Analysis
max time kernel: 4294372s
max time network: 318s
platform: windows7_x64
resource: win7-20220311-en
submitted: 25-03-2022 06:59
Static task: static1
Behavioral task: behavioral1
Sample: Taleb.Ransom.exe
Resource: win7-20220311-en
Behavioral task: behavioral2
Sample: Taleb.Ransom.exe
Resource: win10v2004-20220310-en
General
Target: Taleb.Ransom.exe
Size: 10.8MB
MD5: ac09b7550eda13e03a55448fd8367e2d
SHA1: 8266a12669a4a3952cb9af86e75ed74c27c71013
SHA256: 4b78968928cfa5437ffdd56a39a5ea8c10a7b6dc5d3f342d003260088876b3cf
SHA512: 44cace3038bd96fa36a9d3b16251573f625f5e7cb53f0233d87f6e8ab564e731bd8719088feec44f47a460c0a096b964c2c0e77f3f1c371b773e66407aef5d29
Malware Config
Extracted
C:\Decryption-Guide.txt
Folperdock@gmail.com
Signatures
-
Modifies Installed Components in the registry 2 TTPs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: Taleb.Ransom.exe
File opened for modification: C:\Users\Admin\Pictures\FindPush.tiff (Taleb.Ransom.exe)
File opened for modification: C:\Users\Admin\Pictures\RegisterProtect.tiff (Taleb.Ransom.exe)
-
Drops startup file 1 IoCs
Processes: Taleb.Ransom.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Taleb.Ransom.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 4: api.my-ip.io
flow 5: api.my-ip.io
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 1 IoCs
Processes: Taleb.Ransom.exe
File opened for modification: C:\Windows\SysWOW64\regedit.exe (Taleb.Ransom.exe)
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Processes: explorer.exe
Key created: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar (explorer.exe)
Set value (int): \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" (explorer.exe)
-
Modifies registry class 11 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes: Taleb.Ransom.exe (pid 1844)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe (pid 840)
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes: explorer.exe (pid 840)
Token: SeShutdownPrivilege
-
Suspicious use of FindShellTrayWindow 30 IoCs
Processes: explorer.exe (pid 840)
-
Suspicious use of SendNotifyMessage 53 IoCs
Processes: explorer.exe (pid 840)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: explorer.exe (pid 840)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe"
  Signatures: Modifies extensions of user files; Drops startup file; Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSDTC
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSDTC
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop SQLSERVERAGENT
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSSQLSERVER
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop vds
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop vds
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop vds
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall set opmode mode=disable
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop SQLWriter
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SQLWriter
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop SQLBrowser
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SQLBrowser
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSSQLSERVER
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop MSSQL$CONTOSO1
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x18c
- C:\Windows\explorer.exe
  Command line: explorer.exe
  Signatures: Drops desktop.ini file(s); Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads