8b0f9d248e67199bb7f1a778a03e4caee7d267e61d8a7d70fa1c1f6d7944e96a

Analysis

max time kernel
1561s
max time network
1562s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
Size

377KB
MD5

09963f553929ef4cced4c44e8ec4e9c2
SHA1

502de64ee4fe0133a1ea5efa4919c03bbca1adc2
SHA256

fcf187d75ec63c7bea8a45b18c558418bc0d1502cf01bbee76928e122c5db6b8
SHA512

84cb5fa5e485f07703008c2da9de45654b750df9457752c584270c979f4c06d097efda3920007184f672f309ba909c9e801cb3399ba58f385e4598fa195d3d3a
SSDEEP

6144:ILsgG5ppzgGwDdGtfssKkz+LLf8LRaLGYeCHs4pmGnu0mfLQwsDMc9aPtb88fm5W:MDZXx/msXmjxa1aPNWVqJKoplb

Score

9^/10

defense_evasion discovery execution impact ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2588	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

1.exe

pid	Process
2712	1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 27 IoCs

Processes:

502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe

description	ioc	Process
File created	C:\Users\Admin\Saved Games\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Admin\Videos\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Public\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Admin\Links\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Admin\Music\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Public\Downloads\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Admin\Downloads\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Admin\Searches\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Public\Documents\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Admin\Desktop\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Public\Pictures\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Admin\Contacts\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Public\Music\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Public\Videos\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Admin\Documents\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Public\Desktop\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Admin\Favorites\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Users\Admin\Pictures\desktop.ini	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\638678395792104000.jpg"	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe

Drops file in Program Files directory 64 IoCs

Processes:

502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR8B.GIF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239953.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199283.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\RESTORE-FILES!638678395098528000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0197983.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeFax.Dotx	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\RESTORE-FILES!638678395623936000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\3difr.x3d	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_ON.GIF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO11.POC	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\logo.png	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\RESTORE-FILES!638678395614732000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.TW.XML	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\RESTORE-FILES!638678395610052000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00176_.GIF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRID_01.MID	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Paper.eftx	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01468_.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RESTORE-FILES!638678395188228000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00795_.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SAEXT.DLL	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Executive.eftx	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18231_.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\RESTORE-FILES!638678395179336000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee100.tlb	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS11.POC	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB6.BDR	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.DPV	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18180_.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\timeZones.js	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\RESTORE-FILES!638678395189632000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153516.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\RESTORE-FILES!638678395509432000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00276_.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielLetter.Dotx	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\RESTORE-FILES!638678395619568000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.DPV	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\RESTORE-FILES!638678395604436000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime.css	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200163.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPST32.DLL	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\ECLIPSE.ELM	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\F12Tools.dll.mui	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEB11.POC	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\RESTORE-FILES!638678395622220000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\gadget.xml	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00913_.WMF	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe

Drops file in Windows directory 1 IoCs

Processes:

502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe

description	ioc	Process
File created	C:\Windows\RESTORE-FILES!638678395768548000.txt	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
872	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
568	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
872	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe

pid	Process
2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe1.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
Token: SeDebugPrivilege	2712	1.exe
Token: SeBackupPrivilege	2064	vssvc.exe
Token: SeRestorePrivilege	2064	vssvc.exe
Token: SeAuditPrivilege	2064	vssvc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

502de64ee4fe0133a1ea5efa4919c03bbca1adc2.execmd.execmd.exe

description	pid	Process	procid_target
PID 2612 wrote to memory of 2712	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	31
PID 2612 wrote to memory of 2712	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	31
PID 2612 wrote to memory of 2712	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	31
PID 2612 wrote to memory of 924	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	33
PID 2612 wrote to memory of 924	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	33
PID 2612 wrote to memory of 924	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	33
PID 2612 wrote to memory of 2264	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	35
PID 2612 wrote to memory of 2264	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	35
PID 2612 wrote to memory of 2264	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	35
PID 2612 wrote to memory of 2264	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	35
PID 2612 wrote to memory of 2264	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	35
PID 2612 wrote to memory of 2588	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	36
PID 2612 wrote to memory of 2588	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	36
PID 2612 wrote to memory of 2588	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	36
PID 2612 wrote to memory of 2588	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	36
PID 2612 wrote to memory of 2588	2612	502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe	36
PID 2588 wrote to memory of 872	2588	cmd.exe	40
PID 2588 wrote to memory of 872	2588	cmd.exe	40
PID 2588 wrote to memory of 872	2588	cmd.exe	40
PID 924 wrote to memory of 568	924	cmd.exe	41
PID 924 wrote to memory of 568	924	cmd.exe	41
PID 924 wrote to memory of 568	924	cmd.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe
"C:\Users\Admin\AppData\Local\Temp\502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:568
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\update0.bat" "
  2⤵
  PID:2264
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\update1.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RESTORE-FILES!638678395058592000.txt

Filesize
2KB

MD5
02b742180a9c6b3b4f8666b3c5a9f549

SHA1
e5f07c11a1f11b7061c352c80caf01c83bab8529

SHA256
30c99be0959dd852afc7118e2ecc5f2f732f53b4ae792fb5e3b457df47b5ca1d

SHA512
630dac8f77754d058863b2414b08c35ed53a47576ebba829a3225558c850b44be856993e581e7faf16610fd5574a346e27ef6468729d74efbf15cfe53919c493

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML

Filesize
582KB

MD5
bbc29c584f98b324666071c6c5b7f4f7

SHA1
813c489c3df8007e9189a5c74aba5bec699bf08f

SHA256
9c8c162e5f941e12f25675769d0ecf54430784d9ec7b9e37c331885caa2ada84

SHA512
a9204d288cb1e044ea9e466b7618faf92b9832c82f907b9c8b47d9d8b3f8ececf8fef473c187c81959c9e8e8cf8b6ca2268931a47288121fbc32208f8969d796

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
352B

MD5
9d1c7ac6c18a9dd80d4fba4d3d06decb

SHA1
4c8403213f47603a00db6b143bfc960ddd39b147

SHA256
9dc2d4565747d86c3b94a54ecf7e0367b92ced63d371950884c659627e07d493

SHA512
2dbefdd469e72ca0d716f74906189156d37dc18aaaa563c5b58e3b802b406416d3c0b416b0594f1c0a72649cf41c022dd015c57cfb6a68de73ea2fdafc0cbcbe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
224B

MD5
f4a6c633fef3a94d02da12b6dfbe2390

SHA1
5380509de13fa54783ef2b22f39f3dad30dfb775

SHA256
fecd57ab51e624bd2c718e0216de117c9c83ceee47a1d3066f2a9200814dbce0

SHA512
f1c668920de735fa2fe2de4776e0222050cae17b1222b88a89091b38599507c32d814dfa8ff7ac73f924726d4beb3c3c7a2e20f43fac25b9b715a4eddff609ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
239KB

MD5
6b69b4754ab698b9092ad399321ecffb

SHA1
9488b8a9bf17b77f500cdd8576c20639ffaf3f2b

SHA256
a636aca8c63f7738254c640ee0c3d810fe4c27f5bbc6ef4ecaf12993b9e777b5

SHA512
79fba105d087ea47cb8726a287971c4b93b043a363fa07e13b46ba2cce094190e6439a42b32205686b777ec69083c0869c78dac3ffde4b844d4ad998e3dbbf55

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
145d115c8ed61e1c2526e271ac4033a8

SHA1
a4ede31eb705376a5b41bda4c1bc936b8441cd9f

SHA256
c548ca021895f68c532bf4e88cafcb8695f95858921048f26e6f1cae51876f00

SHA512
36a65dc6abc429d055ce3c085f62cfc44ffc01bd769fc03a951f2193918c05b65c54f31433ec5d64d855ccd06be240cc864e378f21e4b6920f932ecaa93f2885

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
192B

MD5
c3aa5ad7c9cfece6f3bb8bf007c45620

SHA1
1ed66d5e30256509c5b74173ece5d74be1b1fdbf

SHA256
b585b30365c7bf0075bc156145e6caf53a97188bb0a839bfc6300a7cad587290

SHA512
3b48b1df608eddfb319433033fd13bf5976af3ffb43ad380d8d6e0315509cac1ebe87c95d84e2a4df220cfe778006e060478fb0df5024cdd75c1ac4844c0bfe6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
512B

MD5
204a2501c6fc761a5ba425d1da505cff

SHA1
f5853e42026732fe4c6dad0c32c83bf4c238b03d

SHA256
7c50dcbcf48137aa8d3ab1519e730490fb5b330b6eb6a70b29264dbd1e95b70e

SHA512
99cb8fdb0ffeee46b7d011f28491967b6c0a5f84a649d22c7478ae8f42808ba29c156cdace85ca32d633caaccf9a58d720c4590619f610560bde2ea3bae224bb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
bcecb6d0b50048c0fe02a71e22b6485d

SHA1
af2ce4a5f65111d0d3b7c0f740317b263020360e

SHA256
65b925d9772a57b13e5ce3b941c2326133cb2ecec9f31e2033539cea950fcdf8

SHA512
ecb18e59e3eba855090457210d045f81cdba21c702a876020b86405bd3f75cd069eea465b69992e289648e6728d257cc4cdf63ef21e70eed36d4dcbf8b007688

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
fd40ae837f5b89c1ff422d0c373f924a

SHA1
5f7c0a392d76ae31c71fcec97fd034f491691f42

SHA256
f95ae7058b7a910d656bbe9cf405440c8c555a8a10e708b663be60802dbda8f3

SHA512
4c67a164df549cf4c8423614571554e9876c2b3f40094bee5a065398536675abad4bda105b62cd10d44755a398f864d31d571026b4c1b4770b2e20b458f41831

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
614d85c60c55d85ea7b473664144d0ee

SHA1
4582219fc48e14e2d12d8dc2aec809270faf258c

SHA256
a0b24fe0bdf65ff7b09ed7611ecae1dbb3bbc79ac774e04e1b1253a7a1acadc8

SHA512
4d3eecc09b1e2bc7d42eab7939168ee22c4707790356e41171055eb5062f2cb283d27402ee1ba41f3d833270abfc186d5671bb50b5eca06cb615c7ae4eddbd58

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
15cb7ee4da8f9c0cd7d8a2a68381d785

SHA1
eadb2513855d5364685802438589383397a137ca

SHA256
832a833c32bf7b400df6e4f6bade5e9f84bff1216a04a177776f1aeae7083619

SHA512
9cbeb8dba18ac4e1d335ac5f563e32861aa8157825ec01c40b773c6671897bc4557cda04430d15726e9c5fceaf5f7253ef8925046e4eded929370c17ebb0e6dc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
7326ffb8a4a5361e8da347ecf07a30f2

SHA1
fb996c4bef1efb3fd0d6948dac17d059853b0b69

SHA256
08c885cd5df72675433002963afd737009bd5d630aa5047c9546810d267f53c2

SHA512
2bdd7699494b475bcc90f9be7334ecc0f7b87a2260cf843324f70eac6be42b004f33b1193e173671b3d369968d98b945358791cda9aa06468823373566fab591

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
b33c26d85e7e9eb7974cf1684af3c0e3

SHA1
4e3e1a81b18c5705156033e83ca90f74f82609fc

SHA256
450915446c5acd556287ab7146d34e680913a03eaa82d04e6a2d42e74179a762

SHA512
09e54ef0efbc17a86adc34e74e80b6e7ae49ea4d9d38be627ec1808eeae1b1dfaba70da7609169c095a971f4f201cb4598ed23e03f7dd36a84be8e95ceff440f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
a260656bf0ef71343f3d21e32982155f

SHA1
cd166bc921c38c9f42f810d5e0f491c9a46c817d

SHA256
2d258a2c60212247bc22b3cbc7f2522f189eace965426eca64939f826be85298

SHA512
31a6b904e9d4a899d8c04df0f28402b24c2b27a2d65c13f503955f7022ed6c1750d61886472aca293f2f9669ecc5b0bec5fddeda9ef80373d6382d5075f4c371

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
8ccfa59a2ac04a5643a7ae6ce4b4e1c3

SHA1
5a4456c8f06f2cbcc4b91c6aa5dc656199416ebc

SHA256
4ed0067cab2b52ba8e9b9fb38e70cdcd214c4848a60f431f67506f3e32989412

SHA512
bc31c08a263dc4a5b0be4e22d539931c607b03df9ebfad34e41c09d2600b7e9266820700bfe5ff22260cd19520b54e19d17de53e69e6f208cd4d1a53595ac7c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
68f4f2af266f95f69099e5b5fd53d10d

SHA1
37d67b0ee2457c6b80a4fad5450a67cbd3c64388

SHA256
0a081cd8b84c5ed8137e378a7e87c4969b05d8c357766e35d120174b8bc7f006

SHA512
6eb609c7404fb16cdcc3d954d478bfff945cff34feb59bb17fbaa34d2a59bfd0490258cf25fe672a28ed84dd7e46eecacc8a50cde39c9c3a8f7fde0e9db75978

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
0969753d91a9fdc51c4b9bfb4e261cb9

SHA1
e580a347abb5d8495a333b0a66d43cecbcf1dd17

SHA256
d0c5e1451b66b82a234317cb5aa2f561d5713b4bcf117a029bb61dff6b072ed0

SHA512
b9c4016e8897f13287046f81483c6e0514f70e5f4351298692c2e2b7a36af0f13c5b407db27f711b038fa40bee20fa22096a0dc42f6dbd7849814252bca21b7d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
65fd0b16622ba510fe25eb815fa95b6d

SHA1
0aff56f10493bd9c051ec82e6eb70842787530eb

SHA256
aca051982cdfe471427b86ea71c8da9b8d89baf17a14d6ee4e5191adee5abbb1

SHA512
c4f3c61e5dc2954e5ab1a4fefacab59ecf0864542b977f6c8910820d109338ee05bd8e0d27853423f360c3799d1a195014428ca2d211ec039f551a1d026c6549

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
d6f6ef9deb6947c7ca97bbafa5c842ec

SHA1
0978aeb3a38dacb28c2d8b60b861fff2cf8a9009

SHA256
bbf892751585eb0f2663d4e0733716deb76c935a5030b35dae81fa049d0a2363

SHA512
d3d0d3fe6b2d6459b066dc74f74d12063beeec28eb79b02f7241e636fc3c0dec876c5805a85b4c6ec016b5298eb62330d5d4dfa1fcfaa3f53f276a8dd7f7986a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
4b7f05099c3764d70fc988b7345ff47b

SHA1
b90d1dae228a734e017527caf55ce5512a9dfe4e

SHA256
45ed938a9898ba1c7860c82cc09df88399f5acf61af2c028181f518c0e308f17

SHA512
21c0b6332db08d627a3752e583b0f618c530a838d2ec5d8819abe4168de37476c9481c2f1f26af0c2fd9e1260dc698d22ed2b16ac7efc29abfc8a43336dc2311

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
320B

MD5
8dc1cc2c00cb4e2b57d0f4800da9c6f5

SHA1
879a4a37f73a204bad5c74e47a6b26d5535dd526

SHA256
ae50fff7a9a88cd133d1b223ec479d2b86fb97966a638dfe2f66455c9cd0bf0c

SHA512
4f3eb6f8e2ae304dc9d1b8fd606acd279b6db37c549821166c552e1c43e2f64b15a99d7f2c60762ec9c908fe0922bbcd2c71a07000f5f8c8f27304401956516e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
abc58ad29cde12bf403ca0e4143b5b6c

SHA1
6797068927a3a73ffeac824deaf4c90ad497b05a

SHA256
6246c078b8af2fd608d91d49b50a6d29a62c54aef1fa4c00fc9b16860017c187

SHA512
fe232dae64e58c106b5bceae80c546769daf1dcc1d16cd2880c59c1e22785e202c3e9ca2586092a6861736c46e53768ce3becef3006bc58f0153db37161de6a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
256B

MD5
b528c99da6e2eeea3433194abc60a555

SHA1
4436b39b3295199d84998ea9a5c9d98094459221

SHA256
b541ef5d28f6dcb69269cb7f61e6848d5381440d158b61eb0da7885c388b59c7

SHA512
1b247f34b34cfb7f5c9a68efc8837fe7ab6a52a0082baeb18ca59ae11cacb3e906abb2fde1dd195fce011cebf68ebdff6e3b49d4bd5d122c55a7f4ec25a8eadd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
336B

MD5
a8906f314b504ba9848a41f106cd62ce

SHA1
42e4f3ba0cb325722c6fcab4dd7a296da17f2da1

SHA256
01397cf2d300ecc8d5b6b15e7e865db620809b7505f2b62b040213bd83ccc8f8

SHA512
024e7dd60ee5be1d104288edde0667af5b38cfef712999ad646146b6310db6959c47eeb76c5defb42ee5dc78b1ea3554b279998dbc11c487e01916887f294241

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
368B

MD5
94fb5493154739408a6e6c84314c1cc3

SHA1
12cb18c42d4e343e427b5729c21db5ab7a2d1cbf

SHA256
b486dc281fe2f98410cb2c6c19fbb785aa59592920290311e7945a8eee572050

SHA512
4c3cab9e7eb175fa39a0eb89893c58ff86cdd966d3184073c052454b074031844aa481d2e5b3a6ecd02627d716f72fc828fa3716481e5b994293963f7ae45bd8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
160B

MD5
adc33b4c49bf8d6952595f5efa28bbeb

SHA1
d80b83c5b26d2b69b0d025aba1ce7ddd01031224

SHA256
80e6bc488689aaf5e85d672f5d724eb79da54e2d784e561a195a3a63ac30a310

SHA512
80d71cce832cd967c11135a158716a0bda02839c1106533e66c0c0f309c49c74c639ea1d8014262023db90a4c54db6ff7daf7fa501f2ded48d138b18bd44946c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
448B

MD5
89d536a1c3a6d1b8a5c4ed1ccbb8705b

SHA1
0b8b4e74e35a3ed946405874aed8b19b1794f6be

SHA256
2669ddcb8771b6fe067e8edf119a910dc2f5f554c8e8b10c85a25f98e6d8c472

SHA512
149081fd9332d3007184caf9599fa7bb16c86b6a39e04376eb7b56649c6077af6dc6e115d0b521892055b2d2d79fe54ff9164217cc86d6f6a6f79882260f9fa3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
464B

MD5
ac1990ec938ec0dcbdd6d2e609b192b0

SHA1
e739207ba111722e4d2256c1c2d22e4707e768bc

SHA256
d78802e6366bfc173e115f72b5764ed79546eb841aadd46085248a56d361e67d

SHA512
8e660120650183e7eee1f89793df4228924718fbd085343cc712832ad220b59f17aa308a4a242e8bbc9a8d359282cb138917322a3c2f560e3e8214c0028c21f6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
272B

MD5
12f6e69903f566d697d983c6c16dca6c

SHA1
b47b56416fe2a60747fac4ee44d2ca00cd77b1d4

SHA256
c1dc3f138df6f0a629c306f373eb93c73f83366cc1c239d325782821581b80f9

SHA512
361efe4188d1850ab16a0d66669829a76dc1952c79e8c0a5f87ed8275c1360371aacdca96ce3291c1e83294251f8f617b96a82cd99a177718018edc3d639c748

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
d65eab413d8b380d34cae71cabbd74e3

SHA1
464b0d6a9d696972d87053bccec3a89539c2ff5f

SHA256
40002a3b70bc425b67ab820ba476abf5bd232d1e7fe657c97940c5c60e94c1d6

SHA512
7d9e3a90e99754d8b46e93775d6ba1fcdd9c9613e3d059d2fbb9d5e7c16b357ff66bb20c8204e5e8f446060a55f72473727a83976ebafc2287532d329f432adc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
b3b77e9f7ab3271c7f702c749fc42f10

SHA1
d2df3f79b061826c18ef4302da4b7af45891e0b9

SHA256
d6de064eb02480a4e2a7de207b214d42a7b4e73262e790d75512c98589cfd0ca

SHA512
1361e73f6b3d387a1065c7f5b341b7e35ad6208c9d0453590a9d48a7ba951bbd92aa2620408298fba4bffc634cd2bfab8519db14163e0054d7887cc817538417

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
464B

MD5
546f5c97844fa9e566f12f5f58e57355

SHA1
364cf15c05f76783df9bbd7e3d2fe02748b5fd84

SHA256
d8672b79737494016b78540218363ff8fb0086c57393438302cb462e083e69b5

SHA512
71c931670f98d6f27cd21fc79043a1f16916b2f0c3699eff6c10df9926489a312c0a7f412d2821af3c5f61ef77ddd876f15f80ae8e87dbfb139b5c993eed0252

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
272B

MD5
5b8265707e2bd6896cd6f88a65e141f5

SHA1
ed7a5b7e0d7f9e0ce8f474aa0399e41d89f2eef8

SHA256
ae6eea66697a2abf65224f68974ed85e6b32f707eaa71e794604ad30449a7080

SHA512
193fa35afc0dc2cdd26b0c9d4474239ddee0119986184c0bedb187708d1c74b9bb0d0750b08fe20ad5769ebdb115aa3b8980b56e63e32cc7999f7c418682ff8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
240B

MD5
25d7a5c3b392550dda457c046fca0b33

SHA1
7996df9543b5558512d8ce17675413ea712bda80

SHA256
ebbb513a76d436c2eaf5819d924f672fa1eee47f797c5633d374b448ef014501

SHA512
4312d2771c541d741bf60f14db14018788ccd203992a0f8d9b4762e58666e3ddcdaaf31e16e70916c7191151c07f0b8ab11d7062536e17e26012753ef4b529f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
368B

MD5
4b11ff544391503a2fe4150bde2ca0dd

SHA1
b677e0b29cd09d1585b851e18f50f04c33bc57fd

SHA256
2bb1663bbbfb758c9ee838d2e9c0cec56dd933e85bdafce820158ea0ca16d80d

SHA512
64aad47a525250d23b154c05b822d1044135eb70ce522b2760605da3d652339cb52935d651388d143a3baba2c7ca5c5e5efef4db126ee538c5f594732f8797de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
368B

MD5
b1e8e5933eec74c91b9d46178a33eece

SHA1
451932f77c0d4404a86b43231c8a0e660528a608

SHA256
8df21b1ab6e10902a13a375cc516a799f5469257cbc9a0fe83e10f21f6f78ded

SHA512
334658cdbff61e463b2de23a9ba8ceb356ecdd543b07caa72ada8a619662aa3588abde3cc62d6af987ad5013db8873e6109cb118d36e00b9b03e920f6b52c1b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
cd12ccb5bb3f0d0c518a1892b493e527

SHA1
835cf490692f8a4cd226fe2e89e903b303f4722a

SHA256
588abbafac98e1ce8ed6a7e2dd42c8b8d73ced443d47d95db013295cd5892a25

SHA512
3b3fe5c68f63c3214d5e99f2f62aefa8740ba0507a1428462c0d5d91cf51099a5c8bd25e098dc5acc965944a4a784c8e2b5955242a742cc5212161af955de9a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
432B

MD5
2940cb106e9948571fc62843c57f374c

SHA1
a91041463a757a2679e9b8809a61466c84798b99

SHA256
54e2b964fa7eb8f1f4fac63bfa65effd878e9a624d1dd935c7d1f2c29adfb355

SHA512
ccbf3918d4c3b9f267eecaf1de8d96b57fbde7602381778597d4399fc4eef136c3e61af3644b2162bbb7a26149315a40037d1543293bd961bb588526658a88ed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
75209a5bd4ec026ccca87c1746d5b49b

SHA1
fcde54cee887e19b990ee544dec56b0b1e7b0bf0

SHA256
a9bb28efe7ad57077b30d7267a7ca3296b80e1cf15511fdd16de50a41af3d444

SHA512
b214ee3c71d4e058b9b35db870b3c55fd1bc231eb5d9084d19894dd5073fcd19934b309b508e9b4b9855e5116564abc74ef777d9c8480579feb444b1b3d97561

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
816B

MD5
a0cedd3122335d96e771bec6bafdc722

SHA1
c1afec2f9a9270a4c81a49cc333a9bc4a1c832e7

SHA256
6493abbb3dde256c957849948bbc83a2edd9b7d147a807db0cb8c3bbd242aa31

SHA512
0daa4ba2f09e3ca5d63146288084695a789b54dcfcdc2813035b2c7a213188a961a8c1125c0243dfd0d0ff0b40a69229b117897f98a47da97015f3feb399a64e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
880B

MD5
db2e88b6eeab4dd8df4488f639dea6bd

SHA1
acaf3848d9ebac06d47588f856abebadf49b08d6

SHA256
108300851481a6e594cddb3e275be77a2037e00ef80386d739740042777d7a23

SHA512
966a7b292b51efcb27a220c5f96bd9260413151a1b3fb45b764366e42d8b6fa4b1aad58d3e4a883032106a07cd35ff11726b19d0daf7dfc636d4926da9036d5e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO

Filesize
320B

MD5
66ef596053cc31985d4c2bbe85811662

SHA1
b37f4b160e9dda85ca1607613ec7180b70c884c0

SHA256
d7581c24f0e674108ffb8d08662424a30ef5f431bd83cbbac751dd4b78db05f4

SHA512
105f90868d4132724b9d97f7eb37842680e1af043dfb6a091aea27a44faa44c7c2d957d1b556a9ba7db392da00978eef459c356be4f846f956469a66d0b21ccf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
018d9bb2472e12f58f57e4f17c50c6bb

SHA1
1a13f4b140c3ae28389ee179f580212f396cfc3d

SHA256
29d96c4c6179ad88df3b9cffe1feb94f4e4c17287306fdebf523065f015c7438

SHA512
4fe7f063f00f1d4f38f1f1a4ac5230e258de5ea38436ff9de87f28f0ba6a5e66cbe4c4b35c5a47fabe02c534ff41b165579992d1db97387f5358eb81642e64cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
fc8e82ee7208bab29f73342447db7928

SHA1
a958e572ec0f88fe4d3a46bb5be74fe6946c38c8

SHA256
7f602be0878d2b5e22688525b8b4a6f2bf7cbca78933c6dc1b5f4f7670e067da

SHA512
5979b125e67b1e8c5b0be843bb5604b56cf02c09351457a679cb089b695b7dbc9de9e95fa62b3c7dbfb1a2b52f8757d63a6205ff4bde16fa891184ef0e95b6da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
0c7fdb25b0f78d14e905425f0d881bf9

SHA1
4e4ac9837cf276e258187e718be78c5259e16d59

SHA256
77cc250907763e540a4fb4e1d54a1d6e8f7a39b77591dbc2123a013ab7e6482f

SHA512
13ec814afb7323f2ca129deee43ff99c2a5671bc2d5df9a55a7c620b2d278627a16819d8f80a66c805a4bf4366d222fa214da2ab4a2cf8b1e47d32f0c36b720a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
896B

MD5
dd3e41fc91305a345c605f3fedb3d16e

SHA1
d60eb4b9fa863a86ac3e0233a4ca268303729c07

SHA256
45b6c8858a9b5d8499adf3e61c3ee18c3547f5fe940cd5bf9f3d7753ad2eea92

SHA512
aa2991a08c4717644eedc9f74fc37ed9e9731bd4daefce1224105abb94fb6c65b7d87bacd58045ec224a65c0dba7744d32ad5bff674a8e3293fc7b177a9dd55f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
864B

MD5
8c5f25b7dd6894df929b480c2fe921d2

SHA1
b2b1c9f359ab6fff9858aa49531b21d7ccfe094b

SHA256
c1ce1b00c8efc0c674a4ee62f7add5ee4193737e505f2363b4c3179201370663

SHA512
72d561112a2cbce75fc034307e954245dcd85aa529bede2b1d1bb7de48579994e584172fce856e71e768429c71e49028301bfb6a7fd958f619a0272b0907b74e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
864B

MD5
e300cf179f7bdba7b6d8dcdc33b6c07a

SHA1
4745d80b6627ad5b11a2e33e4908ba3439d63233

SHA256
21c07f66f5ccdc411460690f7590185f18f112c52e39599f853099788f84a31b

SHA512
aedd24907acae81ba10a640e042a8afbdf1e78acf262e2d0386d5d611ab483eb68e47c9dbf8e8dad94b18cd864a0490eb4eef5bd95cb132c8ba30795969176b3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
592B

MD5
cd805c739746808f09a701bf8ef49674

SHA1
b19adf9fafb3744f137a96f07bac63e1c75ce7dd

SHA256
804e978ca966098646241bfc58dca4c02c2afe44114ab3561e429aa6f742793a

SHA512
f9dd8ab76e0ef5a6ec15617837f49fb272d5833fcf38bb30bc04ea5b84c1e72643af6c877e58bab3cc2e8f8ea726313eca32c30e504a274aa051b8c191d794e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
912B

MD5
a891f0951b878ddf850a472f1a4012fc

SHA1
73b2981fec69bce3dbb15e2a95252fb67a6b2f4b

SHA256
b3147320c93623fb50436b2d8c92a6626ccf1e3df8acb24b47b2cb1e642efb6b

SHA512
936261c960eb6cfab9ad483495870bb826149fe3e2385b5f5b90bbc967b9f1e00dde747104d7a29c868aa267e8bad6b002c463881645ac9408a1dc447efc35cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
640B

MD5
6ed86bf1c303bb93e921d012374f9ae9

SHA1
49b2b03b80abc959cd33cf171291a6da7e61d50d

SHA256
088087d6e4ac2c17e8f69a3bcc34d9ab9f43a4e838bc55329d46e18580ea835f

SHA512
d64694afeed66e76a2283827122c5c3870ade0043b7939adc4755fb78afd3d880f591fc7381e76bba02290c6a894ec327e1cb8da21fed9db117171c7f7a93fbc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
880B

MD5
3cbde98f01e6eeff825d074061f9b3ce

SHA1
6c3a03ea48bacb111483d41da008479f571f1c48

SHA256
12fb5246768201e11c79cce474bcf84f46da981c6a9a3b5bc842325d55e1c0c5

SHA512
1ebb388bdb12754036a1f1414dbfb0d683a3e6a9b94a11566849d84f3624c3d4eccbb80369274f3790ce12ca3f869fc70fa77b3f0e38b3f1518534105c0e478c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
f349b6c0b5a105b04d4637c3b1e22a8c

SHA1
28bf0ac9ebf04f98b3b0edd486a58215fc5636da

SHA256
d928abfafd9394ce6b90e40dae856623f1ffc68a7425187fe8bd2c948be9d6ab

SHA512
9dd930b4187c71385997d2ec2ecc59907ef0205b85a26474befac1f4b12eb7af62e4294bcfc598829cf47b3f3fd967787c1a5c908fcd9125c9e3985a1ffea656

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
b01212e81c03ded75d09f1fd57141b22

SHA1
cc9b55e6f42ac1ca3a192ac1c6f7545e5acee395

SHA256
7472bda0ddee51f4ad0cc51118ea676256face0a2b3feecc90433e4fb2bb06a3

SHA512
0ecd7d6bab17e7ae43efa83e3b38afebbb422d5fbd1738b9c81f389aa0c5dbc017f892bec294a7a6896e8d3ee085870f81e7e9356f773270cefe9dc845d2130f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
624B

MD5
29c159602baf2d6d95b7dc74c2bee514

SHA1
975c5d47788754be68b4fc09836f39d1a3eb8966

SHA256
0341770072880108ad0ee500a75a6a205315756af4f33dd367e9853a6b51c656

SHA512
1be9921ea9b4c25713ae11726e324314ac5e9b95f683315f390814f5e17251e4b1f312deef0f8b5576737bd3c6d4ebd67fc250002e9a03e9be3939d5eba6fc0e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
864B

MD5
0f168e123a0c0d5c81e3285c75ebc6cc

SHA1
5f9565a537ac3a3731247dd5bae2d61600aa4f89

SHA256
fb6bfdb9fcfbfdc2b34b83eeaa11b0402fcdc88b1b9326c329e6483363e38430

SHA512
6696b2761db4aba084986c2e253c523162e1b6957bb18157b8397c334f8188d15ce1c03c3693497919ae3a497c3563844d93dd3777b0d03f3979be6088eb225f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
848B

MD5
35c973f1186097428b5e4b87bc79d548

SHA1
7776b8c80b4388fc4037fab9d0db0427a87ea0b6

SHA256
4c60a65d17e0016f665c0a13e9beb4f61dcbb0f0611a9668666fd802f53d36a2

SHA512
2a37a25fd463e33843eaf9e0ce809f9bb4ff28070f23b31f1f5532c83db8c46cd7d7a2eb17ccdaedd9594e2295b126db6245089b0b79596488c4389910916037

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
880B

MD5
852d58f9cfbef45affeb66db0a7c864f

SHA1
6bff64568416a3294d6f606aad982a9074a9cb62

SHA256
f863d4de8a5f3749143bf1b91cbf39fedb32a82e0065debe2c9ea68eb919d7bf

SHA512
a1bbd085e0713786eb42e753f949c9ddd4940304b29e0b969336bff81bae760f6a5d65ef9af2c0db9210572859f96bf7e9491d6b9a552348a698313b56ccd316

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
848B

MD5
97499c9790c5d929e939ec117f2d393d

SHA1
cd621ba7f2021e2919c3adbaf85dab6816246fcd

SHA256
9fd264a8397bfa8078ba45a0d237e5c6c9978f6d6ec58c3d6f7f8ff0795a106d

SHA512
7bcf02dbacf81baa3b1729d04d6232aaf232aae30f52726ae160eef958c50d259440030169e4803813d0e8e60f51c6b3d1efadc7c372fe6aa131d38f11af5e30

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
864B

MD5
8ef8edb506c4850074f2e1d88597d4b6

SHA1
a0e524c6e1d0c215fcaa9aa179654884f2ce4195

SHA256
2f782ddf4f680f82ede20602e746d265b7ded89726168386474693c75b3a0dd1

SHA512
2c1714a71c325ed1d60a8aa56814acc3447a914fc2f79835c0880abdde5047f91effdf0be8281ab2cd960bce8eff053a14a7ea0a7567326b7159dcf174bdafba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
864B

MD5
be5d76224dd22fe7d61c1416b4e31708

SHA1
9110fa05efdead75ca751c30a65b24c871fede2e

SHA256
d104a8c5f165b3439f0f196253cfaa8350eb32543e9f6c043d6273cfa888dfb8

SHA512
b5253670a0d810450d3efb2b971c515c2d18f658e20512fee26e7c133fe6d2955f2cacad006b39f63cfe7f9ab75f17157de2e82ae56a6b13b8c434cac103e8d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
864B

MD5
c4b916ac13441af515ef4f4eb3669b09

SHA1
e8614aceb2ec151721110df0bbfb1475b326d6f1

SHA256
d63a9446cdab5d54ef16c3d0e4a5e618b609c3034dab05e3448d18d077c8d76b

SHA512
c43de4853abada1d71430e5ab57ed283ee9f7c0fa4f70a3236bdc71ba3ca6760232bd228149ffa4fedf08177482cf26369fe19de77e62bfebf8cf2fad71e4173

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
896B

MD5
8ba334237d5c252cbe6aa8c5d798ca49

SHA1
1d2ab4fc586ace6d7df9b55fa219ac6e2f6d4d07

SHA256
95621ba727db0c5e113fa7bfd7b22885f393df07dde29b43b5d7e53fa51cacf4

SHA512
67698f6c243e796e012952ffe74e7e674ddbaddfcec1c6c2a0d4c8b5f19da79b3353cc3b83e430cf0244047cbf216e4c41f59acd236ec3110506f6595ef047c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
691fad9fb1d3146cefbfdaf802fb7fd4

SHA1
9dcfe2bb238505dc7c63bde91bfab60f711f2f38

SHA256
3ad5757495c2576ca819e1875571bdd86313e77ad68dcbf84650730abee88d32

SHA512
f5a9353125a23e561de920fb8c21a8e5af6d215b87dfe31ba40ad54b828b57d08bb4e24d1a3c21ed1f32a539fde7d83ea4b1e5dca3404ac9ade7bd8c38c3e603

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
816B

MD5
960a5031a8876d9f315b573e8f481638

SHA1
b7dfaee08efa514a1b334bd6a686250b2378c764

SHA256
d6fb2066c1c9bf21a45a40f2f8123c574b32cc5eb04ea49f88ed4b51f8201402

SHA512
b19e2b38fe71a40550239cc5482d76ad78cb7f452975c847af81b836b8af6cf9cafe26c2ecae8f7d89701d659625e27d93e92dec0adcfbb89e7b0cb7f87c758f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
816B

MD5
9e59df2aa02462bcea423001af3142e1

SHA1
278612f968e1d1ab244e7ce813258f13baf124b7

SHA256
c5a6e577590df4fff3200d0034f354d04ce198e7250fa104eb2f350af0ce1d9a

SHA512
88266425253027a96ad8dde425bb5432ea60a1fcfee0376bad1689003122f1937c79c7a4f8723bd40b691a00e9a9ed16be29b77c9c59c84cd685e1ba9340168f

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
180KB

MD5
71bac788cb95b085a59f741aaf95936c

SHA1
a2d5206c88d9e1e0209fd2d0d1a75e4d48749a93

SHA256
4d1531c4b0d32a205caacdf513508a8a612badf8d584120e7927e6d85b3d1445

SHA512
c0f774d43d02447b005a9028c4a678935c52ef35449f10b51ae7764f0f7f9d31025354906b2d31e3859214ebf49bb07b923d2825ced9078d3be7be5c63f3cfb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
ae7ad2c289fa6e5b3addc30a77bc7cee

SHA1
4f1f5803f6cd3c58dd9a18873403c94c69e8be98

SHA256
accdd8f5fbed055c95350fb8bde011055d69d2a9ea8b4bc28564db260f43bf75

SHA512
c5310b2e35f4405fb180bcbe563c5d09c44f0e54457a143e4b5fdaaddb9d2af8a72af5fb0cc04943adbd5766fd67392cfc1b3154f461adf703a39cbb001cb2f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
8KB

MD5
6ada4b8b6a782163584d1493ee1a57b6

SHA1
c911177a6e63882b41763dbf50bbd6809466dc86

SHA256
c6b56e3285e382d216c35ec37dfa006776fea675597e7cebee9f4011813a7947

SHA512
1e9a55226c8e502da2143ecc01c15a236a9d01b772eecdd51357458d1b59e4ab389be36d29c09a6134d8e8ca5cb45e8ab622518dd7d8a67cf18e48e7dd1e2d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
ce8e45ad84b8f03cd235d591f26fef1e

SHA1
43de69adf35b294d27754248c768069e3eb2694f

SHA256
403d412c578bf127b168ec02c60b7dcca49c3f0a7c6e6a1ed68f3131dc369d82

SHA512
2bc093414aac0acfeea3fde70ef5211bde10b0655a53bbb1a895c670d066f43e8c0e71c045e275eeb6b7bc8df10250075a9ad3e179ae623125215813dfb275a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
8KB

MD5
392252052c4d901a28631ba69183393b

SHA1
d71a2c20b698ffcf9309bbd20cdb3e5c2630c025

SHA256
dbefd4654a38ccea636ee0228b79aad3c5bb867214c2b9e4a66cbc03b9510ca2

SHA512
f33aacd62c5574608d053b9ee6c5a89b945ae4d715fd3e108a2eee51566aeb602650832102c1c10b99cf7a057923ad1185c1ab53c70b4ff418b75f6bcb0447c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
131KB

MD5
a8c3f72556d549418f38e999b1547d5e

SHA1
e31442a4bbe35870aeedf0b3ecf0c855370c0629

SHA256
e04d77494197accdae6c2959ef168fcfccb320030b5b71479754ea863f740fc9

SHA512
9e3a6a3da7d2494bf4ad64edcf9cf4b3c952dc15a6eb69dff1ad5cd8de46b57e5d4c4d7d320b22300042524ab67f4e2dc94368a99d7975437678e0cf317d361f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update0.bat

Filesize
66B

MD5
fc004e866908605679c1062fd8a665b1

SHA1
dea7cde7445e3027fd2c0f32959f1653147d2786

SHA256
f6acc27f297681ba3c5d7c0983fb9a5eda6da3f87c6d3b92a511d5d375d58a3a

SHA512
aa486c9fc90996c67f7df60b4ef0cce45d2c68154f54bd5a8298edf5ed32c4368e99f310a83b61921fb81e78cd029c8cda367a77aaeb6c6f12b9cf75dec697eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\update1.bat

Filesize
128B

MD5
a82811e2a239de436641cd1cbff90e63

SHA1
40f315913ac2db412f743174e2280a71a36de920

SHA256
2ebeb04f83608c8dda7a0a0ce7364e7a1c11a03288f5f9b7db12e2d6df681294

SHA512
97956e88c79e5c1b902bbfafcb79cc46605ed1f1634b530977ac8e615e8c78406d700aea847f2f7b6f442dfa7c530b2392d790f3e41bca15ed05b660749ad153

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite

Filesize
48KB

MD5
512fea11dcc702987343b6f28ac212e4

SHA1
66e8ed220be3664582265f140eb88886e0e3ce3a

SHA256
186c3547f5226e3a139835efd4d64ee7b317fa77764e24c6dd7e9f4e9f828d67

SHA512
9c11207f4d989433974ce6cfd037d2e722a39dab8b750b9f38cceec126a9102b5f26a86b4c06448e12895e96e447cd5804acc399dd948ae5958698a673ae1c39

Download Submit
C:\Users\Admin\AppData\Roaming\delback.bat

Filesize
35B

MD5
d41ac96c53b4fe0dfbe1b080649141c1

SHA1
b4d75213c61646b5bd48eadf723542fa9aef8b00

SHA256
325de85e48afabcc0d53d5f6d9371314d0ed6e46d91c271abceccca58cbbd238

SHA512
a65c10d4face73078643ebc99c022a19a5944cef222c27739bc94456bd7601b5f118d4f2738fbc8374b8ad86c927fa0dcca7177fc936409f3000b7b58a6c1563

Download Submit
C:\Users\Admin\Documents\UseUpdate.xlsx

Filesize
14KB

MD5
7a7969f8946bbde9b7213b7ac167e33b

SHA1
66f67c2ba4d56d27025a8c4db92205f764ec3271

SHA256
cf1802d037d2fcf09c78f2c8030cf82a990d0be1bdcd68fa415a44094eea239b

SHA512
1163f8a91c46eb47e9da5499ee062658cfe58b68b16ed44a779689eefdefc9d6607b8d97e4d5134dca12baa07228e027d1a713e5f6490f3b3dbc28cc08898599

Download Submit
memory/2612-6-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/2612-5-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2612-4-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

Filesize
4KB

Download
memory/2612-3-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2612-2-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2612-0-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

Filesize
4KB

Download
memory/2612-1-0x00000000000A0000-0x0000000000106000-memory.dmp

Filesize
408KB

Download
memory/2612-11961-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-12-0x00000000002A0000-0x00000000002C8000-memory.dmp

Filesize
160KB

Download
memory/2712-111-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-85-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-13-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-27-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2712-29-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-11950-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-37-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-38-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-80-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download