buran | 6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
Size

215KB
MD5

e71825acc5c0dbf948ec73b12c397a23
SHA1

efe7521f2f6f06840418ca99b57989ec7dd797c5
SHA256

6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408
SHA512

c9369d2a89f54250149b3a92d1d12b2f1a38fcf76e961d08f5ea4c3aec29bc338d8d5113df0bdd35aed5ff2d4c2d71ac3195e27d72489d9275553833314d7fe5
SSDEEP

6144:cyJE1yd7WEJmcyf70PWna4DQFu/U3buRKlemZ9DnGAevIGn+:cU/d7WRvIPWa4DQFu/U3buRKlemZ9DnG

Score

10^/10

buran ransomware

Malware Config

Extracted

Path

C:\ALL YOUR FILES ARE ENCRYPTED.txt

Family

buran

Ransom Note

ALL YOUR FILES ARE ENCRYPTED ***All your data has been compromised. Documents, photos, databases and other important files are encrypted. ***You cannot decipher them yourself! The only method for recovering files is by purchasing a unique private key. Only we can provide you with this key and only we can restore your files. ***The decryption key fee is charged only in bitcoins, we CAN assist in buying bitcoins by giving instructions on how and where to buy. ***In case of non-payment, all data will be put up for auction on the darknet. Beware of data leaks. ***To make sure we have a decryptor and it works, you can send an email to [email protected] or [email protected] and decrypt one not important file for free, DO NOT send files containing databases, any XLS / XML documents for the test. ***Beware of dishonest middlemen. as well as buying a decryption key through intermediaries increases the final cost of the key. ***Do you really want to restore your files? Write to email: [email protected] Your personal ID: 789-C67-E35 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ResolveApprove.tiff	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
3492	notepad.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe

description	ioc	Process
File opened (read-only)	\??\P:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\N:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\H:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\A:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\U:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\S:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\O:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\I:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\E:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\X:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\Q:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\V:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\M:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\J:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\G:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\Z:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\W:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\R:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\L:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\K:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\F:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\B:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\Y:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened (read-only)	\??\T:	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe

Drops file in Program Files directory 64 IoCs

Processes:

6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00200_.WMF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185828.WMF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198025.WMF.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14983_.GIF.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00564_.WMF.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241781.WMF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Thatch.thmx.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222021.WMF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thunder_Bay.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_ON.GIF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Country.css.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00482_.WMF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0278702.WMF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01064_.WMF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02443_.WMF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0305493.WMF.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\attention.gif	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management-agent.jar	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00814_.WMF.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186364.WMF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOMS.ICO	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\SubmitCompare.mp2v.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN092.XML	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginReport.Dotx.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00241_.WMF.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216540.WMF.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXC	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_es.properties	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\ALL YOUR FILES ARE ENCRYPTED.txt	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Bold.otf	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Juneau	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.ICO.vn2.789-C67-E35	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\ALL YOUR FILES ARE ENCRYPTED.txt	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe

Drops file in Windows directory 1 IoCs

Processes:

6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe

description	ioc	Process
File created	C:\Windows\ALL YOUR FILES ARE ENCRYPTED.txt	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
916	vssadmin.exe
932	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	980	WMIC.exe
Token: SeSecurityPrivilege	980	WMIC.exe
Token: SeTakeOwnershipPrivilege	980	WMIC.exe
Token: SeLoadDriverPrivilege	980	WMIC.exe
Token: SeSystemProfilePrivilege	980	WMIC.exe
Token: SeSystemtimePrivilege	980	WMIC.exe
Token: SeProfSingleProcessPrivilege	980	WMIC.exe
Token: SeIncBasePriorityPrivilege	980	WMIC.exe
Token: SeCreatePagefilePrivilege	980	WMIC.exe
Token: SeBackupPrivilege	980	WMIC.exe
Token: SeRestorePrivilege	980	WMIC.exe
Token: SeShutdownPrivilege	980	WMIC.exe
Token: SeDebugPrivilege	980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	980	WMIC.exe
Token: SeRemoteShutdownPrivilege	980	WMIC.exe
Token: SeUndockPrivilege	980	WMIC.exe
Token: SeManageVolumePrivilege	980	WMIC.exe
Token: 33	980	WMIC.exe
Token: 34	980	WMIC.exe
Token: 35	980	WMIC.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe
Token: 33	556	WMIC.exe
Token: 34	556	WMIC.exe
Token: 35	556	WMIC.exe
Token: SeBackupPrivilege	608	vssvc.exe
Token: SeRestorePrivilege	608	vssvc.exe
Token: SeAuditPrivilege	608	vssvc.exe
Token: SeIncreaseQuotaPrivilege	980	WMIC.exe
Token: SeSecurityPrivilege	980	WMIC.exe
Token: SeTakeOwnershipPrivilege	980	WMIC.exe
Token: SeLoadDriverPrivilege	980	WMIC.exe
Token: SeSystemProfilePrivilege	980	WMIC.exe
Token: SeSystemtimePrivilege	980	WMIC.exe
Token: SeProfSingleProcessPrivilege	980	WMIC.exe
Token: SeIncBasePriorityPrivilege	980	WMIC.exe
Token: SeCreatePagefilePrivilege	980	WMIC.exe
Token: SeBackupPrivilege	980	WMIC.exe
Token: SeRestorePrivilege	980	WMIC.exe
Token: SeShutdownPrivilege	980	WMIC.exe
Token: SeDebugPrivilege	980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	980	WMIC.exe
Token: SeRemoteShutdownPrivilege	980	WMIC.exe
Token: SeUndockPrivilege	980	WMIC.exe
Token: SeManageVolumePrivilege	980	WMIC.exe
Token: 33	980	WMIC.exe
Token: 34	980	WMIC.exe
Token: 35	980	WMIC.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 1980 wrote to memory of 2024	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	28
PID 1980 wrote to memory of 2024	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	28
PID 1980 wrote to memory of 2024	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	28
PID 1980 wrote to memory of 2024	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	28
PID 1980 wrote to memory of 1568	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	30
PID 1980 wrote to memory of 1568	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	30
PID 1980 wrote to memory of 1568	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	30
PID 1980 wrote to memory of 1568	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	30
PID 1980 wrote to memory of 1424	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	32
PID 1980 wrote to memory of 1424	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	32
PID 1980 wrote to memory of 1424	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	32
PID 1980 wrote to memory of 1424	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	32
PID 1980 wrote to memory of 1560	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	33
PID 1980 wrote to memory of 1560	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	33
PID 1980 wrote to memory of 1560	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	33
PID 1980 wrote to memory of 1560	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	33
PID 1980 wrote to memory of 1452	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	35
PID 1980 wrote to memory of 1452	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	35
PID 1980 wrote to memory of 1452	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	35
PID 1980 wrote to memory of 1452	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	35
PID 1980 wrote to memory of 1676	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	40
PID 1980 wrote to memory of 1676	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	40
PID 1980 wrote to memory of 1676	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	40
PID 1980 wrote to memory of 1676	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	40
PID 2024 wrote to memory of 980	2024	cmd.exe	38
PID 2024 wrote to memory of 980	2024	cmd.exe	38
PID 2024 wrote to memory of 980	2024	cmd.exe	38
PID 2024 wrote to memory of 980	2024	cmd.exe	38
PID 1980 wrote to memory of 580	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	39
PID 1980 wrote to memory of 580	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	39
PID 1980 wrote to memory of 580	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	39
PID 1980 wrote to memory of 580	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	39
PID 1452 wrote to memory of 916	1452	cmd.exe	42
PID 1452 wrote to memory of 916	1452	cmd.exe	42
PID 1452 wrote to memory of 916	1452	cmd.exe	42
PID 1452 wrote to memory of 916	1452	cmd.exe	42
PID 1676 wrote to memory of 556	1676	cmd.exe	43
PID 1676 wrote to memory of 556	1676	cmd.exe	43
PID 1676 wrote to memory of 556	1676	cmd.exe	43
PID 1676 wrote to memory of 556	1676	cmd.exe	43
PID 1676 wrote to memory of 932	1676	cmd.exe	46
PID 1676 wrote to memory of 932	1676	cmd.exe	46
PID 1676 wrote to memory of 932	1676	cmd.exe	46
PID 1676 wrote to memory of 932	1676	cmd.exe	46
PID 1980 wrote to memory of 3492	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	48
PID 1980 wrote to memory of 3492	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	48
PID 1980 wrote to memory of 3492	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	48
PID 1980 wrote to memory of 3492	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	48
PID 1980 wrote to memory of 3492	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	48
PID 1980 wrote to memory of 3492	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	48
PID 1980 wrote to memory of 3492	1980	6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe	48

C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
"C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:916
- C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe
  "C:\Users\Admin\AppData\Local\Temp\6a4c8a0b7622b3621900bf47acb16725c4a8dafde394f2bf2bf7112bd90a3408.exe" -agent 0
  2⤵
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:932
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:3492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\Desktop\ApproveBlock.contact.vn2.789-C67-E35

Filesize
389KB

MD5
8456e82168e3f9587dcf0c5ce479effd

SHA1
991d1c4a14d98d369df9dad31fadd7e3ae3fc5d0

SHA256
fb0d1acf0459502b871565127b714b353b8fb469b29e4d50553607b72d24abda

SHA512
e741082c4c5cf5869c7097014dd1f69eea56ff388a49f6c90cc7a26b4a65d4efa189aa663769eef4dfc8eb720e221254c4bf6d5dbd691e9fd04640062673f415

Download Submit
C:\Users\Admin\Desktop\BlockEnable.temp.vn2.789-C67-E35

Filesize
516KB

MD5
b75909b650ffcfde26536876684efed6

SHA1
32ebd5124870a21a774354593adaddef4cc452a5

SHA256
49c5a8c738f928bef0df5ec93049347ee674fb05d0b48aca3963146743e93246

SHA512
9233c79d96334b49dbbc07d4abf1507c5409d70506726adabfa0256fa3b0dc3a83eeb97dc232fcf58f207740ed4e2dc980d04c367b7f0c4af71890229f523e3d

Download Submit
C:\Users\Admin\Desktop\ClearUpdate.png.vn2.789-C67-E35

Filesize
484KB

MD5
5d98531dba2400dff96208e91bca93c9

SHA1
9e2b1a78217084bdded306eb5d36cfb2fa3108c5

SHA256
544fe3a4135f762417588e4af34e8c7ed570be184f22d9bddcc9812c06174bad

SHA512
8dda44e023f902b07a3158ab900dc5ab64d8a84452698f641f11b33e9501bf7475536fddd73eef18a04e0f52f76d145c3e218b13c678516834fc28d687a0bed6

Download Submit
C:\Users\Admin\Desktop\ConvertToRevoke.avi.vn2.789-C67-E35

Filesize
247KB

MD5
40f47100755a639134a433901596cbfd

SHA1
fb622d2fbe41dd5149a00d675f12c515a2849b76

SHA256
7599eed99470e3aaacb5577c57d4dbdab5094265bc9f2df3e6276bebb16be394

SHA512
d1b6effbb8980fed12285b8a859f0fbad44f9895fa2756c5cda731f48427d35af5d21fec7d31f966543ddd595a82fbddbc7f0500b9959a4aafc3cf77efffe4aa

Download Submit
C:\Users\Admin\Desktop\ConvertToWait.rle.vn2.789-C67-E35

Filesize
310KB

MD5
834e3e63faae646328831aea985cf63d

SHA1
c91deadaa163d618590c433fd122c747a29aa5eb

SHA256
c55646e4d5df5b5836f1b998b41014fb68fee2e81ff15e0aeac4cf19b61b25f8

SHA512
316d3bced4d0f0bc81d1270ece3071a777fab05fba8eda271fd66d9ddf67317b9c71184014dd09f05aaa3489db1b8eb1e51d3c23f5ea681d4e23bd7e5e409ce8

Download Submit
C:\Users\Admin\Desktop\DisconnectBlock.mhtml.vn2.789-C67-E35

Filesize
563KB

MD5
ee114cc3dd7ee8df34962300c579dc2b

SHA1
a8867eac1ab6bb917ed89dd03f4654ce34151ae0

SHA256
25544a22cb8d857139c7f831d06ae3292957f2f0b9d7906d8f355396c77ba49d

SHA512
e69cbde5da66da4b8816a53ba4f57bdca844215f4280f418c0a81fc1a804ad3ab127372f689066187def8972d970899fd82d5dcd5848399ce38e378f9bb1b705

Download Submit
C:\Users\Admin\Desktop\ExitSend.wav.vn2.789-C67-E35

Filesize
531KB

MD5
1ce4c83eee30a6c88074313f9ea8001e

SHA1
8937e7e2fc32a66892edf560c3711a1fc22056db

SHA256
dbf792a952760401f5591d4a7423f40fd5e3ccf49d0f154cc7f7c540402bbcc8

SHA512
3d47af40d8579f33e38d0890c6814b06ad534cc4c27b53c0391108c59f6769adae5a8c037e7c7e16a0887155a2e7f97134d865b72558d56f8a6ab2f07e1b506b

Download Submit
C:\Users\Admin\Desktop\ExpandAssert.mp4.vn2.789-C67-E35

Filesize
579KB

MD5
2793a4e1e5e49cd2e94b8c88d9d48eb1

SHA1
e60df2fc3b4fbdbbb0bcfa3950605f10d17b5b81

SHA256
023351dd5468def129f42ce2e02c0e6457c4cf2756b11ca77132653594cc3183

SHA512
65a27a1989569efec8fcb4a20d6221f3ac19c7b08ae2f9a0dc17f46db00ae2d2e6531f543d9d6d938980437d03d2c86bb9ae9fb4d14affe7ed06fb82b6cd204f

Download Submit
C:\Users\Admin\Desktop\FindTest.odt.vn2.789-C67-E35

Filesize
341KB

MD5
1f5a26277c641bf7a6d97e477fde2898

SHA1
72b30ae92eaa952f0641f07807213bde7f4cf702

SHA256
fee4a40ff5a6ddd54103b316be506325fc6eda201917a1d74eed43f2b6567f12

SHA512
d938561f897a198f3e1ee4b0487c2f34350c6aa25f207c48aba8a06cb0950ef87c081ad4bd224239dc5e79c95bd1565ae53208f86f1b62f12d77c2cd31c00082

Download Submit
C:\Users\Admin\Desktop\FormatUnprotect.pptx.vn2.789-C67-E35

Filesize
262KB

MD5
c34c752499ef2cfeeef78df1bc95d4c3

SHA1
86d9a3c465d98eaed45a05647835a1fe8054d3e3

SHA256
86c0d7ff70b9a382b85bf68473cf41bd4cca0eb995ac4c076f9839719e284b58

SHA512
bbe34bbeae872857bf0af0a514fcbcada7cf01c1d525fdd2eaaf352afb9a4a7fce7557becccffa1c1a292d4f9a371ae750bb716420158ce713c1f22ebd4e8423

Download Submit
C:\Users\Admin\Desktop\ImportRepair.vssm.vn2.789-C67-E35

Filesize
326KB

MD5
8a4c735813d77dcccd3e5e9e6c393190

SHA1
ca69e1042dd97cefa0eae0d068235018d173bbc4

SHA256
07f53d39230b7f0d3f75f027e16865971f3f9b9de3c8feb295b18f6ba8a6d4c4

SHA512
9f6f79161f2c67b1e6927c26e1edf97ef23f15218c52ae20754add91e5e2bc583cc7bb329e071c6f5595316a5ed40ac78c2c681e18bf2cf911770928cb19144e

Download Submit
C:\Users\Admin\Desktop\OpenConvertTo.mpg.vn2.789-C67-E35

Filesize
903KB

MD5
ea12723e97b7da19e8f0b5be26a6ce58

SHA1
cc64638eb806602d79440a28b8890f4c109ab59a

SHA256
7a7078c1c94f820ad71d52ef93ca6bf8e86063602ed627536d4fa310e3eaac0f

SHA512
e68b78db4f06fccbba5321137efa34877afd52ac23524eab7618306d73641c8f9654285ea4d9e1ca8a1b50055a7ed5f6edff503ea1ddcddd02c2894589aa0172

Download Submit
C:\Users\Admin\Desktop\OpenSelect.pot.vn2.789-C67-E35

Filesize
405KB

MD5
4c375b0c7b25af11fe7abf090b1cdccf

SHA1
f8d30b1a2f5b9bb416026dd40702e20190428451

SHA256
6a6db30ac8c1ebd6315fea132a2226c6624cfe83573b39c60fcfbc8ec5431d0f

SHA512
c025c7f74176e06f6cfa01140d8fcd60d6026db919a9d0f402e0c30b6c0bd163d95781d0d7b4b3b3dbd42d1c656ef43a78aea9ce5473c15bb1bc98a123ba4acc

Download Submit
C:\Users\Admin\Desktop\OutEnable.mpg.vn2.789-C67-E35

Filesize
278KB

MD5
0bbe855e44a244bb5477b5799fcf66bf

SHA1
86205d78109c07c86fd263ee6704366331fbf155

SHA256
41f01b80de598bbcdbae7175a9c48fa103033cd6b305a24990a6b65b0fe94cc3

SHA512
957444c24727fb26753877160df6c7414b8ef646a4bdc312a7cf162618ba2e0786f36daec2bd1d486fb12c7cb6fd1cb18ed993e27b98daa47be73d54026f2c66

Download Submit
C:\Users\Admin\Desktop\PingConvert.zip.vn2.789-C67-E35

Filesize
436KB

MD5
f7cc3fb6f4b97e6d2223712d4443ab64

SHA1
21f6b9763eabfbfb9e90248649c8f94bdf90fb95

SHA256
9d50a7d881883934b562fc328c1d606bead8ae3f46a954f11550b1f19e07a28d

SHA512
47fba6b0e7a96fee9bd51cd0b34134e827bfd7808963fa6f4477f4fad46c4623529ba4d6b120f354b381ec491d5d042801c43e8a33626d2f3c2939e8b9ab8051

Download Submit
C:\Users\Admin\Desktop\PopGroup.emz.vn2.789-C67-E35

Filesize
231KB

MD5
c561a4a1a75ea315fe11ad3dbfda845f

SHA1
4b2da205cec3440555a3145d557e1f432c1fff5e

SHA256
d3cb1f80851c2e6f08617faf591c33d6ad2f7a4d9fc62bfdf94d8132e56f9c0f

SHA512
e17ae00e4253aa4fa3af38f929ca038ba33f203d9edc590787036cafa97f21761931843ca5671d5ec1fdb866d074eabb7e4bd8b196380ad03b40c170ff845f12

Download Submit
C:\Users\Admin\Desktop\PublishMerge.zip.vn2.789-C67-E35

Filesize
500KB

MD5
e9f9f6bed88da4ab32c4da3c7a6a4cd3

SHA1
dbd5c7c8299e72d6401df53cd87da1f03fd795cf

SHA256
0a20129698f114d9bce05ffa048db323cc2f86ff84b1476914e6d9d708548d9c

SHA512
7a786f4af3d2d89e50fb387942538cedc4ca55912bac17a9694c0fea184452dbec07ca3e11410e6692905ae7bfebd068a8f5a3ca38603a9b230de67a829f54d7

Download Submit
C:\Users\Admin\Desktop\RedoPop.wpl.vn2.789-C67-E35

Filesize
468KB

MD5
3c5549fe779180ed7a3b33d470d0cbf9

SHA1
87f86d71831190c9fb27b0b322e1ef78d5b87e4c

SHA256
79a5f90b73c3aae7115bf10216b4430f3a2e1db9d0768e3f5ef1e5a11fb8450a

SHA512
a6bd4bd0e230e156763258fba5f7b2b16364df6e4c12497d61169b4201b30be5adcda2ad1176bfb48ba621e9e1cf8a49437d123fcc075081c8c5b45780f84d3b

Download Submit
C:\Users\Admin\Desktop\RegisterEnable.xht.vn2.789-C67-E35

Filesize
595KB

MD5
7039f4cae49d3d8f358dc8b77575105c

SHA1
32ae25861ed2729846e468e78035450fc04b284f

SHA256
b7feb6716e3a4d4cc56167df736c1837abf1290ca17b232faa33be103eb53225

SHA512
6fade88ed69162113610a5dbf8f680428442d00867eca6d678ffc4839ef9014c06ec620b25f3b3af9235c2290c06bf63e8ce59cf82c863da277de29b120d9a38

Download Submit
C:\Users\Admin\Desktop\RegisterSelect.M2T.vn2.789-C67-E35

Filesize
452KB

MD5
507595bc85a8bdd910a9d07029b6999d

SHA1
9a07ace88e77e68691e0f77d33b8bb03a31a5a1c

SHA256
2fed07e6b51384eeb46027812843bce879b08ea37b420dc55c67c570de128ab9

SHA512
2216c959f5838451c3f0c834902476b59c3133654341cc49ea284d4696d2420d60b5615b0f43880b1fc065ce72477ef971bc487d664dae461ca7648405f1ad9c

Download Submit
C:\Users\Admin\Desktop\RenameImport.wdp.vn2.789-C67-E35

Filesize
373KB

MD5
419dc987ca19926b398845c84f5fd50a

SHA1
01beae54afe87482e338dc00effbd30cc3835726

SHA256
7b6ee719678cf28cb7002ca1043df5eb24cb7f610bf2b7342b205ff0b8940e9b

SHA512
62ae5614b53528596b3492ef4e3ea8ff1c0ed599187866cc6c5ab8e9b5cc4f6d674a4cb6de43a8d0d2055cb89078b92c04ab5ac38466170374fd0a87b58621d4

Download Submit
C:\Users\Admin\Desktop\RequestRestore.cr2.vn2.789-C67-E35

Filesize
642KB

MD5
6444f424d911905f8090ba2f666397a6

SHA1
fb82c50cf96fecb1450b87c1608195d536fe6ef7

SHA256
a64d3cf06c314d96a808eb8f760c4764ce9175ad45c6b896432882efe313c992

SHA512
52e98561d67ce078ec9c36245c682dcff82b54e24d5024f1f22a6d612ba2c944a1998fde6e30efa7c967dc0481fad28d840dbc53cdbc7e6f1ef0d3f1a582b129

Download Submit
C:\Users\Admin\Desktop\ResolveRead.MTS.vn2.789-C67-E35

Filesize
547KB

MD5
6deabdbcfb0f4b0e68214a32f417b6db

SHA1
fe5dfe09b10e40f1c6fdbb70e7e6b251f2a17faf

SHA256
e74551a25c395a569750f1273061b8df9e7dba3abd24c7f3b0296655f4e616ca

SHA512
297784fb35a6c4299e519ea230dacbb6e84a91e681644ffe022165357b652e7c997b5e9170b0395275563b4e679f204c8ca2c6564ebe087307c4a6691afc5820

Download Submit
C:\Users\Admin\Desktop\RestoreProtect.mpg.vn2.789-C67-E35

Filesize
421KB

MD5
b83e43befe607a8efc36138e8ae6c6ee

SHA1
f636571df19ce75fae74ae88c18071a8495505f6

SHA256
d2f8047765c1478ba745b6b1a3d22f08d000fe7ae8c44fa0912c344282e31624

SHA512
db9421662b2ab5427739422d32000b55b8de3d487b54e8c3fcbf758afbb6237cfe7d7fa1c3c3148dc8bc8ad140cded5bee7cffae1c98fa9a50cd0de018cb18e5

Download Submit
C:\Users\Admin\Desktop\SwitchInstall.aif.vn2.789-C67-E35

Filesize
357KB

MD5
04cbbe7745fa626c0ce4aa127191f03e

SHA1
e36ce8ed6763daddca68949d88201b1ff41dd8f8

SHA256
48bb5ef4efad3100a568b125adaaf02bcd4ce2d56d04684e2cff11b447b18473

SHA512
65f794c76a87de814453d21c8dd6cc6b7837449cf96357807b159533f7cd688a596dbb1159e273ccad595ae304656fd7f67971ae36eed60303f4ab225fd18a0a

Download Submit
C:\Users\Admin\Desktop\UnblockUndo.xml.vn2.789-C67-E35

Filesize
658KB

MD5
4f68080cf0dc7a32d46a9c8f75e03fc9

SHA1
89b23c938f66d14004f4d1b83b255d8d340dd547

SHA256
111d9561a64219cbb1dfde64565865b8274841a94015445109b0ef3a1adc3fbc

SHA512
c52058aea50d53f168d3740e01179ec9418a93972fdbe7fba5b5bfa44821f7b56fbd2106f4312784fc33af6a45d89a7a9ccbe00c842de330375b33de6de8420e

Download Submit
C:\Users\Admin\Desktop\UnlockGroup.vsdm.vn2.789-C67-E35

Filesize
611KB

MD5
406025333b08c7ad4b16ad8531c7c147

SHA1
d29b17d84e44685fbeeab27013581b56702b8dd8

SHA256
d048f5d7f130a15ab3be41c9a618b5180c048d54e1991ffbde08458a48c1e225

SHA512
c6b3596f5acc366c54b0b5c83ac0a67665d41cfa3ccbbeb7471b719998eb42242225671b18922cf94c46055f4cb7bf01dc836bbefc4b039947fa6e7a2fca6faf

Download Submit
C:\Users\Admin\Desktop\UpdateRemove.M2TS.vn2.789-C67-E35

Filesize
626KB

MD5
bcd2d90195478b072705f1d20bfb9f79

SHA1
b026d06fcda6b5083a0cd935e442511860b0fd2b

SHA256
666ec2cec42273896fe17a7fd47cd4f10924242f12b485d8716864f96e313ba4

SHA512
7b176056927709a245189d3fb630d05c8c685f6f2a898a27e20e7317155c865f2feb3c091ff2bf5d1fe340a8563ebe563559358600a2104377dd7a4daaece22c

Download Submit
C:\Users\Admin\Desktop\WatchUnpublish.mp4.vn2.789-C67-E35

Filesize
294KB

MD5
d1e437700e099f5a12fb34b0fe0610a8

SHA1
ffcb3d9c60dca02b566f9000d7852fcafeac1d6a

SHA256
eb981338f21cd7e6d7e5d83c9b0931e304616748754d48ae329cab70c4ea496a

SHA512
25e3056d350d387820eddff228d014f83c709aca177ca569b2997f67d0cf76dd038f9018a13ea0ef644f53997330d13f3a744a839476f8d711dc88933cb295e7

Download Submit
memory/556-66-0x0000000000000000-mapping.dmp

Download
memory/580-62-0x0000000000000000-mapping.dmp

Download
memory/916-65-0x0000000000000000-mapping.dmp

Download
memory/932-67-0x0000000000000000-mapping.dmp

Download
memory/980-61-0x0000000000000000-mapping.dmp

Download
memory/1424-57-0x0000000000000000-mapping.dmp

Download
memory/1452-59-0x0000000000000000-mapping.dmp

Download
memory/1560-58-0x0000000000000000-mapping.dmp

Download
memory/1568-56-0x0000000000000000-mapping.dmp

Download
memory/1676-60-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/2024-55-0x0000000000000000-mapping.dmp

Download
memory/3492-97-0x0000000000000000-mapping.dmp

Download