buran | e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440

Analysis

max time kernel
84s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-10-2022 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe
Size

211KB
MD5

19111728bd752688482ffb91eba51913
SHA1

d3f742f64a6d419b2e96651c9993d60f93bdafa9
SHA256

e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440
SHA512

a9cb2e7c98a4847e15b1a0dcd675df9b407c46f82fe623e3cdbdc99d7b9d3af2dd76c9b51541da9ea024acd95efcd74c0be8e37584b91d17b8a97f97e24dce2f
SSDEEP

6144:hia1gMHOPDWIhID8X/4DQFu/U3buRKlemZ9DnGAetTsB+g0+:hIMH06cID84DQFu/U3buRKlemZ9DnGAI

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: D45-927-D16 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000d0000000054a8-55.dat	family_zeppelin
behavioral1/files/0x000d0000000054a8-56.dat	family_zeppelin
behavioral1/files/0x000d0000000054a8-58.dat	family_zeppelin
behavioral1/files/0x000d0000000054a8-62.dat	family_zeppelin
behavioral1/files/0x000d0000000054a8-64.dat	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid	Process
732	svchost.exe
1740	svchost.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\BackupFind.tiff	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\PingComplete.tiff	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitStep.tiff	svchost.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
1492	notepad.exe

Loads dropped DLL 2 IoCs

Processes:

e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe

pid	Process
1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe
1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21435_.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFTMPL.CFG	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_sv.properties	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0278702.WMF.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignleft.gif	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_OFF.GIF.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00918_.WMF.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21435_.GIF.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.D45-927-D16	svchost.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01253_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORYVERT.XML	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01138_.WMF.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00319_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14581_.GIF.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\RPLBRF35.CHM	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.TLB	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_K_COL.HXK.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html.D45-927-D16	svchost.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01039_.WMF.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi	svchost.exe
File created	C:\Program Files\Microsoft Games\Chess\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00382_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left_over.gif.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Havana.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WNTER_01.MID.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MST7MDT.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Moscow	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\filename.luac	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_increaseindent.gif.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB5B.BDR	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00012_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IE.XML	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB10.BDR	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_K_COL.HXK	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECRECL.ICO.D45-927-D16	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00445_.WMF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00449_.WMF.D45-927-D16	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe
Token: SeDebugPrivilege	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe
Token: SeDebugPrivilege	732	svchost.exe
Token: SeDebugPrivilege	732	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exesvchost.exe

description	pid	Process	procid_target
PID 1532 wrote to memory of 732	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe	27
PID 1532 wrote to memory of 732	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe	27
PID 1532 wrote to memory of 732	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe	27
PID 1532 wrote to memory of 732	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe	27
PID 1532 wrote to memory of 1492	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe	28
PID 1532 wrote to memory of 1492	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe	28
PID 1532 wrote to memory of 1492	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe	28
PID 1532 wrote to memory of 1492	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe	28
PID 1532 wrote to memory of 1492	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe	28
PID 1532 wrote to memory of 1492	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe	28
PID 1532 wrote to memory of 1492	1532	e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe	28
PID 732 wrote to memory of 1740	732	svchost.exe	29
PID 732 wrote to memory of 1740	732	svchost.exe	29
PID 732 wrote to memory of 1740	732	svchost.exe	29
PID 732 wrote to memory of 1740	732	svchost.exe	29
PID 732 wrote to memory of 888	732	svchost.exe	30
PID 732 wrote to memory of 888	732	svchost.exe	30
PID 732 wrote to memory of 888	732	svchost.exe	30
PID 732 wrote to memory of 888	732	svchost.exe	30
PID 732 wrote to memory of 888	732	svchost.exe	30
PID 732 wrote to memory of 888	732	svchost.exe	30
PID 732 wrote to memory of 888	732	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe
"C:\Users\Admin\AppData\Local\Temp\e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops file in Program Files directory
    PID:1740
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:888
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
211KB

MD5
19111728bd752688482ffb91eba51913

SHA1
d3f742f64a6d419b2e96651c9993d60f93bdafa9

SHA256
e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440

SHA512
a9cb2e7c98a4847e15b1a0dcd675df9b407c46f82fe623e3cdbdc99d7b9d3af2dd76c9b51541da9ea024acd95efcd74c0be8e37584b91d17b8a97f97e24dce2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
211KB

MD5
19111728bd752688482ffb91eba51913

SHA1
d3f742f64a6d419b2e96651c9993d60f93bdafa9

SHA256
e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440

SHA512
a9cb2e7c98a4847e15b1a0dcd675df9b407c46f82fe623e3cdbdc99d7b9d3af2dd76c9b51541da9ea024acd95efcd74c0be8e37584b91d17b8a97f97e24dce2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
211KB

MD5
19111728bd752688482ffb91eba51913

SHA1
d3f742f64a6d419b2e96651c9993d60f93bdafa9

SHA256
e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440

SHA512
a9cb2e7c98a4847e15b1a0dcd675df9b407c46f82fe623e3cdbdc99d7b9d3af2dd76c9b51541da9ea024acd95efcd74c0be8e37584b91d17b8a97f97e24dce2f

Download Submit
C:\Users\Admin\Desktop\AddUpdate.snd.D45-927-D16

Filesize
1.4MB

MD5
ac49542aa2e709270da2cfa4e9620b88

SHA1
a591e58d9368ddb2f3e11760a32d30b2792aa11a

SHA256
04bf6ae0c4567e987c1a2f1c668eb978418a1fa08b52e8bf2065aafaa30a9933

SHA512
f2829a8e3a569a9e201f62084a7873a17a7ea615aef4c32f2b9e9529cb1fd978f60e08fc2b9839916d2f2e8516b0b8f1829b7841f3e886a337cc71d8ddb8a55b

Download Submit
C:\Users\Admin\Desktop\BlockClear.fon.D45-927-D16

Filesize
468KB

MD5
9a682a6efaa20a1e2fff78f7545f8176

SHA1
8b5a1927f5dec53f7ac950e212caa0d3e114721b

SHA256
4b287f4507e298bceb547adc0ccc1c41a26c079f163f960a1c62c8d80525f137

SHA512
1e5e60bc19963fef5cef2a27ef904078879df77c2cd0e1ad280daae8353ee9466ee6154d4838626a8ca792a02b31b53fbbc3069cd5f546a13f89a12440ac9816

Download Submit
C:\Users\Admin\Desktop\CheckpointOut.pptm.D45-927-D16

Filesize
388KB

MD5
14c1bcb98d5a10176d1deb564d7da647

SHA1
d02f23b01d5b11596b26b5260fb839cc4657a184

SHA256
5373aea5ba9f518b48c50a9b13d24f32737e2ae1ec8ae101524463bc043f0975

SHA512
209918cd6dc16bead58b1ca27dc535ef9025754fb658837c9e1d2e045f22b81b21d0ec5d80ac3f325178a6b6ad082fd4f995be4e25246d2a0d82f6fd65eebbf4

Download Submit
C:\Users\Admin\Desktop\CompareSet.fon.D45-927-D16

Filesize
788KB

MD5
fbd8cc60c3ef3d054ed8771188382cad

SHA1
470178c5e6330a19fd9fc9e24246944cf261f999

SHA256
f6a32a495cbe1ff4a680e2022917742d985ca90e9aac3b327f69ed189bed56f2

SHA512
2bd94727507c68af853bb06234d8ec2f047edaee87b8af9f781d62891e3a6e5b752e6bf7f2b1f2c3af7e55b1c5261cfc1e701bae9c1eb680b0ac380fb7f4daf8

Download Submit
C:\Users\Admin\Desktop\ConvertToAdd.mp2v.D45-927-D16

Filesize
842KB

MD5
07255c51e708080b522a3cf0f866c38e

SHA1
2f187c0658ddc20a4b5bd5351449e708a60181e9

SHA256
fb141c937dd3d98697d4543c6a1e0a5af097c671bd33163c6f1661ba146cfc0a

SHA512
a27e2925343fbaf09a63ff73e9aa988086cd09440e82a4235f5cf8e2129faef3cf8273ab1531b6daa21a76845bf41223334bb9ad3a9030f47844def28348572e

Download Submit
C:\Users\Admin\Desktop\DenyExport.gif.D45-927-D16

Filesize
895KB

MD5
795434f107166f0cf44b160611357215

SHA1
375bf8a7993343234b4a10878b78014f02e90262

SHA256
f3b9f818544422257da4829b5e8d0a9ae90e755e32c9f8844c87f6614d7f82ca

SHA512
1a0e229519f4c281422fe9a72584efe5e4145e1148cf10498da2524b81cf59c7063a473655a20ead1e6ea01cd0c6e7d0aa43ae163db10fdd3eceae8d60bdf90d

Download Submit
C:\Users\Admin\Desktop\ExportCheckpoint.svg.D45-927-D16

Filesize
602KB

MD5
c151ea4d8f71fc4970dad465c367bfcd

SHA1
e9d109faf6e525b19d3ab5ffe85d20fc70ec7d0c

SHA256
bc9a4dc325282b5a86076fea55be9f207ac820c30f000e6e1da3745ef6fc174f

SHA512
abbf477ebb0813c2f84ce30bfcbf592eb6cae56aa81853699aad412ea20e3f9b0f97a99f82ca23d2bebacf7f78bacd7e10385e44cbb44de232d12a81c6a78a72

Download Submit
C:\Users\Admin\Desktop\FindRemove.pps.D45-927-D16

Filesize
628KB

MD5
84a5eacce7da10b9a856c8a84c1a0a0f

SHA1
fd7a210a2a906015edadb130e2f600b0bdc6c812

SHA256
59ba85b15babe4675954056acfba5e1763d1a55daa71a947d6b126d0697d9b87

SHA512
2c011ec486527aceef32e07d4d1559abf6e7f7c0531b34f92894bbea9dbd2288b6e622f14ea5a2d502458c34261859cce96ec32bd4a1472850ce4ddbe0e9f44a

Download Submit
C:\Users\Admin\Desktop\FormatImport.temp.D45-927-D16

Filesize
415KB

MD5
4c214fbb24506a0980525d2827a2ccb3

SHA1
76cd07cca7d3164727d14ea9c6ea35c87305012f

SHA256
a3040c38b1e7ea3b2019f765807853d2c92329f9c3d1c5bd0570ab09edd20fe1

SHA512
9bd97460111af06756b868d50c41beac74bb7220d7f09c3ad1782429d1b712de7e446bee10cc72a9d28cf2f40db991ea3ad57db71fc49c6896fb9431cea548c8

Download Submit
C:\Users\Admin\Desktop\GroupCompare.mpeg2.D45-927-D16

Filesize
655KB

MD5
ab47984bb15b0389d968a2122cb2b7fb

SHA1
199a0eb42c817671a71ed893a78cfaaef136423a

SHA256
980b2ff905e409efdd8c1b8bdd4086f999f0905664b2d9942b1b37d1ec9f822d

SHA512
a49133885696f5a369aca8f2da143193260b88a07562826b81b3cac8fbbf852f35b1a517529ec39782107ff1b2aa7e2be06f6d002baeadfe07d17899c63d22f5

Download Submit
C:\Users\Admin\Desktop\InitializeFind.contact.D45-927-D16

Filesize
682KB

MD5
5a0307bcdaadb1d6d9daf52d12ad1ab7

SHA1
8fb65d91f6aa882493f39a225836d36d51d735e4

SHA256
e3dd41fb9aec4e3481237add8b936f7f40c25b6407c2f89087f3e63eb5f17e45

SHA512
bcd00738450b5ea9ccc278aed7ae1fe58daf660ed94c89209143a8cdd6cdbd15934ad1f04f87cadc83ba825af8c1294ac6072528daec9fcff7eeb1830f007712

Download Submit
C:\Users\Admin\Desktop\InstallCompare.mpeg.D45-927-D16

Filesize
361KB

MD5
1c28f9bb6aa1129242307e2e69ed5856

SHA1
f2f7e9a734b7992eb8bdb4139a02af89760260c4

SHA256
03b6398814380376a36f61f5b57b9566c739215f039b46c0494aa701d9488af9

SHA512
6315ea13dc467def73c86354a14b9f3a54772f0a795861a286dbcd51ce8a4b8a1a71a4547c18747500c9df282e49301d44651f0db8bbe698fdadcac2602ee332

Download Submit
C:\Users\Admin\Desktop\MoveUnprotect.ods.D45-927-D16

Filesize
869KB

MD5
a141d09cf394ad606c8a95a23b8c4757

SHA1
c4732780feb43ffc8a44f053922bad92f945ba81

SHA256
55ce19b4b57888d42caec1d89280226f1eb51e0663b569cd5a7d64080ea4ff4e

SHA512
985cec54515dd37d1d998954e2b41a6bacecfed3206d11434ad50480ff06c6449c05190291da1ffd208d7e47183285b6e3998e7c1f896395b24e2e7b5c7e3a21

Download Submit
C:\Users\Admin\Desktop\NewDisconnect.clr.D45-927-D16

Filesize
548KB

MD5
71a4e9b93355c23720367d518bb9c55d

SHA1
56ae09588718989861758291484fe3838eee0500

SHA256
83499531c3b92bba25197c809cb276ed14a31c40230709696fabe90f0dadc52c

SHA512
6f6228775d8e059e8255633a6137b6413c4f67f6b2723dc2f860e4b86e2fa4ef386b6db626f1460d727d099691c9feda4266fe91492913441eabc34bb36e8493

Download Submit
C:\Users\Admin\Desktop\OutStop.xps.D45-927-D16

Filesize
762KB

MD5
0e1fa2bb6876d9638544189df46e61ce

SHA1
2af4c7e6b8c31553ebe2f7365b7ca36c47276edd

SHA256
0666f69c1d8a96f9fb4683cb42d13f98a8a7f3b9e744b2ccd524b751172a286b

SHA512
5070398db0f43b1144c225af2a10a38f5766edfcc50e9a327f9564d964d7ff5e78a3e1873fb7a58abc066ff703721807b086bc8b96d02c96e135ecbf54ced118

Download Submit
C:\Users\Admin\Desktop\PushCompare.mov.D45-927-D16

Filesize
442KB

MD5
d76b8c6449149f6537e2d354ede54fe0

SHA1
eb3d8ee462346e1e519c4d9dd0058b1fbbb37ffb

SHA256
1a382f649ec7f7e9a137f752f410ab84275665ded257fcf0a3ee764892be6a31

SHA512
b5c0801d225597834039332307a2c07dd29490dde7ab8c67644f0acc8964bf900dde9e3ebcd1b72a47c8e477a3fe7fdc83d2a6c147923e6c09328b91200a5603

Download Submit
C:\Users\Admin\Desktop\RedoUninstall.rmi.D45-927-D16

Filesize
575KB

MD5
5cef91a87de0e03d184ee5f7e7ebeb9c

SHA1
66bdc55ceb75fdafd8907d4c86bee175c43eac65

SHA256
0b8a4d616f18f1182a7a8944f66611ceb9c4d0006c7190ac6f8c1414b86fc511

SHA512
b3669b334c67d72cf5a669f4386fd4b6f6d7cc460eef0f7ff3e38f60bcadbabb3d1cd80fbd87c84bb0b0e6ea88b93c75c98d97106a629ef7551df4574d52c098

Download Submit
C:\Users\Admin\Desktop\RenameAdd.dwg.D45-927-D16

Filesize
1002KB

MD5
d5db073fc58f53e8624ffb2f24e5ecf8

SHA1
f340a0374826a99d29ca9234053fb29946d7d6af

SHA256
b043dc1592c4b6d9d83bf60f4963e58fe305357cf58e7b36a4c6f764769c435f

SHA512
626434437beb1320dae8aa4c7d5f22d3a36de6002e1456a602dddf2c551877211bfdfdf31605eaebfcc4e64204c85ca7b36732cdcbcba370624c6b5355946532

Download Submit
C:\Users\Admin\Desktop\RenameRepair.7z.D45-927-D16

Filesize
1.0MB

MD5
263c1dccd0a8c575dfb395440b91c31e

SHA1
003879b696cb2e9d182ddaac9722cf03f22e5c70

SHA256
2f063785765757b10a9f3041bca4d1dccb4dac699572a14392b13b9f07582bed

SHA512
4ee95a8871f93229bd795bb2829306d8bf0149c59d9c4b8aff64c183505f7c63503215c4e678784f7b88051e577974db29ed7960fc5dc0f62fac4e7c5489bde2

Download Submit
C:\Users\Admin\Desktop\ResumePop.vb.D45-927-D16

Filesize
975KB

MD5
03dca4d49e86a2227d4d131bfa7592d3

SHA1
824d03bc103a7a3dab2a37874198850c38d6d3cf

SHA256
fdc028102d761e4a24bf6da5b685bc85be54759250320530e084aa57470c405c

SHA512
9a45bb3c3b1d7c045cfe2a335173a806d93d9be310367cc0db4cd0136b8bbd15a518ba5cbd0d3fc6d0b3374ae78dc0e1907de36ece8250d6ea6013cc4a43d3d3

Download Submit
C:\Users\Admin\Desktop\SetConvertFrom.jtx.D45-927-D16

Filesize
735KB

MD5
d6b0c67a5fe98eb0a2f890bb6bb717dc

SHA1
633fd95ac505c63c0ee967845750efafa37b56fe

SHA256
e49cdd0af3d32c8b36ef9f0870620c6edaf0a5c161ec81c50c3fe57eec01855d

SHA512
f7d7d0102040bc40b2cf9728eff2d88759197d551abc4cf37b59d151c4ba888b0c92bb40baee4f1c3ba3fc61489e8e1df20cb29c3d67673262210095346aacd6

Download Submit
C:\Users\Admin\Desktop\ShowMeasure.dib.D45-927-D16

Filesize
949KB

MD5
6f6e4f0391b93b445005b338b3cf4452

SHA1
47619bd6a737a3b4bb482fced4a88f63e350fe78

SHA256
d3d1ad292fb273a4278c2f5c1cbef76dee5f925d6e1b40a95450accccaed51f5

SHA512
ec39ef77074101dfb7a79b8321a59346ffb1ee2d7c57227eb575828e5228492d039d296a3e1e8e6dc59c2ffbdcd9a5cb969cdd8f3be537270a7a255417bfa974

Download Submit
C:\Users\Admin\Desktop\SyncImport.3gp2.D45-927-D16

Filesize
522KB

MD5
2f3c82451bfa68c51453158772661874

SHA1
c94795c7a8c6276928104a8ba200589d017e2826

SHA256
001263856dd1fcaf68497c26325c33917a4750ab10d595ff53366a7fed86affb

SHA512
e5c147e69614355cbb39af34fec5858d62ca6f55a6db9760d87bd5ad4161c6233ca469b6ef0d834704afed4a4b55b1e49e1839556a6a39eba5b158fd8f35bf13

Download Submit
C:\Users\Admin\Desktop\UnblockWatch.mpv2.D45-927-D16

Filesize
708KB

MD5
055da2511d740f278a774789e74dc849

SHA1
e27eba26cb203348d440ac84ac24d2d148f8998a

SHA256
db230d483766406ebb6b80f6e37a8324e552e53e05f218613446668f7ff28887

SHA512
b965fcf1d46b0ca5f5ba1b9408073a6737fbb926a1e08b8a427130eb1e2cc19d3606598088ab64e9592cd38417c275a5b4c0c0af043cb2b5a986b01bffa5dbe0

Download Submit
C:\Users\Admin\Desktop\UndoSend.mpeg.D45-927-D16

Filesize
815KB

MD5
c601f1ed2f75a962927ebcf5386131f0

SHA1
7bd66a1d9094bcbb087974bc09b904b1eec7b0e8

SHA256
8433532d5864d09283f6e7ef7765391e44fd4293f37dda58d7e35ea13187acb7

SHA512
6daf5e25ccb7c643182344fae69efe13ddc62a4501262748f72675bcc20088be51a8211cb92e5a0863a7806ead7cfcf3bb630d098277d22af63bb60c22a57a2e

Download Submit
C:\Users\Admin\Desktop\UseGet.MTS.D45-927-D16

Filesize
922KB

MD5
9bb461bb92d51bd7ddd5edfda35d44de

SHA1
aacc1f697d98f5a6cfc3ac78d580fafb2f720387

SHA256
262f28a6319d2cfae3e3d867f0c07d29b32719736386e281c285cf2f50949c61

SHA512
78d524b24c1443ed5b636a196d788a8d2d3729ab682b9ceafe0db271626583558883817a06fc7b08978ba5c151391e5b7ffafc8031a741539017bfafccbbc25a

Download Submit
C:\Users\Admin\Desktop\WaitApprove.ttc.D45-927-D16

Filesize
495KB

MD5
81867c6006df7cf8121e1c758b931a69

SHA1
f5da388ac98d4182ecd4a70b9506e831e7c6ae1c

SHA256
76b65e163b81f239c92c5154aae678ce3e50679e5b7269a2621d1bddafba4a89

SHA512
5f10fd1a8f58969484369262feb0bb973100d34ad61bb9aa9d77e014e752443bf71d2b0aeb9decb4fc280cf73c60d24213a25aa68950196d28bc2cef00749e0a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
211KB

MD5
19111728bd752688482ffb91eba51913

SHA1
d3f742f64a6d419b2e96651c9993d60f93bdafa9

SHA256
e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440

SHA512
a9cb2e7c98a4847e15b1a0dcd675df9b407c46f82fe623e3cdbdc99d7b9d3af2dd76c9b51541da9ea024acd95efcd74c0be8e37584b91d17b8a97f97e24dce2f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

Filesize
211KB

MD5
19111728bd752688482ffb91eba51913

SHA1
d3f742f64a6d419b2e96651c9993d60f93bdafa9

SHA256
e416fe29a9007d96f7f268aa01d37382ce4581b55d9fae2947df79df34a7e440

SHA512
a9cb2e7c98a4847e15b1a0dcd675df9b407c46f82fe623e3cdbdc99d7b9d3af2dd76c9b51541da9ea024acd95efcd74c0be8e37584b91d17b8a97f97e24dce2f

Download Submit
memory/732-57-0x0000000000000000-mapping.dmp

Download
memory/888-93-0x0000000000000000-mapping.dmp

Download
memory/1492-60-0x0000000000000000-mapping.dmp

Download
memory/1532-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1740-63-0x0000000000000000-mapping.dmp

Download