buran | b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
Size

212KB
MD5

3ac926d3bca5450ce48d10c253700ae4
SHA1

0a918e434b1f8e125fb23a71c7317e6b16f3df23
SHA256

b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa
SHA512

ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5
SSDEEP

6144:Via1gMHvEXtAuL5Qnqn64DQFu/U3buRKlemZ9DnGAe+hH+8:VIMH2Gw5Qb4DQFu/U3buRKlemZ9DnGAV

Score

10^/10

buran zeppelin defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 29C-FBA-4F0 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 11 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe	family_zeppelin
behavioral2/memory/4780-35-0x0000000000580000-0x00000000006C0000-memory.dmp	family_zeppelin
behavioral2/memory/2608-45-0x00000000000A0000-0x00000000001E0000-memory.dmp	family_zeppelin
behavioral2/memory/412-75-0x00000000000A0000-0x00000000001E0000-memory.dmp	family_zeppelin
behavioral2/memory/2608-3894-0x00000000000A0000-0x00000000001E0000-memory.dmp	family_zeppelin
behavioral2/memory/4740-7987-0x00000000000A0000-0x00000000001E0000-memory.dmp	family_zeppelin
behavioral2/memory/2608-11077-0x00000000000A0000-0x00000000001E0000-memory.dmp	family_zeppelin
behavioral2/memory/4740-14258-0x00000000000A0000-0x00000000001E0000-memory.dmp	family_zeppelin
behavioral2/memory/4740-20943-0x00000000000A0000-0x00000000001E0000-memory.dmp	family_zeppelin
behavioral2/memory/4740-26053-0x00000000000A0000-0x00000000001E0000-memory.dmp	family_zeppelin
behavioral2/memory/2608-26084-0x00000000000A0000-0x00000000001E0000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6088) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

3032 notepad.exe
Executes dropped EXE 3 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid process

2608 explorer.exe
4740 explorer.exe
412 explorer.exe

pid	process
3032	notepad.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

33 iplogger.org
35 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 geoiptool.com

flow	ioc
33	iplogger.org
35	iplogger.org

flow	ioc
1	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

explorer.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-32_altform-unplated.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp8.scale-200.png	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-GB.Calendar.model	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\THMBNAIL.PNG	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-150.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-200.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-100_contrast-black.png	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache.scale-150.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x.cur.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200_contrast-high.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LargeTile.scale-100_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview.svg	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-100_contrast-black.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-24_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Helper.winmd	explorer.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-focus_32.svg	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugin.js	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif.29C-FBA-4F0	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\search_emptystate.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adobe_logo.png.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_AppList.scale-125.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\ui-strings.js.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-200.png	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\ui-strings.js	explorer.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ul-oob.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\FetchingMail.scale-200.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-150.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook.png.29C-FBA-4F0	explorer.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.29C-FBA-4F0	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.boot.tree.dat	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx.29C-FBA-4F0	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exe

pid	process
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe
2608	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4780	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
Token: SeDebugPrivilege	4780	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4764	WMIC.exe
Token: SeSecurityPrivilege	4764	WMIC.exe
Token: SeTakeOwnershipPrivilege	4764	WMIC.exe
Token: SeLoadDriverPrivilege	4764	WMIC.exe
Token: SeSystemProfilePrivilege	4764	WMIC.exe
Token: SeSystemtimePrivilege	4764	WMIC.exe
Token: SeProfSingleProcessPrivilege	4764	WMIC.exe
Token: SeIncBasePriorityPrivilege	4764	WMIC.exe
Token: SeCreatePagefilePrivilege	4764	WMIC.exe
Token: SeBackupPrivilege	4764	WMIC.exe
Token: SeRestorePrivilege	4764	WMIC.exe
Token: SeShutdownPrivilege	4764	WMIC.exe
Token: SeDebugPrivilege	4764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4764	WMIC.exe
Token: SeRemoteShutdownPrivilege	4764	WMIC.exe
Token: SeUndockPrivilege	4764	WMIC.exe
Token: SeManageVolumePrivilege	4764	WMIC.exe
Token: 33	4764	WMIC.exe
Token: 34	4764	WMIC.exe
Token: 35	4764	WMIC.exe
Token: 36	4764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1732	WMIC.exe
Token: SeSecurityPrivilege	1732	WMIC.exe
Token: SeTakeOwnershipPrivilege	1732	WMIC.exe
Token: SeLoadDriverPrivilege	1732	WMIC.exe
Token: SeSystemProfilePrivilege	1732	WMIC.exe
Token: SeSystemtimePrivilege	1732	WMIC.exe
Token: SeProfSingleProcessPrivilege	1732	WMIC.exe
Token: SeIncBasePriorityPrivilege	1732	WMIC.exe
Token: SeCreatePagefilePrivilege	1732	WMIC.exe
Token: SeBackupPrivilege	1732	WMIC.exe
Token: SeRestorePrivilege	1732	WMIC.exe
Token: SeShutdownPrivilege	1732	WMIC.exe
Token: SeDebugPrivilege	1732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1732	WMIC.exe
Token: SeRemoteShutdownPrivilege	1732	WMIC.exe
Token: SeUndockPrivilege	1732	WMIC.exe
Token: SeManageVolumePrivilege	1732	WMIC.exe
Token: 33	1732	WMIC.exe
Token: 34	1732	WMIC.exe
Token: 35	1732	WMIC.exe
Token: 36	1732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1732	WMIC.exe
Token: SeSecurityPrivilege	1732	WMIC.exe
Token: SeTakeOwnershipPrivilege	1732	WMIC.exe
Token: SeLoadDriverPrivilege	1732	WMIC.exe
Token: SeSystemProfilePrivilege	1732	WMIC.exe
Token: SeSystemtimePrivilege	1732	WMIC.exe
Token: SeProfSingleProcessPrivilege	1732	WMIC.exe
Token: SeIncBasePriorityPrivilege	1732	WMIC.exe
Token: SeCreatePagefilePrivilege	1732	WMIC.exe
Token: SeBackupPrivilege	1732	WMIC.exe
Token: SeRestorePrivilege	1732	WMIC.exe
Token: SeShutdownPrivilege	1732	WMIC.exe
Token: SeDebugPrivilege	1732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1732	WMIC.exe
Token: SeRemoteShutdownPrivilege	1732	WMIC.exe
Token: SeUndockPrivilege	1732	WMIC.exe
Token: SeManageVolumePrivilege	1732	WMIC.exe
Token: 33	1732	WMIC.exe
Token: 34	1732	WMIC.exe
Token: 35	1732	WMIC.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exeexplorer.execmd.execmd.exe

description	pid	process	target process
PID 4780 wrote to memory of 2608	4780	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	explorer.exe
PID 4780 wrote to memory of 2608	4780	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	explorer.exe
PID 4780 wrote to memory of 2608	4780	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	explorer.exe
PID 4780 wrote to memory of 3032	4780	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 4780 wrote to memory of 3032	4780	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 4780 wrote to memory of 3032	4780	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 4780 wrote to memory of 3032	4780	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 4780 wrote to memory of 3032	4780	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 4780 wrote to memory of 3032	4780	3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe	notepad.exe
PID 2608 wrote to memory of 2628	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 2628	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 2628	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 4540	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 4540	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 4540	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 1612	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 1612	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 1612	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 1404	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 1404	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 1404	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 2464	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 2464	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 2464	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 3668	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 3668	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 3668	2608	explorer.exe	cmd.exe
PID 2608 wrote to memory of 4740	2608	explorer.exe	explorer.exe
PID 2608 wrote to memory of 4740	2608	explorer.exe	explorer.exe
PID 2608 wrote to memory of 4740	2608	explorer.exe	explorer.exe
PID 2608 wrote to memory of 412	2608	explorer.exe	explorer.exe
PID 2608 wrote to memory of 412	2608	explorer.exe	explorer.exe
PID 2608 wrote to memory of 412	2608	explorer.exe	explorer.exe
PID 2628 wrote to memory of 1732	2628	cmd.exe	WMIC.exe
PID 2628 wrote to memory of 1732	2628	cmd.exe	WMIC.exe
PID 2628 wrote to memory of 1732	2628	cmd.exe	WMIC.exe
PID 3668 wrote to memory of 4764	3668	cmd.exe	WMIC.exe
PID 3668 wrote to memory of 4764	3668	cmd.exe	WMIC.exe
PID 3668 wrote to memory of 4764	3668	cmd.exe	WMIC.exe
PID 2608 wrote to memory of 1776	2608	explorer.exe	notepad.exe
PID 2608 wrote to memory of 1776	2608	explorer.exe	notepad.exe
PID 2608 wrote to memory of 1776	2608	explorer.exe	notepad.exe
PID 2608 wrote to memory of 1776	2608	explorer.exe	notepad.exe
PID 2608 wrote to memory of 1776	2608	explorer.exe	notepad.exe
PID 2608 wrote to memory of 1776	2608	explorer.exe	notepad.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ac926d3bca5450ce48d10c253700ae4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4764
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4740
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:412
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1776
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:3032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png

Filesize
52KB

MD5
217ac7074399386c31ff4d4d8968e405

SHA1
04ad3ab5f8a9ee6a25da540efbfb439727c71fc6

SHA256
f31326aa455d98fd77b59eb0375ad7c280ca6a98fbca64e4b65f061f21b76736

SHA512
eec8aa1400265ba0183694b8a7b2b91693518dbae9fc59c3d796368e58777bde1a1c0b8b5bfc0958bd3ef0f022c8e068179473c0887de754bbaecb217dd5db36

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png

Filesize
52KB

MD5
a21be71096df890bf1aef773f4b1c071

SHA1
2ff7da971076b9ee61f92f3a6121ab1fbeabb92b

SHA256
b2a0233c6be1e5ea80b354dc53acc6038f03c54ab980662d9fb769c6133cd515

SHA512
0a6ff15e3df58a50e8e3cb357f4b0975e8132306301e104ee822a7466a6fafd3f92d1e5187ef64249b15ee8d62e186e37121b14642d328a3fbe5a52555e10d8f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
4a8fbfe608feb7880e4963f5cff266f3

SHA1
78419d9f7cd42aa4c0370c4b38febc49440c3399

SHA256
bf3e7f88de9e904bcd52e7baa414055e77c44b4c12001f23144ddc1ba6ac112d

SHA512
d2d723077adeb7086753dd419f4f9fdd569b3ddb2f7b339f6ebe5b06ca9fd4d96e7cf79a8a7e70088d5ede86d24e4a57efc69d23709892274d056e159770e795

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
34KB

MD5
eb33f9cddbbc650f5f71ea085990f3ba

SHA1
a3a5322096f98e313f5bc806c82863eb0d690867

SHA256
80c4bed022dd7b6320ae03aa0163c2f2c4712755f008d6f83273b1bad0fb191e

SHA512
5c20b146df6e8f9ac2bdcbd197fa2f40837a86059cc29e2624554f25340bdadc23f9a1918e58f330cd67dc8052b53d6559f90641ae64bc8f5e906a5c5521c117

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js

Filesize
10KB

MD5
beb01b03fbf29769e45a8eabaf921597

SHA1
a9bc24ce15eff3214f23f6dcdc2881607b3595f8

SHA256
76b7c8fb307a12343d6a5358d0796125068f73bcc419d9ccfc4e8bf24a92ef58

SHA512
a565c9ab01b828f1b02f4e79fc956a856015dc2e84ef2a9994d6405efe69eb69224dfada6a5d997a939bdeb397f04a33bc8d663de2018bc2c2569852bace0074

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js

Filesize
6KB

MD5
3c51d813a6dbbf8abceaac6786c36bd0

SHA1
3e2fa06e6bd9825e56c5d9ab458d06d5842112b1

SHA256
8b19a29e3fc7f1eeb73a19f115b5e272bfc1c266c2e6faf066b3141a2fe22bb5

SHA512
b85caf67dc84ed635f8199f791ee84ec9f29b47abe50a0c9b6fd1bc5ec0231dc6275e4ea2b90184eec9dcb9a800896e45286927e6e64248e97342dc4233d0320

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations.png

Filesize
10KB

MD5
3569b0297b27bb3ccfff2cb0c3bb09ea

SHA1
411903f1eb83b23e141da6d5b67d89e90de13997

SHA256
3531a994ef247d0695433d942fc7dcdbf38442a7b55c63508cd2581b1a6fdf1e

SHA512
42a9f860a580e263627cae7358f11e70443ef8c071626171a31fd32d4f80d615b53186c5435948467031b49a2ef75221dcc12e88e582ec4dc24ecb384817fa7e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
175KB

MD5
5807a907cf0fbe2cf04c130b8ce6e900

SHA1
c56927341256b477ede6bfaf6991f0f643792154

SHA256
fd26307894311a170570f540482f1aa042bfe5ed4ec7f1a70debca7783190da4

SHA512
57a3fe316580b1b5cb8080f8e45905bdb59cd11ff575841f85717067284ceb31e730b9a0b635ed9b01a3acdc9a75b38948e69c3bb66070291fd45538b3a53b67

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js

Filesize
378KB

MD5
652e8b217dd155625e9ed18fb2d73abc

SHA1
532cb367fde0252d8830827dba3ec4edfef72a7d

SHA256
f32b1c018f9d17ff2e71c1a31ff5d6172cbe4f8582dcd6ea0802dfe0809aebbf

SHA512
69a8b66d1640963a64e9bf47f6ddc4472610f451951e4b756cf4507fe5d18ee8738bc8744c261373884b41c4b08acb31dd61f5d2f5be5e7392f6816156a49105

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js

Filesize
387KB

MD5
f47a7b68ddbc7b2bb7d1a5b0da615da9

SHA1
78811512b87a50168bc7dc942445829ccb2b34b1

SHA256
ec3d18f06307e81ce11bb9d5b880da7a25a0675a0dc8623ed6fd300a29032cb0

SHA512
50b50376b528283a14310adb6e2a15b82036f17443ff11169e8d7aa499337f23e678dbaf3af7589e777b2903699edccd9ffd827795e235f50662512bf025a60b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
51f5daf5c17a2062183f60e8e554d993

SHA1
df5114fad7a2757b87ba00a401e7c434fe480727

SHA256
8e5c4d11ea6defce6053968cf16add26b5faa1cd01b34fbe871e0133f2e6fc53

SHA512
cb3bbad21a2b4d93829835b469dddff4e72ea3a79766b0f8853270640c38f41e41bb1c19241e7ca301951a0be9bd2a92673b15da2736ee41afdc95fa0067cb6d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
82d32167da56a629cc92070d0f24a4c1

SHA1
ec0d88ea6e99dde262a62ae2860262ee52fdba24

SHA256
5d39a578ef1abcc25c49b308d155e0eb21f579c7783c7be1c83640cfef4e14e2

SHA512
795e6a1943e46f94bc5287f573cc5f28765f711566c6be3c39f927060c4500f08beeb08af69221ef123c090c676e42cfea71b16e99dbf166fdd3337b4fab02f0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png

Filesize
9KB

MD5
3e90016e41d796ccbaa09c1a37528111

SHA1
49829428bb483d004d5b185556de42b4c0132c2d

SHA256
4994da169c012a0863b0e3cb76bd0879997cce0f66d4f45ab01858b5932b26c8

SHA512
2064a67e2a1bae03b86b94cdd88db3f8c9dd9e02e0646d0df0c16909680bb2cff681eabd457849ad0a2856bbe7c46c07ffb9a245839b3b049e9a3fad54ff5982

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_ie8.gif

Filesize
9KB

MD5
1afd0f641baad012893ac68a3f268f38

SHA1
1c0bd7f8a9183a8cdd25fb2bf4c2c1f4f44b899e

SHA256
6b017eeb458d2d54ec527e6c459eb8734efbf714faabb7233d2ca46ec0e5e792

SHA512
7c4522709f71c1a2a72bfe7a99a7d40dca7b3585fda9a2798ac4fb18c9d35bc8ffc8acd47401282f0f356de47f677884d5f749d3ab1746e0f538a7af3260c72d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js

Filesize
7KB

MD5
9dca9e7767c8c4b468d6a7d7605f42f6

SHA1
903be8b7d9f139f95a160fce9c0935debf19d80b

SHA256
299f177077024c0ab65388c7f86ad382544f7dcd38a74bbba7cce4327ead65fd

SHA512
1a2df7919a4d79088e354b70f4ec69208c25786950727bbb327ac257f65d77b9ab0957d841aa743275c2a2d56d4f30edbbec7e348cfe91614db19ce580c565b9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf

Filesize
381KB

MD5
33a467bab8327a06c55eded64aa1d369

SHA1
864dcfd6e138d54ac8ed2fe26688bf6c4dc798de

SHA256
f91546ee4b54fd88b9830e70ab4837b488ebb0bd119e88a230ce02595a8ad8dc

SHA512
4fed546985051458280281d7fd4be4cc817e27058751bbe979438ac19eacf270a4914428dfcc65cf7c1b409d20241cd1b3d3942120572513afcf65870b244869

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
00cfd00e6bb901d3f3e66fd672f675e3

SHA1
ba98d8f6d453bd6b41bf19aa225b266d2f6cfc58

SHA256
6011edffe864b0150832a03e8f335f79810803e3a5bf8d58a17651b37672c954

SHA512
b393bd9c2eb8d92dabd13b5afcc71171448a86b28ad0f310759cc5b02f034600316bcb15974a5af19420c253b6ac615ebc646767124bc9c5412f475c60ed4334

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\ui-strings.js

Filesize
14KB

MD5
d2281deb02455ba39ecdce459b386e60

SHA1
215fccc84464fe3c4726db7bb55c1b3c26de7929

SHA256
6e3beb99da47e0a15b3bb6ae2308b18e42fab961189a9ae6c3da9e5ea6c582aa

SHA512
d814be332ded097b2249a85d39d1a934ee39c89636e516e1ccab2a39ec89812ba7baa4b13f0c4b2dc699f2bea15e13aac7ca58813c69f58faefb84e897446f77

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
b5672ce69cb0357bba253c35a96a8235

SHA1
73035216e61525962adadda00ed025a57fa8082d

SHA256
62dc88385f3328bcf6c04565c8e8f107ea0500852c0fceeec12443921295f572

SHA512
073eafc26f393a5e7100b34a81b2555bc106ddafc8b649cb03d338af29dfefa94618943d846907cb39c2a4d2363d3835ebfe6e2d0b2d56033c9a46f72b6644bd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
9df09920823e670457d38fa48e95af8a

SHA1
0380cc05bb330b4f3dd7ef6e19a56054f5fc0861

SHA256
bf6a00dc722d965c974921d0d61ce5b4dbfda76fa6e69991d39d248d094fb116

SHA512
85d9085c123270a4b82232e4f8252a0554aeadb8ab7259bfcdf38f986c3e0dd74168a37c4fba69b87e02f5bea4788335dbf8650effcb6b1a394bb620ee3dad87

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png

Filesize
8KB

MD5
9af64b2458bbe0645879084bef498f9e

SHA1
bebb448c835d141faef0451d149bde18c929b65d

SHA256
603c3c497e82709010fa7aad53bba73825f3689323e7ec05604e004ac5ab0322

SHA512
0fedae53a9d149a8b5536d874d0c43c96c2c13cd8e93ac0364504b8f80d4d9771f7dfe8df648e9a3024f355f576436dc6789dfdc56f02ba744f9a93527baaa73

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
9KB

MD5
7c32a7794e713ccbc077769257f50ba6

SHA1
a1e0d37a8a76f0bdec1bdfcfa276d6f0e09b7e88

SHA256
28973e6579e3fe17fc6babdfdc6ae7378a0c2ce2772af3bedba1b166103e8482

SHA512
4e7edcaf404ff2b5341396574323ddd7c897c88046e3fe1ec7f6c539d5b912672db2c2f4e6dbc59841aeed814bc20a4a8a89587f2e607b41cd6f5fc45d54dc9a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
982d9662e9212e3dac2fc33032ca2286

SHA1
1f71677817afcdddf373fdc54823676a48fd9fdd

SHA256
f6845d893d5bb8c32bc4ed8f333d98cbf7e58559d043280160784648e5a5c54b

SHA512
e464eb00bb8afac4bc4c726ff36bedab477f3ec80514165644c0f4776b1995ec3b879c0aab7282842bb1dcfaf3ed9be980006dca0da62562ae94c55fb0999f64

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
9e98a295f642b057aaa31aff587cec9f

SHA1
c32895871ace65d84bff4be989e6107a04419340

SHA256
70cfd20c391a3e206583dc76eae24d4e6e169dccf1d8df76969975ea1dfae7f1

SHA512
62dc5760693f0477c0b04d64f7a66163afa6fd4f7e1b4155cbca6d8588dd8d180b74a1af87af8a16ce1e86644a74f16015b141369b486ca1162db24485976eac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js.29C-FBA-4F0

Filesize
17KB

MD5
4db8587e3ef8159288a8d09602ffafdf

SHA1
c3ac42396fc996a22611f41ffe1fe57c6b07e7f3

SHA256
68b24a2954b874e945b593466d6c5c625fbd7c376904ed5773bb5dcfe497c446

SHA512
dad88f5c96477cf5ddce4057e6dde1724666abfe06eae467ebe5327936e6b6556c8a6245848b921a9e3516f1f48a440f1638f7b9ac3ddd3a29f978ba6a8fdec1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
dd295160e733db245806aa05ec8019d0

SHA1
03d6c8aad95e0ca4d90461e5c595c5be836beb7d

SHA256
d0e46675c25265d655d2b5db87c07d32767c0d60d87a4354da252ea46f92b57d

SHA512
832b268b2b879b453618b96e4ea66396e1c452c3d63d8f22e8b069e2e81f69586472ebc55b888f5a1f1e93692a14e3424d07cf87edd5c3d6d99e8057836d54c1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js

Filesize
19KB

MD5
7ca6d6217d432357c0b7c1adbad90cf3

SHA1
6fb696e41214741a3dea189c15997c15c837d26e

SHA256
e1633583df3dd334b662ffc7bf2d47a295a7431d1d624a4a3f4ad4be3a529722

SHA512
477d7510e6ae13f6655130f0caf8e222dc511f970002fc4272d8da1a9487967e83770c93927bf7b038584c53bd13c58cdd9db6de7e5996598c6a1a617f40b668

Download Submit
C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar

Filesize
9KB

MD5
d2d92ffabfe108d8cc21e3ff48488496

SHA1
9483e328dd24e1058519d0fe3d03a0229df8789b

SHA256
010b6e197afeeec461aa933176704464ea61968557aaef5c77f4281051ded9e6

SHA512
d5b1af740bea8ef21decc1dafa209c44ab1f6e4e3d6f22f50f30bbec9b6b80dbda985bbd7dd8c4e9bdb227a2c29954acc78f8c9fdc8c00cdeb4b8c81f1ca347f

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
08aef66bbe4728be9bcbfc0de2b25945

SHA1
72ea9a25e90e10bd498a32a53ac38916174b551d

SHA256
0f9dd6c4381d8b0192a8463cf45fed6f7dad1ac863aead278ee01ea67fc65138

SHA512
22be3ad0cf59e19530e1414a2052fbb31dce596132d4981a1c2d6f79bc26546bbc58d2589bb94dc1a454597bdccb554e21a13135748c6a20c78932e322995483

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL

Filesize
265KB

MD5
b9cdf94da59b718f88adedf60e147ee3

SHA1
e1119d58973e7236466f7e3a994b02f750c0a91d

SHA256
7e8fe1ff0246f124da297ce97081deeeab78042ddd5d693bc769e047d9599e22

SHA512
0f3755ed572113cd47b440737099705d77d61be177c94f6f7c7595948ec167ba52baa07be72139beb2b534ab7fda409c7a8467c37d49d3d1ede5a6ad791a7ce6

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
5f79695575a9f66c5a59387f07b3e563

SHA1
a156423bd99adc52913329a0a10883b9d8d42427

SHA256
1e0db9a5581c67c5f44efa099f08e30b30af1f5263215fb44b020d8bbae54fb7

SHA512
d3e8b13f49d26bec227877214a5a5bb59793d4786b12d6e90044650df481718a44e9d3ca46788b58781b7b61b0cf63147a60cc66e7b183adabf9d1be4b3b2a05

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
11330bbb4371b61bb0057ec59caed7d5

SHA1
8cf9750a583244f3cc70083ef37f2c9cb8b248ed

SHA256
aa71ecf472cb7fe1afa66866f16c434f090e16b748a1721dffda96154f98680f

SHA512
094ea17829a4988c2ce97f76c459a3416979c573f5c5b87290f42c091d28739f237f8b6057384fdd865e28cbda76c7778243455e3d790e773a72f4533e4c653f

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
60ba61ffe3695cc5b0b507fca40cde23

SHA1
70769a0a938a6337cabbea16c08dd0a6efe75748

SHA256
57f1fe81451b110f55118954e79a0a4915e9144e85b9c96d231ce558389f8197

SHA512
9ff7e871e5b92bc92d8bc9a0332b8af3e961665ec0f797ddb973769172259a407b01244b4d2d58294a30611fe2ccc214d3249847351eb6775b05ba63407dd9e7

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
36716dd49af2379fae9490a46d6dcf19

SHA1
e1ee0be59bfd3d7327e3d46a9bcc33716781fa89

SHA256
a360360428df4cb536bcb2332a30dbc3c7f6f10acb661980a42d48237e4bb7df

SHA512
d2bfdfe0bb7a20a7b1ed86a6df73aba392043a791d804cade5152d7c9d718f9166bc23bd65bf66f74ab91cd53c3d99320474505a611521f5c298b0f8e4e6f66e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
c7b2dd3c83455ab55affe3e7ce7cb8b6

SHA1
cc7a259d0afc7750e23e4ca6b7f74b12d546096c

SHA256
0e9b635ced007c33cf69393b7b2fff74f83f098259e64531eaa7469db8b0890d

SHA512
4225b24b237591d6535dbd1f6f68283f65be955f0cccc459d50629a2da557b1159f62981d754107c11140b49748cad1940692a856445524fd503827c4fee3423

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo

Filesize
1.1MB

MD5
a11759e6fb843c8c7b187d510e9ba234

SHA1
38d0ee23fd22c09d35cbd1d4566ed3f12b443bd8

SHA256
d1474a44efde4b94e57ccd3e75efeabc1dfd945697d19d6bc08d9a45d5263b5b

SHA512
a25d7040d1089a4fdefdc07aebca1062cd9d52f3d87ac93cd0458eec705a3a33abec95a958c1bb0962bca359d57de69d3fe43e96b50d7813795ad5bbe2886ceb

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
14a03caf8868ad5dfe810dc735e9aa74

SHA1
499d96aa27133ca8c0c8fe8d0b7677a47179bb3e

SHA256
833714ef7fcf7a21a9ad877f9d976ec7785ddbb71cbef0e5bf10eef289bd77aa

SHA512
11fa9a7ef6215deae44b4c1af526e544c46041f49bc43366ff8f2827e7a2736da874dfd7500a9df0a5dcbb54fc2fbaf4c36089f550486a9ba38c8717038630d9

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
773KB

MD5
cdc770c128c7cfa84426b266c9f6c188

SHA1
e4e89c49a10159957f007b8a58e8a189519e2f6c

SHA256
9e317a333cec13f6bb480a83a6ea38088d4f7a79169919a0d4453d051f28b1f9

SHA512
91be1297f5bae1ed88934a97ae2c42efb8a87910b16f950de0cb371a3eaff179e1849092b64a0bb8645dee21da25dfd1a866bb289c7afe1eb8465c113f165ff0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo

Filesize
780KB

MD5
9e256e6e312aa9abbeda4e45db28e34b

SHA1
5b6e35135adb437fe4fcf552fe10e3231cfb92ff

SHA256
c8ad61b20cf9f71eec995fc1308b4f9dc216d6edcc8c9c98cae708b0cb1e2cf8

SHA512
9eb4ba31c573c32e918ed428905542bcb6e627bc54d069c198a9561ec01100012fa80479abb2d8b862108ebf87c37a7151601065221d84f6db418a4f0f419eab

Download Submit
C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
946B

MD5
159c7e526d9df863e32b644f3a19b6bd

SHA1
2c9adc415f7ffcbd6274a7b605ed7447ce349ecd

SHA256
183fc38be0c82d298ecfd1728155b382b393550d75391cece36a5d4ad8a3438c

SHA512
b17b1f93fd358a049c75641ea390ff632ff14690e6612bae3cabb905155372c74486de1e13f4fc22e79858b56be6dad1694daceabfbc7cc0a0db90c365a94711

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
793f91b724d85cfbee31286611d24276

SHA1
7ea041859f49b0ddbe169ba8cfae7a012566e901

SHA256
1670d1c6d9364e85bbcc0fed25ee15d08f776ff0cda2faa922d2332bbdefe8e2

SHA512
1a2a569ea31e129b74d72c88a82c4fababbaf1594035587be2c4605635cbe5b208ee8cc5320ff14b9381861be6eba06423c928bc097c9fd7ef6278bb9b4feec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
472B

MD5
28441017ed2172f154d6a0eb6ee6cd87

SHA1
b2a96dc105d2603b76c8a06da371fe207f44ada7

SHA256
0eb597a1106d9f406c3a235763137119b0c2ecbf4c5ed4776b38742f85cddcb0

SHA512
69f5ad19f1104a9d2918ba113e49bd27f9047a9c5a9300a06dcfbeb76e6cc5161cf53225816d6df1b4b3b680e86e9eb0ad1791189dfd0f1a351250924b6d3923

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
a26045c60badc3ea12344117b7bc4403

SHA1
e042d0cb3844ca44869d5e01a2e427144b458556

SHA256
69872c2a3c0bdca24598431943ea06f46d2a28bee615698ae09ba335b1cfa925

SHA512
7b0e7562480066d929e4dce2201ced8be9e7d309d28ada04d7779a9ab232ee4bf5a8ba89317865eb382250f8f529c0c0b95d8eb80cff800e595280f2f395d7bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
dc9fe30b66f678ac85f366b670172582

SHA1
f574ff176254d82d4f0ee0da303dc862cbad0d94

SHA256
b668044555984b4a31b2d32436bafc6f1cbcaff979624e6c435417322d61a797

SHA512
b47e9c3d681db3ef6e5827faf158c995abe5026ec7a1dddc84f949d56058c36bbd7ee74b0efc5786efe1ed995539590f46b7dd4fd874491c04ea167036a239d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
488B

MD5
3f809650bea8654069c0154be1404834

SHA1
bf7b76bbef3f8bd1b40fe74d26d775f42b062066

SHA256
839f47140177b9cc47d3b65f6e498f8a4561fc8f80163eb1df75aa46a7bb50e7

SHA512
af1a50e10f193c6c26e735b9343173a6f7f26a58a21dadaff6ce38ff03b0607f677f88d7b4d7059f411550e35bd1028e3ac496f1c92da0084212c1dcca078182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
e816a5fca44dd9ecf0ccfe55742daf14

SHA1
615f7e337a3bfb400cb57f63f0d5714d12d01b8b

SHA256
9c9098345f181e53993857a9fef65db647186c2c11586211844cd220bb43749f

SHA512
e5933e1a23918b510ab30685b85260c5d743750bc5ed04d490ce4a5309e46d5d61108e7cfab5077f76773da9effd8c2ee5a3870080df85993605aeb54d22ea78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\0ZFB8R5E.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKWDYRX8\SYOD6Z14.htm

Filesize
18KB

MD5
46e7f28a55cdab07533424725a04b9e5

SHA1
48a915fe8958b0882f364b1e0ceb37e7b7948319

SHA256
e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b

SHA512
717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
406B

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe

Filesize
212KB

MD5
3ac926d3bca5450ce48d10c253700ae4

SHA1
0a918e434b1f8e125fb23a71c7317e6b16f3df23

SHA256
b0fa28ac0f0657906df6312a22baf99111cbf27afeaab98c92eeba4b07fddeaa

SHA512
ef62bc011a2fdff15b466f798bcbe5c4308e925fb1240d7621f65ede89432a329e00c80a917cc5be401b7029a2c5a497a9bc09436c3f1c05259a2e3479c581c5

Download Submit
C:\Users\Admin\Desktop\ApproveSelect.m4a.29C-FBA-4F0

Filesize
508KB

MD5
57cb917210cefa6922d1d35515f168b0

SHA1
83e53338a808f6145ca1d816ccca94c7ab4af55b

SHA256
a27c3fc8c5e053dafb2b6e8f9e111d66cc9c558f1c550958102007f58196fd31

SHA512
c36f841aef160960fcf582f253c2321b2d68796a901e758bc79dc5a04f48345a12480dd138b8cb173445aebb4d3c973d93f1b702c43a03a3b04449a3791996db

Download Submit
C:\Users\Admin\Desktop\BlockCompare.bmp.29C-FBA-4F0

Filesize
363KB

MD5
84d441c7c5f58ee2da912a23963e4d74

SHA1
c5cd11887c236732b83c69a48677c7840a6fa54d

SHA256
14a1f7402dce475a0533ce2631cbb587126ff133754ffa918f6bf945a746cf3e

SHA512
3721baaa10ad20cfacd5f40adccea456cb103a0cef6210125609e0522b09cc1b12cd53386ddc59e689e9269f462a5ac82fb9834fc9cba128beb5168e20afbdb2

Download Submit
C:\Users\Admin\Desktop\CheckpointUpdate.odt.29C-FBA-4F0

Filesize
839KB

MD5
3e4b735fc5ff4c660d04cd54e602260f

SHA1
087a348371ce7289567731d48953b567ac999275

SHA256
1cdee48c551e624624f8c328fa3f952605bc9dfc209e93a0db5899e66b0390db

SHA512
57c2ee30d9a0390c34db4425d8f02ac52d585a4e3477e7e7327c7bea165b383f90d07fd6cb09f0e592de1031de8a149e8a213f7aece5e57b7484dc6e4ca4e7c8

Download Submit
C:\Users\Admin\Desktop\CompareRedo.ico.29C-FBA-4F0

Filesize
550KB

MD5
093790b4215dbf5e819eaac4d2ed10c0

SHA1
d365bc2b3e75e50251119d23f47d26e080af03c9

SHA256
1f8ccb1af073b11745ec18d0c7a068ab841bd5d23fbd48c26b445ee6da56b613

SHA512
9b3254ab65f7f6a473696afc58b85de5fff08aee630e30960a0f5f6eb04286e8eaace0bcbb25a810145a92dc1740894cfc089ad25fa478285d80854453efc24a

Download Submit
C:\Users\Admin\Desktop\ConfirmExport.odp.29C-FBA-4F0

Filesize
529KB

MD5
9d84dcc3faffbe3df66e6955ecb9cbc1

SHA1
49b566587815b15dad271257782c83dd074016f6

SHA256
0838407d13608952725d7797984de636328e0cf76c47e9f509c4a66e125d6eb8

SHA512
697ed399fabbb57e73323a51fad8cc142f2cf5f0d9f61d0d49682ceac27a74a810dcbcf296dbd882626b98aa1a83e062170238065b41196bd79f972e3d53e025

Download Submit
C:\Users\Admin\Desktop\ConfirmRevoke.txt.29C-FBA-4F0

Filesize
343KB

MD5
48e0e2533b7a0bf0302b884be0d12a6d

SHA1
9ec5229f3c5b4a621ec7a1887117e5f230998946

SHA256
9ade73b64270d4d5cfd6b1200173b3064c5172a273d29b7f7219aa04e46480a4

SHA512
db27d57733d7839d4a3f5e853c3d38071c91e8d410406f1325ce9ed131beafd0c5d704325ea25b4be205dfc8ee2f9783f455f1d883b2da60ae11a973b69604b8

Download Submit
C:\Users\Admin\Desktop\DisableDisconnect.xlt.29C-FBA-4F0

Filesize
819KB

MD5
e818f150294110a3b6d6e9e3334e6f51

SHA1
cea8e51c89c9a46791fda212d87141c5f04ed441

SHA256
4f0468988289708563c4484ee4e8075266cdb99e7695841de33388c37e43fde0

SHA512
b72f2992da323d1de075d940ae18f9a342b74f64b28be954c574cc15a78f0203e97493e7595705a958664f42a92b76ff592416d3d6cbf8cd45221f7b28c6013f

Download Submit
C:\Users\Admin\Desktop\DisableMount.potm.29C-FBA-4F0

Filesize
322KB

MD5
9c912e445d5d4c63aad5b6900b8aef58

SHA1
625dda9bb9afe2febde6fe929de3f39446a270a8

SHA256
c260565821a069f084d94bba012bcf5cd26daeef106301ab249ee13ab3feda3b

SHA512
19be8c957ed0936672a70122681862722183cda33797ee31f0abe57477727b35e671d5bcff04ae21b7da8c1fb6f5be208effb76c0a9c7b59eb108045b5035bbf

Download Submit
C:\Users\Admin\Desktop\ExitRemove.jpeg.29C-FBA-4F0

Filesize
757KB

MD5
441846371c67854efa92b435a6bbe987

SHA1
d3d648a68ec7e91541aaeeab4d36c7d8d6358c03

SHA256
6e88213bc2b5b7c7c4215e72581b013ed7316f8b7eb3dc61913c4b48f3853617

SHA512
f9005ca29811c2f6093dc45e9e7510f6dc10db4a3ca98ba358c729478e70637c833c5ea5009d2cb42079d7ca630f0a140ae1ea70649185543cb1ef3e6fbd82cb

Download Submit
C:\Users\Admin\Desktop\ExpandEdit.eps.29C-FBA-4F0

Filesize
632KB

MD5
5d49c475bf889f461b567524cbced93a

SHA1
46a28df3ce9c671e36e1a48e2bd12e1b6aa85c10

SHA256
2f868b6acedcf2bcd180dffff8a6e54333bfe9212992bb0a5e69150660b19afc

SHA512
2c0b29f18596d26f2a640307262f815923bd87e108cd9b573c6cfb96ce656cca06aae4b7a21db54278c2562c2d6e651450fe08c5f76f0a5d4f6d487f0750a6d4

Download Submit
C:\Users\Admin\Desktop\InvokeRepair.vsdm.29C-FBA-4F0

Filesize
798KB

MD5
02d083e41859e035a91b183a3d90b786

SHA1
d5d86899e3f8471278092ebfee2958e5a9eb8965

SHA256
40adaae5ea6c1111b52034ec0e7f6f6f5322e2f034fde73fc90fc4a77e464168

SHA512
4e4bf5bc2de36d1fd5c6cc2f0863646f99bfd7e26543263c68e85a7edc6ee1f86aa44df098c25a4135f003b231c96121913d47aa483006e63b095c2ada0b2717

Download Submit
C:\Users\Admin\Desktop\LimitSet.mhtml.29C-FBA-4F0

Filesize
425KB

MD5
ff6daab3ff43e1d15894102b639ccf10

SHA1
52a329a373b1d74400b113ed058f04ea5e3a0469

SHA256
69792bdf8c9d76f22c9842cc4b304a5ca00204ca080839775d334cfa9309f528

SHA512
15676e0f6902c295aa9b723e033072f646608d43d519bfdea1e0991dbc1db77300e5e0c8b4bdbc07536746fd9cbdaee316737e9f39a87f244241e32c1b9be156

Download Submit
C:\Users\Admin\Desktop\MergeClear.3gp2.29C-FBA-4F0

Filesize
570KB

MD5
f7832d9d28c4c3ce5c3137dcd423a02c

SHA1
89d7ddfc8c721dfdc6aa620fc758243c56e732ee

SHA256
add0ed273db5e66bd775bc8a1d689d039d5d22fd5651816de14069ee37355b09

SHA512
055f831132998fdfa9e57743584119f04ca392df0f3b61ce58002d9399a6c6c818960549c5b98608ab06cc8949cc63786ff344a3e548c83a731f3dbbbd7bb5cc

Download Submit
C:\Users\Admin\Desktop\MoveFind.001.29C-FBA-4F0

Filesize
860KB

MD5
ed7131f8d4cbdb61a023dece800195ec

SHA1
e253b2d9d37b041c80c072b96258ec1ff6b91fcb

SHA256
3c919017c64c77794ad6b64ada2cde2041dee45ba8fa3b3c4557e137633f392a

SHA512
0b3db99a35396aa1e4948ffa5f7ac8644b4341a69683d73bf312a767be313cdfe48a9ceff50b03b860a221d5c2aad7ee8ee8540e11e044695d8e04f1a9ce3911

Download Submit
C:\Users\Admin\Desktop\NewDismount.xlt.29C-FBA-4F0

Filesize
591KB

MD5
ecefba29a980a2f7a01f2c544ccd7c6f

SHA1
37f45e268abd3d6b93051c359fbd7d286f516f66

SHA256
cdfa6ab3d50c77b9c6ea90ef3a2062c481035df3452418bacccadc5ac303614e

SHA512
f39cfbcc46b643960ef372152dc7c191b857c6c5500ee6675b81f8d85f36b5bb4e7a4606a46b1393ec1bba13b58fc465520fae9adc085ffee1b7f7dc159185fc

Download Submit
C:\Users\Admin\Desktop\PopConnect.MTS.29C-FBA-4F0

Filesize
653KB

MD5
7cd80fa66055a2a00707688651a2f554

SHA1
7b60026332097bf6c9e7dd14ee1488123fb25b92

SHA256
548914747250325060bc95186c8746d05a009f5f0b8e554054f6aa8a7e9a141f

SHA512
df4db68ac277017872c84934d52d53714f469f73aef657bd9a20e6b9f0ec7ab1dabefc90b64a4f44b0d69235f8ac229659434d8d0e4d790bf32825978d0139ad

Download Submit
C:\Users\Admin\Desktop\PublishConvertTo.AAC.29C-FBA-4F0

Filesize
695KB

MD5
fd8aa99a54202037edf6b277898575bc

SHA1
97a0907e53a07c97b3aeba4e2f47ec51c7199fc1

SHA256
ca9624c0c884717588524906d066c2cc71d4534fe0b3b3cb32e5937c43ccc7cf

SHA512
5e1e0e487630a2c363678daed26b9e22c916e45ec1c3322e5b73930bd9a674106cb048b923886db33beed116a612f9e2e95659a478b20d5458b081dfc91ebf59

Download Submit
C:\Users\Admin\Desktop\ReadSubmit.svg.29C-FBA-4F0

Filesize
736KB

MD5
33decd03c6564dd81211e61d330dbfcb

SHA1
cf2dd1b9a8c41df7505aa30120b62ff4f61c7650

SHA256
e6719ddc6b29021ae56b81e385f067b609480564f38c3445e431a133b148721d

SHA512
7562ed4b33520455fb276174f1879953350628a11c61f31d487460f518c69a29c2f5f76fe7bf6ef831c08aff1d365b936c219fb563aab859e424496a9f14efe0

Download Submit
C:\Users\Admin\Desktop\RedoRestart.avi.29C-FBA-4F0

Filesize
384KB

MD5
9425d72b2a1756d4c227c6685fd431c9

SHA1
f48eb6f95f34fad1beb2afc288caf588bbfbfcc2

SHA256
26dbe8b1267415afdb5ae0fe8f99127e8b216c919caacf6db7ff52d069fcc43e

SHA512
9ee274f8551179053a3ae57eaea34e83af3ec73e713d5f07b22fe2707c8f6a2f2c8aa0797e5c0b29439f4787e07098915e9ef8e32c1afa847c551978f595fc7d

Download Submit
C:\Users\Admin\Desktop\ResolveResize.html.29C-FBA-4F0

Filesize
777KB

MD5
70a0e1a39dd0f3a051e6b71f7407193a

SHA1
a531b11678a4e168b6f50a507e4a8a9f29444ada

SHA256
4cbef4fe0af3cc56bb96e71cb05cf04a8f9f7310929b579a2e4225aac58c5695

SHA512
6d28e0a99f7361db3d70ab9dd009e5e52d40ac1a60b3bb1e36faba8762a09e8531e337ef117948402e5bb2e966d0012e4c12857dcef219a9175e0d56f1b58f35

Download Submit
C:\Users\Admin\Desktop\SelectSwitch.asf.29C-FBA-4F0

Filesize
446KB

MD5
a8d027a1f082641c7302deec110b0655

SHA1
7f544acdc3c1fa47ebd9c4f42d61c88d00f733a5

SHA256
afbcfd5566bf5187298c5f9d2b414d446d638db753c647ef263c23fb54a6d908

SHA512
b95ab13d514f46ee98ab547a07ebed7f4a9a7077218c58872559dbceadf3cf0de5b98c3bebd4874af0f8db0b17ab10354df847a5030b047fe62bc3e4f00d650f

Download Submit
C:\Users\Admin\Desktop\SendRequest.bmp.29C-FBA-4F0

Filesize
301KB

MD5
b4e8ea5766916ee4793052dee7d533cf

SHA1
2f08861ae1af764c8c9c200d88fbf2f462c5838e

SHA256
98332b02d317aa9d1ade8042281d570271214f0c8907f8fcb36597bac1e8a91a

SHA512
a4ae337b54e894f672bdcc3c75763be2aa4993abdda9c506ca9c2ad89cd11cb78f6fa56a7513d5a6065aac51cac457a2b75f29cfb95e88102d1d444223d179c6

Download Submit
C:\Users\Admin\Desktop\ShowWait.nfo.29C-FBA-4F0

Filesize
1.2MB

MD5
dce7709091c445003be7c68b9077d1a0

SHA1
13a3d696f70137be7161d2f06c8e907f6553eecc

SHA256
2463df103b858ea7a0ed85c8f33704a6e5bcda618ae524a0aa71f86b36d20d8e

SHA512
76b331d4c5b7c9765da6ea9f0777c45349f443eb4907475d6e2b21a06bc31317bc8c9e833bf534817f99e2f18e6bccba84e6f21a49313885afd53d2c4c576293

Download Submit
C:\Users\Admin\Desktop\SuspendRestart.dwfx.29C-FBA-4F0

Filesize
612KB

MD5
a56f4f92b2b00506c5af937220f14480

SHA1
a3386acc14ca6a37de6717d16ac5438642173f53

SHA256
835373bda409c32f9cba2aea757787e1449a7cbf5eba02de195e6470e9126ba2

SHA512
505732c5e65570559fd9d92f39bbbc74a273e7e10c64632f7c542c3c72ddf88aee46d5404090898fa57817b3908093f95a68ab83d8e6140d39d0a71f53c28a7c

Download Submit
C:\Users\Admin\Desktop\TraceSuspend.temp.29C-FBA-4F0

Filesize
405KB

MD5
9f1b5b25ef36908f06ce88109828f4c9

SHA1
058624d54574843166507b3dad9db7e957f020af

SHA256
e5e70fe22e61b8b0e6117e2872829031fb73a1f7122ea2bf4daf57e747791cef

SHA512
bcf423df1047711c67c62cf4870b79aa9ec37feb9abb5e761624869fc5977acb2a56d9a6a1169d58d1ee7bf570b5b44ec6b2fe11288c12c56f3f371ceac4455c

Download Submit
C:\Users\Admin\Desktop\UndoRemove.vsx.29C-FBA-4F0

Filesize
488KB

MD5
3c37f05cf33f28ff4236a6b29a0f7c9e

SHA1
955c5c1eb2b011d1edd11aaf59b5a6406c3b912d

SHA256
fd1e6953b41628f83e0bd2b8f79ec9bf3bd85475dd4fd09df851d44ac5243877

SHA512
b84a24946b16780e124d5c8c85336e0fe59129acf0a84e2c60692d76c3a2b852062db4edf5e309a03ec51d386b23ac3937aeaf1f3bd6524542841ab265aa8412

Download Submit
C:\Users\Admin\Desktop\UseWatch.M2V.29C-FBA-4F0

Filesize
715KB

MD5
85c3686f8619481987c4213d4703b614

SHA1
7f409e4df548f3279d52fdd52634db43b38fd18d

SHA256
ee43406bb033023d36db0238985b896e0aea348c83936762c03bb7d84586dc90

SHA512
a35ae21a1d0ea4f0e76a9c997ff79688aa717131c4e92ce9130365611d8a660303c427d0f4a8d02b6141f6f26b7fd765c338bbc450edf1c654ff8bf8d3694809

Download Submit
C:\Users\Admin\Desktop\WaitBackup.mpv2.29C-FBA-4F0

Filesize
674KB

MD5
9ef81cce21187e8aee4ac1d496625dc9

SHA1
1b2dca2749f384891ca0b83c99507340fb146798

SHA256
93f0b039969bde34c376978830f9cc70913f43e35529179b99bf58c6d1a61c06

SHA512
a333fb01aa7ee2b656655e0f2a3dca8b69d2ec3829f21b5e40bc3045071fd241a350357f0cedf5b342cf1f8c495c740798a4cda8a4141e99a3182e0a7e65ea63

Download Submit
C:\Users\Admin\Desktop\WaitFormat.odp.29C-FBA-4F0

Filesize
467KB

MD5
f6ea6ae46078c246c76545f6442f8681

SHA1
ef8b22ea266098510d5832cfc3c73cc0927bde5b

SHA256
bbfbeb558a5abee61b44ee576801165c461cdfbfaf5c262e58fb11c7254cf984

SHA512
0da435fefbd9c67026eda42315a3ffcb254a4efe73a8906c2419e291e3d24f533b5318976565bfb8bd7a1dc967fcf7f88089f6ef59fe31b81b44ab5531938668

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
f23a30e568eec0c52393f38062e9f2e3

SHA1
a038e865c63fe70416d79f402f40a33947c2bf74

SHA256
cdba51276161f578c1bed54768e488edc530e4a48fc7ff89c65c62aad133938b

SHA512
fa515e71f41d768affc4f26411b2b7187c5bd0a716b90230c740c9eaa949234171a902e2d754701028fa1c63eef34f92f953751b3c6dbd657f49adabe0b4a3af

Download Submit
memory/412-75-0x00000000000A0000-0x00000000001E0000-memory.dmp

Filesize
1.2MB

Download
memory/1776-26083-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2608-3894-0x00000000000A0000-0x00000000001E0000-memory.dmp

Filesize
1.2MB

Download
memory/2608-45-0x00000000000A0000-0x00000000001E0000-memory.dmp

Filesize
1.2MB

Download
memory/2608-11077-0x00000000000A0000-0x00000000001E0000-memory.dmp

Filesize
1.2MB

Download
memory/2608-26084-0x00000000000A0000-0x00000000001E0000-memory.dmp

Filesize
1.2MB

Download
memory/3032-23-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4740-20943-0x00000000000A0000-0x00000000001E0000-memory.dmp

Filesize
1.2MB

Download
memory/4740-26053-0x00000000000A0000-0x00000000001E0000-memory.dmp

Filesize
1.2MB

Download
memory/4740-14258-0x00000000000A0000-0x00000000001E0000-memory.dmp

Filesize
1.2MB

Download
memory/4740-7987-0x00000000000A0000-0x00000000001E0000-memory.dmp

Filesize
1.2MB

Download
memory/4780-35-0x0000000000580000-0x00000000006C0000-memory.dmp

Filesize
1.2MB

Download