09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138

Analysis

max time kernel
82s
max time network
24s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-02-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SnakeRansom.exe
Size

3.7MB
MD5

d659325ea3491708820a2beffe9362b8
SHA1

6e7f725401c33332beb2383a6802a7e4b2db30a9
SHA256

09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138
SHA512

958f4a72530703131be2f25dc906ab7fc8ee174e9cbd13f9c976af7e986593b56a768e0413e6a85d06f2bdc057ac7d9617f6c25cbf8f13cc2f8348bcf441eeb5
SSDEEP

24576:9ypcVmmyK+Y8J0r1dpvZlGhiUTPQOMoezwFnKS1yb0zrs7HjeAzgeJENrud9qcju:ecV8Ytr1dhrwierOjeAzAruTqQt02+

Score

10^/10

persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Desktop\Decrypt-Your-Files.txt

Ransom Note

-------------------------------------------- | What happened to your files? -------------------------------------------- We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more - all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But dont worry! You can still get those files back and be up and running again in no time. --------------------------------------------- | How to contact us to get your files back? --------------------------------------------- The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. Once run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with better cyber security in mind. If you are interested in purchasing the decryption tool contact us at [email protected] ------------------------------------------------------- | How can you be certain we have the decryption tool? ------------------------------------------------------- In your mail to us attach up to 3 non critical files (up to 3MB, no databases or spreadsheets). We will send them back to you decrypted. ------------------------------------------------------- | What happens if you dont contact us within 48 hours or refuse payment? ------------------------------------------------------- We publish sensitve databases and documents we collected from your network. -------------------------------------------------------

Emails

[email protected]

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Active Setup\Installed Components	Explorer.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\slideShow.js	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties	SnakeRansom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00142_.GIF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090783.WMF	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00121_.WMF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107288.WMF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01191_.WMF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01299_.GIF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105506.WMF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\calendar.js	SnakeRansom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL105.XML	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Asuncion	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Matamoros	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01160_.WMF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.GIF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Assets.accdt	SnakeRansom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityMergeLetter.Dotx	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\settings.css	SnakeRansom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\DEEPBLUE.INF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\PREVIEW.GIF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh89	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	SnakeRansom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo	SnakeRansom.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Premium.gif	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar	SnakeRansom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14996_.GIF	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Luxembourg	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51B.GIF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00157_.GIF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08808_.WMF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03257_.WMF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REC.CFG	SnakeRansom.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Metlakatla	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXT	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ASCIIENG.LNG	SnakeRansom.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143744.GIF	SnakeRansom.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf	SnakeRansom.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg	SnakeRansom.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html	SnakeRansom.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1720	SnakeRansom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeBackupPrivilege	2392	vssvc.exe
Token: SeRestorePrivilege	2392	vssvc.exe
Token: SeAuditPrivilege	2392	vssvc.exe
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE
Token: SeShutdownPrivilege	2796	Explorer.EXE

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE
2796	Explorer.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SnakeRansom.exe
"C:\Users\Admin\AppData\Local\Temp\SnakeRansom.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\Explorer.EXE
"C:\Windows\Explorer.EXE"
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Office14\Custom.propdesc

Filesize
1KB

MD5
0b22cf56afece0e68f5583a407a711f0

SHA1
9105799be493f3b26521fb7f92325f6a8067bb1c

SHA256
677d173b1947737667035b47c8ab0143ba4cf4df2b58e4a293319f5ac3fafe5b

SHA512
f17e9b0470e7016f3bd052b8f29a6beafbe5c45df6cbfdb71a943fb1c427c129acb908d55a6b0c4344eb575cd94123182712a03a39807e952f23158ad1c2c6c4

Download Submit
C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc

Filesize
1KB

MD5
e2855d0a929c0da33563310c6af3809f

SHA1
eef7b4d667e22375cd939844040aecc01a886146

SHA256
661653da08576a76d2afbf9e215646e302e7f04f2473f8e64b131030e05b3335

SHA512
a96009a561ef2ab974660fa81735d8d5efa0e5497d1334bd9ace93b33689b3a1ca8c6459d3481b0b28adbe28de807a431beccfceba70466b3886a78a09590ddc

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
48KB

MD5
39b4e3f3573f3c6b5476c9c6d6781a00

SHA1
d0e8270689bd5c00d4f700285f3c53fbe557671b

SHA256
9c1db9882505cfb96c88d923bf5359e091462dcfc89e3d784d29c9453c190bf1

SHA512
a5075333d7f64f356bdf23426d7c682494a835187258e842f564aa964ba7ce1c5e2071e7bb15f2b890c259f6d68e51001a1a55f4b7f8fe14d45b48c6188b2a0a

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db

Filesize
16KB

MD5
93c625d40644e043b14533fb2320c5ca

SHA1
df2e6017ba0f0a1fdff0e9d95f3e1d57a1f31240

SHA256
d977c12434fedb4867691d8b135e664d02ddec4466b7b79d8a8c013f3a73a8e0

SHA512
29af0469fff551cc76066c24eb05a72d959ae2006fa09c68bef06b7f2df88953b420f17ce18d961b672fcde1657441b650e4d1de47e802cab56628033130d292

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{650282AD-EEA7-45CD-9A93-1FD7E786D60D}.2.ver0x0000000000000001.db

Filesize
2KB

MD5
17cae48c122f31a926d256a3632a39aa

SHA1
aab475be34fbe929653b69d7f2b2335fee1a840c

SHA256
fbe3c107b26b456f057a662f5ceb1761f4172eaecf9c3e8038d9fc25e3d67469

SHA512
25a8e11e896737b5fc3023cf307628e8712008e9b8d0f85c76541abca5d051b938f4a2492b4b6a92f771f99b1a74b59ce321a7f10ca9b1e888581f9b7ec7d094

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000015.db

Filesize
189KB

MD5
010110558fdc67ac2f62cec990feb44e

SHA1
69b09d7736d05b1536af40945646d111a6858d05

SHA256
ee6c5a2e214bafecb079334c0873217b9595e349a895765af7cbc37dd726ea93

SHA512
71fb127163838a1eea87d1624541a5b00ae936cbe733665e3403637f4f01ebf3cea85b46993417aee2a3df0918ded73db928ecedf32b4d7966502378dbe7f525

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db

Filesize
405KB

MD5
93c70f460d4c298d06ef9056e7b6ae56

SHA1
f74738f58dab8411828ef8d7d3c33bf3ddb0941f

SHA256
bf46a53e7499d6a2291f299cfdf06520d5c90aabd1327c16efaf2cf2d514b76b

SHA512
0fc51b7fd4a4a15b5d62666b1999a21f91119c06e2a8cd82c8212013e8f97c3fb077b9f8cc175b51be34c3592b24b753b511cc09956b5afbec279e56bc7dfe1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db

Filesize
470B

MD5
bbed678aba460c6329bebe5896be3701

SHA1
e4a2dd1baf05209e561037f21ab16270e87c3b5c

SHA256
4d72ab39a631c9e26563503fadd16eb41a2b6b9a68c0b70ffbf83d417926453b

SHA512
478c232e9c5bda67e418f152df15e64fb4de1b65f9772b34cfa10bdbf29d74037b92d710982d518578d162741a1ee83c139478ef45d86ede5529653ae0bfd396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Filesize
1.0MB

MD5
eed9dda1900d8a59d063df3ff9c1df29

SHA1
1af4e024d22d39dd23371108520b27ff736ca405

SHA256
440444ddc534ead1aa8e2291df527632a3e97ab4bee13ceb6a54cda2bc24428d

SHA512
6e360b24c92efaeb9c4db9e3a91fc1a67ae50660dd93b49d0101c81408c28a90022560bd627ec761c976d75fd42ae14e3d972bedf6b5d645051a556146dd5385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db

Filesize
468B

MD5
df1a04b28f84ff1e3adaec1091c15ed9

SHA1
95a1a4b4b3fb5da7102420e2f90a6a236bb6b804

SHA256
c4f8797803fe91ff190bbef165ee2429702ac21571569272798f3d372a1aa571

SHA512
0bab40846e3617436c44439917caa535a301389f77d2a6ba90a42711e684250204f07529c2bcca06de3e253f2e6840b44c0e80ddc8dd6651493771faceb64e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

Filesize
468B

MD5
44e5b4da222e8163bfa2145e2faa6a67

SHA1
add9b68f7309374b41df56355aeb7f194d0c0d1b

SHA256
2b58816052741741583f2cbf692550e0b86f9f75fb7d8c20f784e4514f3a9e2d

SHA512
a120bd5bad254541bd121cbc260456fbe2a4b9736ac9b7b2b4874299c439e86c1c8bcaae9feb8ad3e0d5f54be1e5132c7823280faaaf00b40d9aecd00ebf9c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
3KB

MD5
8b7824e203494b9f2cd62e3e6386b289

SHA1
0dc572eb1e1d4cf7fe11363cb86aff5b1fb64bff

SHA256
ff7b0f31630de94848e7f88efc5bef620f5f9d54f7ca4ccccb336fa1df6e20e6

SHA512
b41a688a8679383e48f90cc69c853ed162e9498852ae5710240382c87eaa5b4a0fa689d47ed055f0fea89a2d9eb8651996dc0fcfd36fd50f99c81601c4e733d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

Filesize
468B

MD5
9003fcd0bce135b45d91dd293561e763

SHA1
1f1df65f47049a61baffad23269ce3bdbb140dbb

SHA256
aa8319fc1ecf8fc3dfa503040bb5de3d2f6ce069fcce154de588ab05be827a5e

SHA512
57e21c5cb660cf562617035db2a51ebb44b968ae12a120096f36446d05b25d69777bfb9cbea00f9c16b81d95b77c3d1500339a7fcf0fca7130b7480e2e06d8d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

Filesize
3KB

MD5
027cec7b6cbbecfe548a1ef804e74cc0

SHA1
6a78bf24e072bdeedfd50d5b51d82c344cd38026

SHA256
2809ccbf1f0ca5cf28400d25eb0538031d194a6c4f030bb09a0899397ec55ed8

SHA512
30767305ffd5862ae47942e232bdadd10e2580abf72fe0da9d2892c7397c2fb0e2b3cf12610b057d0ce885b956f2af6489ba7a153261b2209af7fa6ecb822dd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

Filesize
3KB

MD5
3562ffa553b989a05f01c544867f9640

SHA1
59b82bb6b5397a1268403b49e1a81f0e19b83068

SHA256
0f737ec4d6ec2d34b460b1ac0b6e158922d7322657302bd8d60ccb4d09e36a95

SHA512
4dc607d722b1bf24c363476cc929506234a718e1f144a202317f25a19dc5a8b377cf06cdecc80cad6bd1e7a96998fd5a66e868410c14c7822f87379e06f43e9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

Filesize
3KB

MD5
0ddc20a0dd7d770e28cb2952aef86cf9

SHA1
5486a13d3084a6b15259ca3db737a10ea8de45a7

SHA256
ee436a6361f5edbd27d2a841430707624ffbfdb11ef73c430f00a0d6bac669e6

SHA512
797e53782911238c3c7a194433a404373ddfdb9c4e68256c2d069d0c4c3db6cc69e909e8faaceaf4830dda3cbcf7699cdb3aa67f130fa8e402fa3da195529668

Download Submit
C:\Users\Admin\Desktop\ApproveUnlock.gif

Filesize
355KB

MD5
557e792048fddd6310e8e5af98380039

SHA1
731ac4fa3c87e191e147247dee09b3b9dd74e32e

SHA256
b009b3c831ae9dfcd781bdd2f7f28d02978975e19a2af60631c3a1948bf41c43

SHA512
744ce9047e2e743482a26d55985204b732a70c2f358271315cb066094bd2d891535eddcfc3e55a501ad95f7e7b2595487464b362d1e40ffe968052ab0f91153f

Download Submit
C:\Users\Admin\Desktop\ClearStop.mpeg2

Filesize
267KB

MD5
294876fee33c6b50485c7bd9a958892f

SHA1
6b1521c00d51639b4d7037c24dc08bfa8f28df9b

SHA256
a02c67442df3eafd82477d3c48030ea42502da92ebee72960343e9afc4a9f821

SHA512
b4918d15f4698b2288396c08ec8e87480e643d3abc7a4306fd4bf7daa220ad67a0161611ae2278dd408f618e04c0b4685666f6b3b0d457533671e52f6e68f333

Download Submit
C:\Users\Admin\Desktop\ConfirmRepair.wma

Filesize
409KB

MD5
4042eabf6a1c34f8971e455426989763

SHA1
45ed4287cd808c8a41f3c61affc7e0fdf029c1fa

SHA256
be1633d93e0eccfb24d8d9d4bf40d59408bb54e11d6722ea1a53e625566cb52b

SHA512
44f1da7a845be148a3914d075bc1510d0faa3f8eea4695f747349525970f4aafd4f997037a76ca3ec52b6f9404c52987ef6508064b18693b0ef22c3b2d7f7d78

Download Submit
C:\Users\Admin\Desktop\ConvertCopy.emz

Filesize
427KB

MD5
c24aaef5bfc2f2e056c25326af25e995

SHA1
18653997bd13c518189af062aa69d247859626d0

SHA256
ab6db18356eca2139302e9108b51b1e8d26a836aaf5a2efab6ad57fd65c03034

SHA512
2f88ae17522d8dd193c42ddb44303b6d7b8d79ee0f3bcffaf11bf316125a8816043366148c8c63d1d2848b0067aa7954dd24e0f9ad3405148d05db79177f0584

Download Submit
C:\Users\Admin\Desktop\ConvertToUpdate.dll

Filesize
444KB

MD5
6e4f9886ee9d6a265a7f6fb38b518048

SHA1
6c13a68b756b65260d8feae9ef1bd812cd4d5f8e

SHA256
6678ee0a1dbf28193bfda635da8aa78eef06578036372e06a0ae949ae9e973ef

SHA512
9978147d9c66827a91f7bd6995fb499a1b25942073fdd22ce868714d256355f9e429a4375420b776901eb7260854a385d06014438492dc48364ff123b0cde877

Download Submit
C:\Users\Admin\Desktop\EnableNew.wmx

Filesize
498KB

MD5
8702d8244e055900cee36400eab929eb

SHA1
a3f44acd8d184d7544a15aeafd205705a189a1da

SHA256
64f82c691de09d5f8ea231f6b8103138767f1901863e18e6bb18da8d75838b7c

SHA512
14450c7ce3d77f2efa98eddb8c8a762ec0a78b76f737e0e6425d7b3f88a213e4bb1edd32813297c9318f9a7d78996fa81de0ab754281cef81bce8191e071be74

Download Submit
C:\Users\Admin\Desktop\ExitUnprotect.wav

Filesize
604KB

MD5
7f6168f552ded8819ab4cc186abb41f3

SHA1
daacd45146dc500c837c6374cd3783b596533337

SHA256
5060de260aa16704dce644ffff6ea5700e5f37d297c9b75770b0c35c2644955b

SHA512
c97a8a54d9a876a5ee9989e5ff64ca4df4d6b57569eba8ac1a2fd293b7903794f44f4652e00854bfe8f5eae78eda44d35480dd774e0d2fe3a7f19eb275f310f1

Download Submit
C:\Users\Admin\Desktop\FormatDisconnect.cr2

Filesize
249KB

MD5
6a6e5741dbcbca4585a5ab370d5b7907

SHA1
2fc7fe9a6cdbe2ba1b69a330c342431d719b1992

SHA256
e0c96e0e0c41b81b65b3956c3fd7774b463a477241185ee497cbc3f1bf9ed699

SHA512
e0839ec6b332e6664b7c151106195138e4b6b9f79bf0bb1c884a4c468350c377510ac430b03c2a1c33eef0ebd2a20b62b835167314e5e7ee584c169a80356865

Download Submit
C:\Users\Admin\Desktop\GetResolve.vstm

Filesize
551KB

MD5
0431f7176ecd07e001230e03fd9eb4f6

SHA1
88096517c538194a4bd926875f7c1aef629dad22

SHA256
f019c737e2dabcfa60bf2fddab983ac7e3f13d9f311459bdef93dd5eb6e9af05

SHA512
b8dc0f019f0d5bc19af9de4402baf9b817a263e5123f21e3392237ad14d3cd0a8a7177e3c907fde7df857f840fdae40711a418fb382688cc2bdb0c57f837e018

Download Submit
C:\Users\Admin\Desktop\HideSwitch.wma

Filesize
533KB

MD5
c53ce756640a9998e66cfe5dbb361d03

SHA1
62680ef9755d5f6c5f88489e86cf6758e39c34ab

SHA256
a28b43a2816f9f5752f4b4bf280bc9183cb8d14cdb99055f00bf3fd6ef7bc02e

SHA512
04fc46b38950684b68573b8a43ad64cd0a451e1f4b20d7fa8400ef882e672588abb727deb5869a12e56e0dcd1a3ce7e8dc875d50742d1f17e0e2e5e1f884c8f9

Download Submit
C:\Users\Admin\Desktop\InitializeBlock.jpg

Filesize
569KB

MD5
2c18f9a4be66f83a99115da708727f39

SHA1
7d1083046c84f5d3b8a37763f57a3727a217fb50

SHA256
40c1c8c1b9a4a385c58496f965e6b3d9e0da9f04b5fa6502ff87c0d73ee08ad8

SHA512
dd20a3c4c008acc1d606560c22a34a7e33dd61ac757d299b3ac1a3a0cbd799b51760ca18dce14bb57bfee2b1587410507915f4705224d490daa9531e4d87d7bc

Download Submit
C:\Users\Admin\Desktop\MeasureSuspend.7z

Filesize
338KB

MD5
5d191278025ded80da653932f9449ab5

SHA1
b11f3aa3e976f5c8d836b0ce3c48d9532ceb56c0

SHA256
351ed8b0cea04ab2546accca936e940720e502cc1c196645c32223c8344db29e

SHA512
8c49c9db4ebdced5d4f1fc0278af9fd555132c2dc61d60a4d7bd7921eb64ffe82c24dc6d0aab682f2617b2b77625a7ca788a9e0d9c8424665d7b585ff6faf085

Download Submit
C:\Users\Admin\Desktop\RenameImport.mpg

Filesize
213KB

MD5
f630f9a1909f6728451d231d992dc620

SHA1
f459eb80d6c4454de127ff66138504864e3f6aa5

SHA256
a802884e8db4b05e80d26ca77867835c5ba4543962666fd15c67c4bc02ccce45

SHA512
9ad3aa5cf7639a3deadef6d2c9ee87b0010161de982cb17374a3ad49b8e931f70c7d6df41836326be43f67052583c3b3817ad3f6b9afc5ac71a50f27dacf6b3a

Download Submit
C:\Users\Admin\Desktop\RepairRemove.vbe

Filesize
480KB

MD5
6c127beed9ea0fbc7aa6705fdb125bfc

SHA1
2ed57add8308fb113457f4082a26bba5a600e0b6

SHA256
6cdfeca12201e4e7346d7578a74afbf8b49c8c818cc414351fe4981cc15a7108

SHA512
5086e6871755c55b8db14e9fa38ba539d959efb6a77db5beceb532c9ffdb4b7c58b694e6c7f21e7d89431400e743adc888090ddeb93ea331775318171b070e97

Download Submit
C:\Users\Admin\Desktop\ResolveUninstall.vdw

Filesize
391KB

MD5
2a43a3ba559a477ce243ecd31b17797e

SHA1
9f657fbd112741ac0bf717d00330a4513c04c139

SHA256
4255c6cc24c0e1bb2068c9ac813c610d60849c0da0de6241cbb91b42b1e1535a

SHA512
3afe273ac180884d01371913cde7553fd9100b73be412667efab1e96469cd0bbbaf4a37a892037829b3c5fd6fca01698a6bad700150d02f7a7f38adcaef74206

Download Submit
C:\Users\Admin\Desktop\RestartShow.zip

Filesize
836KB

MD5
cdd295d31a5dcd626a47f8076a3c3bd5

SHA1
09e07f5043debc855d18967485a44e6af85a37c1

SHA256
d04cf9b4c7fb282028a26a75085a7ea04b2ffdc2d6d2afe71da23ced4a64b231

SHA512
cd0722ea0909911a07d07ccb3a455586f3deeff4e3eac7602f9729e4fd91518cc62a800d4300147c862fe610f24c0a4fff7c3e8948b7b8c641abdd93c6e61c5f

Download Submit
C:\Users\Admin\Desktop\SelectUnpublish.mhtml

Filesize
320KB

MD5
776ffabd09b8d26c1563d74bd7adcf26

SHA1
dcac6028324252bf74d884e1331985f60f28496d

SHA256
fd77d31d585e7c8f9961f7f5822c878a7803f5b5952aa3098be9d58fea2d6d69

SHA512
4b9bd740e8f3f1777fd834bac2fe103c9abf7f482b6f92ccbd1b5ff3b4be20d20ba4829d0ab57c94cd1f8d2072f4ebe673fd9d7f1935012e4a26c69f6e9ba7e9

Download Submit
C:\Users\Admin\Desktop\SendRegister.m3u

Filesize
373KB

MD5
1ea38a6b6556f1b7023a94c61cf58560

SHA1
58d2b7e7373087268f5f13eda11e603c4bfaa275

SHA256
96a68666f8a91c5d499615be7b0d1b5549d836fcc822fea2072b04633631c3e5

SHA512
3138e59f73fdc25a2555f117f408efede36af2231c8c31cb2a9bdbe6fc4dd0048fe98585d68c949e5f902a01eaedc996cf36f4d0a87ef32fc3abba397d95dbe4

Download Submit
C:\Users\Admin\Desktop\SkipLimit.bin

Filesize
462KB

MD5
0d1d8800de956d4dd670b9bd76612a7c

SHA1
bcc9d2e203a5464ae300c275ca46b389991bb6c8

SHA256
123b6e513da5cf529af18204114b7e3523ffaa23efc4473b31ca432ebde1d548

SHA512
dfab590b50a39da3905c790316a47717217d72280eee2c7e86b16da0bbfdc478f9d44790456f8901c986a35c4be978819e6435142cd22d03043a71cdefa9d109

Download Submit
C:\Users\Admin\Desktop\SplitUninstall.dotm

Filesize
515KB

MD5
488cefe473e66b349dc9b9c360303cee

SHA1
a5ce12bf27f7648599a5811e81f497e330dfe770

SHA256
7d96431b5d66a7405e6a370e3680bb2bbe7ed55ea1321a64841386fa17079505

SHA512
b917a49901b9d931ae67b876afe3ba3a7e5db37b5aa29a9ba8ddb4c1421b6fbe4001af7115aec7d4efdaf8fac917f9ced8ef2c056b4dce23ab8d11d42665c7d6

Download Submit
C:\Users\Admin\Desktop\StepRestore.snd

Filesize
302KB

MD5
f73af88a8b360402a876b8ab65eb5704

SHA1
4f833a6502676f1d81cd56a9b590f68e1c620f04

SHA256
1b79c8ef345d4452d55fdcf436b8b1e79d12a0a92d645c89a6c0265024966bdf

SHA512
7ccc0314055e530fedbb1f65441d26c0cb9a3abdb9b1f3c48535bdf54ef52966ad83236bf7472bc0d1959bdb6cf3975267c55a8684d809e11644cb352773f752

Download Submit
C:\Users\Admin\Desktop\UndoInitialize.dib

Filesize
587KB

MD5
8c54d2d5f33d42cefa6e274ae6dc4af5

SHA1
257aedc144139238a573e08838a44b929bcc1993

SHA256
9dd94c257c2625c7eb9ec2f081b3fc48396959fd867f6dcfa321758a9d38148d

SHA512
bfba3dec9b466e0a90630b91c58db3dbc50b219648b023f5858babd692d19721fd82e3a881dc8104a162a11ca2d960839b54ccd97a66eeb2c64b1b10731dbde7

Download Submit
C:\Users\Admin\Desktop\UninstallSkip.sql

Filesize
231KB

MD5
c7425f4de6ec8c5603435db47c5e295c

SHA1
8bac00d8f7084f29a98659c2df6b9e14a096ca91

SHA256
88ce07e2172236c3920c32a440685283b96b947c964fc81446d4664f103573fe

SHA512
2513734de1c22196df775b43bf5e177957b1cadd368e33f6282f9d553751728c40c121eaf165d992fd6cfb29ae81c1dc3a2810fb1780c603f6e4a1f8739e4b2e

Download Submit
C:\Users\Admin\Desktop\WatchMount.wax

Filesize
284KB

MD5
ffaee06f0a69b684f313895b26e8822e

SHA1
648a2828b3f903f146d0d4415ad79050b2902360

SHA256
5b4b5926bec87e789a426545679968a5c7bb3c8ec249c1733fc086a9c8d38459

SHA512
ca9ae6d88e3a8b96650df7ed9fdb9d40c3e92d854afb21dce6c110f0eea1afa8363eb6cf70a2f7ef67f3ed89c10566c41207040adf1042197e4af3a9ec8dcfaf

Download Submit
C:\Users\Admin\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
0a66494badfff89f17570a1c5cf02670

SHA1
e78f104e243b054f4893c1d6ef198e7daa9df542

SHA256
3b2ee53293d15b471b35e41dc3747f23d5d1f8c90514e1c365de072d58025c99

SHA512
04edbb519ce55c766f6eabb7a94a779a4c19c707f8bccc27297a595f9ae7d0f2334c0dc51a3d551743ee5416c3eb0dafe0d2d9390115c29d08f23f5a16e27d79

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk

Filesize
2KB

MD5
7d03a1a0d4d6e6a489927761f81fa1db

SHA1
fcfc8b3d05ce97370f6110cf1fedbc417f5bb02b

SHA256
bf07f89fdfd114edddf52ca868d0e3dbe782fdec3db876f7cc15060e0828c4c9

SHA512
54a3804c71d16146ee08b9dbf95b7b058a957b8473ffcef3a1fed73f75d0abb0cbac92f5e56cb905f40709c7b1d9eb829487ca51d8431126779948fc51ed33f2

Download Submit
C:\Users\Public\Desktop\Decrypt-Your-Files.txt

Filesize
1KB

MD5
5fc1ac37c51f54fa9e77c5343dfe3119

SHA1
03e96d277ee28872a63fdc36522b49d821f54e98

SHA256
22c5532151f9cdba790b94510a46f9e21182a528ef74be5e3e95274beb52fa78

SHA512
f0b829173cb327b2a17c20f4ba8f40b4640e2591485b331e1c4719c5b7093e3900d71ea5016f5973bc23fdbe08c771516304cb54559b2693b73f7d15a11e468e

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1KB

MD5
cc74c62c2c58631764b3d6fe27bdd74a

SHA1
41ac5549df20509d1f9eb1da917be6b7d918b6e2

SHA256
c058413880a5f6e5df255e349ee5f8198ac3b6167bfa6357f39e2c115ee9f1f2

SHA512
285689665e2d22429c7e54404b94bc8db244ff7bd887c1107d88411ac8f75cd7898423813752c3f31d5e70ecbf6caa540c435cb7096b10aed60110cf2bd1ee69

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
7fb295dfc1ede85386b044272477e1f7

SHA1
394ac64c0d2f4ce9a6d6f709684f7fc49b810ac2

SHA256
e3445940748fe36d385f2fb8b18ea74b9cc6acb50e0be3921fbcf74d5c4e95b8

SHA512
73a4be4e6d52dd7f9bd42a5dfae87cd4173cc8c03606df7851c620a0e8008a6fffaa859c8a009a217d3575e9c1fceca5a3437ad98ff58b146bfef79b8f3fdcc5

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
1KB

MD5
69a0d710d5291878a6cddc1c1562e064

SHA1
f5d76a29e21c15aefe66511082cfb54b7c0e940e

SHA256
9b48718ea941832abf2ed232534a5bf05774ac69f3558d5253d9d1d28755dd3b

SHA512
74b71f26cfd1eb094efb1cb341760218a83f032854f5ad829febbbc8b966b1164c4ffc6fada2bc411206d444ca0f722e278f851907f7eb4aa6cdfe3505d11a6d

Download Submit
memory/2796-8224-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/2796-16344-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download