buran | 1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d

Analysis

max time kernel
139s
max time network
141s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
03-08-2023 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe
Size

250KB
MD5

8298bea449a626ed8d9cd54d741075a7
SHA1

506c82cfd2d54e3684787aee836645788cf4dca3
SHA256

1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d
SHA512

74b7538a941f9008a84764a4b4e57d05f0b492015fa560fddfcef2a99d0227088300fa26d8b9e9a85f363164793ec9331b32d26044b069c885a5ef5b7ff9d1bd
SSDEEP

6144:PWfM6iKwtADM5njFGKfi/Xm51QCG8VG1XhmIQ4L:+l0LnjFGKf351rGagwhW

Score

10^/10

buran zeppelin persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Reserved email: [email protected] Your personal ID: 6DD-319-AA0 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 24 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000a000000012029-58.dat	family_zeppelin
behavioral1/files/0x000a000000012029-60.dat	family_zeppelin
behavioral1/memory/1740-69-0x0000000001120000-0x0000000001261000-memory.dmp	family_zeppelin
behavioral1/files/0x000a000000012029-96.dat	family_zeppelin
behavioral1/files/0x0008000000015e17-99.dat	family_zeppelin
behavioral1/files/0x0008000000015e17-101.dat	family_zeppelin
behavioral1/files/0x0008000000015e17-105.dat	family_zeppelin
behavioral1/memory/1740-129-0x0000000001120000-0x0000000001261000-memory.dmp	family_zeppelin
behavioral1/files/0x0008000000015e17-138.dat	family_zeppelin
behavioral1/files/0x0008000000015e17-137.dat	family_zeppelin
behavioral1/files/0x0008000000015e17-136.dat	family_zeppelin
behavioral1/memory/2928-144-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2232-646-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2040-3281-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2040-6699-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2040-10488-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2040-13280-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2040-17434-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2040-21277-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2040-23771-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2040-24590-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2040-27608-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2040-30435-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin
behavioral1/memory/2232-30463-0x0000000001150000-0x0000000001291000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7338) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 4 IoCs

Processes:

hgfdfds.exeservices.exeservices.exeservices.exe

pid	Process
1740	hgfdfds.exe
2232	services.exe
2928	services.exe
2040	services.exe

Loads dropped DLL 2 IoCs

Processes:

hgfdfds.exe

pid	Process
1740	hgfdfds.exe
1740	hgfdfds.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hgfdfds.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	hgfdfds.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

services.exe

description	ioc	Process
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\B:	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	geoiptool.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

services.exe

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143743.GIF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.DPV	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guatemala.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187883.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00234_.WMF.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh	services.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\UnprotectRestore.ps1.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl.css.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.POC.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216588.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18197_.WMF	services.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00442_.WMF.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200163.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02743G.GIF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WHIRL1.WMF.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORM98.POC	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105286.WMF.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01157_.WMF.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\FreeCell.exe.mui.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00704_.WMF.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01242_.GIF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18205_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49F.GIF.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00129_.GIF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR22F.GIF.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FiveRules.potx.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01172_.WMF.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guam.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21365_.GIF	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman	services.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18252_.WMF.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01253_.WMF	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02085_.GIF.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXC.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Iqaluit.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.CN.XML.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml	services.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tirane.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\WSS_DocLib.ico.kd8eby0.6DD-319-AA0	services.exe
File opened for modification	C:\Program Files\UnblockHide.mp4v	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar.kd8eby0.6DD-319-AA0	services.exe

Drops file in Windows directory 1 IoCs

Processes:

services.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
1696	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

services.exehgfdfds.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	hgfdfds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hgfdfds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hgfdfds.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	services.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2272	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

hgfdfds.exeWMIC.exevssvc.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	1740	hgfdfds.exe
Token: SeDebugPrivilege	1740	hgfdfds.exe
Token: SeIncreaseQuotaPrivilege	1148	WMIC.exe
Token: SeSecurityPrivilege	1148	WMIC.exe
Token: SeTakeOwnershipPrivilege	1148	WMIC.exe
Token: SeLoadDriverPrivilege	1148	WMIC.exe
Token: SeSystemProfilePrivilege	1148	WMIC.exe
Token: SeSystemtimePrivilege	1148	WMIC.exe
Token: SeProfSingleProcessPrivilege	1148	WMIC.exe
Token: SeIncBasePriorityPrivilege	1148	WMIC.exe
Token: SeCreatePagefilePrivilege	1148	WMIC.exe
Token: SeBackupPrivilege	1148	WMIC.exe
Token: SeRestorePrivilege	1148	WMIC.exe
Token: SeShutdownPrivilege	1148	WMIC.exe
Token: SeDebugPrivilege	1148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1148	WMIC.exe
Token: SeRemoteShutdownPrivilege	1148	WMIC.exe
Token: SeUndockPrivilege	1148	WMIC.exe
Token: SeManageVolumePrivilege	1148	WMIC.exe
Token: 33	1148	WMIC.exe
Token: 34	1148	WMIC.exe
Token: 35	1148	WMIC.exe
Token: SeBackupPrivilege	2640	vssvc.exe
Token: SeRestorePrivilege	2640	vssvc.exe
Token: SeAuditPrivilege	2640	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1148	WMIC.exe
Token: SeSecurityPrivilege	1148	WMIC.exe
Token: SeTakeOwnershipPrivilege	1148	WMIC.exe
Token: SeLoadDriverPrivilege	1148	WMIC.exe
Token: SeSystemProfilePrivilege	1148	WMIC.exe
Token: SeSystemtimePrivilege	1148	WMIC.exe
Token: SeProfSingleProcessPrivilege	1148	WMIC.exe
Token: SeIncBasePriorityPrivilege	1148	WMIC.exe
Token: SeCreatePagefilePrivilege	1148	WMIC.exe
Token: SeBackupPrivilege	1148	WMIC.exe
Token: SeRestorePrivilege	1148	WMIC.exe
Token: SeShutdownPrivilege	1148	WMIC.exe
Token: SeDebugPrivilege	1148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1148	WMIC.exe
Token: SeRemoteShutdownPrivilege	1148	WMIC.exe
Token: SeUndockPrivilege	1148	WMIC.exe
Token: SeManageVolumePrivilege	1148	WMIC.exe
Token: 33	1148	WMIC.exe
Token: 34	1148	WMIC.exe
Token: 35	1148	WMIC.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeIncreaseQuotaPrivilege	2584	WMIC.exe
Token: SeSecurityPrivilege	2584	WMIC.exe
Token: SeTakeOwnershipPrivilege	2584	WMIC.exe
Token: SeLoadDriverPrivilege	2584	WMIC.exe
Token: SeSystemProfilePrivilege	2584	WMIC.exe
Token: SeSystemtimePrivilege	2584	WMIC.exe
Token: SeProfSingleProcessPrivilege	2584	WMIC.exe
Token: SeIncBasePriorityPrivilege	2584	WMIC.exe
Token: SeCreatePagefilePrivilege	2584	WMIC.exe
Token: SeBackupPrivilege	2584	WMIC.exe
Token: SeRestorePrivilege	2584	WMIC.exe
Token: SeShutdownPrivilege	2584	WMIC.exe
Token: SeDebugPrivilege	2584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2584	WMIC.exe
Token: SeRemoteShutdownPrivilege	2584	WMIC.exe
Token: SeUndockPrivilege	2584	WMIC.exe
Token: SeManageVolumePrivilege	2584	WMIC.exe
Token: 33	2584	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exehgfdfds.exeservices.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2396 wrote to memory of 1740	2396	1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe	28
PID 2396 wrote to memory of 1740	2396	1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe	28
PID 2396 wrote to memory of 1740	2396	1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe	28
PID 2396 wrote to memory of 1740	2396	1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe	28
PID 1740 wrote to memory of 2232	1740	hgfdfds.exe	33
PID 1740 wrote to memory of 2232	1740	hgfdfds.exe	33
PID 1740 wrote to memory of 2232	1740	hgfdfds.exe	33
PID 1740 wrote to memory of 2232	1740	hgfdfds.exe	33
PID 1740 wrote to memory of 568	1740	hgfdfds.exe	34
PID 1740 wrote to memory of 568	1740	hgfdfds.exe	34
PID 1740 wrote to memory of 568	1740	hgfdfds.exe	34
PID 1740 wrote to memory of 568	1740	hgfdfds.exe	34
PID 1740 wrote to memory of 568	1740	hgfdfds.exe	34
PID 1740 wrote to memory of 568	1740	hgfdfds.exe	34
PID 1740 wrote to memory of 568	1740	hgfdfds.exe	34
PID 2232 wrote to memory of 2916	2232	services.exe	36
PID 2232 wrote to memory of 2916	2232	services.exe	36
PID 2232 wrote to memory of 2916	2232	services.exe	36
PID 2232 wrote to memory of 2916	2232	services.exe	36
PID 2232 wrote to memory of 2940	2232	services.exe	39
PID 2232 wrote to memory of 2940	2232	services.exe	39
PID 2232 wrote to memory of 2940	2232	services.exe	39
PID 2232 wrote to memory of 2940	2232	services.exe	39
PID 2232 wrote to memory of 3008	2232	services.exe	40
PID 2232 wrote to memory of 3008	2232	services.exe	40
PID 2232 wrote to memory of 3008	2232	services.exe	40
PID 2232 wrote to memory of 3008	2232	services.exe	40
PID 2232 wrote to memory of 2140	2232	services.exe	41
PID 2232 wrote to memory of 2140	2232	services.exe	41
PID 2232 wrote to memory of 2140	2232	services.exe	41
PID 2232 wrote to memory of 2140	2232	services.exe	41
PID 2232 wrote to memory of 2144	2232	services.exe	42
PID 2232 wrote to memory of 2144	2232	services.exe	42
PID 2232 wrote to memory of 2144	2232	services.exe	42
PID 2232 wrote to memory of 2144	2232	services.exe	42
PID 2232 wrote to memory of 2120	2232	services.exe	43
PID 2232 wrote to memory of 2120	2232	services.exe	43
PID 2232 wrote to memory of 2120	2232	services.exe	43
PID 2232 wrote to memory of 2120	2232	services.exe	43
PID 2232 wrote to memory of 2040	2232	services.exe	44
PID 2232 wrote to memory of 2040	2232	services.exe	44
PID 2232 wrote to memory of 2040	2232	services.exe	44
PID 2232 wrote to memory of 2040	2232	services.exe	44
PID 2232 wrote to memory of 2928	2232	services.exe	45
PID 2232 wrote to memory of 2928	2232	services.exe	45
PID 2232 wrote to memory of 2928	2232	services.exe	45
PID 2232 wrote to memory of 2928	2232	services.exe	45
PID 2916 wrote to memory of 1148	2916	cmd.exe	50
PID 2916 wrote to memory of 1148	2916	cmd.exe	50
PID 2916 wrote to memory of 1148	2916	cmd.exe	50
PID 2916 wrote to memory of 1148	2916	cmd.exe	50
PID 2120 wrote to memory of 2272	2120	cmd.exe	51
PID 2120 wrote to memory of 2272	2120	cmd.exe	51
PID 2120 wrote to memory of 2272	2120	cmd.exe	51
PID 2120 wrote to memory of 2272	2120	cmd.exe	51
PID 2144 wrote to memory of 1696	2144	cmd.exe	52
PID 2144 wrote to memory of 1696	2144	cmd.exe	52
PID 2144 wrote to memory of 1696	2144	cmd.exe	52
PID 2144 wrote to memory of 1696	2144	cmd.exe	52
PID 2120 wrote to memory of 2584	2120	cmd.exe	55
PID 2120 wrote to memory of 2584	2120	cmd.exe	55
PID 2120 wrote to memory of 2584	2120	cmd.exe	55
PID 2120 wrote to memory of 2584	2120	cmd.exe	55
PID 2232 wrote to memory of 1056	2232	services.exe	57

C:\Users\Admin\AppData\Local\Temp\1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe
"C:\Users\Admin\AppData\Local\Temp\1f026c4cbb2316d51d90d01dc50b531a6f52fa8424ce9b8298f01a3fac1a270d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Public\Videos\hgfdfds.exe
  "C:\Users\Public\Videos\hgfdfds.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC.exe shadowcopy delete /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      PID:2040
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 1
      4⤵
      Executes dropped EXE
      PID:2928
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      PID:1056
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
972B

MD5
24da030d9ee7b1d237076d61bbf6b997

SHA1
696bfb9da64e1ec3043c0adc1731b4782b30c588

SHA256
c38c01677efcb97f29d968918dd2fb99fd03c9ce98c9f219550aad4f4284da4a

SHA512
cb0f00abd93279ba74d86cafbf1cf760a08096fb2140c14924fb7ad301987bed3347abfc34da0d36ed8c244f86f83eb0c1ec6a5ff3276e573341074bd6716606

Download Submit
C:\MSOCache\.Zeppelin

Filesize
513B

MD5
8bff8f7ec2dee0630915c750011b1bad

SHA1
3f37e6bc23aba846bffa9d510bfd03024af53c73

SHA256
aca5c1161a85a45d36eaf2bceeff54a0d668bc04957b91f49665fe2a52857ef3

SHA512
e9f1100ee8ebb3614351f8300615fa9400198848502e7d67e8dce918d95a0ce7a245db2a9951fcb7baaeff9c8d0fe36b38d368c263e5daf34ddf0947470d9abe

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng

Filesize
23KB

MD5
768a902705ee98411cf0e0d597f8ecaf

SHA1
3ab569798a1ca9987b6f0e3591fbb242b9a874cd

SHA256
f4c7d8b98bcc5682c099f53633a52d5db7e5a08d37e3dc28be6fd262667a8c5d

SHA512
7d412c0f33b8c3e2909c4a9092d11cacf2bd61fb61db6b6a328c68e87c392153665ebea5dcbc56437f5f8457205b6c97ac00d5f04f9472ea1874c879becc8349

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
7193f3a13fd8f50fc84a0fa1ac90170a

SHA1
9f9d6693f4fd24b9c6852a18314087e88bbb4d39

SHA256
85c315ed9ad0ffcb9961a162d49b2774b7a32673a77ecdedf14634b5739d331b

SHA512
da5e4d5ca6847c2b9c750100f31c7581430e473c8dd0cd22406be73d8291cb7b5ebcc54a9a0218e8ae07165e7255de96fe345dc4996c3331b7fbc4824f131b3e

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca

Filesize
6KB

MD5
be1765bfd6f527dcf99cae8597615872

SHA1
278261b2d9abcf799aa80b90ee12dc329822a99d

SHA256
a2205862d0c71f8343c39093efcc1f31c2a2ea6c043364560207c9773cd7cbcb

SHA512
4af88dde7ead29bdbd6707384d811094822ccecb4d6a03e99be1f08cafecc64917b63590e9ba2af0d7efb62b34e44885f0948422d719d87fffc03a04786d7777

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
445c318f25f315767b11f612adcd6a8d

SHA1
8447083a2aee4a663849e1248218283b17da7706

SHA256
bd7d5890befc6ad5c397a46a2898378bfda598cf32072b6829306ec684af986d

SHA512
2c74aa0cd64b3fb3d9baf661d37f0d6646ea4ffb51a9917485b937ed17c3fc927d3f684360cda558d721cb70371705b41d6440f7af80a470b637716be6db4067

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS

Filesize
125KB

MD5
7c7a8f020cd0a63831cbbe97e717672a

SHA1
833b53fdb97622cde27ed6f8dcb65f64cee463ca

SHA256
1b36ee66e163128fbb78cfb1abcb34a44430a0141481dc54b7a8454f47737247

SHA512
6cb4f0c1bf9d45ea6cc5e0a1944b58ef07bce4e9bff8334b4b0d793608304621fafcb161055c10655248bbd4c7545994e1abf91e1aebd2040797d81ef88d6b9c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
c0c4425674a4ca81521d4ab58b1fa702

SHA1
2c0c48529afc47cba61a406decfd6118cdfad549

SHA256
66e0e09a01dcdd8d7df4260cc3ecfafc663f0513419a1abfa561d9ef758e04b0

SHA512
6ddd800eccbe27bb13fad299d001094ef65b94c07c448ee4fe327e028756bce3367a5b0c7204ca5129ebceacb02eb206ab3f741742edc217d1935d92d5b8aecd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\TURABIAN.XSL

Filesize
332KB

MD5
5e4436017dd8d68809bb5caa0ac72482

SHA1
fbbf7d37cf613031a8acb715bb5feae19d6f08f8

SHA256
b0288ca6794f109162dc3f8124f9c23b992b9ff58837b696b5871520a3b90240

SHA512
a6d331358c5009139badd2fc762d0575278e6d10ad80291c2b39aec1ccef7a0ce2cd80d9cd41f486829158ccc6ccba5fb6cb1034c85032cf185c0d8c3327a2e7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
78KB

MD5
d8646d27f2bc640b8640011e9a3fdcdc

SHA1
6ef05f6aa63c802f5faced02e9c8913d828e0f18

SHA256
2900465e78d122a21ee1381abdcff88417a5059cfaa4b8e3bffd2a01b8391e3f

SHA512
703b744f99b2c32ee0404cd0b8abcad13c35309a0f8e2e9f8ed10d6819ef3d4626dac20696bcad02830acf10d6ebb45a49c54318db84b4bed5f341ee483489ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
c245afeb5f18ec987b08903cce06e24f

SHA1
e75678825a8741de976df661c5d6d3f4b8f992f6

SHA256
1c0656227291c23947c76d0da5817886a2708e9abe1d54743e2b1fa0def5f5ad

SHA512
c87fffce99a700779badcef64688171e8765086d1a29a47ec4dd717988eebcaa2df4194736da8efb87bc5486a110457ef321ee0c24a054b8354688bcb6142781

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
f68b9f0c79b9090c1dc3a1e094ee9ced

SHA1
dbcfff019438d5922d812dc2ad8f784dfa2d0322

SHA256
1433ad3b7d13f460b8ca63f1980c861f481d383523f61244103a745fbd920784

SHA512
2a3200bd917a35ec603fa58481736d390deb7956db4c1fc0f4c094aa237c334b40de0574a0e784c347921e508343bd7b35c80cb9cb360e3c2926d823daac671e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
57f3750ac86b69332bd2f00036634c48

SHA1
c488940330a37b87f8577f5d0a20fac09ba808c1

SHA256
abd3d804f27d369d67c9f743b57096f731ca801d594b2ddfa5c90a2e1f812bc2

SHA512
0e45dd9bc79a311061fb4e34ca46b1ccafb53721724da940d73ebae97f9cf88e58f6ea21833e16714252d22bd4237f20a15e8fd809772dcc0f5fe558661a4afa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
3342bd317a15e1c002d1f75942408376

SHA1
99b9f15649c4ef6ae43f4caff2e05847bed86473

SHA256
036dd2b2055b8aa6ba7d4262ae1d629ef19126a9157fdffa487e88f168e70093

SHA512
2e408e99665787d14cf460063e312c21ec93a794beff73dab88e9765b859cddadd66a1909a3ece89548015ad587a75352d42e9c05a251dc9419f034d5d547f09

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
79KB

MD5
d94bcab76745a1bcb53b3fd1a56065a5

SHA1
d7cf31aab5bba301920a1694edcf4b003e148a94

SHA256
e97ca80abebfe38765f2493775cd31239ed09c3dee797ffaa333d3875d323329

SHA512
473b5dbad38d3569e9cc4b9bfd131ba0549e06cdeb28bd8d088ac52fff5474ab470095600cb7de2f2f5e636b005566eb5537f5684c18cd0d6147a53c0467692d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
9960aac557956d354c244203d4c3f952

SHA1
abcc262be58ac6eb7e0238de79e1a8bc834d6fd0

SHA256
b3285b6bab1558e40cb6635f55dab968c7c8e39633c3b4d47411f5ef75d61cf6

SHA512
abe28288a329905def66b6f8a1498785346a55d73e7803605a1947e34ad9b9d239e81a5930fd29e2bc6c8dffdb4f1084d0ad88e12e63cf6747717b32367cbe06

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties

Filesize
7KB

MD5
4eafe5ca79880e61f93a151c8740367f

SHA1
c001b513eed4d2d889ed8a42dba1d9349f00ff11

SHA256
ba7613b010f0800e5bfd066273198da0f986278b6f7b4b675c5b454dc585c83c

SHA512
c7b8a1b235a812f0055a90af0c200115e3d55fce29d6125519ffd1fb97b2587206b100ccff61ea12b9118702cbb4fd3e300135558399a076221561d9c692a6c9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html

Filesize
7KB

MD5
965985692e279f8d055924504ff07b1b

SHA1
ff0bc3bcc8a195c2028a121f83bea3e3227d6be9

SHA256
e15af5020dec2cea02aadd80f5d62ee8844f36d702dfd4fad614590c9846dc6e

SHA512
5dce43be8611f1a3d8f240e71ad6e60d1c4a3de4f6e88870bb05507c25062b1e85d815f0477d587c6831136a6b5aacab9f695f978e21bbff4b8343764cc1de1c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html

Filesize
10KB

MD5
cbc1a0bce07ac5fdccdf168480f33c2e

SHA1
aef70dee3d00d4a643c329d0be9c753c778649da

SHA256
65b50928b5a7c0c41b0e270fa002fb317b530cc4428b619d87e75473a7e61c36

SHA512
55d81364bbb187d6a5e470bfacaf9585132dd1ceb6e42f187ed66cf8d9b30f0454e8204e9bb8993ca33731a645b5d76446a6b38a835584eb7bc69001f7ab667b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
81c996d6f2a8beb947d8912aa8b8db21

SHA1
5f187d3bc4bbe03e7ed1f1b4ea7d9d39402a2c80

SHA256
f2f07788f63331226530c511d1dad6817833448a8fda50ed36008605fc2e6231

SHA512
e0f99f8a71dd4c6fc5591413c7efe3076f26cc069224572dd89e9963ca2aec319f470ae1adce2ecaf6dc3c49a6263b40cfc137b88ac14ca60c3aa35e7dd89305

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

Filesize
10KB

MD5
2979bc57ff1bd22e23483d92c4f066e5

SHA1
61a66825584ade9c4fe4dea8abb0612151e42e0e

SHA256
7d978159cd18031298e646446cae81bc73d7c005c27fb72ef4a52abb92f05f69

SHA512
ede6fcc9cf6ce6899e39858633d2a4c854e988ec210933e912d4b91d91493fe0b18eceb18db9a1e4b45fc1cfee3d40778a4884a80c1eb3606c5262e8c0aa139d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
f0be2f2e9decf23e52c871b986040289

SHA1
b98b9d350d93a6dee607f059b91e72eddc37dc1b

SHA256
d33dde2b97ff2d9af35f035e8b395008e1407125ccb152fc2d3ab9c67bf8554b

SHA512
e8f7f731be3393d000d9ca8e1ff134a0035b1955b1ecf6e3b1bca7f24caab9d91d4f972b0dcc94e13f399de8716d71bd8a4898f194c651180e3d950a3dd2f7ba

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

Filesize
604KB

MD5
c4685a76fe116a3c950f90a30bd78eea

SHA1
05291e7a3813133cf6138a0f69d4396654b9b413

SHA256
263a2bba66597060e5e364084c0c0d85da8949ded568279ee211f2e37bd9ccf3

SHA512
23d368624cba70b01de27cceb76476d290ac040a832ecbb346166ac4d06ba26b0dcf7daef13deaa078461fd4ea72ea6939c592bd8b21143263c3f794b6eefde9

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
9b50011421bb9e650268ee82463090b1

SHA1
7d5fb9bc2b76bc38670a775f57219d49f6bb7236

SHA256
09d0b606c16e54d5dbc4ec022306b510adb08f518a24c2ee0b3c5ec864ab2e47

SHA512
6b73e6404cfad2c0aba9a649cfe0c32e8edcc7cdff8bc914ff42002ded958c460f155138dc9c53a7e31eb51c5133f0e5bb29eeb04b4980692c93967884e02509

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
3f53f6826958d669726f4971ab09241a

SHA1
5583e0033eaca2d6f57625f6f9ed832a029e6393

SHA256
2566e0ee76b28002d427cd57cc32afe0c9f6c2053edfaa50c15de99c48414405

SHA512
74917dbd47f7319e85fb8ab1567055b2947f48aac5bcc02a26a49cdd02501c9ff4763b21676738172a3784ca0e588be60ca2cf4d5a637ae19da763faadb01c61

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
587KB

MD5
515897fb5ac0ef3a33401158f494ed70

SHA1
994e5d6b58b8ad5d2ba0a6bb74f7b10e2836c6fd

SHA256
af38f6b1cdd737d8a004cf7d4ecf864bf846e95caa8bac9619c8473b4d076768

SHA512
3f4e97137e751dd11ac92c5535ff0a969cfa9598f423c4b55821eeee2892238e0b721b0a37fe56b4a7bf93a31fddcb784984ee70c8ec3fd244f92aedc7b936d3

Download Submit
C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo

Filesize
528KB

MD5
7d5ccf1490263bc4ef0120aba3a7b40c

SHA1
f409255e446be0d89454d718cc213dd370b9fa85

SHA256
275c144c080862fc5f7d0c27bb2d7674df9e40d7cb4ae86e5a7acf1b315a0985

SHA512
f54acbd39253fdd58125b824074c2cea27683d97564ef0841157bf224de32aaaf80175ef0281cceb259e6bba36fd30dbe5dafbb0e08ad4c465f3785fba0fd9b1

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
764KB

MD5
a15b837b7c7cc9a6553a8c10c1fb1d98

SHA1
2776c359bf58caf62aee76f245e0aca79c26048f

SHA256
8453a8a7cf4639272a6cb3c5b144b8f8e9985001ba85af5bf62ad3da0d24fa63

SHA512
2288c8f55909450318dfa5c86fc39c665fdbc9fab01066ca866c1f91988092cf5302f22f77bbc49fc94e48a6105ed719d586e76d186f23bca63b9d99f877d5ce

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
771KB

MD5
305d6878b1599fa5a874babe87cbaae0

SHA1
180aec4e6e61ab7c51085d628bd6bfc153211ec3

SHA256
85720923b0c96878e3da090ae5cad025137fe110f3a3436d47f30bf7b5a0f7a6

SHA512
b6ac3ff2c3cf28129ddf5ee5954c08b27baecf61de43127adbd4179530253c0f6609b54febe5ffa69707f0423535908a3e5f094c9c3adea4024c811e219c08f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
389c5a9b4af859b708d3b0762f5408c4

SHA1
401eb315b58043727aa27d08d1eec3152eb49db1

SHA256
252bd25dfb674aa51f3d9726b8b2a78e5e6e6912d17c309e141b39a1cb995bf8

SHA512
224eebb012f9f6aabaf0680c92265dfb99826cb70a3afc0b47612a6ac10abccb605574124c6e21e64f3630663908248dd5cab4097ccdf1e5b558e54cb96ab9c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
472B

MD5
0f03218f9670e6a42f50f68a3cbe8c3e

SHA1
979caec08a5c4bbb23de5a97226b5ff3ba595607

SHA256
172b3c7abf9f6493d57a32be0646ffcfa788793cff5d41f734fad0879a274f58

SHA512
5b6299d0e76b8dd7feedfb62703114b6405f5c71f3b6ffea368be99f3d53100b06f4189a0ef37ecd1ca55bcc564540ecf22c1aa1d5720501f627dd193f86828b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
2ac74d32fef934ceddc6a44b4ea0478b

SHA1
572ceb6de9d0b3e58aaa2903a56c4f4a2327a716

SHA256
64fedb27098214c70ac38a2cc7f226e8d4e3a7bf983de9040045625dc75ee424

SHA512
329c2251a90ee427d6fecb1a5740760cee28da2d5ad0cb10ef5dc2256e3af51443b7b482ce0c3ee8e253c48e29fb4b704082d8cde09fb4b1cf4382236920b9af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
0bd3cc1195abd8dfb9c5987218521671

SHA1
2a65717b38453f7669519d7b1619b23536cb7ea0

SHA256
fcde6dd82ec0aceb702484cb986a8fda71449fbcf8f087f621f9278e4784bf07

SHA512
75a5e5d4f0f2245b5cb22436866278b40a46507bb80f2dfc3d416c86f1b3a6cc89d5672970a5dbaee2f65dc6880de2784792dd01ad2d539ab1134d4536bb1ac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
488B

MD5
42d0015a40ca2a2f720d100bb4c2d949

SHA1
2cd829e3ce0f032f5d0e7b1f12166b2dabfae800

SHA256
88bdc00931c42918cc7fcdaf1a87df1b7f693d66ba26924212a2f4ca330ac522

SHA512
ae73630ec87167dd879931f6b1b75c0d88a157b34fd9a5016baefae6cd670209ef87c65adefb4ebdf1c65a2f21422d74aa9f8c6b7f428e37ad4ec2a8a8d8f9df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
2437ab7c6429caf6af9e0dbafa6cfb56

SHA1
2a594b64f358a89fa8758e4947c7b8aa46ff9806

SHA256
6913f8504f3207c8687628d0e040e06197d5d9b3e83b556d54573d77d97cb0c0

SHA512
01a66467dc5138fb4f37e5b7fff0d71ca2237832b80a69d31a21309e39c2b361abc6b6ec3355f5102172e3c00b727bce43f597a1c182f60fe114cf5f319af6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\977QBXKR\AILUOD1F.htm

Filesize
18KB

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B9M1KBX1\KMOPZ340.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE275.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE517.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
262B

MD5
e6545ccb3660f88529716ed4e647c713

SHA1
ecd628f29985599a24c5c1d23083c689917dd74e

SHA256
e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

SHA512
f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Admin\Desktop\AddConvert.aifc.kd8eby0.6DD-319-AA0

Filesize
861KB

MD5
671daa4a2e3d6fdd7032560e24fea74f

SHA1
6197e403c60842d0114f237c94ffcced0cfa19ea

SHA256
57370ca1cf013b518b5c1bc7d44351e2a73bb9674c4bc1656fe56c63317816db

SHA512
c04717a198286171243af304e09037577788b188ad43882ca6e967109e97e06da67ced8476fb93bc671e49a7f6ae8540500cab11118fe0c724e5041e2aa82cc1

Download Submit
C:\Users\Admin\Desktop\ClearLimit.wma.kd8eby0.6DD-319-AA0

Filesize
348KB

MD5
bfd2b06732fff4fa7af3e06a87da7f43

SHA1
525e162eef0289165ff456f6904a00e2c523a506

SHA256
377293c0beccf4c94d9cbc1de81c82e0eeb6fdad149b8dee5f33f6f9e43e96cb

SHA512
9b107a60f4fa45d911fd8610d61fd739df397082af03fe30eb3a5d5b9496a71e51f79fdc212dba004e81eaeb3fa2579f0c7aa91529f7b5a3e8553d995440dd38

Download Submit
C:\Users\Admin\Desktop\ConvertComplete.odp.kd8eby0.6DD-319-AA0

Filesize
529KB

MD5
420491f79276ab49e38aefc1536fc904

SHA1
5c5a952f5cbe0fac524f43210e89a7d484c0deb9

SHA256
8e9afe45e77c6e7c8d0727da110c9d5299d535252b72c2ee966ac04a298da116

SHA512
55380098192153fcd80a4560a259d0094ba4488050d28a687b7b9d18f6cf37cb02ee3b4435c637ddbc221ddb435c8f8f22dab54737d63dd88257f78705fa6ebc

Download Submit
C:\Users\Admin\Desktop\ConvertFromImport.midi.kd8eby0.6DD-319-AA0

Filesize
771KB

MD5
77bacd25bc29aea921892fb7665a5d8d

SHA1
31fede89dad8d70966efd64e5a74c4b320ae04f0

SHA256
ada920376fbb73bd1bb89ef12db7cb393b62b7d161209d5c981ff6c11a0ea1cc

SHA512
3f363c787bccc0e7035d8aee96e935c61afb6635632b5841738145f39d43c47a565c6ef9d75fb52e94623a1a70b7af193120ed0ef96210636950108706e4c1e1

Download Submit
C:\Users\Admin\Desktop\DisableReceive.bmp.kd8eby0.6DD-319-AA0

Filesize
831KB

MD5
20b02c8e69a4fdfbcaa547c82b1a07d0

SHA1
cf588c65cae2164660ad933098d8e1beb55ed202

SHA256
d189cf6f03edce145e2d924fee52435f4b1333e0f6c66daac62aa9694c1553e0

SHA512
dd336cf2710e65cd65548aef9db8b650568df5567568f6bfb8f91149c95785ab21c13dcc9d72b383f0992bc0c3f655d40faa3712ace65d52f0f3b5d3ac3063c6

Download Submit
C:\Users\Admin\Desktop\EditGrant.dotx.kd8eby0.6DD-319-AA0

Filesize
711KB

MD5
7b1d0894ed51e3253b8f9ce9a1bf35ac

SHA1
d27f0b2819a30286ca618e5219c7c7609fc1dca8

SHA256
33d5cb6d8ae495575bb56d51f8a6a87eb38a6420e6a40a20be56c0c5b7ab9c96

SHA512
2732b87d607b1a1c6fda631b84e8b668b273feb77d080f1daf3757be006f004e26136c2a0eb3ded06c05c2f877299bf951c71687a49a3d75baf5a843112a15bc

Download Submit
C:\Users\Admin\Desktop\EditJoin.mpeg.kd8eby0.6DD-319-AA0

Filesize
680KB

MD5
6229216db7583e5a9a5f1bc2b76730cc

SHA1
8c6e3e693e3f000e058e4a51f3e4e0049e76e1d3

SHA256
0f28e2e63e892bef63295a355d0b7b570a341a96fb16888fc95d5002ca87362f

SHA512
4a37c140c4af32fcb7fed055f0bf7abd1af84ed78403b2cfd275b0cc918b889714f89e10912d7470ad47d4516aa5a09513e0492b7bdd900b57168c91e4efe924

Download Submit
C:\Users\Admin\Desktop\ExpandRegister.ppsx.kd8eby0.6DD-319-AA0

Filesize
499KB

MD5
57c6a1e5978c4916f17ddfc9f07c1308

SHA1
dce2f296d4adcd170e7b5e9111fa5bdae5079cdb

SHA256
ccc918d95312e927f8e0aa121461173efc56519ea8a43880fab7a8cf03520a43

SHA512
cd148e7c1ab7f05a118e95e6840329e8d0e18ac4f23766d1ea27916646df982b4a59b298adbf2a5f3170198ad6e7aa48606c9a0a20e0bbad6252888140c5910e

Download Submit
C:\Users\Admin\Desktop\ExportPing.pptm.kd8eby0.6DD-319-AA0

Filesize
801KB

MD5
57ace5116ab4a6254c21d73a0eea63f1

SHA1
104eacb29b13f98826620581729a5a412a44ca61

SHA256
28614d6bdd37fb5bd53d15e9e10bd9fb4eeebc2bd7097819864c07c24247b899

SHA512
ee127d9b2f2c5169bbdcbc8f22533e3b89d4f6f481314952e6a73d621aa6760958e91bccd4960e7d428b98177663167097cff549de7bf63b36939ce8a97f5ca2

Download Submit
C:\Users\Admin\Desktop\InstallSelect.3gp2.kd8eby0.6DD-319-AA0

Filesize
650KB

MD5
31e77b7f128c87ce401e88c5cd55c61b

SHA1
53231e8e213a70b04546877c9adc1f5c34d088bc

SHA256
de6ac378bc1e8ad6af3a8f6cc6c2bed9e8c818cbb5b47a3f6960617f556a67fb

SHA512
b6b961d8c5d7f4bda00df3babbcc460f7c6d8f17c05dacd225b684fb1533f81bd5cc32dd77944e28a58848f73c4eff6397232ef08395ab3b5b1c9c9c14ad3918

Download Submit
C:\Users\Admin\Desktop\MountReceive.mpe.kd8eby0.6DD-319-AA0

Filesize
318KB

MD5
50720345f59fa0a724be0cfa5f8fe7ae

SHA1
e61f3b25cc5c45730f097694ea54e5a3cf1d66f8

SHA256
cbdee344b904c3d4637d72689ccd4a82c5728ed360cb9149d12cfe9e1834c138

SHA512
d1151456baf92715042755714d710479549c3187bfd82bd242605d8be8726e602d7eb668518152b5d6264749f950fb53c30b5ce6f1846938871365854dd03511

Download Submit
C:\Users\Admin\Desktop\OpenCompare.wdp.kd8eby0.6DD-319-AA0

Filesize
620KB

MD5
38d63ba573ac3829a6da08e039e29845

SHA1
6c3330eecab315c8353bba6ed20ef177e9fc7ab3

SHA256
77332ecbd1b11766c78d75aa542d89b8bf933bcb478fac1ec81191a66f932c56

SHA512
77b2f141176eef28f24fd2b3a8c1c902f82286496bc0e14dc40d9e16f65ea9a8a8213d9787c6b5f1fe84b494e768e7683cc3f03135b346d77638796c9107c898

Download Submit
C:\Users\Admin\Desktop\OpenTrace.dib.kd8eby0.6DD-319-AA0

Filesize
469KB

MD5
437bd5c6553436c2a361d2019fddb41d

SHA1
a2620894d1b5fe8f73f0c02acb91c2b9f229b4c5

SHA256
5970dd4fc52faaa437e9116b6a21b19a889540bbf7ee5544c14e4885b02f7f9b

SHA512
c7d50daf8ad41727cc8a50800b8b4177fe2177bbca0cc2a39d3b972291cad7fa222bafff934bc3b875a524ab326325c602ed9f25edf3b4cc7f43122c1980429a

Download Submit
C:\Users\Admin\Desktop\PingMount.asp.kd8eby0.6DD-319-AA0

Filesize
741KB

MD5
8a084bd8ce1c2a27e638c5783960eafb

SHA1
94e93972aa6cc1381ee1c1a427457888918332f3

SHA256
ff394cce2b72b8ae9e2a467481164ab6938dd727c25ea66cabaabb521a0e4415

SHA512
10532ae29bcdc8d81d0899eb3f259f1959288b8e868ee528a75ce482a6eeddb9e597cbf72cd20f1425671be38d73831bfb5ab4ee2ddbd5232f4818d37497d809

Download Submit
C:\Users\Admin\Desktop\RepairGrant.vsd.kd8eby0.6DD-319-AA0

Filesize
378KB

MD5
7d9c09a3c3fa339dcb554b5ae8e87a97

SHA1
3ac14634a7cf4171dbd2b0689764b3fac8bed259

SHA256
f54d6aeb48817687b0788f59f488b80a37366ba4afa08405d9e3ec20ec57d235

SHA512
8fca2546f3b5fd6d072ddca052b0fa4ff896a00c76354d5803753ed13614bb96f158d5e57a7d10964421f15f93052dd563caee261c24808421ebde1805c41a7d

Download Submit
C:\Users\Admin\Desktop\RepairImport.mp4.kd8eby0.6DD-319-AA0

Filesize
590KB

MD5
1b539d08bfb76c7ca856584e4d3f4845

SHA1
68c4ec2dc7a49de826133f8f137fa609c89e736b

SHA256
e6274c00790116f7924ad18626245538445949c96834c9a8cc09cd3995c2ef62

SHA512
1218629c00014530c02d305f03348570a80e469ebe39209418feb63fd5ecedacac6047235f89d55e004c22b43b3d969f0e6c929683f7ee15838edf7919c2b27c

Download Submit
C:\Users\Admin\Desktop\SkipRevoke.vsdm.kd8eby0.6DD-319-AA0

Filesize
560KB

MD5
ca0fd585ce03384dddb5834354f2b2ee

SHA1
1e596f08bf717cc2667624852a09e71105351a40

SHA256
1bd35c47db02fddc2a0bef1d31367ec3950b17903c487dca447646d1f51b1801

SHA512
76082844dada240c339814af79b22ebf6f2dc008ad668eedc7338beac5ecbb94863fe53ca11c442677ee6c4d4b4d8fc9b56e7f79e49d52914c956321ec7c8b57

Download Submit
C:\Users\Admin\Desktop\SkipUninstall.edrwx.kd8eby0.6DD-319-AA0

Filesize
892KB

MD5
726f12467d7c1b3c6baaf9b546327435

SHA1
ed80c7ea815366e90cac79dc6490b31ade4affd3

SHA256
1bf8c56d3708adf020396c927d02e4619540cfc4f52c3bf6f4ba10aea0f855f0

SHA512
df07876de571ff375dc48801812cf5a9f3fea37312d65cc40fe8e630c3488929d54c2d3a5766e60d9097ee9b7f49af2d009ec7f38f44777dea5ce597cee2cee3

Download Submit
C:\Users\Admin\Desktop\SwitchCheckpoint.wmf.kd8eby0.6DD-319-AA0

Filesize
1.2MB

MD5
1ea8ccd357c19d079d6d14ccdff1baff

SHA1
9a5b4c51382eb7eeaab7c7df2a919efa52aacb8c

SHA256
81e2514da65cee85cb01ef10f8e3bf3c7e2c7c86d920247ba771f6e6bb131ff3

SHA512
b8d6bbf9d2043ee63dd385e7e9f0de2e328bd39a160990e6641de2acc2d808775d2c4880453d3a86638d3a6c7fd14ff8a6c51c0f2e2dce472c0b36036b65117d

Download Submit
C:\Users\Admin\Desktop\UnpublishTest.ps1.kd8eby0.6DD-319-AA0

Filesize
439KB

MD5
b36cb501cdb94c1a0bc6d11e095996eb

SHA1
1bb18983085b646b8f35ed3512111078231df7d9

SHA256
e893d5e89526d35508757145d2350b1d4ab56ea70a73271a4f78d1a29d7b73b7

SHA512
ca3c40d883570d786f381f35827c343d3e461fb146c5cd71b981d3a919ae49f22a777ba7d8d9709057f5e42a1785fb53253addef4602d74af44839ed5ffe40f1

Download Submit
C:\Users\Public\Videos\hgfdfds.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\Users\Public\Videos\hgfdfds.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
1176c3cc31b6e4f276d8315718065183

SHA1
f7e197767392369dabe642e3989e1863281b011b

SHA256
9af8e2b212932f3c676584a1a27a573118fef8cfcdce4737ddd1b36e5fab9c65

SHA512
60a280cd7698b75e533713b150ae2e3982a94468d7eb034677a0a2ba92bf416ab844878a6a1839789cd24f106fdd887e7a12a073dcdb625e6f77e0e4a611e632

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe

Filesize
214KB

MD5
c14d403c9e9d6b6054e09ceee047fbf1

SHA1
2155b8d3b977f32641314207bb24126741b71d13

SHA256
005b00d41740f7b0327d4d5fe0402dcfc84ae0df44a2231a89a59909eeb30b23

SHA512
f5a0380cf6c7f3c14bd0efefeec1be88d0d92257ace44a97360e17c88e27c59cb424cd7283e2085431ba95d62eac30d017e3f41d7c1ccb4468a0bcaa3984d6d3

Download Submit
memory/568-112-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/568-106-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1056-30462-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1740-69-0x0000000001120000-0x0000000001261000-memory.dmp

Filesize
1.3MB

Download
memory/1740-129-0x0000000001120000-0x0000000001261000-memory.dmp

Filesize
1.3MB

Download
memory/2040-6699-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2040-30435-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2040-21277-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2040-17434-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2040-13280-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2040-10488-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2040-27608-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2040-24590-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2040-3281-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2040-23771-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2232-30463-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2232-646-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download
memory/2272-819-0x00000000732B0000-0x000000007385B000-memory.dmp

Filesize
5.7MB

Download
memory/2272-449-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/2272-448-0x00000000732B0000-0x000000007385B000-memory.dmp

Filesize
5.7MB

Download
memory/2272-442-0x00000000732B0000-0x000000007385B000-memory.dmp

Filesize
5.7MB

Download
memory/2272-451-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/2272-818-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/2928-144-0x0000000001150000-0x0000000001291000-memory.dmp

Filesize
1.3MB

Download