buran | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
111s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: D50-447-D2B Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe	family_zeppelin
behavioral8/memory/676-33-0x0000000000700000-0x0000000000840000-memory.dmp	family_zeppelin
behavioral8/memory/448-43-0x0000000000FF0000-0x0000000001130000-memory.dmp	family_zeppelin
behavioral8/memory/4660-46-0x0000000000FF0000-0x0000000001130000-memory.dmp	family_zeppelin
behavioral8/memory/448-3807-0x0000000000FF0000-0x0000000001130000-memory.dmp	family_zeppelin
behavioral8/memory/1112-10139-0x0000000000FF0000-0x0000000001130000-memory.dmp	family_zeppelin
behavioral8/memory/1112-15167-0x0000000000FF0000-0x0000000001130000-memory.dmp	family_zeppelin
behavioral8/memory/1112-24917-0x0000000000FF0000-0x0000000001130000-memory.dmp	family_zeppelin
behavioral8/memory/1112-26156-0x0000000000FF0000-0x0000000001130000-memory.dmp	family_zeppelin
behavioral8/memory/448-26184-0x0000000000FF0000-0x0000000001130000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (6115) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

default.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation default.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

8 notepad.exe
Executes dropped EXE 3 IoCs

Processes:

smss.exesmss.exesmss.exe

pid process

448 smss.exe
4660 smss.exe
1112 smss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	default.exe

pid	process
8	notepad.exe

pid	process
448	smss.exe
4660	smss.exe
1112	smss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

default.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

smss.exe

description	ioc	process
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\H:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

39 iplogger.org
41 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 geoiptool.com

flow	ioc
39	iplogger.org
41	iplogger.org

flow	ioc
3	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

smss.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_MedTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-black_scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-200.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png.D50-447-D2B	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_uinline_warning.svg.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured.png.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\eml.scale-32.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\ui-strings.js.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\ui-strings.js.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\appstore.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\19.jpg	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.INF.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\82.jpg	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-64_altform-lightunplated.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailBadge.scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7dc.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_altform-unplated.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60.png	smss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xsl.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare150x150Logo.scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-125.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MarkAsReadToastQuickAction.scale-80.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\joni.md	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxT.D50-447-D2B	smss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-125.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_EyeLookingUp.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-default.svg.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-100.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100_contrast-black.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-24_altform-unplated_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-125_contrast-white.png	smss.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\jpeg_fx.md	smss.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\ui-strings.js.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-40.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\PREVIEW.GIF.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\BuiltinOnboardingCommands.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNG.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\styles\WefGalleryOnenote.css	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.D50-447-D2B	smss.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms	smss.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsLargeTile.scale-100.png	smss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

default.exesmss.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	676	default.exe
Token: SeDebugPrivilege	676	default.exe
Token: SeDebugPrivilege	448	smss.exe
Token: SeIncreaseQuotaPrivilege	1468	WMIC.exe
Token: SeSecurityPrivilege	1468	WMIC.exe
Token: SeTakeOwnershipPrivilege	1468	WMIC.exe
Token: SeLoadDriverPrivilege	1468	WMIC.exe
Token: SeSystemProfilePrivilege	1468	WMIC.exe
Token: SeSystemtimePrivilege	1468	WMIC.exe
Token: SeProfSingleProcessPrivilege	1468	WMIC.exe
Token: SeIncBasePriorityPrivilege	1468	WMIC.exe
Token: SeCreatePagefilePrivilege	1468	WMIC.exe
Token: SeBackupPrivilege	1468	WMIC.exe
Token: SeRestorePrivilege	1468	WMIC.exe
Token: SeShutdownPrivilege	1468	WMIC.exe
Token: SeDebugPrivilege	1468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1468	WMIC.exe
Token: SeRemoteShutdownPrivilege	1468	WMIC.exe
Token: SeUndockPrivilege	1468	WMIC.exe
Token: SeManageVolumePrivilege	1468	WMIC.exe
Token: 33	1468	WMIC.exe
Token: 34	1468	WMIC.exe
Token: 35	1468	WMIC.exe
Token: 36	1468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1468	WMIC.exe
Token: SeSecurityPrivilege	1468	WMIC.exe
Token: SeTakeOwnershipPrivilege	1468	WMIC.exe
Token: SeLoadDriverPrivilege	1468	WMIC.exe
Token: SeSystemProfilePrivilege	1468	WMIC.exe
Token: SeSystemtimePrivilege	1468	WMIC.exe
Token: SeProfSingleProcessPrivilege	1468	WMIC.exe
Token: SeIncBasePriorityPrivilege	1468	WMIC.exe
Token: SeCreatePagefilePrivilege	1468	WMIC.exe
Token: SeBackupPrivilege	1468	WMIC.exe
Token: SeRestorePrivilege	1468	WMIC.exe
Token: SeShutdownPrivilege	1468	WMIC.exe
Token: SeDebugPrivilege	1468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1468	WMIC.exe
Token: SeRemoteShutdownPrivilege	1468	WMIC.exe
Token: SeUndockPrivilege	1468	WMIC.exe
Token: SeManageVolumePrivilege	1468	WMIC.exe
Token: 33	1468	WMIC.exe
Token: 34	1468	WMIC.exe
Token: 35	1468	WMIC.exe
Token: 36	1468	WMIC.exe
Token: SeBackupPrivilege	4520	vssvc.exe
Token: SeRestorePrivilege	4520	vssvc.exe
Token: SeAuditPrivilege	4520	vssvc.exe
Token: SeDebugPrivilege	448	smss.exe
Token: SeDebugPrivilege	448	smss.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

default.exesmss.execmd.exe

description	pid	process	target process
PID 676 wrote to memory of 448	676	default.exe	smss.exe
PID 676 wrote to memory of 448	676	default.exe	smss.exe
PID 676 wrote to memory of 448	676	default.exe	smss.exe
PID 676 wrote to memory of 8	676	default.exe	notepad.exe
PID 676 wrote to memory of 8	676	default.exe	notepad.exe
PID 676 wrote to memory of 8	676	default.exe	notepad.exe
PID 676 wrote to memory of 8	676	default.exe	notepad.exe
PID 676 wrote to memory of 8	676	default.exe	notepad.exe
PID 676 wrote to memory of 8	676	default.exe	notepad.exe
PID 448 wrote to memory of 1112	448	smss.exe	smss.exe
PID 448 wrote to memory of 1112	448	smss.exe	smss.exe
PID 448 wrote to memory of 1112	448	smss.exe	smss.exe
PID 448 wrote to memory of 4660	448	smss.exe	smss.exe
PID 448 wrote to memory of 4660	448	smss.exe	smss.exe
PID 448 wrote to memory of 4660	448	smss.exe	smss.exe
PID 448 wrote to memory of 4420	448	smss.exe	cmd.exe
PID 448 wrote to memory of 4420	448	smss.exe	cmd.exe
PID 448 wrote to memory of 4420	448	smss.exe	cmd.exe
PID 448 wrote to memory of 4424	448	smss.exe	cmd.exe
PID 448 wrote to memory of 4424	448	smss.exe	cmd.exe
PID 448 wrote to memory of 4424	448	smss.exe	cmd.exe
PID 448 wrote to memory of 4552	448	smss.exe	cmd.exe
PID 448 wrote to memory of 4552	448	smss.exe	cmd.exe
PID 448 wrote to memory of 4552	448	smss.exe	cmd.exe
PID 448 wrote to memory of 5700	448	smss.exe	cmd.exe
PID 448 wrote to memory of 5700	448	smss.exe	cmd.exe
PID 448 wrote to memory of 5700	448	smss.exe	cmd.exe
PID 448 wrote to memory of 6132	448	smss.exe	cmd.exe
PID 448 wrote to memory of 6132	448	smss.exe	cmd.exe
PID 448 wrote to memory of 6132	448	smss.exe	cmd.exe
PID 448 wrote to memory of 5360	448	smss.exe	cmd.exe
PID 448 wrote to memory of 5360	448	smss.exe	cmd.exe
PID 448 wrote to memory of 5360	448	smss.exe	cmd.exe
PID 448 wrote to memory of 2976	448	smss.exe	cmd.exe
PID 448 wrote to memory of 2976	448	smss.exe	cmd.exe
PID 448 wrote to memory of 2976	448	smss.exe	cmd.exe
PID 2976 wrote to memory of 1468	2976	cmd.exe	WMIC.exe
PID 2976 wrote to memory of 1468	2976	cmd.exe	WMIC.exe
PID 2976 wrote to memory of 1468	2976	cmd.exe	WMIC.exe
PID 448 wrote to memory of 5720	448	smss.exe	cmd.exe
PID 448 wrote to memory of 5720	448	smss.exe	cmd.exe
PID 448 wrote to memory of 5720	448	smss.exe	cmd.exe
PID 448 wrote to memory of 3372	448	smss.exe	notepad.exe
PID 448 wrote to memory of 3372	448	smss.exe	notepad.exe
PID 448 wrote to memory of 3372	448	smss.exe	notepad.exe
PID 448 wrote to memory of 3372	448	smss.exe	notepad.exe
PID 448 wrote to memory of 3372	448	smss.exe	notepad.exe
PID 448 wrote to memory of 3372	448	smss.exe	notepad.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1112
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    PID:5700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    PID:5360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3372
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  PID:8

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png

Filesize
64KB

MD5
a2e5aed01c8b5768340bb2836a2a0f5e

SHA1
0f4f7a6a0b81f690f577b6840772a5f5a0bb2432

SHA256
a2ecd6f6cad02cff10646dc250b366df3c8f55f7296f321f3e5637bd5b2713d7

SHA512
4a1f8279510052885eb064d8b464a16ffeb22c58aeb87ff54258bbae7487506c11c7e72fcf9b0d71232df5236cf7159789c497847eaad35189e94feeeaefa45e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png

Filesize
52KB

MD5
639a939081ab4d0d84430a6f928bf5dc

SHA1
3dc69ffb967841f0f003f2ed862bff3a771a5490

SHA256
5c6dad5ee9b7fb21ceb72879660152d8cf98069e8c4a57477bd1fa2e2ef4e077

SHA512
3a05c1d97dfc6a5db98a09a271de02064931b6fe82217c37b703919f33c8ac8a0c5dcc23319b4246ad77c6db8efd8a81c901568c08548f1a32a135b1d1852962

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js

Filesize
29KB

MD5
fca1dc2fafd5676fb53bb780ad95c919

SHA1
ae1b8429dafb52582df2d3d159eb401fe159603d

SHA256
f27c580d9584804e9363dc219456cd928cccc32f9a33e1d00499810fac9a1cae

SHA512
b3b032602519fbe07008ed51a2910969e45f2d8872b74f53025935946bb1e9cec22151113772809465246094b2158b6a8fe6062634a98e9c92d22cb26ded25c0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js

Filesize
34KB

MD5
f26e861aa6c582ea51c53316ced83486

SHA1
ef96728b37d7699855f5bb80bd7246f7f60624f1

SHA256
d37e3ba2ac9af5eef954b6a2ac6b7b42971f61b3dd04808ae0a6473091f10180

SHA512
6dfab257f2441a2ced9351ac5da5b6f06f374c1986b794216d9780a9e3bc2cde56ae3d72a9a54e6bd928a99b13a0ccb39b37576c0c7a7e70a819344119995a96

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\ui-strings.js

Filesize
9KB

MD5
4ede8f14124808adc0a6b14c175205d3

SHA1
9d25283c7513876954c824a9b85e8e4ade3397ad

SHA256
0fdfbe00f5de138ab1f839e4825ff4a64eff234d9a1fe64cf596f1b5add55520

SHA512
98fc3db30ea1e5009b7ecffdfbd3911dbdd3d956eb25f06f633bd2f0071c2355b63e2671b56c20365b6a464f5e702489013d2ead1d75c1c6a1e19709a7a1efb5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\ui-strings.js

Filesize
5KB

MD5
d1e53377005911d9eee855456eac63b2

SHA1
07686bbbdd4f826ce9a98db5d4fbea4f8103fdd5

SHA256
6c9ebe2e20a45e5bb66dbd30e2d13b6534441aa8f67c04f503c7fb651305f403

SHA512
c948ef4bf5ee3f3469e909607b5ec46ef124fe9f0b829d8a1afa8a198a4376ad8c550df975968153af3f868498b2b2ef49bb5a1230b9d9f3d38a4d89cce46f76

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-selector.js

Filesize
175KB

MD5
760d337935c4d68bcb35289e019e9d39

SHA1
ab88daf5bd59302fa45db1bd6387ac75f0fb3a0e

SHA256
31e516fa3d1649b6e4424be3089d9d8d5ce0670241b306449d81ef905c99f213

SHA512
9467eaf8eb3f071362dcee27c912634c4e046131748a609a4a7e4eafb7631ed3b606c4d7c82a9dafda6d67ad0e1d671e2f553519196a623bb4be4924e1967895

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\exportpdf-tool-view.js

Filesize
395KB

MD5
c6449f3ef66df27c64646888a9b96a33

SHA1
44b3145aff827a2385062aa7c894f7c4c0c5977e

SHA256
b2098ce640f0f2e43e78155bcdcb7fd5f96499d4c6afcc1a0bdbb6b63e68e606

SHA512
4cb328bd224984be272a2408c9eb5f488d256a9892de273c6e04b0e76dd15015e0f1252b9aec4365eb981f43a561b13a51240a4005088e4fe3b32648a50d6628

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-tool-view.js

Filesize
387KB

MD5
63a988ccbe49534923b6076c4e18c218

SHA1
7386405ad0c2cb1cd4d2c063f049c80ada81ab49

SHA256
90e30c0d97442e7686845b73056cba51e2194a35e5aef74c8e8a7d97009c75b7

SHA512
7795ada7d8390972e51d43df3a13a7482f8e66c2c8d84f3f423ea0e90a11cdfc9178bafe2ab16f25f5846a932377d945eef59821a19fb26122d498cdc9367da7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\ui-strings.js

Filesize
10KB

MD5
34f4fc950429c936f62f39966375c5dc

SHA1
8e916fbe7ba03dad69f9b9de8ebbff0b246321ae

SHA256
3bd77fa8aa00c5ecfdae89c0450156919afd974f358eaa99916b0bec4e66c1da

SHA512
c6468897a409572121b3a4c12e61eec33b04426e809a6e64071e7c360ceea822320620c673f4332b8e97ff470dc6761b7e904049aaf53a4c403292df0ac1290c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js

Filesize
12KB

MD5
451f8646dfa130e2d4b686e879dba936

SHA1
80d5d598b6868e078ff64274f8cb91a32e5db52e

SHA256
f71fe0547c8a24cca3c5a6020e6321f6467130f0f6fd1ca0d261db6ee9f2cfac

SHA512
9bdbe2a01e091444c0f6f14cf36dfd633a844737b176de03519d685a6ac34478543da42165790789fc5071fc40276598d0f4168a9500f4345d4fb656cf9e1224

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\new_icons_retina.png

Filesize
18KB

MD5
7cc915e2cd61844afce4af981c4ada65

SHA1
2ef228fe9ac927aea2687531c7e3ad97ca252be4

SHA256
8fcb5ef7d71641d6097ab751a880edc24cfa8337508aa813367e39f6c0f0064f

SHA512
a0ff25b82f0ddb0b10a85239dd8cbe528c0a56b287d9a417f066be473fede528073bafa50d0f60f5abaab61de6c763e263d9ee7acaf2e7bb41f6d4aa6e97c765

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\illustrations.png

Filesize
10KB

MD5
17f1ba1bda10218e7e313de17fbb0e74

SHA1
b87d2bebfcb87c164e01d51dc760bb4d3265dc0b

SHA256
d5845b2554bc14018c1f4fe80febcc2d14bb06938f7055ade6afb4eb1d6d6713

SHA512
92fa16f93f394a01e2af8eb1296e2f2e3e9d1b31475462bfa4312e285339369c2a2043ae075ba40c6b78ba79c942c0ae3ebdaf91219188adfe5144381ef337e6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js

Filesize
6KB

MD5
69a82b0c2aa25e9e169bf5f76defbe84

SHA1
d8c2080e7dcbdee9f60df14aa102b5b6d6555936

SHA256
fbf19425233d738f58975be8577f9791e8a101878b3cfe7b9bff6a095bc42fe0

SHA512
de5c144e04878cf3844adc5243989cf6be6775b972f71dd7dee9dff01ea6b4e51648e693354ffee0c4b27b785ab28502c1ec148a20972efba6d79fede6a7ed34

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\selector.js

Filesize
48KB

MD5
25a545599d29d1c5218d9a14ddc1f3fa

SHA1
5f2bb849c4b162d7066fc84b6ba99088783e07ee

SHA256
0bf354b1d9a5c2610039913dea49595f450430ccea78cba45bedba70b439249c

SHA512
a1d29b170f4e4e434566d4faa155c4681a732eea1e3d626331d6affa9f9a170c67f0daa74f55e6ce6ea0c52001032e4aac4b27dbd25c094f77957fc237d33cd5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf

Filesize
56KB

MD5
62c59dff4b4be02aad7d763a6441cc42

SHA1
fcadb21971b879dd29c9015ddaaa8198045d9c02

SHA256
4f3ba0d03e627ed12d4ee7cebe9c06791af61488ed0f877b05478305d5103646

SHA512
5428b29b663842ddd1435fa6d6741c9507c0577cfaef478f6a0b69d81cbf1cf48f28eee938c80606f03d1ec304ae6db9727cc839b0811ae9c6c3256bd85f40b8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2-2x.gif

Filesize
813KB

MD5
1f4d0a15a3ac27342a0abf79514fcc9c

SHA1
ea406083998e5d4d2a213c844086bba3983dca92

SHA256
3d4239cb429d83cf117f066ad0bbff984c0131608b45061b1095b8a2927fc7f3

SHA512
124c3c9ee8ffda77f61276eda7bb6ff8cbebc0fc6eabd0eb01253e1c69fa46c337cb51f68597fc4a9b9e1ceedbc75db10685ff089b9d10863081118a9a977801

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
8c3973d4fc3e51f3716c56b7494784e6

SHA1
ba5561cfec4aeb739b234f4d8d97389014044252

SHA256
150c7a966e25c596873adeba50125354c5b11102eaec837531e098c71f763558

SHA512
b1c61143c8af1a4b7b11d64d3310cc8dceeca453c7ab8b1ef06e837608a0dcfc8e56736096ca576c34ac73282b3b90d4edd17cbed013470d2ae609f76fb50f12

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
edf2da293c4955d2ec1567dd4bd019c8

SHA1
c5664fcfc398c17fbd86015b31d869e2f860694a

SHA256
6963f07e50742788c5f3dda9f5242129dffa338a2b4a60f6be17c9e0c0cbfd34

SHA512
f48261b53317d749152a31a753700ea8c0d43b7d46912d2d2deea68eac01bc4f3b5102f2e2cddb56e40a19464c204b4277fed486f3267059565aaea220b1245f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
a8a157e9c5fbfcc92d30f5de09483cf7

SHA1
aab11cdc3a5acd18529e685ed5e1dd89918c2c49

SHA256
b3a7751fe53d36e1fa4a2a2d645559b8986059cd263bd94754a1de9ba9a9c01d

SHA512
edc12ddab2d512fbed15201fa54bca896d801d07be966163269744899ec84f86b62e0fdf8cb4b3381eec6f92c7e2947fe0fc937f94378e9c686a38b5fd112ef6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js

Filesize
9KB

MD5
476be96150564aa46073a0d46dba9c39

SHA1
505e07241fc3915249156e214429410c6f0b9d84

SHA256
9935de8a21c140925a7fb26b4434731ea0e81a8fc73309cc4c949e8ccb103851

SHA512
58a848c6f2107d1b378ae94c1dc8bc93158b3197d18229a1b462ef6a8de385426cd547e6194f640353ec0446a1e1cab15de75700994cf73fd2e166092314df75

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\ui-strings.js

Filesize
11KB

MD5
5209c8997bdcaceb7e777303327b2541

SHA1
b063678be1d434a240c7769461d0f9dd683e152c

SHA256
db98d7b7bf781578d7656bfc8b51b21a48ae36d0bf8c7cb3e8d22b2092acfd06

SHA512
f2b9ece8ac59674671834e0bfa297bfd8b3bc0ad4e505374163359a22289ec4193658eb2e0bdfde4487575a49150787f5ba15ac710661fb29030f846b75a3ec6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
715b4e9164a3450b6f84d7693172322b

SHA1
b803db54b3975b15ebb5f740404a088247226d1e

SHA256
525d02aea5f0219265411018c0fe82dec89793caf9149dba8087fb5b0bd76474

SHA512
97eefd62d7596457fffc17809a568b9e61060d467383f722e8ed1f6d923d2b2268ce0b89b75f8ab8843c364f5ee98926f0953c1ba514576dc88526923f0f383c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js

Filesize
17KB

MD5
53c7b659118dfd191992242174f754a0

SHA1
f274c4a1f9b494be1019942f7883b12933de1717

SHA256
8f0f2d3a534eb692da1971044964eb59b501dc461aa43c05ac8b3ee14efc0d59

SHA512
e11c852bed4e27b804b7fe2eb9ccc850ed69f13a96a3d99e9317f2360829d645b45936105b3c24450224732f9dcd275fc165affa61bb9ec8ce338de92f48335f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js

Filesize
15KB

MD5
20b35a559bbbe769d2853804f496a78f

SHA1
d2567df7e5a93877bf8c3a477107ace1f53b4cb1

SHA256
359bd64dc068f3b4fd4884c9e30ffa77a048150808808a261ed0af5d0f61af49

SHA512
4c8cd8616f16d04a830ea65193b4672762f8f30a02a74ab1fea5d32a34830817e69b097e6e1c3a7908aa976489b7ba94a47f2d3402f76b9aa17f9c0bb95ef46d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js

Filesize
18KB

MD5
1dd258d0c8f0b37c48293bf216f15717

SHA1
22e075c9d90fecbb9034b937619e611b947341cf

SHA256
e3c89478484d8c1a4f99bee16bbd0866db25a00953674ba16a3cb757688aea28

SHA512
14d51428e1ecc4aff38cf3cb72ff77498b0f7ddf76ec8a41244d269fa2e875433e2b02b40cddecdda72fd747e1c4fcdd0355dd39ceaab9e816cfaf2ce1cbb9f7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js

Filesize
23KB

MD5
2bbf6b2b9753cfa718ab0871763a4c99

SHA1
b4358fbdc0924d4b040250d4f6afed204c3ea2d1

SHA256
3d523da986409b95ea1f3d96a3276a5e3c93873019c675ab80c709c907d0d43d

SHA512
c301340a55c87d1fc2c33dcd15454f6570862c33656ac4b1b5cef2855f1e964bc7a99119cac3dd8e78e8daede8993af084e5a7678e60477dd664b2f496f9b452

Download Submit
C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar

Filesize
9KB

MD5
4e9ad656a73584adf567033a468114f8

SHA1
0335ee5860a2d0ce0ae0a4ea50796b9877d3c4b2

SHA256
4254791065907e2a529bffff768430212c8c04f596032737e16c1db857cf2755

SHA512
67c1678cb1a74cee15dde46186267960fab7518c0a5d90eabc824036a284755c947b0e48776d6db238a39a75dc735910e0f3fa2092c5bde08735de5025fd016c

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
4.1MB

MD5
3e46332bfc13679ba0d7c5b16737f71f

SHA1
cf56ec590f163b4d78ea497fd5c6197766380d46

SHA256
bd6271520cf23082f2226dc88eaa602416efea60305f83b41e4780ab6008a464

SHA512
33e3da2dff117b33edc4dcf5068a87cb5eda1a479ddbf1d9b4568fed432b32b1fe1d840fc9357cdcf9ae31c529fb9a3b05e9eb4d8cd3370c75b0c9aad4538da2

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX

Filesize
292KB

MD5
7130789e848e42a81bda8645cc35cd1d

SHA1
6079aff117acf9c1db186bf4bda2601b55dbf32d

SHA256
4390e3e2e821e807c1fae2048feab9821941237317fdb3cccfcf03f496fe0027

SHA512
985565d5456c86157711329bd771de9a7d5adf049cdb8a4c4b0c2c87ffe400bade09da5d0da565b317f290f538114d2992f377d83ca4af09076724da75c7f0a2

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
10f9c7a4e49e7a32e5f399f3d45216ed

SHA1
302205ad4400746749870d09217a8b772f21af1e

SHA256
4d613598feff2277f994f043ebc0b9c2a0fdc810ff8156d403e5270ace874a88

SHA512
3e901af91407a76d92b64c05806389affdad2a1ef26cff9f05bb91029ad071804a2a0c8fe75ce61cea1cc7d472d568baf7e43fb19ad57d939c30382824f5421a

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe

Filesize
62KB

MD5
7acd7d0ceb933f1fb7398a623e66b1a6

SHA1
eb16d96ee2d7f152bbec8501bb85523d581a3af7

SHA256
d0a6a5f45c100e6a41bca10b35f281a02d331b0e06e6da045a4b5e44ea05d9cd

SHA512
c4c3375d014567b16b4f45a60f4256c2a391a1ae843ae2c5950d35f7d9348f789e6a8195b989461ed6e3ba8b09b7a85465a5a10b2cd875acf542015cfc3ee1c1

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe

Filesize
1015KB

MD5
dd174926bf9e98ec4908bbc7a35ee8e2

SHA1
f30e85fd291da0c99a894aff9a5846e8aa811512

SHA256
18d8e85eca5b9e055e8f77d4300514bb949297451d6cfb3dd857cbec290bf02e

SHA512
4c08e02091969a51487df7eee861241aa9b080a9a93355c8e422519b2b1ed0a25bbeb5dec83e1da2f6bb150d0ea588deb6877aac5de5a42f347acff18ed958de

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
586KB

MD5
5b832c24fbc65300b3aa4122bfe9f0c6

SHA1
570eea88d0d952aea80d6cce6954241dfc8869ee

SHA256
5aad49fcd4020fb657eef65a70a0e9ecdee83164b94aea4915466b16304a94d6

SHA512
16d9cc5b7754bc960ca59b94c3e80395ebfc94f5792e44d83f4ce5f410f36406821a8332a21d250ba111e9d48f4b2c9a3a83977025dd1c2feca8cf988e902546

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
76972ba2573ba5cd45645966fb45f286

SHA1
8ab93c5fefafaf88c121a30bcb9935c9a25a6ca3

SHA256
3b937fef2358c90f49a4105b61d2e55fcef202e786027f30a320d9b1aeb460f0

SHA512
ea77c0fd077dc86862ea2150eb72227cca87fa46f278c0b7c99cbf601843079cc45cccb723e777c393ae6f78e2c55172cac9222c9e028d38b758607ac9f6850e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo

Filesize
612KB

MD5
ba8b3e8e423d0700aefa1b6b11447562

SHA1
f9d1979050e6d1709e828c61036b50e1b71770e8

SHA256
591c2eeaf791f452cbcaa8ab0e1d0daee2e0deb5d34f057f40d38a793ba34707

SHA512
8aaf5f78b59ef6ea4c7f0ff992e06524ded212a04e5191864f9cf58e60a9202a45ac7fbc298fcbdd50ef9fc7603a21e64c212101fbd92cf0c976c63aba952997

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo

Filesize
579KB

MD5
d79c4bbad34a9409e7867e0774275435

SHA1
82fe9aa2839d8d1d29c58b2cd7927e1bb43d03f7

SHA256
bb8e7c90738f32def1a000ea937fdc043193131c7e37050b06ce63271a5e164b

SHA512
ff09a65fb1a40eb50893d24462265ac7306213716f6faf0d4d4251bd6b440ea70df15b2941d6598cb5e02a9918932ca74fe45115a01ee49a65e5ff18ad0f4f3c

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
317a609e863d63507b0cbd0c338651c8

SHA1
b2403adf39c543c0d087b4081162ce4c1e4cf708

SHA256
eea2ccb9daa3c1471468df6933e094c13047b745218361832811453335d0f300

SHA512
1c862d28d9c8253473739afa6a6f9d1afac7163196741f47c43db42d103788a0be7a51d59f4ebe3cd41d1d3a037c262c4a477395af1cb2b44b9450818b065040

Download Submit
C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo

Filesize
614KB

MD5
5fbf6c62b2d5f4a94e57d8bd79a03943

SHA1
bc7b6ed48750db2944f1aef4a62beaa2a848a5c6

SHA256
a8eeda28563442829f99ade25b5d519e3c434281c15a9a2cbc588714dc3fb8ab

SHA512
01cc7ce86f0a2ddd91f326c3ac2016a1e741e05904c4bfb647fc851015a6006e6de29b00a62bc3308dde2b50d7798ab5dbea029038dbfa7691106c1b4e806538

Download Submit
C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo

Filesize
552KB

MD5
e282a8c3786df03d4c61f465f237f4bb

SHA1
eb1454199ce718cf28b57e4926ba24c17acbcb8c

SHA256
0de27fdb6ae20dbef36481a261967f1a5949e7f1a005ec13ca17a7c28e0626fe

SHA512
bf5ffa04de588c8a15b0a0cae7e459cda39eba839c88650fcb1bb1beb476e0f8fcd1722d2a736dc5e8202ee8e34e535a943bd5a1a3eee5270fcdf469415a8844

Download Submit
C:\Program Files\dotnet\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
8eadf9f1bfe302b72072c8d0fb4c49a0

SHA1
df76b8f3fd8a0f321a3060f8a578e04122c3aa02

SHA256
9be11b94fa071e891093c71ef768af620fbf492d5ece4f502bc1d5a344536b29

SHA512
7f644ee6da674b9b76c2a34e8db79a02f1c30dc462b8004bca405d6ff74a1ecfaed360bd4f97bb6fbcec8a24e8088c96bb78210aae4cc6bbbc6f218e42875442

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
793f91b724d85cfbee31286611d24276

SHA1
7ea041859f49b0ddbe169ba8cfae7a012566e901

SHA256
1670d1c6d9364e85bbcc0fed25ee15d08f776ff0cda2faa922d2332bbdefe8e2

SHA512
1a2a569ea31e129b74d72c88a82c4fababbaf1594035587be2c4605635cbe5b208ee8cc5320ff14b9381861be6eba06423c928bc097c9fd7ef6278bb9b4feec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
472B

MD5
28441017ed2172f154d6a0eb6ee6cd87

SHA1
b2a96dc105d2603b76c8a06da371fe207f44ada7

SHA256
0eb597a1106d9f406c3a235763137119b0c2ecbf4c5ed4776b38742f85cddcb0

SHA512
69f5ad19f1104a9d2918ba113e49bd27f9047a9c5a9300a06dcfbeb76e6cc5161cf53225816d6df1b4b3b680e86e9eb0ad1791189dfd0f1a351250924b6d3923

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
133d53b2000db065d95a086304953d29

SHA1
dd9aaba87a5b2e840ea35e3c2ace5a8717f33784

SHA256
5504a66e5b782564a3e8990573d89850c6aef93f9da69bec8ddde2a3ffaa64e3

SHA512
7c22a122f645d7c423413ba7117fa1b22c53b1af3f741ae195e163ed45e1e7b8dd1d062e6249d54c285e8971968d4707070e6174a5b67e2a7903dc1646d65a6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
3c14afe4481a876e6d80aee379e1c42d

SHA1
aa3b530bcc0ae6f2bbbe75c3a56dabc82d839c3f

SHA256
4fb2bf69aa96fa3a041e4b480664d800235f3fe73a01c10dd4eda2dfb4a1ac7f

SHA512
bc3dede90cd821bc35501de316f89c44fa6cdcb8f468624cac620b241450183f6b762d875bceeea241133a0cace3c943c9c21407ca45e1e2d04e8d2ffd2fd181

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_3F2A9DB42365395CA97CFD2FA38D17E4

Filesize
488B

MD5
d3497b1901ac1d467ab9940343ea94cc

SHA1
c73a4176878a92fa27d20c3084ca1f4a3d93fb82

SHA256
b1682adb79681229ff3317af122fb43d29f3a68a2e81398cf020b7117ea1e3e9

SHA512
8f048b886743ff31258c3c478685a5f2b7fa655d0478afba49a1ee277b47eae0a83e8f645d1fee3fa4c47cd36e6eaaf2e9d97fec3b9441f63f3c6fa92299bb75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
26dc55a8eeff4384d4bc15fdd1c1a5b4

SHA1
59c335e4ca428f32dbbcf37e0144cd189ce0ef52

SHA256
cc1d1889b7a00693bf988d8413fe2fd263d28be9ad83e95dee5a296cc8ab4eeb

SHA512
f3e211a3907ed8af433c76c38289a2a6d690cd604146e3e45cbc7fc90933c170bfa441f0b71ace5b607c7a86e14120d0b2c159f9da80e87efe7729359f45d482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\79ZXHV21\ATQ2RF44.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CMMYN4JX\T48ZQJW1.htm

Filesize
18KB

MD5
46e7f28a55cdab07533424725a04b9e5

SHA1
48a915fe8958b0882f364b1e0ceb37e7b7948319

SHA256
e40cc25f9a709e182c284705b0b50b448deb4b1b81b456a633638003db77068b

SHA512
717be51be74aa8b36d714f35942d40c8c18bea13a49d293681e16f1b10dfbdf3887a887ca40688348eee38b10ec80c96a17c338378c315c70d4abebfd42e9076

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
C:\Users\Admin\Desktop\BackupUninstall.bmp.D50-447-D2B

Filesize
298KB

MD5
43958d5d9eda159d1ab73f79897f2303

SHA1
e5a1e21bac4d6c87e7c622164dc50ac5d30fbeb6

SHA256
6cfd8fdd3acfa86f2bf58decaef5bf27c2e1a0aae880310591b65c82eb7da6bf

SHA512
ff4d3eb51f3bb586a0c0077ff8735ecb478a2ece5cbf57bad9102696a29c8a7cc2ab856fefb95dc0d2cf6670910df8b2c96f6f3ac2581162c4a156f61dc15358

Download Submit
C:\Users\Admin\Desktop\CheckpointMeasure.m1v.D50-447-D2B

Filesize
234KB

MD5
1e1199e4232bd181c61a820d34dfc913

SHA1
53a8d78128a27f4f9fd6dabadac1b4e20a887398

SHA256
7320baffd047207aadaa52e18efd8bb52a0adba3c5546df88fe01a17f860546f

SHA512
90d218ceb27699e7702b1a9583ba1bddc6f3888d59b3c8386fd949ed56045d577d5331c74f1ca83eb8def4f49269ee19df04a88127fe022a25182ab5fa85a61d

Download Submit
C:\Users\Admin\Desktop\ConvertToPop.jfif.D50-447-D2B

Filesize
330KB

MD5
79f0d8fd91a779fa77fd2f477584c1a0

SHA1
95ded5837fb2f63a83dd29d239ac8a02f772fc35

SHA256
de5d9f0cb6ff2b20b45b5c2249012f9d6766f4250fe79c1845d66507cd36e483

SHA512
b9e0226ff35c76af04ae5a6a8d4d2259718d412ea7680b0ccfdeb98e4c69a3376004f9fe8c666135390d41c61a1f3da5078c3e246ba32de0444d002d6dfeb12c

Download Submit
C:\Users\Admin\Desktop\DebugPublish.clr.D50-447-D2B

Filesize
351KB

MD5
dc3cd790954b7354d2befb5c6ac9c15b

SHA1
07a9b4b8813d76eb3c50f7b13c75986fe344bdfd

SHA256
ac0ee51dc216fa17939cebb03bc861243eeafa129906e76ff5633f2688c43b05

SHA512
885133b143b3d991453345b9ef79dce8fb94d392c1c5b805cf9e76b785600973a6f48dbf33f333a0e75a3ea3ceea3a69e74d605f52a2ed11f658454216b42734

Download Submit
C:\Users\Admin\Desktop\DisablePop.wdp.D50-447-D2B

Filesize
171KB

MD5
f049b71dcef0d349e2d820c77ee3abcc

SHA1
3b8ceafe1f7c39e24105503f8beb4a388080ae63

SHA256
c44e4d4856a00627c30eb3da81c78f27ac7baacecc480218da7e4f12206fdd2b

SHA512
d479615e40f11f0fdaa4f7206bb0881d2efda9b4f6d5b2b32536245dd6136eb3379d75f1881009a876e171b285beff56fbdef2382a851c145f49dc64647220a3

Download Submit
C:\Users\Admin\Desktop\DisableStop.wpl.D50-447-D2B

Filesize
213KB

MD5
cfbcb400a113fc2a16890eeaba7ff302

SHA1
cf5edac8b338ffa02f442eb4d098ef8f811329ae

SHA256
045112fddcd7c8f17a9eb5235736859603048976972f11f16cbd4de4ce707569

SHA512
06602b3c0a44600066017fd544a84dca38623450230d4e5cb9f626180c23db89362fdc9803cf7fd2cad1167ba35d54f63d305aefb794742777f47a7f98ed8125

Download Submit
C:\Users\Admin\Desktop\EditWrite.ADTS.D50-447-D2B

Filesize
309KB

MD5
6d6f77215dc7b1b221386ce97ea076dc

SHA1
427f4728824ecb7612001642b2a1f7668ad63b3f

SHA256
ff4af14720f2f42e6fa1497a2b91ec02b23d646b974e3742552a1cf214cbe31f

SHA512
1eb1f002f9eea41249f504e5daa84599f39df0d764db28882b8f73b6df00f8111ab26c5c2189dc3a693be27a456b7de818b13e4383de5a6bf15d134faad5b3c4

Download Submit
C:\Users\Admin\Desktop\EnablePublish.jpeg.D50-447-D2B

Filesize
181KB

MD5
c1300b1682152c68ef69416bde6dc8d2

SHA1
f9cf71318ca7ba3399515c9a5580e09c7a30ecdd

SHA256
dd2e55dbcdf7119bead60e5408005e127693d503b3d3faec1c27cda011a161df

SHA512
a232056aa25d6d9b8de86756a9251f7efc2b2a16c3aac81d38682d074c40dc24df02b83561db1e098b1ad64c95231d744fbe05b7efa49672633aec775bd44536

Download Submit
C:\Users\Admin\Desktop\EnterEnable.eprtx.D50-447-D2B

Filesize
394KB

MD5
51b8e86b794640fb8ca1a80eb33e445a

SHA1
9adae9b8e92bcdab4ad441d01fe87bfb4189016a

SHA256
9c4ca2dc45d5582e94d4f3d532ce7b4c25b9e7cf3081c0111ee48ce51642b35a

SHA512
7a242dfba730fc390f791cf4b8d02643dc00409fc0af4e5afea29aa75c1a25e3dde2c97608d7d19f2261194b0b1a6cc3ffadd6757eed0390f6438671f12d4612

Download Submit
C:\Users\Admin\Desktop\ExitExport.emz.D50-447-D2B

Filesize
383KB

MD5
23e98ed3384664e175d969d5a9ccd0fd

SHA1
6a01844092b3ac40847b6418ce856a8d1ac9bb99

SHA256
d56b4ef0706d96e29c709c921e75a24ddf0fc99ce794e85fe4f00df440666f93

SHA512
5c0efc625085b4963ed78482878c4f2eefbfc94e6f77a4f333349785ba2254ce93fa9d4c8c5bf5b3c45b9c00a147a3752f3187fa69ce910dbf93d094c92a60e0

Download Submit
C:\Users\Admin\Desktop\LimitEnable.mov.D50-447-D2B

Filesize
362KB

MD5
5fadb4ca01dd618a6a175952ea64cd6d

SHA1
7d9484a287fa54e65f695eb311ddfed301e0df19

SHA256
6ccdccc822e3d55b671310e3c66b8a3e36b06428b6664a5bcd1ce629a2c3588c

SHA512
879d5b71cfbb899dcf0b5163d96b6ff8c17e96ea6eaaba00faba5f23f5728025e34faa2920fd7fe9f030c475bdc526a76ff8c5405d162e486e0cd53b0ae4db2d

Download Submit
C:\Users\Admin\Desktop\MeasureConnect.TTS.D50-447-D2B

Filesize
319KB

MD5
f0448372219f836ae0a2d808e893010a

SHA1
32e3e9a1a1eb3e3791714b75bbb86e617e4b6977

SHA256
35c03d9c54a86d21ded52a4d310943683f70e241a3ba33b2bd45d00b58800466

SHA512
ad2a061a4c31a42d6a104921dff46de3e0242c93a26d0fd5d0918a5cf28deb6ac9f1476595d4d9659c2dbeefa92730a6491d223ff9f0553993b178b1117baeb8

Download Submit
C:\Users\Admin\Desktop\MeasureDisable.xlsm.D50-447-D2B

Filesize
277KB

MD5
c2a36ab4606b395a5a20209c9f1c159d

SHA1
5964ac85c4af4fa0b49353418d1a2a80566d2e80

SHA256
31d7a401b46015caf39b51a25f9f0cbc986bba5a07f215518e24ac96820be2a9

SHA512
4f453017771e2046d1616d2fa07a75f918cf43f3a35076afca98d1f1e359fcc4979601a0dea53eff21e427cbe06d580c119f73ac64dd4b70127e673bd7336dde

Download Submit
C:\Users\Admin\Desktop\MergeEnter.vssx.D50-447-D2B

Filesize
266KB

MD5
7018f65f6c71f7ebe66e0fb26e36e18e

SHA1
2570e2714cb65a1d0f0f5be30bf248c12ceedadd

SHA256
1a02aed4dbeb039a7e2cf1842bdaf7d37adb7822b4a6512c26f9a010098fa669

SHA512
b5488e8e0016423431d55e7f9f34f27ec19c5e17e6ae2817870d2343cea743eace3150f46666fcc8545cf859feb1bf386451c5263ce3c2afde5039307947ed43

Download Submit
C:\Users\Admin\Desktop\PublishRestore.dib.D50-447-D2B

Filesize
192KB

MD5
bae90b18fa89a9356d401f06e8f5041a

SHA1
f8addcc219e5e5609ebdfb1b84863ea996435440

SHA256
c462c0597597056eaea32314f8187c217538ef94ce7bf18e05f2c177cfe869b6

SHA512
6a569ed1905d66e03956fb99130b06fc3675aa92766a6fb98f3c0698e43a5b0561f1b9337642c677660281016ef3ea9ef875c7b06cf5b6d134669596e1c11da7

Download Submit
C:\Users\Admin\Desktop\RemoveEnable.ppsx.D50-447-D2B

Filesize
340KB

MD5
49d749bbdacb19b2f4a1c36f56b06ab2

SHA1
bdce110f6875b58528d4a1f0ca10401d1dcaee96

SHA256
8b6cc6cb61e5c9a70df738cdc8bc57eb190c40b17f7b85f27ce352141ac34516

SHA512
a6bd372238a917d2acf1dc1410c85ddaba5a297c19070d65a4e833f338906e48e7add6a4c30e386f83086043448a5ae413d046df80c66e15d72e13d85622269d

Download Submit
C:\Users\Admin\Desktop\ResolveLock.au3.D50-447-D2B

Filesize
372KB

MD5
94747e863994f74667835de5f7deb209

SHA1
1c5e9fc1f1bcd5fb78d92175280af9291ed81941

SHA256
f949e001b0658d79a25dadda527ebb2276a478ca82986dafa104508c2d51267b

SHA512
06a751eb12003b182dd1691cfef7a517d1fbe41f5f10b03a6ca3f6acc6d2078e41a905713695e4cbd579b112ae4423c602f724aa60acb5da1110471fdf04fa02

Download Submit
C:\Users\Admin\Desktop\RestartPop.xlsb.D50-447-D2B

Filesize
287KB

MD5
7d73cc7994da6b0a07e42c4fa3320185

SHA1
cdd1cae6f4af6e37d9588d58ffd98f12796859ff

SHA256
75210b281b9205ae8da921f48ea6e84eb00a517d75720ed664bba14d97531a36

SHA512
5ac32463da2dde7a3512e5178b670872835f8e27417d6a7a6c96c8448968cd3b45719b44cb3ab93fddb86b6de256581b340bd69f939c5d876fb5293393d2ad28

Download Submit
C:\Users\Admin\Desktop\SelectRead.php.D50-447-D2B

Filesize
160KB

MD5
d79d5fd0dfd2207cdef6c0be16c6b4de

SHA1
bd010d1fae452d2eeae77e28db9f404a82412e64

SHA256
6996690e7a6d028f6d147f1fb322d11f6dd455e33db318eb9edc2af76755acc9

SHA512
b8c24760beaed2c188551d74da8b6def98e5d0433fd30b8604f2105677b1add01bd6b16e69a4cfec183b9faffb4fbe541eb93ff19a02493c6d92d4aed5a39fd9

Download Submit
C:\Users\Admin\Desktop\SplitResize.shtml.D50-447-D2B

Filesize
245KB

MD5
8d4331e0ecc8b40bb5cb0c0f27c4f82e

SHA1
df5a570b9166789d64e412061887b3265f3c8469

SHA256
980ab6aa15ee826f327dcfc7d4f9230df8d40799cea967f5580a184bb068400b

SHA512
bd76a4cd1a13f09fe4137b60d5cb7003737afaa3aa0eb515d481f4905c75846ec1d959ae31f0f654057e67bce22e16b172a20b0d71b0a05e1d13cc6946861429

Download Submit
C:\Users\Admin\Desktop\StartGroup.xsl.D50-447-D2B

Filesize
224KB

MD5
08edfd2c9c202df735beb9cac4da08c6

SHA1
4fc11ae8f2ee631638313997d5cc5502aa193221

SHA256
3005854246472a14cc65a824b678fa3d8170815c69fd0e4fd2367c320ee77e08

SHA512
3c8c3a50f47a71a81a3e2351240dfb70a32609e06b9ec8b3578ffb56a08d6cf88bce0e60f9983e35398e94086cce350aa4f2884f0f1ab3d30b3818df8298befa

Download Submit
C:\Users\Admin\Desktop\StopConvert.dotm.D50-447-D2B

Filesize
139KB

MD5
15be6f224c07da753ab22898532257a2

SHA1
baf28c434e3cac95ac812bad460c06f2ccef48f3

SHA256
0f9ae4bf6f8d4d6af52520e23fe4b15172b44b22bcad33323d32e41e39dffa34

SHA512
09059e092ed48ded379e99f22cf9e2e69ec4bd50cb6f49751a54ee594f81dc4faf1b2bf397c306b93ae532ecc8cc314ab84b9c26d0bcf45104fc538983c82060

Download Submit
C:\Users\Admin\Desktop\SyncShow.MOD.D50-447-D2B

Filesize
542KB

MD5
fa1b05fb4f0aef6af2db1123622ed577

SHA1
d66d87eed491a9240a9d7f3db0cef0cfb6fe6936

SHA256
e736314ddf7b7602d4ec696897379ed32a3bb4d70168a8df223c50e7f73be71e

SHA512
1973463d99da64f41fe195dec8eff7b083db88e3af77d5a642b325e3c9e985bce2c3922bb926bda128637c5d9b5da017000044737946aa2fd4bf8a52a919662f

Download Submit
C:\Users\Admin\Desktop\TraceOptimize.ico.D50-447-D2B

Filesize
150KB

MD5
09a9938cd086714fdb6b5801fbd9519c

SHA1
b789bf93f8cf8e8c59c6380d54268b75261d323f

SHA256
c02799b3b525067b621b1aa820f60b6b5b26b8e442dcd899c2452940e1e3cf4e

SHA512
8627677ae2d1d27b3e208087656fe6400ebae20939e9fdff47f65cc2daf2df50afe381b409938b87d6e63f6b3af5885781f741a7faae60a90fe11ed4feb61454

Download Submit
C:\Users\Admin\Desktop\UnprotectEnable.png.D50-447-D2B

Filesize
256KB

MD5
d2d218eea291fd48f6d02ca058533137

SHA1
a812b49d5fff82b90564e157038009ae2c606e62

SHA256
10068e8a79d7e092ba9534c8eee64f75165b3c3f6b6e5d83cb3f94138c845e2a

SHA512
68c593487c03bae033322066ccf286cd2ede1c6f77fd0bcf6ce020c0367c5c22d4fde7f3186c708426aa5318a4c25b891db3cdd859111be740a575706dfa3ab6

Download Submit
C:\Users\Admin\Desktop\WriteExit.jpe.D50-447-D2B

Filesize
203KB

MD5
063e51a17e2cea044867d659411b3fe4

SHA1
156de29c0a7002cdcb7b56fa5c009c7abfa19a82

SHA256
9942cf8ca12099aed6bdb1a51175f4bb571d37f810319df27ddea771207de22f

SHA512
593b31cb00afb13d47374ec4dadcb0c3db644648a9e11a9a94aedaa823462479abcc6d27000836ba1463a13c6c0c388529a12fdd32084622329e56bcbaf4ff43

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
f78baedb7da78cffa36e360c5d83a05e

SHA1
0754626aa9a0d7fdcac79f1fed67660b092cd4bf

SHA256
e45a7b4305053915645c92ed5114565736c2584baa8b5cab1accf43e06b1dc7c

SHA512
07020d2f35204378a6a7fd4f554c0da8953ebe1a557d95edd20a7397fcdb639c3dc04975b7069c2feb9c7999582d8d104811c889bdb2fff6838d85a0a4e03f9a

Download Submit
memory/8-21-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/448-43-0x0000000000FF0000-0x0000000001130000-memory.dmp

Filesize
1.2MB

Download
memory/448-3807-0x0000000000FF0000-0x0000000001130000-memory.dmp

Filesize
1.2MB

Download
memory/448-26184-0x0000000000FF0000-0x0000000001130000-memory.dmp

Filesize
1.2MB

Download
memory/676-33-0x0000000000700000-0x0000000000840000-memory.dmp

Filesize
1.2MB

Download
memory/1112-26156-0x0000000000FF0000-0x0000000001130000-memory.dmp

Filesize
1.2MB

Download
memory/1112-24917-0x0000000000FF0000-0x0000000001130000-memory.dmp

Filesize
1.2MB

Download
memory/1112-15167-0x0000000000FF0000-0x0000000001130000-memory.dmp

Filesize
1.2MB

Download
memory/1112-10139-0x0000000000FF0000-0x0000000001130000-memory.dmp

Filesize
1.2MB

Download
memory/3372-26183-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4660-46-0x0000000000FF0000-0x0000000001130000-memory.dmp

Filesize
1.2MB

Download