea94ee3adca8b82fba15ecdde25f26

SHA1
ca17412cd44d186db91c4b2fa7df03363533ffd2

SHA256
332bca23e362f6c95326ecc943cb39e93d6fdcf454d72a5e60c9e14f5802ce5a

SHA512
cbec5875fdbcd1182ce9cb87728f36f9a36da032589394b20418229780a2182f6641519fd7545bd812257492a0fd9a68ebfd487d6ec5ebb9e3f666558bb81874

Download Submit
C:\Users\Admin\Desktop\BlockLock.DVR-MS.6F2-647-C8C
MD5
876a1e9eb1888cc462f603cb7afc1d53

SHA1
906f7e5f12f54632542e3f7d4a2c9e96ff230b39

SHA256
bdd8e10948581e97fe6a250048e728c0dfa663e800fc57e2b25eb1baf31056cd

SHA512
960f5beeb175061fc7586e5d388da190440039e49936154e2acb4047ccf1bbe499d6e006576d50f4b20fc48a860714f7d26257c52f36dec99e832dca5ee1bfcf

Download Submit
C:\Users\Admin\Desktop\ConnectRemove.temp.6F2-647-C8C
MD5
3946cd006aef8ca72949a855528a5c8a

SHA1
ee64f85ad03d5ce84f7c465b078047eb73ad762a

SHA256
aadc4a4717fdb2e86e52d648025c065cb44d19ff3d084aab30a80a4e055f3f6c

SHA512
807a70949bb25bb869006c57c81a20d075f72e2852fdc99e169201ddf2e52fec3fd8eb3c68c2721e5188186d53f6df8e421dee3a272c81510a86ebf70655946e

Download Submit
C:\Users\Admin\Desktop\CopyComplete.jpeg.6F2-647-C8C
MD5
2919013159bf54e3f654c0222c366379

SHA1
6bf2167c2603604ef6b16570cf3657ad0e9a976b

SHA256
6fbc4e3b54d2ba17e219f32d3c4ef7c38d9520b51f4940e6317057dbf3f43bb7

SHA512
02f5496fb62e81c76315cd5f8d6d7cb28a4a1eac3903cc8e8db3e0649d3462d4593da23e4511438db507a1bf79865d72079419fd681931a9c95c6e5f1e1080d8

Download Submit
C:\Users\Admin\Desktop\CopyOpen.emz.6F2-647-C8C
MD5
ee471454cd34ec33c6211ec1e69bebea

SHA1
47ee368bf82f313b5412701aeab00c63d4684e2f

SHA256
866c1ef0d3a9933c2903327e09f2dd8ec7fb1a926ed935daccec90325a30d6d1

SHA512
64d53fdecad2e876d504f650f4f5784a9c56962aee34adaa10035fa9080d0d46ef0d17bdb53e795f4b4d79653706f549f15f905d2cf26482add6adb2671502ff

Download Submit
C:\Users\Admin\Desktop\DisableProtect.vsd.6F2-647-C8C
MD5
43e87a5d104300c4a5349081cd0238d6

SHA1
ea2fe5796a7dabb12367bfc0d9c7cd0554588678

SHA256
5c516c898adf1bed2bd25ca0ee5d91775856ddc8e36c9b1360dd3dfe4bfff70d

SHA512
44f6eae23c6f813d1a0b42253a982c41a2108ebad80d4e086405686c92af1ef824b278410bb26adc9129fa11d8178abe62c217abfe6a19541cb8ad6cdeab06c4

Download Submit
C:\Users\Admin\Desktop\EnableResolve.raw.6F2-647-C8C
MD5
1c3446dd2d534c0747bea49161cdfbfa

SHA1
9ec3d563925d546fd1a19ce6a1c524c5ae53b520

SHA256
8e039db9486e707718383107212248314691858becd431bba717e5b0afc5d38b

SHA512
af587ba908cb4bab245c65dd1e2de8972faf3c258c4a723c436abc29195680a17631e7038bdcb3c2a9694c7f3ca132e6c12a02842cd8aec969ae4ae3a7eea8db

Download Submit
C:\Users\Admin\Desktop\EnableSkip.sql.6F2-647-C8C
MD5
3f3a58d4b00062970ae1c6044098870e

SHA1
7c344cae1e606446df0669295d5c3f246de7ac65

SHA256
ca0fa16425b7523f498298c4cdf56275888846862582c5613156718bca83c139

SHA512
a3d8b74431c767e247d3b6e756e6329838ca8342c37ca101c347b33b5c2561f150ec5c267ab9240b012f311e15dce1899cb087f105b14baefcf2d3617f78a3eb

Download Submit
C:\Users\Admin\Desktop\ImportCompare.pps.6F2-647-C8C
MD5
1cd78d9f6f4a76953f0992f909573f59

SHA1
a84bd846640c65703800b651e49ea81e729538e3

SHA256
0003456031704be220f4914c81836f9d2d7e27510a3e52363a499a5f6c890974

SHA512
3bd583ec7cee977feffebf54db43bd0380d57ff6c2d8dc80d2debd7f451453db3cb207e334ec2b8c3c2b167b909bb74f0388ff2bb6cc9bf4e0dc4f78445dde8f

Download Submit
C:\Users\Admin\Desktop\InvokeClear.docx.6F2-647-C8C
MD5
a1eba8c32d87aa35db28e8aabb2eebd1

SHA1
9abc01084b85a5f3e451d3aadb46e37b6451e6e5

SHA256
1dec577c629cb7fda609af503da8149f230274cbfdfbdf5d720e413c45d97508

SHA512
3caffba77c6a37a295d00c548c9e0874e5e5322d394835ae099d5dbd3e19052e5e4379887a042b5b0cc64863f4c7f8977c7d6e6f3dc822ee4df362de313e32f0

Download Submit
C:\Users\Admin\Desktop\OpenPush.jpg.6F2-647-C8C
MD5
cc45cdf72f65f9bbb6d93cb61aeff6d7

SHA1
e96ffd841118412933ef4f01571f4a213d08d057

SHA256
2c1e63dfe743a47caa37afd369d92d513bdfdf7a0a07d694d4b9da03fdc4be58

SHA512
44af518fc81827d96dc94d5ed3a5148b2a42ccdf162486d8bfcff8b4bb96b751c1becb7eb66f23b4b8410f2d71f4f7738f403acb71d778d78b8a06c629be31a3

Download Submit
C:\Users\Admin\Desktop\PublishHide.MOD.6F2-647-C8C
MD5
3d9200a35aee1d16df942fe2c49da39d

SHA1
61d2c2f92b75cda24432f5f1be0575b866818908

SHA256
961361be74b5546862dae88e4318d55bac5643a10c8148b836fc56aa6fb03e38

SHA512
08018fa8b7787c145f34386d771efda0e7111e3683f439975abac6771eb508c17e9dd2cd9a21b437746b80fb32015236f4272094389a6d99be84c7b6ec994253

Download Submit
C:\Users\Admin\Desktop\PushUnlock.mpg.6F2-647-C8C
MD5
e9e53809fd3e17e1055b36e8260c9ecf

SHA1
c3fe1d32f3e8554cd79d36dcdd6e5cfa892b92e0

SHA256
6959ad2b481b7895594da0e1e27c372a0f3d08ab121f3ceb1dacbaef7e94cce9

SHA512
1cfe2b75b9ac427a56c1a2ebdb9553655034c119c331942d80244884a1a4ba1a06d32f1147eef831d8b649900a556f7cc9bc62560bda9daf008708d192c6b6f9

Download Submit
C:\Users\Admin\Desktop\ReceiveImport.mov.6F2-647-C8C
MD5
f66f5e297597846fc97b550968eef96a

SHA1
4265e468e0c1e5b7179210e3e619536b986adcbb

SHA256
656c7df886c90ce130c819d405675ea75f632c2bb3ccf3fc3b24fda435b6e03f

SHA512
ae7637ce3c7dc5361863932d64c7ba2c789b30a195b72d1c241d130161423d1af8578e1ada4279b02ad6b01d7c3adfac51777d1091fc90efdeee82b426cbd648

Download Submit
C:\Users\Admin\Desktop\RegisterUnregister.mpeg3.6F2-647-C8C
MD5
9a9e65f246cd6f84678391e72fa9d189

SHA1
255470308771bfc1f3034b5fb316428a3c0a23ef

SHA256
f65567a9de69f2322ffb0e992d23ae43ba9ee1ed0a6d7a3880ca533074b4747a

SHA512
63d3dd4fbeec5b8478756553482084b527f8557e04a091b91ca0da1512a7692e36dc088ab2ea0b71925e62d186727f26d34b9859d6a200b7c1a20c6961374bd0

Download Submit
C:\Users\Admin\Desktop\RegisterWatch.M2V.6F2-647-C8C
MD5
76f2aa1a9f72281cf1b7b9727ef589df

SHA1
157bec22ed47652c37b77c530b3c406fd247e138

SHA256
221d3be95ef28f2b13a9b3b3a4316ab7c139003315e96f6b139e2dd036075b79

SHA512
3cefdaacc703cc165a98caa40fc0ab20efd87e507121fabe77397b6289926b5d2f7c10f901802b5ab09f4a3bc534290758c513fe1ed34952c94377cfb761def0

Download Submit
C:\Users\Admin\Desktop\RenameRestore.eprtx.6F2-647-C8C
MD5
f2b9d2d944534990e0c28275742e5b77

SHA1
b3bcd158503ee50e4d4b9f4240a77c7fa2addb6c

SHA256
3dc3e038794f890c1c3fa75b5d54c2f02362445b4477287c7be2cfac0aa1fab4

SHA512
779148c64788f5fb0137e45edaf7f393612e27eecbce39a98f4172a8faa4c70473a86a18dd45b33448bb64ed166c7eb1e535377625da7df74cdf59c465907a49

Download Submit
C:\Users\Admin\Desktop\RenameSwitch.docx.6F2-647-C8C
MD5
d449bfd5072a77d8c7df4e81e28d0e00

SHA1
908bb7270c48f3c13290d89d0dae45db2b6610a1

SHA256
b5f4b13bc9ab242bf918500bce8dbcae703d0396a956a6a74fc615f26c5fadfc

SHA512
144d613a11dc18c2ef4a0baf33d524571be7cd93265dbe4b5c746ab79e7bd2a99f402aa9a1383cf8da845f91a64ffcb20b764d589dc8f949255a4a43a0cbe325

Download Submit
C:\Users\Admin\Desktop\RepairTest.wmf.6F2-647-C8C
MD5
1c273addeca05cab9ecb1c783e025bde

SHA1
85c7e4246deb0c7f1ab47116d52aa6ed3d6c3307

SHA256
bb3b5a150ec52b4a19b6cd9e8dee954fd8d2b01591dc96a7577477fe27bcd006

SHA512
a3a338937fe06f517d7f1d0e17dfc861b04401f5accfeb7d8968dd07fecb89020393d3da2adf4b6c76323a2c9af7b379fee0a6cef24e0edf83e5225cd1bbd33f

Download Submit
C:\Users\Admin\Desktop\ResetPublish.TS.6F2-647-C8C
MD5
84255a9f8cdc9d21a747da8416587bb3

SHA1
0717c08d49257eb6d67a9bb53b9d7e2985417fc6

SHA256
d6d9b5ba2b903e763d16762cbc7dadc859c9ebcb318459ebdd54b23113a6489d

SHA512
fc74fa889933c4765f1a38263bcb91989bb7e1b3e38d8c63fbf54af109322a50211541b438876b79d4d69a03ab70ac9f91223c48043751878fe2a329b4025479

Download Submit
C:\Users\Admin\Desktop\ResolveUnregister.contact.6F2-647-C8C
MD5
3a7199c6bf45339bd963d8cd1a5d87ca

SHA1
c182cf5b3a317e02112dcc9f3e9c10d60ffaff3f

SHA256
19d424852a4dd5fee57080fe0c8cfda4ca435f47919f2557784890df7f3c5de7

SHA512
be5c2185c9b8e79e0b0397cb2c2989fcea4b92bd9b5bf0d1b6f4f722d6c0e1e4aec104ed753b0d02efd8fe76be3dcc558fc284a140115002857b65004968d369

Download Submit
C:\Users\Admin\Desktop\RestoreApprove.png.6F2-647-C8C
MD5
787c26405e44120b3a9236637269f95c

SHA1
94f23cd7b925e07b3be2f054a176784cd895bf5c

SHA256
147b8e29b5da04fa57d0f04a41ad91ef2c9343c092bc576ae34bfe18a126ada5

SHA512
33f55a5532cff787dec27a7ae83ae751edd343464a6574fe4067bd7801dc484476ae7ce5960fc66544a54afb3c3d1da47b23d650d2a408ff93b43991524dbdc2

Download Submit
C:\Users\Admin\Desktop\RestoreRevoke.vdx.6F2-647-C8C
MD5
d9ff133405319ce50b3c7281cd8297d1

SHA1
4aaf2bfea28614972a77e6765493622043963f8f

SHA256
8f906b1e6f7681f8d5ea1472b6f76cb33b6bbff1c0b889c86e521ee1a6951324

SHA512
7cfb1ef165be9945db725bbde3440c65acfdf00ce68e14e94e56b9eeb8a99b9a9b5026b993444d289640e2badcc487307ad29b139bf8b3e4c8c912c4bcd4c8c2

Download Submit
C:\Users\Admin\Desktop\RevokeTest.bmp.6F2-647-C8C
MD5
8f1cb58d12d25a2b74dd2eb173b2823a

SHA1
80864ab43d67c908d10f08f890cd3c1211b2a4f9

SHA256
096f3e602fcf1ce068b32ccc47d184edde1ec36e7fc9427d85b234ca64b6c38f

SHA512
81876b02c3c8b34fe3ee8c8f15f2392ee0a373f6e192c54b39bc3dd2dfb8be4a27cbcdd41d21d9b8142883c123de136c5c254660deb9d6a448db11e298cf716c

Download Submit
C:\Users\Admin\Desktop\SetBackup.au.6F2-647-C8C
MD5
651ed69981f52929e57ea8fbdc3eac0b

SHA1
1c4d031cd6ceaae4ed45e8e800272a6d9d8ef19a

SHA256
b4d6af271c7361e07fe4701c7b8c2fd75e4be93d88df62b1ceeb9ddb1b97751b

SHA512
38e92c6b8e14d6827d2dd12cc1a92de88904a40405c278bfdab903dd211a913c7954014cba93dd521faf5955c2adfe1238d091d9f730a5799db28837dca5bd41

Download Submit
memory/864-25-0x0000000000000000-mapping.dmp

Download
memory/904-16-0x0000000000000000-mapping.dmp

Download
memory/1008-2-0x0000000000000000-mapping.dmp

Download
memory/1752-26-0x0000000000000000-mapping.dmp

Download
memory/2096-52-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/2096-53-0x0000000000000000-mapping.dmp

Download
memory/2176-21-0x0000000000000000-mapping.dmp

Download
memory/2296-20-0x0000000000000000-mapping.dmp

Download
memory/2432-23-0x0000000000000000-mapping.dmp

Download
memory/2576-27-0x0000000000000000-mapping.dmp

Download
memory/2652-19-0x0000000000000000-mapping.dmp

Download
memory/2708-4-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2708-6-0x0000000000000000-mapping.dmp

Download
memory/2824-17-0x0000000000000000-mapping.dmp

Download
memory/3560-18-0x0000000000000000-mapping.dmp

Download
memory/3884-15-0x0000000000000000-mapping.dmp

Download