buran | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

Resubmissions

21-06-2024 19:37

240621-yca7cszgnd 10

09-06-2024 17:07

13-05-2024 17:36

12-05-2024 17:17

12-05-2024 16:15

10-05-2024 18:05

10-05-2024 17:48

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: F3A-925-CD0 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe	family_zeppelin
behavioral16/memory/4488-35-0x0000000000CD0000-0x0000000000E10000-memory.dmp	family_zeppelin
behavioral16/memory/2516-45-0x0000000000910000-0x0000000000A50000-memory.dmp	family_zeppelin
behavioral16/memory/3328-48-0x0000000000910000-0x0000000000A50000-memory.dmp	family_zeppelin
behavioral16/memory/2516-3138-0x0000000000910000-0x0000000000A50000-memory.dmp	family_zeppelin
behavioral16/memory/1448-6539-0x0000000000910000-0x0000000000A50000-memory.dmp	family_zeppelin
behavioral16/memory/1448-13455-0x0000000000910000-0x0000000000A50000-memory.dmp	family_zeppelin
behavioral16/memory/1448-16480-0x0000000000910000-0x0000000000A50000-memory.dmp	family_zeppelin
behavioral16/memory/1448-22723-0x0000000000910000-0x0000000000A50000-memory.dmp	family_zeppelin
behavioral16/memory/1448-26041-0x0000000000910000-0x0000000000A50000-memory.dmp	family_zeppelin
behavioral16/memory/2516-26071-0x0000000000910000-0x0000000000A50000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6085) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

default.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation default.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

1616 notepad.exe
Executes dropped EXE 3 IoCs

Processes:

lsass.exelsass.exelsass.exe

pid process

2516 lsass.exe
3328 lsass.exe
1448 lsass.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	default.exe

pid	process
1616	notepad.exe

pid	process
2516	lsass.exe
3328	lsass.exe
1448	lsass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

default.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lsass.exe

description	ioc	process
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\A:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\B:	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

29 iplogger.org
31 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 geoiptool.com

flow	ioc
29	iplogger.org
31	iplogger.org

flow	ioc
1	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe.F3A-925-CD0	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSplashScreen.contrast-black_scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-150.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\14.rsrc	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUAUTH.CAB.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main-selector.css	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\custom_poster.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessCompare.rdlc	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache.scale-100.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview-hover.svg.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\DenyProtect.vb.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-pl.xrm-ms.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsWideTile.scale-100.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\ui-strings.js	lsass.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	lsass.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeBadge.scale-125.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreSmallTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_altform-unplated_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-400.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Close.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-20_contrast-white.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\PlayStore_icon.svg.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons_retina.png.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-200.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\ui-strings.js.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\39.jpg	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-48_altform-unplated_contrast-black.png	lsass.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircleHover.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_da_135x40.svg.F3A-925-CD0	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\ui-strings.js	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

default.exelsass.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4488	default.exe
Token: SeDebugPrivilege	4488	default.exe
Token: SeDebugPrivilege	2516	lsass.exe
Token: SeIncreaseQuotaPrivilege	2568	WMIC.exe
Token: SeSecurityPrivilege	2568	WMIC.exe
Token: SeTakeOwnershipPrivilege	2568	WMIC.exe
Token: SeLoadDriverPrivilege	2568	WMIC.exe
Token: SeSystemProfilePrivilege	2568	WMIC.exe
Token: SeSystemtimePrivilege	2568	WMIC.exe
Token: SeProfSingleProcessPrivilege	2568	WMIC.exe
Token: SeIncBasePriorityPrivilege	2568	WMIC.exe
Token: SeCreatePagefilePrivilege	2568	WMIC.exe
Token: SeBackupPrivilege	2568	WMIC.exe
Token: SeRestorePrivilege	2568	WMIC.exe
Token: SeShutdownPrivilege	2568	WMIC.exe
Token: SeDebugPrivilege	2568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2568	WMIC.exe
Token: SeRemoteShutdownPrivilege	2568	WMIC.exe
Token: SeUndockPrivilege	2568	WMIC.exe
Token: SeManageVolumePrivilege	2568	WMIC.exe
Token: 33	2568	WMIC.exe
Token: 34	2568	WMIC.exe
Token: 35	2568	WMIC.exe
Token: 36	2568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2568	WMIC.exe
Token: SeSecurityPrivilege	2568	WMIC.exe
Token: SeTakeOwnershipPrivilege	2568	WMIC.exe
Token: SeLoadDriverPrivilege	2568	WMIC.exe
Token: SeSystemProfilePrivilege	2568	WMIC.exe
Token: SeSystemtimePrivilege	2568	WMIC.exe
Token: SeProfSingleProcessPrivilege	2568	WMIC.exe
Token: SeIncBasePriorityPrivilege	2568	WMIC.exe
Token: SeCreatePagefilePrivilege	2568	WMIC.exe
Token: SeBackupPrivilege	2568	WMIC.exe
Token: SeRestorePrivilege	2568	WMIC.exe
Token: SeShutdownPrivilege	2568	WMIC.exe
Token: SeDebugPrivilege	2568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2568	WMIC.exe
Token: SeRemoteShutdownPrivilege	2568	WMIC.exe
Token: SeUndockPrivilege	2568	WMIC.exe
Token: SeManageVolumePrivilege	2568	WMIC.exe
Token: 33	2568	WMIC.exe
Token: 34	2568	WMIC.exe
Token: 35	2568	WMIC.exe
Token: 36	2568	WMIC.exe
Token: SeBackupPrivilege	3592	vssvc.exe
Token: SeRestorePrivilege	3592	vssvc.exe
Token: SeAuditPrivilege	3592	vssvc.exe
Token: SeDebugPrivilege	2516	lsass.exe
Token: SeDebugPrivilege	2516	lsass.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

default.exelsass.execmd.exe

description	pid	process	target process
PID 4488 wrote to memory of 2516	4488	default.exe	lsass.exe
PID 4488 wrote to memory of 2516	4488	default.exe	lsass.exe
PID 4488 wrote to memory of 2516	4488	default.exe	lsass.exe
PID 4488 wrote to memory of 1616	4488	default.exe	notepad.exe
PID 4488 wrote to memory of 1616	4488	default.exe	notepad.exe
PID 4488 wrote to memory of 1616	4488	default.exe	notepad.exe
PID 4488 wrote to memory of 1616	4488	default.exe	notepad.exe
PID 4488 wrote to memory of 1616	4488	default.exe	notepad.exe
PID 4488 wrote to memory of 1616	4488	default.exe	notepad.exe
PID 2516 wrote to memory of 1448	2516	lsass.exe	lsass.exe
PID 2516 wrote to memory of 1448	2516	lsass.exe	lsass.exe
PID 2516 wrote to memory of 1448	2516	lsass.exe	lsass.exe
PID 2516 wrote to memory of 3328	2516	lsass.exe	lsass.exe
PID 2516 wrote to memory of 3328	2516	lsass.exe	lsass.exe
PID 2516 wrote to memory of 3328	2516	lsass.exe	lsass.exe
PID 2516 wrote to memory of 1032	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 1032	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 1032	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 3504	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 3504	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 3504	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 1300	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 1300	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 1300	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 4008	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 4008	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 4008	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 4912	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 4912	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 4912	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 2028	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 2028	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 2028	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 4976	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 4976	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 4976	2516	lsass.exe	cmd.exe
PID 4976 wrote to memory of 2568	4976	cmd.exe	WMIC.exe
PID 4976 wrote to memory of 2568	4976	cmd.exe	WMIC.exe
PID 4976 wrote to memory of 2568	4976	cmd.exe	WMIC.exe
PID 2516 wrote to memory of 3372	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 3372	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 3372	2516	lsass.exe	cmd.exe
PID 2516 wrote to memory of 4516	2516	lsass.exe	notepad.exe
PID 2516 wrote to memory of 4516	2516	lsass.exe	notepad.exe
PID 2516 wrote to memory of 4516	2516	lsass.exe	notepad.exe
PID 2516 wrote to memory of 4516	2516	lsass.exe	notepad.exe
PID 2516 wrote to memory of 4516	2516	lsass.exe	notepad.exe
PID 2516 wrote to memory of 4516	2516	lsass.exe	notepad.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1448

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe" -agent 1
3⤵
- Executes dropped EXE
PID:3328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:4008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:4912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
PID:3372

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:4516

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:1616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
1⤵
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png
Filesize
64KB

MD5
1bfa06f16e016763c89a1f577b212182

SHA1
acebe0e09b8516add8583d31c0e4dec8116127a1

SHA256
dc4ede2f0f2586f05336487c9a535151ef933ed4a20c4dffb3eddb55c4b7dde6

SHA512
706435c075ee2ee66e621cd84810a3cd195557ed4a199d23664f317535c5e1c6b73cdfedef1b14f74acfc2cc7984749711c3d60f9189746f1341fbf7e109763b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png
Filesize
52KB

MD5
a633cfd3135b8f2579afb053c8219517

SHA1
3e574eb714899bec6bbe64a5ec2c6cfdae7b6335

SHA256
5072f92b3b2df84b1fdfdbffd2334c4d5e6cc354f78a82663d2db7e31187e091

SHA512
ab697c857cfa14027dd43d44dc4a07313c82f08e3a7fb8e5cf6b80437aacfb3d91e076856927fd28383b3599d0310881f60e15d066280e141b62e8274eac263d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png
Filesize
52KB

MD5
cace6371cfcd232562a1ef19b35f9658

SHA1
5c620c8f435b619911d307c6c50fb7d9908ed806

SHA256
fd9a0f8e2eefedb58197f5930c953e74e85ffc652453d871ed7cf7f329865d75

SHA512
7474b304751e461307ad88304badd4e9b2e6dcb53c5d9e5e3c635d3a7684a462604712af444b45a4683fca9b251bd7c61d233da923df88e7dad4fa134160b41e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png
Filesize
52KB

MD5
47192a9b87f5befd31391aff5823fc5e

SHA1
9bc9623afa07f1453efbcea64b032b5c269a42a2

SHA256
01d66f98e40705356f51856be35222f9efe6c04bb0647b2db6fd7c00e9c227ad

SHA512
894600cf12bdca0ffc7f07817a287cdcbde6b44ffcfc43a525a05bbb8e368a83a51b5a4ff30bbc9c5a2c3862f924220eba1151c2723c47b6d457829f793ec8f3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js
Filesize
29KB

MD5
e1b9947db67caa971c0ddc124e30c255

SHA1
755083b20186010aaecb439ff395accc0e93de4f

SHA256
7ddbbbe19108687e61b2b8bbc1b78ecfd6b18e355f2b1edfc202331a142872fa

SHA512
dfd1c005f0f75d2c89db18e7b66d1675d279dfcde2a70c195dd65a62723ae075382f56919c3a76185106de82ba17430072a0e758d6605fd16db402ca9e941446

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js
Filesize
34KB

MD5
6fbe61b237371310e931ed4877f3e6be

SHA1
4808c2c70c142cee8c9b236804645eb0b80d5022

SHA256
36bd7bb4806eaf0ac886954375a296a40f47d7d8aec4fa9aa6c05022d5ae6237

SHA512
61a1f4f9b60bb9552b0255784b6362bb0372259378001125994d29ddd10933a5274f57c319692ae64ad19f885d2ce8626fc7c5d321d2c098e3c880cb355ae173

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js
Filesize
10KB

MD5
30a936fc4a0c2bdc6842253a19e5c46f

SHA1
7e4935b3859d5b09b7204b923503c917ebfaa7a6

SHA256
700b5f83935cf68f0ba06d0fde3a43544c6181b9dddfe86667ea85ec03d0ff28

SHA512
bb505f80bd72287791cf11371322ec7243191a053e306df2efb15ab506a2618824edd18ec8a3553f6df5e0b2dfa6c61b99d96bf7dfdfe8b98f3f26cd3b9f5788

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js
Filesize
6KB

MD5
0b7e00c4c80461678231e08fcb43738d

SHA1
3baa63b0f1fe25868145822dc17d2daf603099f5

SHA256
fe51e1d50d4f6b4f93c7d2c3ccb2bce1d3797c669b003a135b8eec2072cc4f94

SHA512
61c23de53142d20ea76033b7cb034a92adcc2ff08df9682458053768d8e87f1b1887c1932d7a4659a97c2c64f3e3ff6978b19ce6a752adcdc5ca119f971b4130

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png
Filesize
16KB

MD5
48c3bd3836a06692c3edf6f08038d984

SHA1
6f1ca79d5cb864b155a9b08bf2922ff6f0030c7c

SHA256
1ca94360c55e39cb882f59cb0d42c7dc2d0f2d35532e729e50eb1280568f88f1

SHA512
2b80bfa28afb63de5c6993f95b8e1c2e82cccaf7258058ed8571e2eb91a7ea9293f02efbf3f26ecc1fb26a97ae998fb073b8c2e298ad1cf9d6cf9b90e55895e1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js
Filesize
175KB

MD5
c2c321db32a38bbf9797ef7fe4f94d64

SHA1
77259472e6ece4a95769169cf842af68c8e5c7c2

SHA256
af373d8b8962ede188e2227742a9f6a927aa98bc135b104719854e2e2bad02d3

SHA512
de596403a0ccb4e32620677e474240b13d55334a53e10329def79987ab364ba3242c5eac6bf9ea0d5e6aeb1eb6273bd14a9c61ed0c73cd366ac6bddf93809d72

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js
Filesize
395KB

MD5
e7055a65efd3408f8398820c2fe50539

SHA1
00a81b640f29327dc87d7ba648b4e0393c86191a

SHA256
a7a09c97a5311544d6d5d4e60ebb22d2e0da3a1fd9cf879ac1844ad4746f967b

SHA512
c4c04b8e3de968e5702168a38f3f297e94a8942d9764a3ef42bd8fbac98c09de7d24c605d0e41bca0a8ce0d3fe128da42a197915e294e59b8ba979c8b05346af

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js
Filesize
10KB

MD5
8ed8eae93c4bc5efa760e14e52e0247f

SHA1
07c8d4e996d53a844d602174aa1e0cae0c797f81

SHA256
668d716826585919ed15fdc641ed617b11357306464c6430f96e999df34d69a7

SHA512
af801ad4b29f3d35243565a53209aac813e0b44ab8e127ebc024ae2c75bf3e1636ea09d21e8ff9448f7e9ac452718a12aface6724c509387a84c52cc8f19b164

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js
Filesize
12KB

MD5
ddadfccb1831063c3b65811ef25711d1

SHA1
ec14a2be3317565ef82f932ff627583a48b9f308

SHA256
104bac764c16e373640c6559c03541642c6193220c36ee84d0e72549854961a8

SHA512
3dbffe01303be8af8646910b22a62c789045a7385d3bc0eb8951c2f8b0243f28244b1da199feccf5bb5bfbe531023de7009f41afb1342d8d5e6889ce4292dbfe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png
Filesize
9KB

MD5
4d0c6ef093c6a323dc088ea0f8ec4285

SHA1
2ec66bf459acbf8c14f0d0f4e7324b3d309be031

SHA256
76c62219dc0573231893d13a822e8e8ab62469779863c7deb3713028ad267f6c

SHA512
f8f9c2dfa982a7f311095b2c498473631c71a1d2e46f632b6840cad79e4af76fc3e53f63a8c5715781c8aa4ea7cd5f5c9bd473f87e49fa02078fdc65ae4c18a1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js
Filesize
7KB

MD5
de58bb6263df88c7b303dbee7a8647c5

SHA1
046ee464d4a94cbd47a01ab3e770fdeb5f5d2a47

SHA256
e7d00c89b42ff57cf57ba1eb3d97675899aa67b876bc755343adae38350deb83

SHA512
ae2ba0ac5d7e9f347856fdaecbe04955e35dc1fd64d0568fd0cfa259ae8d155731771f75fe71073ee4ec1491b7c50fd7d0f3748d100329653bd51d99a8f1b0de

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js
Filesize
48KB

MD5
9260f35e30bfd70baaa6f9290c3aaea2

SHA1
16dddc5f6ad951789f830c30091f6731bb55bc5d

SHA256
3110b9d2f56e4303ba32c1eb8cc932c6b868335a523a2053f54715b9fa7974c6

SHA512
0c43d37111fdc468623f2f2180958ce19c5907ff576958ffc134dc5399fb71cf22e101d1ee31045702d8eec76c6f1895354d8563f4956d7f71c98711b414ca64

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf
Filesize
381KB

MD5
aa61c456a17db5451a89b9e57a25d396

SHA1
be3d4b45186d501e548c9c86d4876ecbdf715e83

SHA256
fbb8d142bcef080d9796a36bf55f14c6e77d6638459534894f024be477317fcb

SHA512
a47ab49292577fbadac6f1a3941b479c7d49388b3ac09c11a5b7b67c5e929b96cfda968c6bfb3b628bbaf4cd1fcda5a78254d7459c70b629e0795fcb91fc347b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf
Filesize
56KB

MD5
796b4c769f9bf1aa7631f2fd43f9df01

SHA1
1daae79c964b73dae28b1ec8d56be9df6b2a9117

SHA256
3e356640b92c14b64b29091edc7013a36ad3d92ed794b20949b6ab4eef012724

SHA512
c97f5cc4d9be2c14af29a8611aaf8e8983901f5fc8accd8df6c3558c6bc06e61557a1ca9d4de4f3d577ffd14f8d9d68311959653b440af1ce9dea871a19737c9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js
Filesize
14KB

MD5
6588de673df320a49ac6674f14e584bc

SHA1
78812e6099d55204b8052c116c2ad2fdaabcf29e

SHA256
c453669ab04e6e952dd3dfd5b10ff2afbca3275ea84b855c4ff980276730f9fb

SHA512
8c15d3b069f46c46a21d6437e8f8e5cd739d382bda0f60125049f24d334f409e80042175d9fe2f6ccc1e04dde70e7017ed7ef749412273f292144059f6b20734

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js
Filesize
17KB

MD5
cf72025a4dc72a991dc1c499277cf33d

SHA1
88f84cb0de212ae3fd6abf72f6eda1a5e0d2aed6

SHA256
e87efc754b8c01475391f81d3bd7903844b025df46b2455103bb4fd9c7f6733f

SHA512
7c7245f42382ec4bd729e9dc5587dcac1d80dd12da54bf016ae8b5565a38f4492e61a62c8884dce34f6b7fede9e312c1b0a67ba2684c070067b7a7a27a6f8b20

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js
Filesize
15KB

MD5
70b7f97571caa772fad79c8597dac35c

SHA1
eb6475a2d8e6e86a7b618bb5bf11fdfc696d5b68

SHA256
2c1875d1ffe7d42f18d131687c9be1dd1692c608a3b88ccc4c30d0e039233c8a

SHA512
06b35422d514cb74532746ad6f634851c14d582bd8f1b633f7d45164893974659dcdb36032c5876f66f6087d10f93e43e50ac39c8abb496143e536adb218e23b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js
Filesize
18KB

MD5
b301113d257e43f2ba6d29aff39a15de

SHA1
7fa171bd8f847081babada46b6fbcedc53cc0d45

SHA256
543cbff367eba24e0f9cc532f17b13562c7247dd96ddab2b62cbb06c0ca2b2d7

SHA512
a156c71e86eba13d1c3afd4115fd7cb93698b4073cb450a4af54f1e86c71224b56f7563b20bb79234938c95ba7d3026f93b02c60477e093bc7e23788871c6324

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js
Filesize
9KB

MD5
de698373a8c504f55a514cf3fdfdd42e

SHA1
7d1052a78034dac262fcd26118304c7e133b7533

SHA256
8197d353071aee7151b146b9a4b8a98f7da1b7e33b89cd23ce4d10f8a91e879c

SHA512
f98f18121772fc524ccd3089d74809b93cbe7e86f513c41c771ad6d922f8d8f362f606d0ff08a3cd0436498367718f367a5998b6f7c1093b4ebfe67a724ed2c6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js
Filesize
11KB

MD5
3197da47ef945f169a04883d464f9c9c

SHA1
6338668fa12081fd3e6b8441a2c687ddd10fdf8f

SHA256
496334f369e00dec95aa2cf42c4b46743afa45afe869f56cf09042f9d64cbc6a

SHA512
12dc5f124bfa5a3ec46453ba7bea1289341af4388ac41749d0ae88d71ce7014aafacfb205446ea1c2d9c70f172388ffcd34901f07418dc03e39f74a8fbbdbd9a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js
Filesize
15KB

MD5
c5aed818ba1799fce41c0512400b1121

SHA1
94dd4b179638f72ab129f8c6fff6ec94eb08879b

SHA256
2d83cdf33f2cd0bc9eacd9340b04705bc8173b3b7c7e4362005db5efd6c2a55b

SHA512
ad96deb7c2b1753f76aecfee397f056a7a9aaab35503899b5223dcef2d2219ccc654c910890408ba404b5444cb248a466e7d45eab26c8dcbed5f5997e1f51f63

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js
Filesize
17KB

MD5
8a8a101f827f404e02a2b5dcd3b023f5

SHA1
d4ad466a4290f26f325690531fa5a122f87ea553

SHA256
c16a6e0fc7d7a2f95768ff076d4298ae834cff38e26ff3a89d1e0cf4170ab4c7

SHA512
5312ac0844366b7a84f68d9925006ce2c11af94864d80937ec63ef0b882b477e76e89a51c464b5c8d9b3f2835ab450469bdd3bf0b22b85f4f4d0447bdb64f216

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js
Filesize
15KB

MD5
7d72414d4d5b203c662593d3337f2c51

SHA1
f594dfa7400acf487395428a4547427fa0c95996

SHA256
3cdfbc9e74be158a0f74eaed2be2d154363c8ed62f95c975e71426152f96840b

SHA512
f679e8434d5d6a99a9c2ed690dfa8f74c3f0f6c8c17122dc94a5590907d4f9e95f180d452ecf1083768e6a57a7c84ca3e15afffc813d78fb04966b818e9b5063

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js
Filesize
18KB

MD5
c339164974b54f70bdb88438323a01c5

SHA1
d2efc29b98d176b145e55cf5c8534aa6e761d5f3

SHA256
ec87436131f283bb9ab19a8b4ffd8c77b60011358cd0c6d1a47ad9b97ce86ec0

SHA512
ae80da97b3b48c38e766ed313bbbfcc50e2c0b6ff237139c408c27241d9a1ccbeb4300aa1e814d7c4f6190209172f71c31fe07fb8cd88f10adb4f15a8d1c4429

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js
Filesize
19KB

MD5
651bcb9661d6fd8d790d958865bc565d

SHA1
e60870413b081aacd4df85d98c5c23170e316955

SHA256
fb870bd8434e28bfbc95eba9fc6e3ee941a2f8e9627f9f919e5aeb1104e8859b

SHA512
cf28ae6cf6888a1e31b979729a67c4fc72e67553136310ca36e6f6a65a1d4b513e6f0747019f0fa859afe4a4220c2a17a54ac7659b45098f588e86dee4f82436

Download Submit
C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar
Filesize
9KB

MD5
3e001c79bd5f2b7226efe3e3e9419531

SHA1
72f239785d47a8fa157a5e49f6be60469ed27194

SHA256
72d0243a036ce8fb03fb1494c254ed43c1a124019a7481f1afd1aa9a842db218

SHA512
c8099c6211d48f6f55dc002fbc81dfa8c3cb213a48c7e731854d54372bbb702424f089f15d8eb40666cae0f2fa79b392fd6fe645dad0b093b4da7e15724211e2

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
Filesize
4.1MB

MD5
a3f2e97538134a86d621839d71e49a7e

SHA1
82a203fc677b35442ea240f703b88b0dadcb8b8c

SHA256
e77f667c6d0bae644fdf0411e7b1c5c154a849e3ced9db6e689a3b08226b4de3

SHA512
42436b3d505a63b20a973311af2f3c8df8dc9aa318c7756767dfef12a4a7e3a363088722e935b61fba9b3876fe2769bd3228319c208599aea1b54c348644c504

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX
Filesize
292KB

MD5
17fa16edb0cc80735027a5b68084fd00

SHA1
ec96ffde8ec6651d0e1ca076ba6c5e95597a455b

SHA256
61a7590c01d96eb4e55a3b866a2af42442b0b37574b06d401253bfa611a0a300

SHA512
cdce542fe89bdc06781934d20054d059a363e8da910132d1406925248b29aebd6071286dec697bbd53627fa05a7353ed5ca737a9ff9aed359f5fb05981857925

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi
Filesize
2.4MB

MD5
4c4e9385183785a70cb638d46b0808fc

SHA1
f43de83d871d9945f504b6b941fd456587876271

SHA256
8e86bb56fa23bc39d1c6dc933292bdff0df95c2f7ef2148ea4383da38672afa1

SHA512
59add4ce2e5abe54cf1df3a4009509a6b3ec03a44f02528dd6ee327fa290b66e511853f157da69501bb9f0041b44a3a075e28bc1b4e14279eb4756c1e239c4fa

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe
Filesize
1015KB

MD5
0c43824f97e80960a766453eec52ee10

SHA1
47e120451d4f34cfe45cef2b039f92255e6f6261

SHA256
8005835aa8d1f8ef7cc6fcefe6f11f626d50091de2551a38b6ca365be410b62c

SHA512
184b9df03e144d83c8c13648c438c2154ca1ebda75d573380ffb3654c27faba5e45fb793d51fe618d887172abe1920a94f04483387dbdfa3476cd78191833412

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo
Filesize
606KB

MD5
6722b4368091561f642cba9d89c28065

SHA1
02b16af86d32bfd7c0a8e6405a9baa2cf5e52cae

SHA256
93612b3bec0c50be8ed7d12a993a3b99e9e36cafb25e386b9d31ca21ae91500b

SHA512
22385c6f449de1d618c6d2a7612118774c28e061166949a2edd78eb8da36c4f80c6adaa4b7ea9426859d0a54c99099899cd97f327d917913fa80cd88218c9dd3

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo
Filesize
610KB

MD5
d11d2c79cff6cb2fb90a2b4949450d56

SHA1
d23b216de561152a1b5612cf4ccd0274fc25cf20

SHA256
22bde589f14cc69a39a4c3f3ad9cf187c5faf4cefe3b073fd5efe4e2345b1c46

SHA512
cfc595b659b6350a42f605e1689c35f30ed0dc86547c96dab6143e73ec4de47b57bdbf4a6cfbcb507ea8fda682ed81bf0e01cff2c3afe3e7429e7757cfac80f3

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo
Filesize
674KB

MD5
dd9bd155582c6cee9fd9033c0ffaa7a5

SHA1
98a6ed79a04b1b4e4ef6bd38a7f735148521754a

SHA256
fa971031727e1b841d4405908e192bfc82c9a2fbb5fcb00ed344b7ed6c6a4280

SHA512
dedef409c05504dddcf7a99713c34300cd46f39ebd46dbd41e4b53c73a082b10e108e73344fb61782307ed0c4d953419d75c5827416fa668c5a819dfc207e0bf

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo
Filesize
1.1MB

MD5
a9cd1a86091c5f1fb6e93e34c40800ee

SHA1
b2c70a8491da9ab45627ee1517b11403710beab0

SHA256
02ef38edef36d4b36520d1a1a6ec80b59dc8784e3399466084e1b0d333a04829

SHA512
ec7ac31f1b2e675c60360dd46b097aec60c84d180877b772761d75fbf41df9b9b818761560fb57e014039fed7c77022f471b798a21265cab3210489a47f651ef

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo
Filesize
595KB

MD5
db7355ea77c2e743ac1a07a7ae9efd26

SHA1
fa728f24f1b85ce49648bbbff1d7fb6deffd734f

SHA256
949b310bd6d96711719ff477e6165666d486c7b98d3437cb3e58f16452624ada

SHA512
f6429b7397efd2f5fd55b18266fe9492de4ef623b446c5be37342f92b6a07b5a4806739593f4ded199408678f1d5d2466157d2985e198e87996226c1df178b27

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo
Filesize
617KB

MD5
a2c7b07a52beeb0ca55319912f569332

SHA1
5d2129315505ef7b16b39af839f1f1c1830e7bf2

SHA256
ff20a218dbdfb1f55dfb17b48dbfba2a3ccea00e212c41ecdbc05b90ee3f9647

SHA512
cebc6ab655dc8d0cfee4f5ca7d51b22e31224e00e7ddd05aa8e3cade37aea9577f9ec46c10502f9360aacbb5100a214c1cc47c4133d533b28752de159d3b393a

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo
Filesize
780KB

MD5
ade95a1217ecfef9ec1bbc144938ea30

SHA1
0cdcc351eb8c67e6f7a983cfe7239d668fc089e2

SHA256
61dc6162a97abbfcb1298ae4253327c4268281a597b217ccfae716dac083f54e

SHA512
2f29dc0ae8fb2d0af3d99117dc9ebdff7c09676af0bd1c04d372eb9b2d5e24b7f0f04bf9fd0307eb423f6320af1824ee4cb6042afc8d2551ed7ea41b3a4aabf5

Download Submit
C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Filesize
985B

MD5
172f3b9645e6c757696724a5ac90c30f

SHA1
0f09d689a316980265fbfcfc516d0966991f738f

SHA256
80b16fc1a77184fb879ebf13226a90b8786c4bdb92116904a51d57e04cd1d113

SHA512
3b00c7de6a1c423835e91d69c97430ed3d16bbe95ba6aff07a34031c131fc4ffb34551700f4eba222915b5ce5b8802757dcddbec62e5db29a8049efe20e3facd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
2KB

MD5
793f91b724d85cfbee31286611d24276

SHA1
7ea041859f49b0ddbe169ba8cfae7a012566e901

SHA256
1670d1c6d9364e85bbcc0fed25ee15d08f776ff0cda2faa922d2332bbdefe8e2

SHA512
1a2a569ea31e129b74d72c88a82c4fababbaf1594035587be2c4605635cbe5b208ee8cc5320ff14b9381861be6eba06423c928bc097c9fd7ef6278bb9b4feec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize
472B

MD5
28441017ed2172f154d6a0eb6ee6cd87

SHA1
b2a96dc105d2603b76c8a06da371fe207f44ada7

SHA256
0eb597a1106d9f406c3a235763137119b0c2ecbf4c5ed4776b38742f85cddcb0

SHA512
69f5ad19f1104a9d2918ba113e49bd27f9047a9c5a9300a06dcfbeb76e6cc5161cf53225816d6df1b4b3b680e86e9eb0ad1791189dfd0f1a351250924b6d3923

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
a26045c60badc3ea12344117b7bc4403

SHA1
e042d0cb3844ca44869d5e01a2e427144b458556

SHA256
69872c2a3c0bdca24598431943ea06f46d2a28bee615698ae09ba335b1cfa925

SHA512
7b0e7562480066d929e4dce2201ced8be9e7d309d28ada04d7779a9ab232ee4bf5a8ba89317865eb382250f8f529c0c0b95d8eb80cff800e595280f2f395d7bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
484B

MD5
5a4db1199b9ed57201935436761797d1

SHA1
030592d2b581d51cf73c3601495272005ef67022

SHA256
8cd5b42504781638608ca85f36ad32689ca16d026ada7233bf523373fde2318c

SHA512
fdf27eb30db84ff789f8fc6b984365a46d94e99fa287ce38ed8a80b8ccc5257cc0988a1ed5dcc729069c0a0554af9f6f15c799630e9059f8ffe0ae83d0afb01e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize
488B

MD5
85db3215d56a1c763e9a3d98e4edc022

SHA1
c01f14d39d6b4ed1fe9029646fdbb328a7d4403d

SHA256
f32f6539d7df95c3cd3ee590447775ee5550f98e55bd4030dc6ca41d882be4e6

SHA512
581965af1519babb373a007338bad6c07e2a0f8c4bb3068b9d8885e5373e935fbff0d9f309cd12a2f1027ed58c228f595a21dd2265673b563a3c13f0aafd9349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
8aa31e8d48baef556e849e1dc4fea81a

SHA1
51fefb10601dc94511dde15658ede9df5bca77d4

SHA256
b2cc4fbf2fa6a3c785f0d9784d9d1252ee03524f124beb8f9e1ff46e5247bcc0

SHA512
7388c5f3066af1ee42c02c108c86f04b256982299f0f71f135a01442094e7263417ef09ea6c66c21b4d5b3985ff32c40d8a0452c60da6dd7794c5f55cfbf9f88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\PSKE76JX.htm
Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\G9ZT3G9M.htm
Filesize
18KB

MD5
46e7f28a55cdab07533424725a04b9e5

SHA1
48a915fe8958b0882f364b1e0ceb37e7b7948319

SHA256
e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b

SHA512
717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\lsass.exe
Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\Users\Admin\Desktop\ApproveSync.wvx.F3A-925-CD0
Filesize
191KB

MD5
42ca828b11b4bb3f9fa74e5f8974f271

SHA1
d581ee459920156d7cceca8f50422a8b0639ff6c

SHA256
bc986653cea8c12df78801dcf5b1ba47dd667312ad7aa19649915506afd5ce0d

SHA512
bead4e357f3b41dd969954f485d2e6104a5f067362dbcd94084e8f4edf31e39aa236cf5c79b5dc40e8f675b4a221fcc831133517db73e908288b2e87ff8af2e7

Download Submit
C:\Users\Admin\Desktop\BlockApprove.emz.F3A-925-CD0
Filesize
256KB

MD5
33b813abf7a60f3cf2a18bcd030365de

SHA1
3ea9f3f84762a424feb3e7c2ca38a4e5a1cd86da

SHA256
3ab72b79eca2cbdd1fe3ec95df8f5bb65c6947691c62ae7b88854af34cd6d2ed

SHA512
77a2d840078678d2f1fd72976b7a77f9abbbf542586a41f47ed56109b9c5741d9dc2ff7b3fd1abed9f14160a0238b0fc279d28b479045ed1df1a049b9598ae07

Download Submit
C:\Users\Admin\Desktop\ClearConfirm.scf.F3A-925-CD0
Filesize
125KB

MD5
1cb5a6875251211fcbd763875ef8dd1e

SHA1
d9edbedbe8d79f83ad81d4fbaa4a99283ddb3d7a

SHA256
b547f0fd00eb8dc02aac3d9a31b2dd42f2c36e560a4493c00c2f123af6a01a1d

SHA512
68a369a4f9e8f0752ec032b46a2811bf99459c0d060f051cde720de29cb39f17c344fee94b4060d31eb33ef19b30d9185fb4fdb4aead00239c431f2145da5c57

Download Submit
C:\Users\Admin\Desktop\ConfirmSkip.jtx.F3A-925-CD0
Filesize
164KB

MD5
9f9085d405e03604ef73fd73d15d21eb

SHA1
fb12bd35a9f782b9b9eec3d1b4e3546dd9eca1dc

SHA256
1a4706f6a5342b3dcbac051d33c233ecc2246f793b05d00e64cdf0de2b0b138b

SHA512
82e4a752b9a9cee5f042fb1688abc07454d2a25d77d3b79131c9084efe66d3fc95b630b6808bd82def38944d6bee07ad5114950a40f8623e4587cf22da35fe40

Download Submit
C:\Users\Admin\Desktop\ConnectUnpublish.ttc.F3A-925-CD0
Filesize
106KB

MD5
f6129a1cb3a2c3f5b7752ae167877f39

SHA1
9923175298f8b62ad88a2d4df0706154bd2a1801

SHA256
51ad487d579b4b7da0252e626fd0eea4b487ea1849e0ebc8d119b4350284f2b7

SHA512
83726f2032886c6eb092fdfde8c94e9033dbbb98a1ffaac122010e88fc459bbdcfa90019139768b9a0ac3b9fcad475e8db5a81c7d2c37db99c7dc1fadc1b6741

Download Submit
C:\Users\Admin\Desktop\ConvertFromCompress.mpv2.F3A-925-CD0
Filesize
145KB

MD5
4eac06131cfd4fbc100771de2828c366

SHA1
076b4f867c28d35439e51c5cd41cd07107cf339d

SHA256
924fa419e0f11f23a96cab00386631a930933f65c21a9c7bf157cc8eb07339ed

SHA512
2375dba28acb4aaae8ad6b21f29b48b63cb89aa8685b8ec00e85511e596e69a55b34ce006f7045d9843847d690229534e6b6264e3745bc839b94621257ce448b

Download Submit
C:\Users\Admin\Desktop\ConvertToLimit.mht.F3A-925-CD0
Filesize
210KB

MD5
4a699ad4a7dd3c2cd6c23928f24e60bd

SHA1
0318b622d3848abdc68648a4dfe2ad8c15cd5834

SHA256
219bc6d271eabd8c545fd999c1687d05b9d0d5f02f0d1745fde930bff179645e

SHA512
e34a3fb75dfbb2cb3d09372e32db91a08bd8c6b940f7226d998ccfbdd7fdcaad4974663d53550032989eb4717714959fa2857f799a400f75ab811b9f7a544666

Download Submit
C:\Users\Admin\Desktop\DenyUse.css.F3A-925-CD0
Filesize
243KB

MD5
0605bfcc082523c18af1293105bc046a

SHA1
8e34f5eb5644dec5a29a822fef617727e3e24b8c

SHA256
bc9c9b211f7c397140cbbac8b6b7edf3e27f684825f39a25449d88e3573f3470

SHA512
8b7a5c55b905b35fa3f2037a1c2ccffe15b4e0b56d5a4d21a87cce457f807d0bbbfa3f14b312cc34c81d40aaec0768561d39cb4dc44114a467e306a73243c81d

Download Submit
C:\Users\Admin\Desktop\ExitConfirm.txt.F3A-925-CD0
Filesize
197KB

MD5
8d7104dbc67660f18a026016eeb855b8

SHA1
9661908c79a510cb41eab33b613fe8c8eb752680

SHA256
b79938865009a3e46a834862809d919a38e8298a891f8d62d91040d6808c3ee7

SHA512
471eb433e0cc366962f25c2ac59b0a642491222a6899cd13cbfb01914eaf8eb82eb31a87d386461e6a3c75d2e746b2c7c58165c6cd3fcd0ebe803bb3b166b9da

Download Submit
C:\Users\Admin\Desktop\ExportMove.mp2.F3A-925-CD0
Filesize
204KB

MD5
5fc8c5533fed1c7dc6cccd529aab422e

SHA1
420756ffc3755af1e4d8e2544e7076a83761e467

SHA256
d2734fbb5d22f6489ece1f791ea751b102ec5e9f62ed079f2268c4168c53f8de

SHA512
72666e48d73e977d99ba824c3ae133fd3862ab3780c266c3c5fb93f1e8c832625b7d32d437149a90dbe95db140c963aec4f5eb7e2b8eea2b966b9fd59911ccc1

Download Submit
C:\Users\Admin\Desktop\FindGet.mp4.F3A-925-CD0
Filesize
230KB

MD5
bb14da2a85324d84365e7dd4058c0ab1

SHA1
f87636e25f645abdb46a584c7b7a540cafc9cd25

SHA256
2c43b3c896dbc80c3e9ca0af43893a07dcb9aac1e40436a823dfabb13048f279

SHA512
1bde6f10402a26961416604659cccb98fbc6ed40c53fadc1b2c1ab15e31fc60aaafb6167342b0808ae7898030988f7a864afd1b2038db63b370967606470abeb

Download Submit
C:\Users\Admin\Desktop\ImportLimit.ADTS.F3A-925-CD0
Filesize
93KB

MD5
c4523e531f0cf1134b99b3e80894614e

SHA1
7c9860e37b86fb8f3dd2ef64ce57cb4da31b3003

SHA256
8b76ea0e6edd9495e59dea7a5b81efd6877546b83ce15620eba7a7d1d8b86c54

SHA512
8bd6031b2f827a94d04c29c3c679d3678a8bbfe0ebaa67aa3ee6931626d64407743ee617a5dffe1706b8eb71103b5cf56e25f3b69596a84168d602bc22fa459f

Download Submit
C:\Users\Admin\Desktop\ImportOut.ram.F3A-925-CD0
Filesize
217KB

MD5
98fe5867ec8cc60018c978b06887d2d1

SHA1
74efa1de5ffde7a567dae14bcab9a6e09cdf9e98

SHA256
033af22f5348d89393a4961b6009e71b18967838dfc793a2ba17f4b471c944bc

SHA512
2b6643d22c42fdd652c9c3d215d532538bfb60d3f5f2bb71639ca03a606e5669286dbeca31483fc687abb60f5168d5f686ea39228840aa93241650672b293282

Download Submit
C:\Users\Admin\Desktop\MoveInstall.mpa.F3A-925-CD0
Filesize
171KB

MD5
c3dbb3a542440a88af88ba81c36a43c2

SHA1
3cf765acedf9e2541d4fef41e0ece120b1345ed8

SHA256
25e3f844128769b8d83c7014a58b71941baa5e234b0be4e528099bc847475545

SHA512
7b7de4aff9007c93aaa9ed90e5c4683145bf88d7979b11fc7f81a47e366b94338cf41098cb1884ad7e5025fbca14d5a877fc55e462a7772139b4beee12049938

Download Submit
C:\Users\Admin\Desktop\OutImport.gif.F3A-925-CD0
Filesize
361KB

MD5
faff52db4ae5ef911d028fd4c6fd3e46

SHA1
21d926234230343905e8d6f0374ceb4f6dc166e7

SHA256
8fd17044bba515146713fabab1a66fa7db7ec1f2ca4026dc2b75cd3f738d5e6c

SHA512
440ab1909d22c1db4307665ce516f88b725c503c83a30737e6b651900c20d148e36a24e8daaca188f4280f319dd9545c7d80f148679af2e1993d877412097209

Download Submit
C:\Users\Admin\Desktop\OutRestart.mp2v.F3A-925-CD0
Filesize
223KB

MD5
dbf0529ecf0f7534c801ac253733616a

SHA1
43ee4c9b0a38f8ddcbff3035f23c70fa0ee4cf39

SHA256
c442227f8a5ee851b94c22b15dd1f8d784bc49d41f3b7e54b9e8a1c969390cfe

SHA512
605d75c57c3f5f664f002683939944adae3dfbdb0fbe657544394ce610dfc876602b67c29af4c8020654ff00e2edd11e4b41994a68383396a90d9011cdfb6ecd

Download Submit
C:\Users\Admin\Desktop\PopUpdate.xlsx.F3A-925-CD0
Filesize
119KB

MD5
57410d6663a77c4029918563483d9efe

SHA1
52e436b390aaad65a81b9a7486d9eb07044c4e1b

SHA256
ab790232cdd2f3e440e25920ccb72546393c2e151c314a8a3915f4e1b9833b1b

SHA512
92bb8ee9ec37e29ebfb3ba82df4876fdd107e007e0d8d90d9b749e43fd018d37894cd5089e6fd5223381959f60558c84a24c7c6513e91a60633d717136f8b541

Download Submit
C:\Users\Admin\Desktop\ProtectSync.eps.F3A-925-CD0
Filesize
184KB

MD5
43b278380e78a3b90c6ff1d6066b5a23

SHA1
a273d18ad8dc55759c3916b53430262c9c7ce719

SHA256
9df1e1474987cf36935244fedc93ab2074139c06416bf417858b3d517fe0841e

SHA512
655eded9277ae747a78d46f967b43ef6b8ba5d0510dcde1d03dc722d261727a3d8330b762c2310c8f53c766b69d112ed8391eb390ac4962ea1db488384703eb6

Download Submit
C:\Users\Admin\Desktop\RepairDeny.xlsm.F3A-925-CD0
Filesize
262KB

MD5
08cd15ea6b6b090691b1a32a411ffbc7

SHA1
dcee5d2fdfd24140968f97083563ed6cbe96112d

SHA256
cec1820ae6856487cc242120d6a395cab36f39b6a7d0b4d0fdc9ab6ad8ae46ee

SHA512
2c373bdfbf8203fb23090c13571055d74a0fe209d97082fa04e4bbb595502de46b42eb451d791aa6ddf8391e3749e2e262814cefe7af011d357b1247956fd77b

Download Submit
C:\Users\Admin\Desktop\RequestAdd.odp.F3A-925-CD0
Filesize
151KB

MD5
8756515bb7486c2d6882cb4beea68160

SHA1
3da4ea0fb9d04a5ae4878294edf27c7ac39233f3

SHA256
777f2c6ad4d3841324e89995d9dbd12cb1bb724eb3df64d87bcac76f97f828a8

SHA512
6a3db44f990ff741ac77f609cbed6f019cf70f92ec839247bc9c9722407d110eaa5513e0550a1c3d313018a1c526d614bb82f8812588b84e9dde4b984717f23c

Download Submit
C:\Users\Admin\Desktop\ResizePing.xhtml.F3A-925-CD0
Filesize
249KB

MD5
43160c85df6e08214260c5da9a3fc968

SHA1
5c14e3e63e0450f82fe8e2f339155db3194bb9fd

SHA256
9b525c6480ade5957cc97b0d104cef1d397e8a6f88f0cdc7ce43eeffca3f142b

SHA512
007b4228ceada90b79e9222df5422ea0fdc7f2a38d91de0f1d20bdddde50832209a0309982c3f07eec251eda8d1d63ce9c11976c55a6de4c0f0908b420c7a44b

Download Submit
C:\Users\Admin\Desktop\RestartMerge.txt.F3A-925-CD0
Filesize
132KB

MD5
e2a4c788a38c7b51a772ab9fb99bb6ca

SHA1
11cc1bcde0ac10079064d214c17407d3dfd15d98

SHA256
9a5c268d5a87a5917a6e42e5b8b9fa0e51ffa9f118161edd3c54334df9925417

SHA512
895b2bf324d8c8d5b5d532abab6ab4443d9101b022483c5810bafc98e09a02660dfbadb5b861282dfbc2383ca4a7dd56f7d0b5b01719aacfeab52c572f52d719

Download Submit
C:\Users\Admin\Desktop\StopPublish.xht.F3A-925-CD0
Filesize
112KB

MD5
3a388012cf331a6482be2ec1b2827d62

SHA1
6af182cd38a7294604cdce55a4334edfeed5a500

SHA256
20ea0f80f3e2f9d7c166a1e470adebdf3cb62aa17dbf775b10e2294aaa0240df

SHA512
054f194be7456c226c6b2e5df8dbbbc1c0ec723d03bab37bb5e968252e8579c1a6237fa9d8f687e615eabc301984996d4e293a1c0e17a050d370925c3471ecb1

Download Submit
C:\Users\Admin\Desktop\SuspendDisconnect.ttf.F3A-925-CD0
Filesize
236KB

MD5
67c9be83f72bcbc871e4d5661f750639

SHA1
0d645124ed94c6bacd63f1f916b99c9996776ddb

SHA256
5d4d91bfa15fbd5dc4082fa0ac08119c24380ccefaae6597909207e3c1b2782f

SHA512
7fb04dab93951817c2f18d41c1df515b5a02c89a325d17fbec9a5e4ba1b4a3088c6f14b589e4884eee31304082a3514cdaccaf84517c4a7738cbcb23a0d24967

Download Submit
C:\Users\Admin\Desktop\TraceExport.pps.F3A-925-CD0
Filesize
138KB

MD5
71abecbba8c066e243b11dd29263f463

SHA1
24b4eb1b5045d500b81f523a1ed4d6f6e27ae280

SHA256
6efcf94db42f4badf950a235cb82c2be9d4c8b3932791c71e2102cbd90d66fe1

SHA512
b5ed80687dec6e1c66a8f754f00d50e6e141c968121ade18458cbf13b59e65c1a69ea02c1ea0a8965b74e6ec936faca3d831a5216702a0c5628b8330bce1547a

Download Submit
C:\Users\Admin\Desktop\UninstallStep.pub.F3A-925-CD0
Filesize
99KB

MD5
413b54e6d5b859f994f3ffb24979b899

SHA1
4a8e2eeba16267ac6aaba1c4db2998a70dc6b13f

SHA256
ddfc006b36fb3fee921a7dfa6387472befe321bb0092638ed8c2af16c5fc15eb

SHA512
c9f0ddd080746bb890ae41bd7eeeb0bd8e41d800a0dfec7711cace43bc3d1df2360a33b7d3787ae3922dd1e60ec050ddc070724251753fc9b972766485d02537

Download Submit
C:\Users\Admin\Desktop\UnregisterRestart.html.F3A-925-CD0
Filesize
177KB

MD5
6ab965746ba6502de2176eec641c0f5e

SHA1
39605f2cb363dcc39597afafe426ff1afabe626c

SHA256
b9cecb80b6bfab7a93f2beac71fdfa92a4c4f5296000138bcafbf9faecf42c9b

SHA512
c4c246c1613d72e4685197cc19dd5e1e5868ff1fd20c97fd5ba96377b29e447834e147398c8a83b37dc647bce2a8d5bfde6253f44edee0a60c29979844abb88b

Download Submit
C:\Users\Admin\Desktop\UpdateEnable.mp3.F3A-925-CD0
Filesize
158KB

MD5
4c89596f0130cfcc03c1745ba5f44563

SHA1
13772f66e37cdd6010f7e5b0679a2a09a068c27b

SHA256
dcb69b6055829aa46d0d82a99fd0937f9a60028793c57ef8fd03dc91a7e6c7d6

SHA512
1764dd9b4a7b09a2c06100204988804b9fa960044e804f6e7f327a990b02c12877a8b739a24e438a9cc322ea7b27385800c416d4f73705fa976d60e4a61340a1

Download Submit
C:\vcredist2010_x86.log.html
Filesize
82KB

MD5
122b3d3f90edc2c59e57da0067f0cb9d

SHA1
42b8ef6a781a34989b8922aa9ba8f8efdce2ef06

SHA256
10a832827d897b4fa4e27a0cae2a6bfd8682db1303a02ebd22d28886010faaff

SHA512
d4d39e5a215f782978c38acf143a5e307d02d6d7767d18b54ce1d39dd7db9fc90ec8c5ae67dd2cd31e1595f7b22359ba8399d4bc561fef9eaf2689f1eee64c8f

Download Submit
memory/1448-26041-0x0000000000910000-0x0000000000A50000-memory.dmp

Filesize
1.2MB

Download
memory/1448-16480-0x0000000000910000-0x0000000000A50000-memory.dmp

Filesize
1.2MB

Download
memory/1448-22723-0x0000000000910000-0x0000000000A50000-memory.dmp

Filesize
1.2MB

Download
memory/1448-6539-0x0000000000910000-0x0000000000A50000-memory.dmp

Filesize
1.2MB

Download
memory/1448-13455-0x0000000000910000-0x0000000000A50000-memory.dmp

Filesize
1.2MB

Download
memory/1616-23-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2516-45-0x0000000000910000-0x0000000000A50000-memory.dmp

Filesize
1.2MB

Download
memory/2516-3138-0x0000000000910000-0x0000000000A50000-memory.dmp

Filesize
1.2MB

Download
memory/2516-26071-0x0000000000910000-0x0000000000A50000-memory.dmp

Filesize
1.2MB

Download
memory/3328-48-0x0000000000910000-0x0000000000A50000-memory.dmp

Filesize
1.2MB

Download
memory/4488-35-0x0000000000CD0000-0x0000000000E10000-memory.dmp

Filesize
1.2MB

Download
memory/4516-26070-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download