buran | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
117s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/default.exe
Size

211KB
MD5

f42abb7569dbc2ff5faa7e078cb71476
SHA1

04530a6165fc29ab536bab1be16f6b87c46288e6
SHA256

516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd
SHA512

3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af
SSDEEP

6144:zia1vcaEaA+HPsISAzG44DQFu/U3buRKlemZ9DnGAeWBES+:zHctWvVSAx4DQFu/U3buRKlemZ9DnGAn

Score

10^/10

buran zeppelin defense_evasion discovery execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] or [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Reserved email: [email protected] Your personal ID: 12D-4EF-BEB Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran

Detects Zeppelin payload 8 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe	family_zeppelin
behavioral15/memory/2480-92-0x0000000000280000-0x00000000003C0000-memory.dmp	family_zeppelin
behavioral15/memory/2024-98-0x0000000000C00000-0x0000000000D40000-memory.dmp	family_zeppelin
behavioral15/memory/2840-4410-0x0000000000C00000-0x0000000000D40000-memory.dmp	family_zeppelin
behavioral15/memory/2356-10923-0x0000000000C00000-0x0000000000D40000-memory.dmp	family_zeppelin
behavioral15/memory/2356-22530-0x0000000000C00000-0x0000000000D40000-memory.dmp	family_zeppelin
behavioral15/memory/2356-30409-0x0000000000C00000-0x0000000000D40000-memory.dmp	family_zeppelin
behavioral15/memory/2840-30445-0x0000000000C00000-0x0000000000D40000-memory.dmp	family_zeppelin

Zeppelin Ransomware
Ransomware-as-a-service (RaaS) written in Delphi and first seen in 2019.
ransomware zeppelin
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7435) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2588 notepad.exe
Executes dropped EXE 3 IoCs

Processes:

csrss.execsrss.execsrss.exe

pid process

2840 csrss.exe
2356 csrss.exe
2024 csrss.exe
Loads dropped DLL 2 IoCs

Processes:

default.exe

pid process

2480 default.exe
2480 default.exe

pid	process
2588	notepad.exe

pid	process
2840	csrss.exe
2356	csrss.exe
2024	csrss.exe

pid	process
2480	default.exe
2480	default.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

default.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	default.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrss.exe

description	ioc	process
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

17 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 geoiptool.com

flow	ioc
17	iplogger.org

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

csrss.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Melbourne.12D-4EF-BEB	csrss.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Metro.thmx.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanal.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_fr.dub.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.12D-4EF-BEB	csrss.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSQRY32.CHM	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103402.WMF	csrss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosecolor.gif	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBOXES.XML	csrss.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\15x15dot.png	csrss.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.DPV.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN002.XML	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBRPH1.POC	csrss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107742.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Grid.eftx	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107026.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00222_.WMF.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\SpiderSolitaire.exe.mui.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00246_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Start End Dates.accft	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Scoresbysund.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apothecary.thmx	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18202_.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15156_.GIF.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\meta-index	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01251_.WMF.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00097_.WMF.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\gfserrorfromgroove.ico	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WCOMP98.POC.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14711_.GIF.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099169.WMF	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD98.POC	csrss.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP	csrss.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin.12D-4EF-BEB	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeWMIC.execmd.execmd.execmd.exenotepad.execsrss.execmd.exevssadmin.execmd.execmd.exedefault.exenotepad.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	default.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2212 vssadmin.exe

pid	process
2212	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

default.execsrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	default.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	default.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

default.execsrss.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2480	default.exe
Token: SeDebugPrivilege	2480	default.exe
Token: SeDebugPrivilege	2840	csrss.exe
Token: SeIncreaseQuotaPrivilege	2804	WMIC.exe
Token: SeSecurityPrivilege	2804	WMIC.exe
Token: SeTakeOwnershipPrivilege	2804	WMIC.exe
Token: SeLoadDriverPrivilege	2804	WMIC.exe
Token: SeSystemProfilePrivilege	2804	WMIC.exe
Token: SeSystemtimePrivilege	2804	WMIC.exe
Token: SeProfSingleProcessPrivilege	2804	WMIC.exe
Token: SeIncBasePriorityPrivilege	2804	WMIC.exe
Token: SeCreatePagefilePrivilege	2804	WMIC.exe
Token: SeBackupPrivilege	2804	WMIC.exe
Token: SeRestorePrivilege	2804	WMIC.exe
Token: SeShutdownPrivilege	2804	WMIC.exe
Token: SeDebugPrivilege	2804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2804	WMIC.exe
Token: SeRemoteShutdownPrivilege	2804	WMIC.exe
Token: SeUndockPrivilege	2804	WMIC.exe
Token: SeManageVolumePrivilege	2804	WMIC.exe
Token: 33	2804	WMIC.exe
Token: 34	2804	WMIC.exe
Token: 35	2804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2804	WMIC.exe
Token: SeSecurityPrivilege	2804	WMIC.exe
Token: SeTakeOwnershipPrivilege	2804	WMIC.exe
Token: SeLoadDriverPrivilege	2804	WMIC.exe
Token: SeSystemProfilePrivilege	2804	WMIC.exe
Token: SeSystemtimePrivilege	2804	WMIC.exe
Token: SeProfSingleProcessPrivilege	2804	WMIC.exe
Token: SeIncBasePriorityPrivilege	2804	WMIC.exe
Token: SeCreatePagefilePrivilege	2804	WMIC.exe
Token: SeBackupPrivilege	2804	WMIC.exe
Token: SeRestorePrivilege	2804	WMIC.exe
Token: SeShutdownPrivilege	2804	WMIC.exe
Token: SeDebugPrivilege	2804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2804	WMIC.exe
Token: SeRemoteShutdownPrivilege	2804	WMIC.exe
Token: SeUndockPrivilege	2804	WMIC.exe
Token: SeManageVolumePrivilege	2804	WMIC.exe
Token: 33	2804	WMIC.exe
Token: 34	2804	WMIC.exe
Token: 35	2804	WMIC.exe
Token: SeBackupPrivilege	1964	vssvc.exe
Token: SeRestorePrivilege	1964	vssvc.exe
Token: SeAuditPrivilege	1964	vssvc.exe
Token: SeDebugPrivilege	2840	csrss.exe
Token: SeDebugPrivilege	2840	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

default.execsrss.execmd.execmd.exe

description	pid	process	target process
PID 2480 wrote to memory of 2840	2480	default.exe	csrss.exe
PID 2480 wrote to memory of 2840	2480	default.exe	csrss.exe
PID 2480 wrote to memory of 2840	2480	default.exe	csrss.exe
PID 2480 wrote to memory of 2840	2480	default.exe	csrss.exe
PID 2480 wrote to memory of 2588	2480	default.exe	notepad.exe
PID 2480 wrote to memory of 2588	2480	default.exe	notepad.exe
PID 2480 wrote to memory of 2588	2480	default.exe	notepad.exe
PID 2480 wrote to memory of 2588	2480	default.exe	notepad.exe
PID 2480 wrote to memory of 2588	2480	default.exe	notepad.exe
PID 2480 wrote to memory of 2588	2480	default.exe	notepad.exe
PID 2480 wrote to memory of 2588	2480	default.exe	notepad.exe
PID 2840 wrote to memory of 2356	2840	csrss.exe	csrss.exe
PID 2840 wrote to memory of 2356	2840	csrss.exe	csrss.exe
PID 2840 wrote to memory of 2356	2840	csrss.exe	csrss.exe
PID 2840 wrote to memory of 2356	2840	csrss.exe	csrss.exe
PID 2840 wrote to memory of 2024	2840	csrss.exe	csrss.exe
PID 2840 wrote to memory of 2024	2840	csrss.exe	csrss.exe
PID 2840 wrote to memory of 2024	2840	csrss.exe	csrss.exe
PID 2840 wrote to memory of 2024	2840	csrss.exe	csrss.exe
PID 2840 wrote to memory of 2008	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 2008	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 2008	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 2008	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 2476	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 2476	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 2476	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 2476	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 444	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 444	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 444	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 444	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 3040	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 3040	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 3040	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 3040	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 2444	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 2444	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 2444	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 2444	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 1488	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 1488	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 1488	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 1488	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 1700	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 1700	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 1700	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 1700	2840	csrss.exe	cmd.exe
PID 1700 wrote to memory of 2804	1700	cmd.exe	WMIC.exe
PID 1700 wrote to memory of 2804	1700	cmd.exe	WMIC.exe
PID 1700 wrote to memory of 2804	1700	cmd.exe	WMIC.exe
PID 1700 wrote to memory of 2804	1700	cmd.exe	WMIC.exe
PID 2840 wrote to memory of 1564	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 1564	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 1564	2840	csrss.exe	cmd.exe
PID 2840 wrote to memory of 1564	2840	csrss.exe	cmd.exe
PID 1564 wrote to memory of 2212	1564	cmd.exe	vssadmin.exe
PID 1564 wrote to memory of 2212	1564	cmd.exe	vssadmin.exe
PID 1564 wrote to memory of 2212	1564	cmd.exe	vssadmin.exe
PID 1564 wrote to memory of 2212	1564	cmd.exe	vssadmin.exe
PID 2840 wrote to memory of 1688	2840	csrss.exe	notepad.exe
PID 2840 wrote to memory of 1688	2840	csrss.exe	notepad.exe
PID 2840 wrote to memory of 1688	2840	csrss.exe	notepad.exe
PID 2840 wrote to memory of 1688	2840	csrss.exe	notepad.exe
PID 2840 wrote to memory of 1688	2840	csrss.exe	notepad.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\default.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2356
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 1
    3⤵
    - Executes dropped EXE
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:2212
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt

Filesize
29KB

MD5
2f9736b032e7af6ec2834d5e8ebbb669

SHA1
d319ce6f0cfe65e83e6660ac4e39e2f6310e3e65

SHA256
c3962d6a433ee33d49910b9f442fec427a899ee0877451b5dd8a1b1fffa606d4

SHA512
6b2ed8ccd4fadaf552997f5135f5da56b5131a3b1e47087ecfaca25f4afed936b4a33e7ef2b574a5276437d7422d37c6e4878eaca1c34559c376e7b7ca404f70

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS

Filesize
122KB

MD5
8dab7d666293d948bed7b538c60f185c

SHA1
3638063fea9cac7a42770ead0a659a417d0ead60

SHA256
e0d82cebbb21fdcb1392f26cd011f6916a5177a81f4845f5284b01ecbdcfdda5

SHA512
298c13fea6d0ed67051a027b5db6e4d8105533d023151236aed88ee55123e5104d26c3e70bbe1b01b8f3dbed944c830943bd4562dd8f4b9d0fbef8eb0d46d424

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
05290d705005a9157686f5fb9d6175f9

SHA1
f7192a8891d893a95c59e214df000fcf92472c9c

SHA256
2b78aa273afcf578321347524412b7a585c300feeeee333e8fac5841929cbba3

SHA512
fd88ddc18c132dc89406d2399f70b9be42a77d08862d04f395cc329f8f14e0031ac2d6d8265bc6f99c6bf7fdc4cb0c40f4046a5f5e60eed4d7f916db09f2adea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML

Filesize
78KB

MD5
72263fa0beb4fc22501be1c7e030a3de

SHA1
526ec83e649612961bf0e60986cbc7f3c3872c87

SHA256
59cdf41b63440595d0741e984cf599c22215b5dc90ead508ffa34e622ccde807

SHA512
dadbc53f5d90855e457885469997e47057b5b7006a79f9806b175329266313efcf5244c1339d51f2b3464f2608ad93f40aff9de6d83e64ddf22b7f18b7445f55

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg

Filesize
7KB

MD5
73491e5f1de145c430fa372a0836f50e

SHA1
e0d5cad3456030f3c65eae3320953b542b2f73d2

SHA256
3497b08378f2e633fca93c6172964bbc38b9be5ca1b203d48ed1d65c2a876a72

SHA512
17ec14493533b643d3343c491ed752195ce68e0d0c5a363d039dbd2abfd1c72b1ed88d036c21a2f41483fa99efc1bbf45e44af15e25d05d256a54cf47d228012

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp

Filesize
8KB

MD5
2f5749a5e3dca11474f2a40fdc95c077

SHA1
2ef8ef96694154f9d5eaf01e7aa358122f9d8048

SHA256
5d9b2c725e590b9ff2a033b068a2a7f40c1b72ef03cb1e39bb2377f52d8803c4

SHA512
3daae80d70e26310ba281e10042d6357326add5b063c6645eb30bc56689a12ef7a6d69b925a45c9278c69f3cc50c45bb668ae77abe166c1336b2aaf973a9d648

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML

Filesize
78KB

MD5
ae39ea2a415350deae250f19a24ff283

SHA1
506779364527d529e8b4dd3ddcb1759dbb759051

SHA256
d7dd4fd60fa638c94d01172b4084760d7e6173746a8fe4d36b09514d38090dc5

SHA512
831c330f2d6bdb90bfdba02877b4ca5ca4ece8ba915b28ca9ad3d85c86ed6b1269f3dca3b7d234fd517d9893e61e17bed4dc24fa21cc7e6ac2f50098f3ae3251

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml

Filesize
249KB

MD5
401e59bc024a18fb91a55774e01d4ed8

SHA1
f74b281c243d8f6bbe73bdcf7dd7a337d835cfa6

SHA256
770cf10697e9f425765abe0627e72458d548f531cd346e5bc9ce8e9a26043e25

SHA512
c4775ae8f8777255de282c986d9693b1a3fa6bc9c4d059adc298226df51306fcb9208f985aac63758ba0cf6308f419e48a230f7ac096377fc29a798078287567

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML

Filesize
78KB

MD5
c738131e433e030fb5c38bbc5c79f015

SHA1
e8476c67f754422591e81bf9b19d1525926b9edc

SHA256
dc4c2bd76b63661edd8df5ea34001cda316706595ca3586ce35a980c7ea43680

SHA512
c411ecfb6cdab5121ed0b565ea6fc2e3edf7a2b2a8886aa871c90748fc11710d1e7af7fa768f6ae052c2e0711d447596a77a6719f6cfa74634ebd471e3bec5ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\PPTIRMV.XML

Filesize
79KB

MD5
a21518c102261828ceead193361d6bd3

SHA1
256a76165a65e3abb5dbe0b8c8201229ea9cd4e8

SHA256
a28877c00994d2bec403f0ee57f3166d700eacfde4055b67c100c09178b5cd9f

SHA512
eacda17f016e6456bd697466819803fd6c2b1d75133e41faaa6bcdf2375de62bbaac0f26321589877d25a5f16c25346a67e5024a0bb0931c26928510fec43a2b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\WORDIRMV.XML

Filesize
78KB

MD5
7fb4794a6d02bd866fd7cebc90bc44c9

SHA1
a6d134e986e08b57c236c665253383ff6aee7bf6

SHA256
9d7dfbc4dfdbebbe7a73427bb4cc0856626c8060862ac6400a1ff686649a916e

SHA512
90fa295d89e49a67b1cbaa7945f286bcaab5d89b25a617b4f1b3bfb241eba6a16432a69f3d9d292b9718f0d7bd5aac8245426c8b3e353c0062794666879c3a3f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Filesize
985B

MD5
b6a7a096484e20adb7014bf9f8adfe4a

SHA1
eeaadea55fbe2e82459c2f591faf47330c758df5

SHA256
b193f68c2d2d7f807b0ac82b273a339d892f505c26078b6252d9b0ba886d7be4

SHA512
a272d599d1b84e3496a6a0030ec6b02172062718f2a3da0dc876c00a0497dde39febbb61ddd0ae9390f30658201131578cdf11020c89ca920b2f5c2ddea2e0a5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html

Filesize
13KB

MD5
6f56d1d5c7a3d9a97ed95bb4412f4fa3

SHA1
2a5d920217c1ad52d5e3f946bc7197cf1d38b6a5

SHA256
31363db50e9ccae79a8668788c66146d4aa22c9f22fc35a7a15bbff37ffd5797

SHA512
79d7d79c3ca98274ec03a89a2e045286755afc0539799095b3772578535edc04bc6e0955c7a05cd33cf401158170ba5676b93bb2e0fba7100f9bcfc4e0eb377d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html

Filesize
10KB

MD5
3f0e774fb0cae41241bf02d24f4f0265

SHA1
e6f59c619ee54e0333bb47fe5943f4b6774d0c10

SHA256
ab177edc7c8818530f69786f4ff50d443de8b95c14fb1b8116c94e2a8f310911

SHA512
090465f170793db88502e94cc1fe3de66c211418b3a0130c2947d4cef11a61efb78b11bf63999f71255ffc280b275eb87b7d1bfcbb9c45c46d56aac9ddc357e0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
efcf676496c9ecab67b2fa6acc6f2fe0

SHA1
8e55e1393fabe9d416f72897468302b2ae634867

SHA256
67c3189af6cd01283d6795cc1d49ef4030eb63bd292fe37c304f5453af5f578d

SHA512
21d029d59d4babb760bd83ed2ac028f3a627d65bf8896bf949f45f02976d31fe4a8b0ff791dab1b4b3f1f1a49201e5ce17254c52b6444b62b9dc0edf73e2a16b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html

Filesize
10KB

MD5
c210a559842541e6640a57e9e7a8517f

SHA1
380532069a6f1dc5456579bff5f914dfcdea3f06

SHA256
7a39593ba247a3fa934015ec6593144d2e8cf5e95226b3df77d6c00d4265f8c7

SHA512
a1902712fc498ace833a4792e79a18ad2a7a3e02286e383e73e8c6fa95159b28bf27234581b1a5448dd4ba9eb13392dcf1c2ddfac914b59de902aa5831c948d5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
d20cc3a1bc9331a7d8296f29821a3d3a

SHA1
99b86f6db3abceafb758b9370a260240c98545b0

SHA256
8d2519b31c23f62d17d693204f422714896ab6992815fba324cfedbca50e68aa

SHA512
024de44bc84d3c239aee7ab774e9d2e516958c6b927bf60c069e14bca46152be917c41f886399bcda990c4a209a8b0f1e16f03dab7ece700cdcd4366d3376e4f

Download Submit
C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo

Filesize
833KB

MD5
d1b4fe7513131b8be9175afe5e64a3ca

SHA1
cdb3470679ce22cf7f46d9350c99124467e9066f

SHA256
c46f6b7b7f0a6971f4e67383e60a32fb1e63d2273c659826f517372d5590345c

SHA512
b99e27905c4b36344ac538c7d5e738442848073b2737e99833a6683ebff4e447511ebcc1daea8689db95b6c6c9ccffddd4c105be579862408c6f3e02255b9de5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

Filesize
674KB

MD5
603953e2ad3fe4b6e8a7d3eb2ec1d30b

SHA1
15e31a851541ac548da4985c48b48fdce8f3fc24

SHA256
48289634290f89915a5f8dcb286f5365fc6974d6ad037b398981a2b4e3965ae9

SHA512
63f8dc816069d5971c80b2ddd05ed3143295512075030957ea411603068e5fca5a7b505dd2dc67d501e0e0c2c18a22de2160f1b47208fa4e82b202d76f04a4c0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
613KB

MD5
c18315b1acc1c49b5fc10bd90c78511a

SHA1
e37bf454eac9ae2e7076ba536885835eef1b3e0c

SHA256
7033e47309a049a3f9ea340ef502310fcc68ba47dbbdf81fe67b33cc59e5435e

SHA512
5a606bb48eba3cb3251ce1e31fc0f0b8ec5c29f69e5d7b3297151e7a01e37bb265c27f3306fb9673127434f716f574ddf0c116563b33a8918f4b21ce927f2d76

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
595KB

MD5
2e777bffc53c09d0c8a99da15794a2f7

SHA1
f25a0af3ad7e3bd09c14c3be82a2fc42374cbcdd

SHA256
97c155924ee096db1fd66da6c2ac0b9005ec50ba45f4072b3c4ddad7df60a392

SHA512
368c6927f09f16924ab28a8586433a8f9dce3389dcbc707a1c03d5037139e50b01311bce3c5d0c3b65afa5d00186cd438d286c0bc288e9eee532e49a4bf3669a

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo

Filesize
615KB

MD5
feccf23d6af073d1d83eff70acaa0a4b

SHA1
7ab13dc8ff0d0c5475c6598b15e6daab2f0a23f7

SHA256
fdda1662551d2e2a13d4910bf996df1116e0458ad81e2bb95d41ea2dd64d309e

SHA512
25119cd22e11bb1f19ad4192c3a567f0063be4a5471f9f9e314f947b180085704c7ad36cca4307ac08819af57e80d41ff83efe93d817ffffb92fbd5c19fea926

Download Submit
C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo.12D-4EF-BEB

Filesize
780KB

MD5
d27c67836eb332fb277f59f786d56219

SHA1
a9b4f716ceb6e2764f4e63ca5c14e8c954b2623e

SHA256
7582945f014fb6fbf7e36e68f9ed6a882b0da6abd269bd1a7793607dcf288d0b

SHA512
76131194ad87006b29b65b587e2bd29f642ab72fcf1f9ff832453984ed1901eb5bcdc15b9978ff99604a0fee8dfcd0cae73b37f3529ad5c4a5a0604f81de5d06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
2KB

MD5
e496751cd2219f672baccfe069c05607

SHA1
d43326345986e0c3a25bcfef2febf570a1794915

SHA256
272f89d727d01fec581fffb1a38e02ce025eb523663aa3e102f77ae9aa9e0f1b

SHA512
e84c7c29f3aa5b2184bd6590f3660ec3c67b5814e226f4f7c4ae9bfb11080ab0eb2fe43697710bd64beef869e368fa1ddd85495f7f92b0ff6a61a9c59264b5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
472B

MD5
d554992d4494a99ee1cb814b6a475ac0

SHA1
28f5679ab12b98f1e1cb1db81cc45d2e81bd7eae

SHA256
2305f09094b346b7d121fdf848cd807e31fd3d788e1dd12bab77963dd792c0cf

SHA512
00da55828c7237ce5086b21b0bbeaa73c45ce13b974fc5881e4390d78118721abe690879b21c7b638bbfba7c001d06ddec2db51bd287dd8d8c129f69ee7b2e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d8e9a72a6c3f0f85aa9c1191fd7f475b

SHA1
6ca59986f7442dd4cc86f8d9ccbbe60bf0bb5521

SHA256
7be0516557405ce6902e0029557412f8c439745532018adc581770b4177edaa3

SHA512
186de583be2ab6928a31ca38fd6419437a26a3c7c75c854818ccf48ec6d79fa76902cb1ed0168772d4aaf817a26263b8f0a2d9dc338d86d5fa2433920fc16bd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

Filesize
484B

MD5
551607aa99cf7f67422cff329174e819

SHA1
a8fbd6972eee670b42be3e549b5c0e5464d0dde6

SHA256
78047d182616614a6e1a89abdaa6daee3c136594c4f11cce64965e1397833eb7

SHA512
0770d40619f2982e4f0835d80c156929074342c5034ca9adcd014d02a89d1fbc166b179757647d1f4fb81c6d64dab8ca2ae66cacd70425ea862d38a614566889

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_268232F9B7ADFD0751C3D83F667CFB78

Filesize
488B

MD5
e135a75e4791b9ee0d907445e330a016

SHA1
fdba67048581b5babb685a3251031234c71ebac5

SHA256
f315c261d26df5f7abc93ae6419cc294aa5e1b93fe92bfec9f20bd5192f60808

SHA512
96955237064516fed6fb0bad1bf2c1c468c49e9d02dba3e57bef5149f35054557e3949f15e128309aca919e75167a834b3f844e4617171eff43dfbf5f233de04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e27222572d7f9e389a067a850c630262

SHA1
7e2d1f267e1be5953d99847ba034d801da7a5689

SHA256
08c4a1f0cd5bb320222feb10b822812388c9592e6dc91c043aa5a2ba2e89a586

SHA512
d1ee703017d38b8b71b5b442d6525a58d3c6ddb27a0fde41b629c185123c4520153666270b9360e6fbfef83f2b8d344f6fb002c0046b298e8bab6e201ac92021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
e56e24810f5913771f6788e2701cf7a0

SHA1
de478d3191741b25bce86be039e9db57e2901a3e

SHA256
7164ffeda42f3c6a5acff327d8c8b01fa7f9456ac291b9788cf8191002d1a122

SHA512
ba6a73946c985a7516a904489dbe09087fba389db0f9fc66f65372a0afcf4b4b0711f31a506799c465f7515ee99e885e48a40a580a978c9b9f901a0631561209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\ZLN6AM13.htm

Filesize
190B

MD5
6ebbeb8c70d5f8ffc3fb501950468594

SHA1
c06e60a316e48f5c35d39bcf7ed7e6254957ac9e

SHA256
a563426e24d132cd87b70d9cb5cd3d57c2e1428873a3f3eb94649cf42e37b6a1

SHA512
75cfab1c9f5a05c892cf3b564aed06d351c6dc40048faea03ae163154ff7635252817d66b72a6ef51c4f895eebf7728f302df51148acce2a0c285502bf13652c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\P8Q3NNJU.htm

Filesize
18KB

MD5
3c9fb9fbbdd372a9ab7f4e11cde5e657

SHA1
06f7b35568d81ca65e30ac213ff1031220ac090f

SHA256
f363ad44f70cd532e08a53e7ea0323f68d2b58b448349034ccc3dc3b0a96296f

SHA512
dd585b080863512a9a933e39d7542b13b3501f43ddfbd153e266964c37846e4d7ebd798512f705457c2be74a80a1d0aaf98c11ba5e6c2ca3f07f29eee1f68fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF9AC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF9DE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\BackupDisconnect.docx.12D-4EF-BEB

Filesize
474KB

MD5
33db3fa688ece616c2eedd3270dbb073

SHA1
5643849e0926b43c7550585eb3308052047f1666

SHA256
450942b18b9198612222955c5854a8a66dffa8891ce2f6b5c8de616206b0247a

SHA512
3180c28e49d58ef6470873fb83d1d0e1eb729ecf3f21bf9e64d5d8a72da879c3603ecfd1c09680a0ee3c0b54c8c0f77565d5b2779cdaa6d2e4ccf225062f54de

Download Submit
C:\Users\Admin\Desktop\CheckpointFormat.svgz.12D-4EF-BEB

Filesize
524KB

MD5
ba75532a753448e8b0aeb17fdbf8c075

SHA1
73267bacada8399d35ff7b63457acabcc7a21c58

SHA256
1e7104447855f2cc72322f6a1f48e9ae711fed1f684eb68a0b9c1e40a2ce147d

SHA512
203fce673870f81dfd3792fc66f7961042dff4a02da14ec286220dd574ecff3248b6cb4cfb61189c1e413fd9b2ec2ef1d190cfc3af6d43023e3cf6e5b7d8aeb1

Download Submit
C:\Users\Admin\Desktop\CheckpointWrite.3gp2.12D-4EF-BEB

Filesize
623KB

MD5
f192947fd4ff732c07cab6aed6d04e31

SHA1
c6f6d727379c2c4311205ca5854f484f330684c1

SHA256
d43d74fb03d288fca64bc5041388c49e5cc90e515966eb0230ebbaf05eca97d6

SHA512
c5a0768b795f73e74cc2125905dfee1d4c09b7b0cfb8b0f13ea316e1141fa9bad3e34938fb3bcb61c12b09ce8e8f3c8f5956c965e696d5b86489ab2bdbab1901

Download Submit
C:\Users\Admin\Desktop\ClearGrant.7z.12D-4EF-BEB

Filesize
549KB

MD5
4448f4a045dbce5cff688c71afeb75bb

SHA1
8a80658cc2e7d2c882283e7ace5f390797d3fa69

SHA256
e260e1508a2c704bbafe2344a2b790e5a05c0b09a2e295d1049beeefe5ed700e

SHA512
23e5d57c060485766560edb1aa24d9b03b59e5ae18ec9562f6995d3cb402f88f13ab8849af9be3cf707b8997fbeb77af717e9353bfcb0c09820ca986b3546a51

Download Submit
C:\Users\Admin\Desktop\CloseProtect.svgz.12D-4EF-BEB

Filesize
325KB

MD5
6008f15242111903e29969fe4191a767

SHA1
62ce670c010eed3f8b8a68857453805666644e47

SHA256
76e28ca90ea67629bb7ab18c5f31cfe364426ef8fade615b05449185dc5ce8a0

SHA512
41942bd15f14f261bd893721a74e54ced68debe664171fdcfa887198051b35a381100e0329f901fc978a163179836d9ab3fc2af0e981dfe76d9e7c81a9e6beb9

Download Submit
C:\Users\Admin\Desktop\CompareExpand.dib.12D-4EF-BEB

Filesize
499KB

MD5
61f79f13c4eb0d2919d85e37363e7de4

SHA1
22d63a7b75ccfa11c76b40686ec7861eaef651a8

SHA256
48d054651b656a6e68020fda6d44c1b53a453e5080bcb9d9e40f33c9f817ec4c

SHA512
d7ce66b39865da456368214a8099e6b62a1dfb0abd68e1ab4be66272948baf64517d48a46af3d9d7fa5cfc587982a252a15141d372a6368578b21e48b9b0670a

Download Submit
C:\Users\Admin\Desktop\ConvertFromBackup.xlsx.12D-4EF-BEB

Filesize
399KB

MD5
29f9d964b0bd57f0b8d827ab0a4f562b

SHA1
24f7e13fb932552fad1d75a7434911a5c4b24e9e

SHA256
845f327166831194afc3e481f3866005cc4d460552137fa07dc1d6403e17a36c

SHA512
445090904757e1d4b532d9cbd89b2c98f34c78b569d959a30bd3b4d2eee56ab4317e06776e138766a878bc9cac6acfad5321caa970be9c9d59bbf124dd84824e

Download Submit
C:\Users\Admin\Desktop\ConvertToGet.vstm.12D-4EF-BEB

Filesize
449KB

MD5
8eb3073f890c53b013e8c7e3f5aba816

SHA1
1861bcffcc38f5d649c764620d9e746a697f52d7

SHA256
9c609f64975400a17de2dc45b7d36fdc855bbdf689031f33bcafbe91ad286a42

SHA512
06e23098a3a4eeb3323ec7f3ae2b118a521a858569790264c23c82c27931b6bede032fb740471260ac3c4587cddfef04eaee43a823d810ac9637a108018667d9

Download Submit
C:\Users\Admin\Desktop\DenyTest.mp3.12D-4EF-BEB

Filesize
574KB

MD5
31f1782a5ff6d97ee82ba7c0921d57ee

SHA1
24bbf68cd476c927b410669ed894b6b6dfb14f7e

SHA256
06792ae0b158e89f9de16b9f4f3debc8436f7e574196d03f78b1cc797b71ea56

SHA512
a88a1efe4c90962291b2340cb7400941ab6edc2b3b2254fdb4e2629dbec79236b6ff25604fc24c3efca27a24849799f83d4cb8042308f919a67498141ba29f6c

Download Submit
C:\Users\Admin\Desktop\EnterResolve.ocx.12D-4EF-BEB

Filesize
673KB

MD5
aab7aa711abd93bf1e9f77367157dc25

SHA1
b0c524dbf55b5aa0e3b1e22a58f77ff4f7afc5b9

SHA256
bd41d1097981d57d1b602b950b6585a9ade2183f7c877f6ea9626bd3c7e0b7d6

SHA512
5ef127a015b5ee10a407b62d7026877c7081d336c339ae3eea8c7abf0491ca95bcc33cd11f739741cf25708615dc4e22ea8ec09a5395ea7cf5b4610cdb67a278

Download Submit
C:\Users\Admin\Desktop\ExitClose.docx.12D-4EF-BEB

Filesize
300KB

MD5
93fa971b193a826c0abaeacc8e5a87d0

SHA1
f7f152476f6cb852e88c616fee8957deabe41968

SHA256
c10bbfdb9d83841deb40da776aed5cf8e73b42e872da363cbfccd46499414967

SHA512
ce644fa90621420db30c06537b990f0a02d620d9607882044a2195671dfe75bdf0824f15744292062f4b49b9cb6c220fe06f8bf50e49d24845e163a3410e7e44

Download Submit
C:\Users\Admin\Desktop\FindExpand.docx.12D-4EF-BEB

Filesize
17KB

MD5
d3aeec0527da6a121bc51c301a1d490c

SHA1
13dc0eeb37284c4295e42e64fdaec9a932031f7a

SHA256
aace7bb16ebca3d23cb9f368d4685fcb1855a89a6b4ccc4adbb80b4858b80a90

SHA512
37feb35325964c8022ea32ecb749876da5ca611b4d414b009e4d920f8e85eb2283f9fffb9cd747290563435710d37f9a600077119b9933fc80d1a13bbad38e6c

Download Submit
C:\Users\Admin\Desktop\FormatSwitch.wmx.12D-4EF-BEB

Filesize
748KB

MD5
8f5dd450ba45acf9e0d2f984be68b16d

SHA1
508dcf2b6e65f7387bb2310261d6c2d80ada77ab

SHA256
81dc172da5f2266d09932119385736d1e7a9e1923fdc13722e3f0463665efc99

SHA512
594a75f4170c2b925e95bfaead7c2ba24c2692458a056de0d5680c70bdced3cb9a9e0753c20eab0c487c8ad48a358fe2ed2d7e2a60f69bd92e2a87ab6bcdae9d

Download Submit
C:\Users\Admin\Desktop\GrantHide.cr2.12D-4EF-BEB

Filesize
598KB

MD5
33d1529ad8da68052c757829bda1dc48

SHA1
e2ddc02a0fdb9f224c0f41cd817164123972caf1

SHA256
35ff02fb9fccafdce0c91be94089b1183fb1f4cb5560e4d4b6ad2702fa804624

SHA512
3b2ab285fee5e9a1d5a7103a019dd918ad76448857844d2d82cef5d67889666c6c5b08104f720449f611807331e23e7d0186c140db4b30f226e0cdaa54a4034d

Download Submit
C:\Users\Admin\Desktop\GroupRemove.odp.12D-4EF-BEB

Filesize
424KB

MD5
b714124949381894c4d86293ad1aa722

SHA1
bc40a6c9818e5edd611fb138dd47a836c411ee38

SHA256
4e88faab98d1bb4cd29ab89b58b18dc4d20f674f19b9fba9c51cfd738953fa04

SHA512
bc73b57441d14f76befc05d47d14504fbe40c3c07129fd501b52d224ca59271e08a903d9d16d5623b0c0dc5771759d2ea616db83e832d260e6bd8d3d8bf7119f

Download Submit
C:\Users\Admin\Desktop\ImportSplit.ex_.12D-4EF-BEB

Filesize
723KB

MD5
50a4e8647d3cfdafde7c4ec3f449a15d

SHA1
d3d4952c8b0a8f7239115b896d3b7e28e0411e85

SHA256
706d15cf39164c7eedc9e36974150457b4d1db61ce4b531e8857ebac7cc95b3f

SHA512
091c5e1a487b1851231f203be26e5a4fc5b3342e9f498db0421ff86b36723d3396a68949f2eca1efacb40a13daf83026a34282648b6d12440bf7deff5fc6145e

Download Submit
C:\Users\Admin\Desktop\InvokeStop.xps.12D-4EF-BEB

Filesize
847KB

MD5
9cbabaa652c2d72b3da8c30c79e510ea

SHA1
ec506a1ee562e2a53abaa16f91821e7d13df1786

SHA256
b644040142b74ab03c97fc8c57a66838645c4adafa9045333086ddddfd3a689f

SHA512
062779667d30768e700c511f3b58709ca24a7b9ef3483aa29207a4d5206bad3e3735099a6a8d2a342e4deb01bc1ba7b387dc515fe264764b7eccbeca1e4bb802

Download Submit
C:\Users\Admin\Desktop\LimitUndo.ppsx.12D-4EF-BEB

Filesize
698KB

MD5
33a72e2687334328dbda19ddb40404b9

SHA1
30a212753024d27b4d1b434260a5ea78267dc174

SHA256
c9a9967ea4ef48f0be959673c3d9c17c725121d3b6a2009d3fd7e4e69f7d6be9

SHA512
25f14403be080fd4b9b73a2007fcdbfee9f2a15ddeaeb436151ac5fa72a563802929127482bb7daacbbad4f5f8208ae16b4ae88930d60d0c2af54e8ec720b582

Download Submit
C:\Users\Admin\Desktop\PingInitialize.htm.12D-4EF-BEB

Filesize
773KB

MD5
cd3b429f2bf91d8e5c4e8413e77c3220

SHA1
e0a1f252b952bf2dbadfe8bed66e55f38d2c7837

SHA256
c28307a70cbecf0bea5bf64af827fd2d0d0b3032c41a733d490e4578f7c018e0

SHA512
95e3657c9f0b68a482c0568fc5b229a44b8502031bf216dc21802dd2b5c2ce63ac06b5825d057298bb1c63db69b101e790364a3fdda33b0fa6599c8f7f4a5f52

Download Submit
C:\Users\Admin\Desktop\PopSearch.WTV.12D-4EF-BEB

Filesize
798KB

MD5
1247e3d7fb388d6dbe75584270f2b9d3

SHA1
56dbdca825f4e85375b2f69a4d97cb4853207bb6

SHA256
519f8aed018a4a5188388e9b4ce5d5d479e546d05a6f88cb0716f5debbc567e9

SHA512
ab51098c381a02c382bb7415546ed2af3cc3d77841083fb7a0e13a670b7f77b20bbfe84eae91724f73f65bd313ecd792890980e0d9ca7f394d4d89b17d6b68eb

Download Submit
C:\Users\Admin\Desktop\ProtectPop.xlsx.12D-4EF-BEB

Filesize
12KB

MD5
38b4789284ee55ca17513c39a2e6bdab

SHA1
f852f802b9be5c58ff6cae0bb9794091a95c7aaa

SHA256
249fb3064b6377b09c15688df2a0a7f8909fadd57aee10f1a1a8c18c71e58b34

SHA512
cb12dda6397db74f0dcde9185ef858631740338cce9c0100c3eacd9c2fad1293bbda04c0ce798b180fca959722d63676f6446503a6efeee35654318cb0e55862

Download Submit
C:\Users\Admin\Desktop\ProtectUnpublish.docx.12D-4EF-BEB

Filesize
20KB

MD5
294cd58fde9ccc05df516d95edb1b4b4

SHA1
8c23ff9a51e9a852ce2a205944e3a64b8c076ade

SHA256
1fe21e16cf58adc22dea1c07ffb1600c541a8a0e19254e2699a8c66256c7589d

SHA512
b80970e1582c2ca725bc8cbd777c77c198aadf0e9a7f9457460b9907316241a2d41d3baaa19b43dc781fca2c8df4d9fedc4d03eea0b4168005c03609b906596e

Download Submit
C:\Users\Admin\Desktop\RepairEnable.001.12D-4EF-BEB

Filesize
350KB

MD5
4d5296db7291211e640611091fbe2eb4

SHA1
420c56b3f984b19a71d12b76ac97d8cb314769c2

SHA256
f268eec884767da3268069370ae7a67d1b682b5bd38f37be88d306c17162aa34

SHA512
082d046875780a2a133c2547a3c2be6fb73f19d3eb837a30107b806be2077bb3938f3e81cad5bec900f3dc62571197fed9aacde47016bf18515960cdcf37581d

Download Submit
C:\Users\Admin\Desktop\RepairShow.mp4.12D-4EF-BEB

Filesize
1.1MB

MD5
fca19ca6452e8383166739ba18306066

SHA1
0a478bb7ce00dbad986dcb4f4bb91e733c419915

SHA256
ea9d6643aa636249a3cc3997a19364648559e25c1912764da0ae795c0736dcce

SHA512
ab03b959da911230d5144bc388bb70f707fb16f255ae34ace1a550bf676727eb135b17927f46dc516721c3140da4e6853e53b8aec595d06dba53e5b4720788c9

Download Submit
C:\Users\Admin\Desktop\SaveCompress.docx.12D-4EF-BEB

Filesize
18KB

MD5
7e80632aa79a06ba945072215b9269d6

SHA1
17dff2ed5595b80ca18d850a118f28ee987ce3fc

SHA256
6b309d7c28575df12f903780588505d69997bda13a1cf71d7d161ec968061977

SHA512
f3003f91a206584b896121fd6ac328d0353b64687a178e207d5f7e5d6e18b442a3286b7b13019b25515e20011b3ae7ec81a8201f5439880d1341f97ade88db24

Download Submit
C:\Users\Admin\Desktop\StartReset.dwfx.12D-4EF-BEB

Filesize
375KB

MD5
d71755185b598cd587c4f70efeed3e1f

SHA1
4c363103d2327ff1cf31c9224e5cd5241255c33a

SHA256
719ea5b9e02c514230464ab1b761fdd890d4c7d857082c8378374a69656d6c0a

SHA512
f7d2829749a899086668c7c7dbf7680ee4643052d7d6fcef61f32e64766a7d759308aa9f8a67b7e21fa962d245089ef0d5fddc2bf814f4e1f9f0bf5ff43ea0d5

Download Submit
C:\Users\Admin\Desktop\UndoBlock.pcx.12D-4EF-BEB

Filesize
648KB

MD5
f86ed25db53714d4258bee5e21d003bf

SHA1
b98dddb4ecaec693bc3168359cd3a143a3e6961b

SHA256
ffd93b9860c79ec821a4f74b7b204c735bc98a05470be5f38f1d764fe206db87

SHA512
62a11fd17b2568bf9cdba49bc1770ff175795683b38cfeb172265ac9050ac64c40c161ba0e7702f59f3e9704f5a286fd5f5b4369610d989721208ddccc600999

Download Submit
C:\Users\Admin\Desktop\UninstallJoin.ppt.12D-4EF-BEB

Filesize
822KB

MD5
c4e66736dbcf3a035790e4b5f2348854

SHA1
e13c0abf3a2addef7b3daeb95eb2147fa3f22f62

SHA256
0a5d1a3192cc9807789aa9dc48925aabff0e46b20755e1b5dea06ec641986b27

SHA512
00f03c74dcc0aa2e07792af6a2d2c502249f5523bd8eab2b442b46ada63268ea48bdb224e058ce33eeacbeedcb3fd5e9aa45e44f4d3f91bccf70dbac695c7a2b

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
06f3788b6a79e92c937d96b802055096

SHA1
c365739249e0bd9d53c4131cf993e06e1f0bd67a

SHA256
6a8d0e5b181096c63b6ff5d41085b89194bd4f6d25b5e34ee06c70df07ba0576

SHA512
74bf86178b6b79cb728725d8d440fbb67a4bcecd89d30a75e44c4bf18e658a15efbb8ff037fd492dd664f5d0fcd29fc56eded3b340c64bccd9a5a3d66fe53ccb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe

Filesize
211KB

MD5
f42abb7569dbc2ff5faa7e078cb71476

SHA1
04530a6165fc29ab536bab1be16f6b87c46288e6

SHA256
516475caf3fbd1f0c0283572550528f1f9e7b502dce5fb6b89d40f366a150bfd

SHA512
3277534a02435538e144dea3476416e1d9117fcddef3dcb4379b82f33516c3e87767c3b0d2b880e61a3d803b583c96d772a0bdeecbfc109fe66444e9b29216af

Download Submit
memory/1688-30444-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2024-98-0x0000000000C00000-0x0000000000D40000-memory.dmp

Filesize
1.2MB

Download
memory/2356-10923-0x0000000000C00000-0x0000000000D40000-memory.dmp

Filesize
1.2MB

Download
memory/2356-22530-0x0000000000C00000-0x0000000000D40000-memory.dmp

Filesize
1.2MB

Download
memory/2356-30409-0x0000000000C00000-0x0000000000D40000-memory.dmp

Filesize
1.2MB

Download
memory/2480-92-0x0000000000280000-0x00000000003C0000-memory.dmp

Filesize
1.2MB

Download
memory/2588-72-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2588-66-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2840-4410-0x0000000000C00000-0x0000000000D40000-memory.dmp

Filesize
1.2MB

Download
memory/2840-30445-0x0000000000C00000-0x0000000000D40000-memory.dmp

Filesize
1.2MB

Download