buran | 64c665b2dbdaca4a20aaef96d625091757008c88b49d71070e4eefcd45d986d8

Resubmissions

10-05-2024 17:13

240510-vrrk4sgd7t 10

10-05-2024 17:09

240510-vphv7abd29 10

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 23F-00B-36E Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	family_zeppelin
behavioral14/memory/2368-33-0x00000000004D0000-0x0000000000610000-memory.dmp	family_zeppelin
behavioral14/memory/4700-43-0x0000000000640000-0x0000000000780000-memory.dmp	family_zeppelin
behavioral14/memory/876-46-0x0000000000640000-0x0000000000780000-memory.dmp	family_zeppelin
behavioral14/memory/4700-3100-0x0000000000640000-0x0000000000780000-memory.dmp	family_zeppelin
behavioral14/memory/2396-8524-0x0000000000640000-0x0000000000780000-memory.dmp	family_zeppelin
behavioral14/memory/2396-13857-0x0000000000640000-0x0000000000780000-memory.dmp	family_zeppelin
behavioral14/memory/2396-17700-0x0000000000640000-0x0000000000780000-memory.dmp	family_zeppelin
behavioral14/memory/2396-24068-0x0000000000640000-0x0000000000780000-memory.dmp	family_zeppelin
behavioral14/memory/2396-26104-0x0000000000640000-0x0000000000780000-memory.dmp	family_zeppelin
behavioral14/memory/4700-26129-0x0000000000640000-0x0000000000780000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6101) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

default.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	default.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

5116 notepad.exe
Executes dropped EXE 3 IoCs

Processes:

taskeng.exetaskeng.exetaskeng.exe

pid process

4700 taskeng.exe
876 taskeng.exe
2396 taskeng.exe

pid	process
5116	notepad.exe

pid	process
4700	taskeng.exe
876	taskeng.exe
2396	taskeng.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

default.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	process
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

39 iplogger.org
41 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 geoiptool.com

flow	ioc
39	iplogger.org
41	iplogger.org

flow	ioc
5	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\lib\charsets.jar	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jni.h.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-phn.xrm-ms.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessCompare.rdlc.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-unplated_contrast-black.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-400.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailBadge.scale-100.png	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-100.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg	taskeng.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\tzmappings	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\PREVIEW.GIF	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-down_32.svg.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_2x.gif	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_radio_unselected_18.svg.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small2x.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Dark.scale-200.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-30_altform-lightunplated.png	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\SpeedSelectionSlider.xbf	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-125.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256_altform-lightunplated.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklist	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\ui-strings.js.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	taskeng.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-200.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_wob.png.23F-00B-36E	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\acrobat_parcel_generic_32.svg.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.tpn.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.scale-100.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-48_altform-unplated.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-fullcolor.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.23F-00B-36E	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_DiningReservation.png	taskeng.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

default.exetaskeng.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2368	default.exe
Token: SeDebugPrivilege	2368	default.exe
Token: SeDebugPrivilege	4700	taskeng.exe
Token: SeIncreaseQuotaPrivilege	4072	WMIC.exe
Token: SeSecurityPrivilege	4072	WMIC.exe
Token: SeTakeOwnershipPrivilege	4072	WMIC.exe
Token: SeLoadDriverPrivilege	4072	WMIC.exe
Token: SeSystemProfilePrivilege	4072	WMIC.exe
Token: SeSystemtimePrivilege	4072	WMIC.exe
Token: SeProfSingleProcessPrivilege	4072	WMIC.exe
Token: SeIncBasePriorityPrivilege	4072	WMIC.exe
Token: SeCreatePagefilePrivilege	4072	WMIC.exe
Token: SeBackupPrivilege	4072	WMIC.exe
Token: SeRestorePrivilege	4072	WMIC.exe
Token: SeShutdownPrivilege	4072	WMIC.exe
Token: SeDebugPrivilege	4072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4072	WMIC.exe
Token: SeRemoteShutdownPrivilege	4072	WMIC.exe
Token: SeUndockPrivilege	4072	WMIC.exe
Token: SeManageVolumePrivilege	4072	WMIC.exe
Token: 33	4072	WMIC.exe
Token: 34	4072	WMIC.exe
Token: 35	4072	WMIC.exe
Token: 36	4072	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4072	WMIC.exe
Token: SeSecurityPrivilege	4072	WMIC.exe
Token: SeTakeOwnershipPrivilege	4072	WMIC.exe
Token: SeLoadDriverPrivilege	4072	WMIC.exe
Token: SeSystemProfilePrivilege	4072	WMIC.exe
Token: SeSystemtimePrivilege	4072	WMIC.exe
Token: SeProfSingleProcessPrivilege	4072	WMIC.exe
Token: SeIncBasePriorityPrivilege	4072	WMIC.exe
Token: SeCreatePagefilePrivilege	4072	WMIC.exe
Token: SeBackupPrivilege	4072	WMIC.exe
Token: SeRestorePrivilege	4072	WMIC.exe
Token: SeShutdownPrivilege	4072	WMIC.exe
Token: SeDebugPrivilege	4072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4072	WMIC.exe
Token: SeRemoteShutdownPrivilege	4072	WMIC.exe
Token: SeUndockPrivilege	4072	WMIC.exe
Token: SeManageVolumePrivilege	4072	WMIC.exe
Token: 33	4072	WMIC.exe
Token: 34	4072	WMIC.exe
Token: 35	4072	WMIC.exe
Token: 36	4072	WMIC.exe
Token: SeBackupPrivilege	1592	vssvc.exe
Token: SeRestorePrivilege	1592	vssvc.exe
Token: SeAuditPrivilege	1592	vssvc.exe
Token: SeDebugPrivilege	4700	taskeng.exe
Token: SeDebugPrivilege	4700	taskeng.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

default.exetaskeng.execmd.exe

description	pid	process	target process
PID 2368 wrote to memory of 4700	2368	default.exe	taskeng.exe
PID 2368 wrote to memory of 4700	2368	default.exe	taskeng.exe
PID 2368 wrote to memory of 4700	2368	default.exe	taskeng.exe
PID 2368 wrote to memory of 5116	2368	default.exe	notepad.exe
PID 2368 wrote to memory of 5116	2368	default.exe	notepad.exe
PID 2368 wrote to memory of 5116	2368	default.exe	notepad.exe
PID 2368 wrote to memory of 5116	2368	default.exe	notepad.exe
PID 2368 wrote to memory of 5116	2368	default.exe	notepad.exe
PID 2368 wrote to memory of 5116	2368	default.exe	notepad.exe
PID 4700 wrote to memory of 2396	4700	taskeng.exe	taskeng.exe
PID 4700 wrote to memory of 2396	4700	taskeng.exe	taskeng.exe
PID 4700 wrote to memory of 2396	4700	taskeng.exe	taskeng.exe
PID 4700 wrote to memory of 876	4700	taskeng.exe	taskeng.exe
PID 4700 wrote to memory of 876	4700	taskeng.exe	taskeng.exe
PID 4700 wrote to memory of 876	4700	taskeng.exe	taskeng.exe
PID 4700 wrote to memory of 1988	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 1988	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 1988	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 3084	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 3084	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 3084	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 5048	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 5048	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 5048	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 2964	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 2964	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 2964	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 2808	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 2808	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 2808	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 1964	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 1964	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 1964	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 4860	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 4860	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 4860	4700	taskeng.exe	cmd.exe
PID 4860 wrote to memory of 4072	4860	cmd.exe	WMIC.exe
PID 4860 wrote to memory of 4072	4860	cmd.exe	WMIC.exe
PID 4860 wrote to memory of 4072	4860	cmd.exe	WMIC.exe
PID 4700 wrote to memory of 4076	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 4076	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 4076	4700	taskeng.exe	cmd.exe
PID 4700 wrote to memory of 4084	4700	taskeng.exe	notepad.exe
PID 4700 wrote to memory of 4084	4700	taskeng.exe	notepad.exe
PID 4700 wrote to memory of 4084	4700	taskeng.exe	notepad.exe
PID 4700 wrote to memory of 4084	4700	taskeng.exe	notepad.exe
PID 4700 wrote to memory of 4084	4700	taskeng.exe	notepad.exe
PID 4700 wrote to memory of 4084	4700	taskeng.exe	notepad.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\default.exe
"C:\Users\Admin\AppData\Local\Temp\default.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2396

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 1
3⤵
- Executes dropped EXE
PID:876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
3⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
3⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete backup
3⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
PID:4076

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:4084

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:5116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png
Filesize
64KB

MD5
94c21a6f3db67dea84241b28a142d24f

SHA1
9fa7b3c8ac8c16fdde134a4e910707c5a68aedf7

SHA256
9315ffdef6b42fb7f5ad7d0b761a18d9b389be218b64e0b98ae224cf1713a8b7

SHA512
22f5263f26ac141b52635844ac790a9d3751c67a22b20221b5778d21b7c74c578094ea69b8d17f6c7f2801e9709e5b8d38906276ccc29441d2e187d2d48367bc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png
Filesize
52KB

MD5
d12464f8915fb6f8aa024ef90b458529

SHA1
bffbe2edb574d88135ada4beda8bc18d60c7fcd7

SHA256
794747bd30a84514ec330c5c9557bae65d22c0e64e4f9ce1314c97c8a9a8436a

SHA512
8c27f915ab32a3ba18f50952aaf8a6f7130765f4c22c234c02771534fceba857b55f2a1a7ad256a2b4da5d539e326917b1c1877fb9e9cd4ad854b2eaf573afa0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js
Filesize
29KB

MD5
a811f561701fbd58aeac3a112baa3498

SHA1
714f73ba65d9c3131fc09928b69777447a1b554d

SHA256
03c6362f5e69623bb796b3726556730b17a78bb45ebe48ffa2e7caa13879b33f

SHA512
0e4841ff2b4a3fbe64d3f015ed6395238bb3830ec047043007be29afa2c2ff6904693c9de002605489655e56d58981fcd997915364ff9e3b366e71dbdc018860

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js
Filesize
9KB

MD5
6a1b635f2aff72ceabd3f1d099b3e057

SHA1
14e7d0470d8297cc106648bfcc6dd5f5252ab7cd

SHA256
75bc47ff5110eab39298122a9bb604f81c90f6148f2ae27a4ccb3779553e67bb

SHA512
349cf21a14f9662c15294ce4f974ba84279002c114fd5affc3dd828af841beabebd865a55772e3d9a913af0c590f868a7318877520340c6deb10e6f7f44caed1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js
Filesize
5KB

MD5
6cf5f6584a198c0381b9f241816effef

SHA1
05a4204f474c89f0b04be4c39062d29f829b0347

SHA256
da07f79719068f54a74ecc55dc574cde03b88510010bdaeafb6bb5cf3fb49d68

SHA512
516cc7f89272b53bb58d8dd861adeb7abc8ca7f407474be2ba6256b3f8d82e2c677e8b92892cdced21dff4f4bba7a969e79ad6761b80bfff0664beb27328e4f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js
Filesize
6KB

MD5
0a36e97bf1a3ed2ffd0df5ea675ec394

SHA1
b3b1441172e3bf5c5ad57a43c0c16165fcad1c1d

SHA256
f44a6a9954cce6c6d1c98a241e432c43dffae438d8bb531ea6d920bd865882c0

SHA512
95aa159707a8a29d9e8444f2874630dfb407470577f4daf2f65c27da120a4080a47b773cf9993b0a6db2d9e1e68387f14b2e2db99c0ea246f0d3ef6717789679

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js
Filesize
175KB

MD5
4ab55dedc8b990865f5c6e14f1f0b90e

SHA1
28bf47c4a7586f3da7ef2db767956d16abc4e929

SHA256
b82bbd44faa5e0a14733d6a24be509aba8be469427a4a4686aae8155603a7dd7

SHA512
a5d02d4422c9d8a04d5c9ba3fc0a98c17c531f4d35055e71f13a6a0e931ab13b861ec5d641ee8c36ca4de24702a52114ef884294776d7f0b5582e39bf7bdef49

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js
Filesize
395KB

MD5
75c791757db29de16eebdc6319e12805

SHA1
0a3566f5d4243d2beb5673c32a3f1faeffc92e71

SHA256
ee232ba0242fbc1b9124c85a860a105f7bc6e2971ca844111ef9690a9718d845

SHA512
cb21c972cbc997190deb8b80dd4c741545dbc2743e6984043e9c6e4e2bed3c8afe41c784d6a15c32171f812d465119f272bee0feb43596618a457d4cd6e18d44

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js
Filesize
10KB

MD5
6c82be4fc80e83c95990f88a72648f3b

SHA1
9a64f1759b95a93b3d9ff9ad72d83a52d18d5eaf

SHA256
8972daba16a11954af0be9cf46afb2f617624d65315255a920d0a6791bdf8751

SHA512
7aaf3d1714f89663f62707d38c8a9df4ba01ee3db83e4d783b87562d3117b9cd2883b4482f0b6f7f1f5db06efe0372a1a77d24aca2fdaee6ea62cc6ca44aeb10

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations_retina.png
Filesize
20KB

MD5
b30872b33ebd6e8565dcf11258300d81

SHA1
bf912a311b096d5e99f3035b081966df76b588be

SHA256
9e9b8c2b15fb1301cd03de7a15f7d85b2ec822db4e54d90fbca4d12b9b647d83

SHA512
8a02b9732329fc001eac15ec15d488125d8393b5c788f26d8c21f7979a21efe54756e32daef7ca0e6e795c44c65aa3eacd047182c313e46529627f306b2aa5c1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js
Filesize
6KB

MD5
d2ad2e2466770a67458947755c70c0a5

SHA1
06927a070ddb95643c3d6cba64e5942aedaeddd3

SHA256
565e59cd9a39aa39a54625f39951b303be76172e9b631329f1a0fdfc00f0b45e

SHA512
23cb195e3794bb69d7ee49b247c4242cfcf3000fdec56c6e07529a89a6fea6f03e715bc5875f64fe2ea8ee1b7e91f58b274db0c111975a5e01808e4440398406

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js
Filesize
7KB

MD5
7c08f0ab39081e9735d399cbce564e66

SHA1
57d14826386c6bbccdf15f9a53301f20a6a1bad1

SHA256
ab66089416c9e56c585f878756685937754302776f38b6da72fc65792066d059

SHA512
f5c7f147030f174e2dda4cdec2f9ac9042d6d0615461e43df1caae41934482840fbf66ab65e13520c6d2185e68a29018bc1721739adaf1eeaf68eb3565c4d2a9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js
Filesize
48KB

MD5
3383c6f47d7dcb51daec856b2f308017

SHA1
679392e00c74a420e930ee7e70227b22dc07d952

SHA256
11d7203fafd769fc013e884b5a04f2f3d840eadb90a78f291ca5b7d4e4e1331e

SHA512
bc288491c4ced947948a9cbd46636d9f5fec3a60cbbf7faeade49a2dfa4b6dd2d49fb65c57660fa4cdb11fc88c90b0b36ada78dfbcc6b590b4036057bd155d9b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf
Filesize
56KB

MD5
4fe3fa13140b81e30f5e8fb951b834fe

SHA1
e4d004a7cf3b51ae73247146edd540bbabb8c400

SHA256
5a5dc1a81404e4d1da365ef9382e44351e848d13a02cb208bff2a7b9d180b8dc

SHA512
4b521cb2752e2e878073cc0480710bb74ccd75e112b3bba1750c67d1c985076cd8069e120847ba49b6075565c8fc1d15576d84de88be99ec221c6794e68c51f0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2-2x.gif
Filesize
813KB

MD5
b8ab6ee6ebc7b967f0c3ff675d1956ba

SHA1
55b3920462417640fec120514d882eaca51f8988

SHA256
0e893aaa3aa99a7266dbefdff06a7209d3a1df9af397b6d3ef87821df2bb59c0

SHA512
ba41a0891d0593398b5787ff837b66674bce4f4e956715d2f0832a8275624e8fd33a1db395328e99f209e948238772446eaf2bd120d3029c3d0243b44e6fb7e8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif
Filesize
404KB

MD5
9719a454388300745c127398f0852fd8

SHA1
2b40684c3d4561445230cf67771b2af89295bbfe

SHA256
8269b003676c4658e81b159c4d36d6376e0e05dcb6a799b71f57ec8fa3dfbbd5

SHA512
7688e643b273d3154d9c6602af962932a5bfcf42a6d6542ba9c6f1372b8298540f7996ded92c3548ed03b38a2fd3f75701af656b67bdb1381f1a8c1c33d7605e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js
Filesize
17KB

MD5
464455e63ffbb3377b2660047b906e64

SHA1
a4945884a8a3d3b29b0f7cce3bc430328093e7a8

SHA256
490ef80fc9f110b1f491171a48b9cfb1eb43ae04b96907b9bd20e0fd5a4bbb39

SHA512
566c67d70123ea963444bffe78a72ae8f71890d2ae3532aa349e9aadf67c3ca75164f3a65cc7e2f9cced6b7a85844c55cea1a3a4e8fe91a6f6f22247251c64a1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js
Filesize
18KB

MD5
a28db32857b35b3dacb68c56687d6aea

SHA1
14ef5a1dd1e45c39bc6b3f023e88eeb9390489d6

SHA256
39da7d11f1d7fa69a581319ff8fac09df566a48a200d5fc151fcf13ac948b4b2

SHA512
abbddd5dac93442b1eea99adb0928f7ea3764be3c80b6dd49f4d4bd7b9a7fecedc1e68e560f82fe23f34dd990324d46cf0bbb1f608afd301c6f150655d06314f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js
Filesize
9KB

MD5
6e2dda6e87441177610a9b7b204718d6

SHA1
8ce4dac69c2b038a43e6b5b88e81770437477b66

SHA256
0621e711b02aabd2bf695a94aa6f4fd0cc5bce4556e23915000138262f586460

SHA512
52af226cdd707207fbb3338b5335bde2111c94d8e10a5576d14564c7f31319612b2ae838e5a7c1865d3eec3a26f2cd9413b87ae24daa19662505998b0d0c1e74

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js
Filesize
11KB

MD5
78aec00fbfc915853d8169446d4fc5ec

SHA1
07c39698ff192d46df969f5371301ea5df7ef3ff

SHA256
f53d6971482ab104e446f5d1c03cfd85aabb30865b22dae9c5888cc9b8dbb5b8

SHA512
24a59cb5d1900d62fe61b364d003a4cc5478a1ed14cc724601f57b08622ae7e70c8f84659c43e7f6ff51259e82efb1c543d34d276169ac531431904963164472

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js
Filesize
15KB

MD5
ea809d510b570a719b56c0da24c37d4d

SHA1
ef0fb22e5ef8f31175154eea6916cfc724d2fb30

SHA256
88c4674cc27c72bc507a21ec7d7e627e8f774324be2443ac56ecc4178b1f76ab

SHA512
5b4677b4eea8cbe8e32053c474dd510e3b6a168c7526385eff6de07235a9a63b732f4983fd9dcc618e7a149bed2db9f97d7e04da6ebcf6537192180b1d3a541c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js
Filesize
17KB

MD5
44e128068ca80bf0b5a3e874ce541f4b

SHA1
d6c42248e09e90480f0464d07f942b720211a2b3

SHA256
d6730898b2dd7ffcadbec5e7a905b594114280c285ca7fbb3b6a1ca15ab96fb8

SHA512
e2d5add5e2c469a90d89e5f2bf9c07325f323b99eb1e730a59bad3cab47d0396e857871721d63576f1cb7380e556bb4580e0486a2120523a65ad8ae8858b18cb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js
Filesize
15KB

MD5
cf0484066249e7d850699768228bfd99

SHA1
477209bd771227a6b8381bf61d049d4ec233e843

SHA256
3169552e3772f7b8f84c19a0dfedf4c6cc0d2142dd22a35ec0843dc709d61654

SHA512
7e41d6acc4ed44076b67a7f4e8dd5bd2ca1daab6b047e3237c4c7b4143c7ebf2755222e3daf791484a39f5696e4fcb3a50d033489d9fee7c93285776a8a88c3b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js
Filesize
23KB

MD5
e4e2c3c816e5e17415066ac55cd48ae1

SHA1
81032c5d0fef3ee634aa0e62a9a888160f05b4b8

SHA256
7740ee348f07e2d6da0ad42a8274c57eda6f3d1eb3b5980c85ec14ed089c9731

SHA512
436f358b2897138dc89e0d1594324475295e4f9fb00d6ccdf465911f21c4307ad671323b8d00e3da58ac83a35f73440e98a17a701d6ae9c3c40a7879ec593786

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX
Filesize
292KB

MD5
55d4f911163e682e83a26228d8f55eb1

SHA1
ac8cdf9e1d211ea4b550e2093ea7228ea02fad31

SHA256
be446ba0ca91a974149bd378493941499142d8b1a9b430def44dbe558eacfc49

SHA512
b3a47890fb735162c9fdb008177e9af0fa1cdf092b0433bdc8631728bb306ddbaef490c36c61523ea4785ebdd0dfef32e5cc043ae679f253a9756d8b464071e1

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi
Filesize
2.4MB

MD5
22657ff398399b58b2fe16fa6259244b

SHA1
db956a2afef4e2292d0d71a5ff295bc8bbda1c93

SHA256
6eec098bcf9b2e5a1c5e76b61ab663d60be53244dc046f0d2b1e2b4e2c0b036e

SHA512
1ce30fbbe1c7f0afc08e3d7da077c192ee535d9528bc8ed8fcc690fc874d28a49de6a6595e4ca60780328bacd106603fecc04111a923738f0e0df3e0761b5c3a

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe
Filesize
62KB

MD5
079833b480136be89f09d27794a9ade1

SHA1
fd655ee9c62522e99d4c9c9f7ad368dabfdca49d

SHA256
653122150c3a6d6226412bff807d38ea468f831aab1672413c8897d46bda4b26

SHA512
5b72021b2c553eb69d9c4ee50f172b742258df5ef6b6683c7c1ca19b4875ad350d07133c7b21edf25295cd3af619122df7d0948f9edb85faae48981b63562e94

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe
Filesize
1015KB

MD5
020dcc88a8efa0aff2c1906678640e0a

SHA1
bfe88d00d81cf3ec03a45d5a0d34899df2f601a0

SHA256
7119b6fdb9b0717956eabcbe1dc43e1e3a1a5810d43ee05c7bc697ae98f7b0ed

SHA512
017487badbf41ea9eb60981a6631dd9db5c321dcae61d6a2a4e6ddac2324b4209007bd1a7f6da6854dba32b3c4f5e21a95b76876872b75289ce99b147e16b330

Download Submit
C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo
Filesize
609KB

MD5
ace27054ac1b419489d68cba769d8571

SHA1
c799cc76b4f1f861432416a4e2ea2033e7195b39

SHA256
02485d669f487093a2bde174a7a11e4b8104d8239b3610c849fe0f78ec6bb394

SHA512
4a09e17448ea279c8d6a4bc082c4346715b4af57b18de8c0e46486b82888c036b43944b9e3803b21c050c3e9815168e583c77d98e3eaa064333aa7d8202ed2fd

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo
Filesize
615KB

MD5
7cd55afe919f582f74fec1019c865d36

SHA1
2ab7016426491baa93fb8af72c6b1ad8dd5b757e

SHA256
ddb2ca4aa64fd2c086a78664cc9925f33ca7c910d98c5938f7734e19aa24edd2

SHA512
234d54ce97ecd418262853ce985e2e8eea9e4931eca044b348e7fdc0c48664a60dba0df1d7047acff824e238a24ccb25215e4e2702f3358472589b50ac1e9764

Download Submit
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo
Filesize
612KB

MD5
31125fc6c11422a857487e5fc8463b70

SHA1
6a3416fcfe0015766b556ffa592c93421e3f5576

SHA256
b481bc8c01bf7a083a7d5c2586c4c0343fb0322a96e5ee8cd2ae1b24468de15a

SHA512
7e5dfad530a1239127eb0984b66321d6ea03d8afee539628298ff8ba665677fcfb548355c03bfdf53f16cc6c3caed2acc49382871f09a2dd5259213737507398

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo
Filesize
613KB

MD5
23eba4b45ad97bfdc224b7b6f8e518bd

SHA1
a6471c794a73fbd0bad0ddd7217aea7082da8ea0

SHA256
dba073216ad3ae90a09000cef33195cf1af07d5791baf3343937707e3a053998

SHA512
6ed00b412f9a3fa029b8d33b26a533cef34bf5bfe77507ba241e22859489312b7b936fd3aff3fc7b193da6ce48de6923c974cb5aae09e3f7ce017438ece317ba

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo
Filesize
579KB

MD5
75441211f87a57a0a0f12399f3c42184

SHA1
bff9e48f821157b31c489d244bbed013a4375053

SHA256
b3fad74fe0bee58235018eaa98000858cf2794e4efb91f26a3296da2a981fd79

SHA512
091bb69067ea44f675462b5fd201e7c8efb064589b4a9e2fc7158834af2a1903e8279ee269ba1a5f383157cbd20bc66e2cfda5719f13ad528ff409fd272e68f1

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo
Filesize
615KB

MD5
3b2420a48cd04d2f3f2c46adc2d1b9ae

SHA1
61a4cf900eb9a2f2f4711452056c01d4b74acc6f

SHA256
5b915309ddf2fee0269f1096ad171ccac0a0f06f1b009a11f0ad2e19174d4986

SHA512
97e70459752575cb40ad12f2f8b83fe430cc83486a49f71c22db86c7bcc7dcda5b63e4c46e90ad4fb77013fec0b55ecc1dc7503c4ac290b3b51c9fe615a4e4d5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo
Filesize
552KB

MD5
a376579000a9db85946db1487e45957a

SHA1
89054e85758bdf913a23d2f56c002fd2bf530dd2

SHA256
dfc122146b00608b101f9efffc578bd5f389e18961c0daf8aaed64887e372f73

SHA512
ea91ebd8a6dfd352b8e17e762c017d5159c72496920eff34ddae63cff0c2818b2c68b14844c42c2831d282350e1ebee32aaf701240b5b6ec4bc7db0985626edc

Download Submit
C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Filesize
985B

MD5
a3724cb751929ccd41c94317540f5977

SHA1
27e96b731501a03d3f52dfe4447c7174b1e76471

SHA256
8f889471a8a4c9613d02cfd0e4797a8e2ce64f0c9f9d12336eead9d3d2356b76

SHA512
5f70c04b3f32e326cdc4e714f3c7825d44a565e2ec85e8363a4d029bb94e6fdf82e045d440306bdb364ea3e8337867a8f30ee278ec60e89f442c600f9c4652e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
2KB

MD5
c8bba7924f37fd3d5c549ad50f16a2ad

SHA1
a199efd5291fd7503e0b4e7362ba863bbe29efca

SHA256
f8d1b39724533e12eb12277a4be596b50af71e83693f6099d131d32c04c2c4e3

SHA512
9f7813de321580e241dfb0765804bde11e88bddad94ff33d7b89b8454107708f488e965e5b1be1847ab3e3e1080f137816f7ae2762a9478a7fa033a01866b163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize
472B

MD5
a08472e3b6458d84da6ea50aaa44ec02

SHA1
624f1766112acb8f45224b0658d512801eb93756

SHA256
3eec2f4519bbfa97b8ecc3d64cbc767de28366dbbf0fa9209ded49741513c98a

SHA512
52b82242f6012a12318df97f5ede1d0dc776a1f366afcd422a5df3292b8a2239e4995b9c3a6da5fc57f3fc06e59a3e208ed329d1e2fe1903b779bf556a0f786f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
a26045c60badc3ea12344117b7bc4403

SHA1
e042d0cb3844ca44869d5e01a2e427144b458556

SHA256
69872c2a3c0bdca24598431943ea06f46d2a28bee615698ae09ba335b1cfa925

SHA512
7b0e7562480066d929e4dce2201ced8be9e7d309d28ada04d7779a9ab232ee4bf5a8ba89317865eb382250f8f529c0c0b95d8eb80cff800e595280f2f395d7bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
Filesize
484B

MD5
5f3f422f9ba9043f028b2ba15d6fbaaa

SHA1
86ca3966ae98feb43c77a35e91c7e95af29142c9

SHA256
c45f7d983c9407bf00a38f0fdfe406a2eb83d8b4f7d3a659007e9e94e90e9c28

SHA512
4de62b6eff453dc7a28b614a27c8d0687de6bea90b7fb2a9d2ff5c4fe42eb13adab41d63182174a00b8a9941a315ae865fe110c9588de891c0dac14fee1ee86d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4
Filesize
488B

MD5
37d56fd13262fcf6c9c88d7a1881a156

SHA1
65084325aa8b92cde711c1b36cec1004ebc54368

SHA256
b7badab5b96f69502cea39379b6690ccef20e19dfee88ed96ce91b4de374c3da

SHA512
e36ffc1a8ee3a263d33572905b178209a25cd32723da847ef995b7b2854f3e4522d3a62af66f3cd7c9d5919a5472f69f23c31241d193588ba6668aec4586dcb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
65558c45442153e29a3bad8946bcd512

SHA1
f751f7860d92b752d5741972d396df5ed2bbe70c

SHA256
e379c1d375aae623a4fe7cee5f61a52c52313edcdd0532b8722df9cae4972469

SHA512
32be1ba6a9ddca905dadc9966feb4693e9c0aa58f1586dd4b8d78cbdee21d26d6f03b246dca307e31f402f5a1b9ea3bdd430ce3053ff044f23b0f2176e29475e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WOBB13N1\T78BLO34.htm
Filesize
18KB

MD5
46e7f28a55cdab07533424725a04b9e5

SHA1
48a915fe8958b0882f364b1e0ceb37e7b7948319

SHA256
e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b

SHA512
717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YB09K3UP\9BUA8K7L.htm
Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\Users\Admin\Desktop\CompareLimit.cab.23F-00B-36E
Filesize
744KB

MD5
a6ba8e2965351a190dbdac3991a325e3

SHA1
1b7fcc0811b1dada797b763f94b4c64cb4ee4fc9

SHA256
d7f7e4feb9863311176340d53110b2b4fc29fc9a13a92eb21fc8a7524c7097e1

SHA512
41843becd4a6677c57384c1ec6f090813b02d352f703f95f2f30d9f2e71bb42e26c9e7f0bc6a22bc94969d235316baaa1b69994a8ccebae7c4e7b0acee856b18

Download Submit
C:\Users\Admin\Desktop\CompressComplete.mov.23F-00B-36E
Filesize
677KB

MD5
9f697e8d2137d250ac0018ac98d39c9d

SHA1
a609abb74e0abd6987d813d04821dea8ee39f417

SHA256
8f489c9ffcb32244f621b98785896d78a67bc4fb564c50069f0b82b10d8c09c0

SHA512
2af0838573612decab76ecd5f831684bcbab828f37b827d7f32dca20328e19d6f46a0147da50d3e79b1f53b9e24b2df54c13b5e59eee3356cf75113c87d8c81f

Download Submit
C:\Users\Admin\Desktop\ConfirmNew.potx.23F-00B-36E
Filesize
407KB

MD5
f9b8d6883a3604a5505effd983792f8d

SHA1
08dadacd7484fb714b8a85a7e46f630f19bb9980

SHA256
08baa3942465fdb700687d3fa266d3beebf45a288e7b54e99f89b10a4297e216

SHA512
4e7bd6fa6ef4dd59c82ec2304cd6b7e246c560ab7c290d3697a13a64cd7856d00a0def64e68ed77cbdfdf1711c1f65e276f7d9ea2111d1a3ec1a4c572a3e74e6

Download Submit
C:\Users\Admin\Desktop\EnableEnter.crw.23F-00B-36E
Filesize
542KB

MD5
237c9c56c8631ce4987948ef15a07c6c

SHA1
88c1c5c3092b1ca35a8785f7d3215a209fd7db11

SHA256
658b992027d0c4ad00d5154dedea332057096f003d2589dbd79c01e5a6c81287

SHA512
b140374fe5ddec4f8a90b67b9564313babc624eba8135ad7a469f0330f6de7f4ba3d12dd34cacc6e3221c16fd306ded6be0ca8ee7363421b0e5b1dcf5791bffb

Download Submit
C:\Users\Admin\Desktop\GroupUnblock.reg.23F-00B-36E
Filesize
710KB

MD5
2f11f0014e03965c821ce353660278f8

SHA1
086e363c0f49fd87eda6931f6917b62c2dfe435f

SHA256
2eb80fb1d979e1f83357ee02449498334c4c93eaf6542d8f7e8a60fcb72badbc

SHA512
981eeda8378cfbebe580f36ae3c1e8c80524c77b6caef133b702323d7d4d3a9bb0c165fb66a9591d61687ee33282f1e8b777ce9be3aa95fd6e89fb2b245060be

Download Submit
C:\Users\Admin\Desktop\InvokeRead.aif.23F-00B-36E
Filesize
1.1MB

MD5
a3dffa37be25be2b6550326d5e1f5942

SHA1
6fed2212ce902dd4da80cfa5a38641a15d6ac0ae

SHA256
9022449767fc9b0487cd143cfe3c2a882d7a88622dc683bf51c7121d9ab73ef9

SHA512
2ea113a4909bc9927e9ac04636f7688c5b4dfbb4810915bff155da133d441de147a2306c22e47db9eac65c2319e9a32ca77d0e93ae869c662d285b508bc7ca0c

Download Submit
C:\Users\Admin\Desktop\MergeInstall.vsx.23F-00B-36E
Filesize
981KB

MD5
7ef4b8a20f3c2ee149160a6bd1762152

SHA1
249ca7bb190dd24e8eb5d8500a2ee078ef9754b3

SHA256
c598f8a5482a59280bfb30842afd070eec1c84259ddf0011582ab8c527a120f5

SHA512
90e1c531750c1f890f548cc7ef2074fc400a0662deff86fc62d011dad2163299d04b3cd78dfd6f71c249f18f9e4ff7559b935ab6f9aae3bc20803ff6aa7ca53a

Download Submit
C:\Users\Admin\Desktop\NewSuspend.potm.23F-00B-36E
Filesize
778KB

MD5
5d62eb885ae96b0ca40350395ec09ad4

SHA1
87eb0a21f06b287e0b97fe2c4a3afa48613f8195

SHA256
193f34b21ed7e59a6a4c0bafaf669fa74f7ab8fb0954261b5f2be471c6ce1441

SHA512
f1b54e24a6daaac5c54318b513f5b78d29d4717d6a3780355c3d3464df20ba833e13a1e980ea98af9ef443d28dbad36ff5596ee70feef0b0b354bc7e71eacccb

Download Submit
C:\Users\Admin\Desktop\OpenGroup.rar.23F-00B-36E
Filesize
879KB

MD5
f34d80097fc92d3a3f4be4f000a06d40

SHA1
46b1a1114f627c102856f2a035f16a71028cf5e1

SHA256
cd4548dd83c67d43f6534c1f7f1d9ed3ddb2be1064a5eeae51232a61fc4ee330

SHA512
f4d8c1646315fbceb28d8eba8a0c3131024d9b635b04dc10f8065b45d56d76f6809cb12f61f2716b6476e69c82bed6f90f392ca81cb6c4f5473f33c8555f72c2

Download Submit
C:\Users\Admin\Desktop\OutCompare.vb.23F-00B-36E
Filesize
947KB

MD5
fc5eaa4fec25ad5464d39614f3585e11

SHA1
65ec093ae262269feed77dd5ffd0928f1718a910

SHA256
86089b869bd48828059468997f0c0d262f59dd3afbe97f2cf064f78a8a202378

SHA512
47ab3157b4b9a7cd1e8a74dde92ece81139cfa2da5f391b9ce2309006cabe0ca7ce381f852a7c432956c06ea18195454698eca40d2983e6296388ebc86a585ba

Download Submit
C:\Users\Admin\Desktop\PushMeasure.xml.23F-00B-36E
Filesize
474KB

MD5
745ed402a126a18f5c8449df4774f583

SHA1
89e228fdeb7463774891e44590cbb94a768774cf

SHA256
c322457b9ddbd9a8e016fbc2fd8a9c2a7bd86ec7c07acbbf01a0466d5ca367db

SHA512
fa3caedeffa0ba118ab00432b4d801bc3c1a4491c7104662512867f9d529a2d779da65400045ab01c76daccb44c9dd9869fe3d2e345a0711a3d8f87a53275072

Download Submit
C:\Users\Admin\Desktop\ReceiveBlock.png.23F-00B-36E
Filesize
575KB

MD5
4ac16c4839e52140d050be5f582025b0

SHA1
274bc8ba21ea50500c455c688d8d231faafef613

SHA256
4fcec2085cd242bd1290b9d0d7c11da2123f285c6060ff6a844c36202732ac2b

SHA512
36197d5844056a75a93d06859138917d72f409d975027e4353346ec80ebbf80dc521d70464467e705803bf2e38953eac15d6ae78d4520cea57d815df0175c4c2

Download Submit
C:\Users\Admin\Desktop\RegisterFind.dxf.23F-00B-36E
Filesize
812KB

MD5
64049634e84cf374e573d36381026cdf

SHA1
a8596232c673b501a0b85bb6798b4167007a9a86

SHA256
1330a356ec38436d1e800f9594d6c3c995e97147d7ad1e9e5aa926f65e5f05cc

SHA512
23aa0f27471996173ffacc947a93b5b3b342478bbbf7b22ba7f34473831a5e0642ac2d94bcd980a9f6b94c363bbaff21612dcc3a7bf72b2987f0e8d2220b5add

Download Submit
C:\Users\Admin\Desktop\RegisterSkip.rtf.23F-00B-36E
Filesize
440KB

MD5
cdc4409790370fe4fb6353735a87c7b0

SHA1
916ac6d0b6549188ea4972bcce9fb731ad9eda8e

SHA256
44c8e7074b02df974a6f456d9941ebc1f8338b62f9db3b408c369ffd4e52dcb4

SHA512
aacd8cde338f0263bea0fb397d5fdd17ae95fc76d9dd3ee228e1ad5f1b6c2f5b3a3e455f2611de00bfa8d3c33be0573c435203d920836a2604e90a204fa48536

Download Submit
C:\Users\Admin\Desktop\RequestDismount.3g2.23F-00B-36E
Filesize
1014KB

MD5
4c863f1566bdb090c927ff1ff7bf3776

SHA1
e5ff89ebcb4587447add961ecb9b622495d09f71

SHA256
e6380927fb82bafefd1427e514477b5122bb01ea85199d3d216a4fa7a662b0ac

SHA512
b0753fc4cca75c8a5287e1a3757ee66a1b21b6eb8703fd0f4a1d012c1fda8fcf7d4fe9d54a21d342da8e783ec92b8bd3ccb16d12fb7cb4094b6a013377b581fd

Download Submit
C:\Users\Admin\Desktop\SaveSearch.mht.23F-00B-36E
Filesize
508KB

MD5
fe1b8ce6b2507f409b3048232b9fdb46

SHA1
94bdab24f50b4b53fe1e8655146137dedbb0b551

SHA256
a142fe887f4ea3f16239162681bdf26b012d3ac233f33eac0aabd3d03117da65

SHA512
223d65e7f20e652d73ab50373dfa5d7e32b5a097f3df92ad54cbcb06035a1d55a151f638de8a6769e3b6932d6db3861713be1fe54e5e612fc271adb7445fb8f9

Download Submit
C:\Users\Admin\Desktop\StepClose.rtf.23F-00B-36E
Filesize
643KB

MD5
bc060b007e147a59eaffe81fa7e0cc08

SHA1
7c15181db93aabe5b3e5baa094aa7319250269be

SHA256
06affd26d4e550de3af1d3fba0598fc2c1710eccd35eb951a4e5811ac4f1d682

SHA512
49ddac4de585158b00e8a471afd84cdd6e91f5517ff64b1c48f10d567e608a4c1ccf80b64f40172d9d200ea84a6974d415237afedc3cabd598dfc22d0b370cd0

Download Submit
C:\Users\Admin\Desktop\SuspendPing.ps1.23F-00B-36E
Filesize
1.1MB

MD5
331d2aa4a7c62277d7236ed51cf4138d

SHA1
e43f5ec02c5b352320f4eca28bd3190b50be23ff

SHA256
327f8acce376c5b2e3902089053858c29b454afd0953a1f0fc0b84ba36bd2090

SHA512
523865d175bd8b5bd9ed925215a8414422db87a4f33559ade7203db77834f9709c3e7329c9ffad8f2c3734b9008f27064f3d08f5c10eac5f5aced54bb612bbc4

Download Submit
C:\Users\Admin\Desktop\SuspendSelect.doc.23F-00B-36E
Filesize
1.0MB

MD5
2e64e1a1d8509961dd29ba98458ad2f1

SHA1
ebf2460c9fe187bbc6e8433235727dce3751b356

SHA256
c8b55b1b574bedcd8173342320704fddac106fe957f98b8c6df63bee6b3a0e7e

SHA512
f77d29b2b3a2f57626664ae2c44dec2afce643e1d3f86e82c94d8464ef0c55dfa7b2611e4165b354d154db6a60da8275a3bb62cc22fea2611aa8bdadc3e0f40b

Download Submit
C:\Users\Admin\Desktop\SyncMove.mpeg.23F-00B-36E
Filesize
1.1MB

MD5
c05ad247aa59a685d132b7897a247833

SHA1
38dfc9dc05c4b1dc56f28d3ff4cac28cb3b33a4c

SHA256
79d384e3a38297898bfeea4e54754a4c2966c2178484f3cce0d2b57c94b9aff1

SHA512
6a66d15c9a2e3f608d3c6310f6e136dfdfba3c745c4ccf69379babebc0c334c3d88b3c5c524edb8b0cb7195efe292664a714a01ca25c4ef47fa6861f6e6d20df

Download Submit
C:\Users\Admin\Desktop\TraceRemove.odt.23F-00B-36E
Filesize
846KB

MD5
0f492d8260ea1da5b9eeb2d79e212d73

SHA1
63ffd4a15e35e53be0907c20cb0de6d8981a3d1b

SHA256
9b861a4c968526a6ad377170eb8123f0e0578967466d10f92e6e1dbf43e2c2c3

SHA512
69a5d62bdaaad80bd1b5e67c83e909c82b133b45e6058f5ab406601ad50ba4ad05a0477e98de66fd733d3733f937d84dfd13b88f3d5d8c0eb8aa0b1bd8a1a5c8

Download Submit
C:\Users\Admin\Desktop\UnblockRestart.wmf.23F-00B-36E
Filesize
609KB

MD5
1e96a350125a8ebe84447b8872f01d72

SHA1
fc5ec904c2c57e6ccf64407419bf568d5bf7924d

SHA256
0733560bf3c6945219a3b43f392d4d8d812864e09dd261d66533a599d95f12fb

SHA512
b2da86c6126283ab539bfa51bdba5b7a8a76a1df64e30005c528bb35f1b13c10e1030c220e77fc879948e4b29fd3f48c4b6e3e41378ef433a4aceeca30b184b4

Download Submit
C:\Users\Admin\Desktop\WatchSearch.ppsm.23F-00B-36E
Filesize
1.6MB

MD5
655cd5ca16d440ef49ee5bf6e3fff68a

SHA1
b3a28949204e1ca3615f4e8af566be2704a2ed47

SHA256
a45a433d513ea6e575b983bd38bb57576762978771f2e1917b4eb639209d7a1b

SHA512
2b23af75665b8e606a9162774a6e339730f345427567e326c866a144e2ed7fd8f15ba80abf642813d85d3fde996478f4409c684a1f3735dd8809fd2f8d8e0c25

Download Submit
C:\vcredist2010_x86.log.html
Filesize
82KB

MD5
7d864ff6d854d26f6149f03980c30944

SHA1
3a80bf04708b5db2e2bf9c51e131b9be29e7b62f

SHA256
19bda8c61f54378044d1847cd65c5454ad2d1a9d4d3791840a12a6464e47f8be

SHA512
036459d50b8e4b0d7bbe703f4da42599317cc1f2398c7e670e5fc02070ed9190e08cea6a626e2cc645f30c296b9f1a6f202008425978676a54b07f8a5d6c45f7

Download Submit
memory/876-46-0x0000000000640000-0x0000000000780000-memory.dmp

Filesize
1.2MB

Download
memory/2368-33-0x00000000004D0000-0x0000000000610000-memory.dmp

Filesize
1.2MB

Download
memory/2396-26104-0x0000000000640000-0x0000000000780000-memory.dmp

Filesize
1.2MB

Download
memory/2396-24068-0x0000000000640000-0x0000000000780000-memory.dmp

Filesize
1.2MB

Download
memory/2396-13857-0x0000000000640000-0x0000000000780000-memory.dmp

Filesize
1.2MB

Download
memory/2396-8524-0x0000000000640000-0x0000000000780000-memory.dmp

Filesize
1.2MB

Download
memory/2396-17700-0x0000000000640000-0x0000000000780000-memory.dmp

Filesize
1.2MB

Download
memory/4084-26128-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/4700-26129-0x0000000000640000-0x0000000000780000-memory.dmp

Filesize
1.2MB

Download
memory/4700-43-0x0000000000640000-0x0000000000780000-memory.dmp

Filesize
1.2MB

Download
memory/4700-3100-0x0000000000640000-0x0000000000780000-memory.dmp

Filesize
1.2MB

Download
memory/5116-21-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download