xorist | 471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

Analysis

max time kernel
299s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b7eaffe4dffcbd06445d0b32785cdc8.exe
Size

39KB
MD5

9b7eaffe4dffcbd06445d0b32785cdc8
SHA1

af992e2e6c045137b8220c60f534f80da968dd38
SHA256

4137f8c196fdd99a5cd64c518ed27c466953e37b78887954ea192b5595a0a076
SHA512

3639fc1b3ccd57b6a61acecfce8030a7c2c634deb44b75345b5c69eb5cad03a8aecae781b950c254e35f4db248b5e9113fd06412f14ca7a90596985a282e123f
SSDEEP

768:BPXsWRbrIA8vxG/VZ0xcv+n9DfUEGC4ZC:B/s+HUxSZOcvI9DsE4ZC

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 12 IoCs

Processes:

resource	yara_rule
behavioral30/memory/1344-20-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral30/memory/1344-12-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral30/memory/1344-8829-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral30/memory/1344-8953-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral30/memory/1344-8954-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral30/memory/1344-9186-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral30/memory/1344-9187-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral30/memory/1344-9190-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral30/memory/1948-9208-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral30/memory/1948-9220-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral30/memory/2376-9228-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral30/memory/2376-9230-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2217) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

9b7eaffe4dffcbd06445d0b32785cdc8.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe

Drops startup file 1 IoCs

Processes:

9b7eaffe4dffcbd06445d0b32785cdc8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe

Executes dropped EXE 4 IoCs

Processes:

RYiGElV1ZFlQ3US.exeRYiGElV1ZFlQ3US.exeRYiGElV1ZFlQ3US.exeRYiGElV1ZFlQ3US.exe

pid process

804 RYiGElV1ZFlQ3US.exe
1948 RYiGElV1ZFlQ3US.exe
2052 RYiGElV1ZFlQ3US.exe
2376 RYiGElV1ZFlQ3US.exe
Loads dropped DLL 2 IoCs

Processes:

RYiGElV1ZFlQ3US.exeRYiGElV1ZFlQ3US.exe

pid process

804 RYiGElV1ZFlQ3US.exe
2052 RYiGElV1ZFlQ3US.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
804	RYiGElV1ZFlQ3US.exe
1948	RYiGElV1ZFlQ3US.exe
2052	RYiGElV1ZFlQ3US.exe
2376	RYiGElV1ZFlQ3US.exe

pid	process
804	RYiGElV1ZFlQ3US.exe
2052	RYiGElV1ZFlQ3US.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9b7eaffe4dffcbd06445d0b32785cdc8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RYiGElV1ZFlQ3US.exe"	9b7eaffe4dffcbd06445d0b32785cdc8.exe

Drops file in System32 directory 64 IoCs

Processes:

9b7eaffe4dffcbd06445d0b32785cdc8.exe

description	ioc	process
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsier.inf_amd64_neutral_622ad8125bbeeda8\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_profiles.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_properties.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_cmdletbindingattribute.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\com\de-DE\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hcw85c64.inf_amd64_neutral_96b71557b416d04a\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidserv.inf_amd64_neutral_f2223e39f37c69f3\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_amd64_neutral_668286aa35d55928\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\ClickDownExpanded.gif	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_split.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\adpahci.inf_amd64_neutral_b082e95ec9f8c3f9\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmboca.inf_amd64_neutral_cc532ed7b3b5b5a9\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\Amd64\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc302.inf_amd64_ja-jp_64ee91a0bf7b132c\Amd64\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Sxs\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_parameters.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmzyp.inf_amd64_neutral_b64bd08009e7444f\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Variables.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Signing.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_arrays.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlasno.inf_amd64_neutral_c86d5b5e5fa8b48a\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00x.inf_amd64_neutral_808baf4e08594a59\Amd64\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_prompts.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_While.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_type_operators.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\adp94xx.inf_amd64_neutral_4928c8870f6a1577\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0006\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_debuggers.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Redirection.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_PSSnapins.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_operators.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00a.inf_amd64_neutral_a89d2c01c0f43dfd\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomeBasic\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\uk-UA\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_WMI_Cmdlets.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\it-IT\about_BITS_Cmdlets.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\Starter\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterN\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremiumN\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_execution_policies.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_objects.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_aliases.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\crcdisk.inf_amd64_neutral_d10626d1f8b423c3\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\fr\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Ultimate\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\AdvancedInstallers\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\fr-FR\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\migwiz\es-ES\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Quoting_Rules.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Throw.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Enterprise\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\002d\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\ProfessionalE\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\lt-LT\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\migration\de-DE\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_internationalization.help.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\de-DE\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

9b7eaffe4dffcbd06445d0b32785cdc8.exeRYiGElV1ZFlQ3US.exeRYiGElV1ZFlQ3US.exe

description	pid	process	target process
PID 2244 set thread context of 1344	2244	9b7eaffe4dffcbd06445d0b32785cdc8.exe	9b7eaffe4dffcbd06445d0b32785cdc8.exe
PID 804 set thread context of 1948	804	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 2052 set thread context of 2376	2052	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral30/memory/1344-9-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1344-20-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1344-12-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1344-11-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1344-8829-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1344-8953-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1344-8954-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1344-9186-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1344-9187-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1344-9190-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1948-9207-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1948-9209-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1948-9208-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/1948-9220-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/2376-9228-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral30/memory/2376-9230-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

9b7eaffe4dffcbd06445d0b32785cdc8.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR26F.GIF	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files (x86)\Windows Media Player\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\currency.html	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_settings.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR29F.GIF	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\7.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00142_.GIF	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740G.GIF	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\activity16v.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\Windows Journal\de-DE\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115864.GIF	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR17F.GIF	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\HEADER.GIF	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115868.GIF	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\REMINDER.WAV	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\TestInitialize.jpg	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Earthy.gif	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_ON.GIF	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html	9b7eaffe4dffcbd06445d0b32785cdc8.exe

Drops file in Windows directory 64 IoCs

Processes:

9b7eaffe4dffcbd06445d0b32785cdc8.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_eababfd66766bdf2\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnss_bw48.bmp	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\assembly\GAC_32\napcrypt\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_mdmusrk1.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b7aaec92f3c4ea2b\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..-mcplayer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6fb1229b7559793f\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ui-pmcppc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_db73c41e9c984d94\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..tivexcore.resources_31bf3856ad364e35_6.1.7601.17514_es-es_d1b313649d44cf6c\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\inf\SMSvcHost 4.0.0.0\0404\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_mdmmotou.inf_31bf3856ad364e35_6.1.7600.16385_none_25536ccb9426fbd8\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_ks.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aebb9f49047e8993\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..tebox-isv.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aaee690e58940d2a\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_prnge001.inf_31bf3856ad364e35_6.1.7600.16385_none_370faef49da5c275\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..gbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_be532d50172eb29c\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_hidir.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ebbc86b85daa0055\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-label.resources_31bf3856ad364e35_6.1.7600.16385_it-it_cf677641880825ad\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_prnca00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_78c7dfdba384826f\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rpc-http.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ac34209c8f58b02f\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tasklist_31bf3856ad364e35_6.1.7600.16385_none_843823d87402ab36\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_prngt002.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0ac52b15cd4a9350\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68a3391d007cd856\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-appman.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_78726d038f779639\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..plication.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1e0572835cc1e8b0\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ecc2fd7371a03bd7\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mydocs.resources_31bf3856ad364e35_6.1.7600.16385_de-de_effd1cf37c79db0a\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..cognition.resources_31bf3856ad364e35_6.1.7600.16385_en-us_39d3bb4b3fea013c\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shmig.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0c5da1b632ffc4db\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Ding.wav	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_mdmhayes.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a54f10073de99f17\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msident.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_395924b0f41ad032\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-jsprofilerui_31bf3856ad364e35_11.2.9600.16428_none_793771322ae3b7fd\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_6.1.7601.17514_it-it_2e965daf859cb684\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ewall-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_794967650f4f20c7\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_net8187bv64.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a80bbb086fed604e\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-f..temutilitylibraries_31bf3856ad364e35_6.1.7601.17514_none_eb9dc1c34def72a3\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..noverride.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f23478cc4df1394f\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e69236bf1ae1f80\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..vice-core.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f8cb59a36a3d48ba\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-kernelstreaming_31bf3856ad364e35_6.1.7601.17514_none_b5a6c7c6ac83a58e\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-addinutil_31bf3856ad364e35_6.1.7601.17514_none_29443e96f9fb6564\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\msil_microsoft.build.utilities.resources_b03f5f7f11d50a3a_6.1.7600.16385_ja-jp_59b0ce0500353985\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_et-ee_42b4826dc12f503b\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-diskraid.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a946cfb3c22bed70\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\settings_left_hover.png	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..almanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_373b5cdbe51cd2da\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_ar-sa_25b69e51bf9d09dc\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehpresenter_31bf3856ad364e35_6.1.7601.17514_none_84ee9d077899aeab\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b680f7564791b2d9\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_it-it_82d71cebde58fe78\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_prnky004.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_49a5251659731bc3\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\msil_microsoft.visualbasic.resources_b03f5f7f11d50a3a_6.1.7600.16385_ja-jp_ae93debaeb25bb7d\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..centercpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_02fb84a0035b25e0\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a0fcbd53df82fc1c\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-h..providers.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_feed4020425c7714\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-autoplay.resources_31bf3856ad364e35_6.1.7600.16385_de-de_499da319574da0ba\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dims-keyroam.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1567383959976c25\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00010426_31bf3856ad364e35_6.1.7600.16385_none_e88cd0516f0d274f\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00010407_31bf3856ad364e35_6.1.7601.17514_none_f5844329a0133e29\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-h..providers.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_729fcacc780f7fbb\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-taskmgr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d6b26875c066b9eb\HOW TO DECRYPT FILES.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\ehome\ja-JP\playReady_eula_oem.txt	9b7eaffe4dffcbd06445d0b32785cdc8.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\GB-wp2.jpg	9b7eaffe4dffcbd06445d0b32785cdc8.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9b7eaffe4dffcbd06445d0b32785cdc8.exeRYiGElV1ZFlQ3US.exeRYiGElV1ZFlQ3US.exeRYiGElV1ZFlQ3US.exeRYiGElV1ZFlQ3US.exe9b7eaffe4dffcbd06445d0b32785cdc8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b7eaffe4dffcbd06445d0b32785cdc8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RYiGElV1ZFlQ3US.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RYiGElV1ZFlQ3US.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RYiGElV1ZFlQ3US.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RYiGElV1ZFlQ3US.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b7eaffe4dffcbd06445d0b32785cdc8.exe

Modifies registry class 10 IoCs

Processes:

9b7eaffe4dffcbd06445d0b32785cdc8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RYiGElV1ZFlQ3US.exe,0"	9b7eaffe4dffcbd06445d0b32785cdc8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell\open	9b7eaffe4dffcbd06445d0b32785cdc8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG	9b7eaffe4dffcbd06445d0b32785cdc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\ = "CRYPTED!"	9b7eaffe4dffcbd06445d0b32785cdc8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\DefaultIcon	9b7eaffe4dffcbd06445d0b32785cdc8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell\open\command	9b7eaffe4dffcbd06445d0b32785cdc8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell	9b7eaffe4dffcbd06445d0b32785cdc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RRAHKKYNJVTSHLG\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RYiGElV1ZFlQ3US.exe"	9b7eaffe4dffcbd06445d0b32785cdc8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Bl9c98vcvv	9b7eaffe4dffcbd06445d0b32785cdc8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Bl9c98vcvv\ = "RRAHKKYNJVTSHLG"	9b7eaffe4dffcbd06445d0b32785cdc8.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

RYiGElV1ZFlQ3US.exe

pid process

1948 RYiGElV1ZFlQ3US.exe
1948 RYiGElV1ZFlQ3US.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

9b7eaffe4dffcbd06445d0b32785cdc8.exeRYiGElV1ZFlQ3US.exeRYiGElV1ZFlQ3US.exe

pid process

2244 9b7eaffe4dffcbd06445d0b32785cdc8.exe
804 RYiGElV1ZFlQ3US.exe
2052 RYiGElV1ZFlQ3US.exe

pid	process
1948	RYiGElV1ZFlQ3US.exe
1948	RYiGElV1ZFlQ3US.exe

pid	process
2244	9b7eaffe4dffcbd06445d0b32785cdc8.exe
804	RYiGElV1ZFlQ3US.exe
2052	RYiGElV1ZFlQ3US.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

9b7eaffe4dffcbd06445d0b32785cdc8.exeRYiGElV1ZFlQ3US.exeRYiGElV1ZFlQ3US.exe

description	pid	process	target process
PID 2244 wrote to memory of 1344	2244	9b7eaffe4dffcbd06445d0b32785cdc8.exe	9b7eaffe4dffcbd06445d0b32785cdc8.exe
PID 2244 wrote to memory of 1344	2244	9b7eaffe4dffcbd06445d0b32785cdc8.exe	9b7eaffe4dffcbd06445d0b32785cdc8.exe
PID 2244 wrote to memory of 1344	2244	9b7eaffe4dffcbd06445d0b32785cdc8.exe	9b7eaffe4dffcbd06445d0b32785cdc8.exe
PID 2244 wrote to memory of 1344	2244	9b7eaffe4dffcbd06445d0b32785cdc8.exe	9b7eaffe4dffcbd06445d0b32785cdc8.exe
PID 2244 wrote to memory of 1344	2244	9b7eaffe4dffcbd06445d0b32785cdc8.exe	9b7eaffe4dffcbd06445d0b32785cdc8.exe
PID 2244 wrote to memory of 1344	2244	9b7eaffe4dffcbd06445d0b32785cdc8.exe	9b7eaffe4dffcbd06445d0b32785cdc8.exe
PID 2244 wrote to memory of 1344	2244	9b7eaffe4dffcbd06445d0b32785cdc8.exe	9b7eaffe4dffcbd06445d0b32785cdc8.exe
PID 2244 wrote to memory of 1344	2244	9b7eaffe4dffcbd06445d0b32785cdc8.exe	9b7eaffe4dffcbd06445d0b32785cdc8.exe
PID 2244 wrote to memory of 1344	2244	9b7eaffe4dffcbd06445d0b32785cdc8.exe	9b7eaffe4dffcbd06445d0b32785cdc8.exe
PID 804 wrote to memory of 1948	804	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 804 wrote to memory of 1948	804	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 804 wrote to memory of 1948	804	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 804 wrote to memory of 1948	804	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 804 wrote to memory of 1948	804	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 804 wrote to memory of 1948	804	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 804 wrote to memory of 1948	804	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 804 wrote to memory of 1948	804	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 804 wrote to memory of 1948	804	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 2052 wrote to memory of 2376	2052	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 2052 wrote to memory of 2376	2052	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 2052 wrote to memory of 2376	2052	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 2052 wrote to memory of 2376	2052	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 2052 wrote to memory of 2376	2052	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 2052 wrote to memory of 2376	2052	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 2052 wrote to memory of 2376	2052	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 2052 wrote to memory of 2376	2052	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe
PID 2052 wrote to memory of 2376	2052	RYiGElV1ZFlQ3US.exe	RYiGElV1ZFlQ3US.exe

C:\Users\Admin\AppData\Local\Temp\9b7eaffe4dffcbd06445d0b32785cdc8.exe
"C:\Users\Admin\AppData\Local\Temp\9b7eaffe4dffcbd06445d0b32785cdc8.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\9b7eaffe4dffcbd06445d0b32785cdc8.exe
  C:\Users\Admin\AppData\Local\Temp\9b7eaffe4dffcbd06445d0b32785cdc8.exe
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1344

C:\Users\Admin\AppData\Local\Temp\RYiGElV1ZFlQ3US.exe
"C:\Users\Admin\AppData\Local\Temp\RYiGElV1ZFlQ3US.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\RYiGElV1ZFlQ3US.exe
  C:\Users\Admin\AppData\Local\Temp\RYiGElV1ZFlQ3US.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:1948

C:\Users\Admin\AppData\Local\Temp\RYiGElV1ZFlQ3US.exe
"C:\Users\Admin\AppData\Local\Temp\RYiGElV1ZFlQ3US.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\RYiGElV1ZFlQ3US.exe
  C:\Users\Admin\AppData\Local\Temp\RYiGElV1ZFlQ3US.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
937B

MD5
88de38daafc64c8ec113507d490c9d7d

SHA1
a51b5c3ee4c306b1a3ec68c0cfaaf41bef29e1e4

SHA256
f78cde7119f31d0e3ba5aafd8b932c342f5e762c5f8a1a3c7b115133c1f9f1ec

SHA512
3e3b42d9c2b42a24fe753dd2e24df8405edcc0c89bdba78bd4e20e5f83faa372a23008d0e7f568f4210a4935a68a1a03eebeb4e30954e5cb56542016295ddb71

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
569ad6fbea02fda902db544bfe5b560c

SHA1
b9f7d07750c1514bd3a81e24d5e621b942c68795

SHA256
d03a917333f025405ea893296bf0ddbf1e61600cab48b9bfa53353548cdf811c

SHA512
b76a5d688a219dd563c3dab59e3b0b45315a19eb0e55ee4bf0c95287864978e40b90575e008a3f23fc6014894273bb0cfa728a14f6b2c800605d3900d6a2b079

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
3cedc7540fa583e9f12a2cfa2e1ee434

SHA1
d318f6fa6db7837b9bd55962d24eea333bd12273

SHA256
7775255f9bc33571b3d4b4aa598b27938391a7ff334fe88e268cd7636ef8653e

SHA512
497dac219a581ffebc33af36864f323fa550e67c0b5c5fac835600ca5e4a5e6f56f2c1ebb5ec26b4b8413e2e72191faf7207c0ad712403b0edcd26169ee9ff73

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
413f5698d7156e6e32a284ebe6e5ac3a

SHA1
8896785394896e21b46dda93f984660881cf491b

SHA256
962e28a7260f7d42b11fc8be92cf992d721addb7567f201b1154a2d123b51467

SHA512
04474fe2aae603b89e36e7e93ac3bf2580cbb80e74228439eac774114af20b4b1771f7c0d31fa2ec817fe355c7c9e6066903823e303dad1c2c4840c8f83db0e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
434ee0ea5621a2d4e75750c75f288267

SHA1
8c1177427b634a8c94337377ae8f34d9cf125724

SHA256
cc57f6eab24b757da1bca26b58b93f3bf08c6e1d9fe91f269661ff228c3f195a

SHA512
9ceafd4a1f8cc39413dbb58fd823c3e003ffa2f7450beb5352a0f941efc6452e22a5c83dc6fcadebde8692b6fd7061764b669962214f8be128dbab07d775067a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
7e029d065181cd5ce332445de3732ee4

SHA1
afc48efbf0344469c2e6b65029b2256771c496e9

SHA256
f0da052928ffaecf2eac9666e11692ade253cedddcb9c5a7df71f36888f19d44

SHA512
d094ea99e9880efe9f25ad2785611ec4b4ea954564871ca8d0000b0057b9690e309d9d24191d1351ea3fedacca7b1cda70205a13f070771684d4911bab61c379

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
b6a2ee171339aacafbe7aa423568d15f

SHA1
51db6840c08f0dd702685068ca97cfe7ccc40e09

SHA256
35364a7f17794be0caf01c7ef54b2d237f3b6a1b3765ded6b8e32fb1a8fea9a9

SHA512
3d7daf38dea43cd09e0dc007e377c5be5a17ba5a6353e2156a7dbb422219abfd7b48aa95b1446a5c0c5f9608ccb4b4c091a77c35d0244ab52f6cccc7f84628b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
ed6b16a2d7c028702da21a075eeb4065

SHA1
7e3b98450fb95f470dca1c1a21937598d8e1afea

SHA256
caec3b77223d5e67dde35120ebfbe0ed823c16455eab8d772d74e8be86ef1b1a

SHA512
5765a71b05811175f9674e5ed99ef83fd040695a39f684de880d489f4d6d61ed25166ddcadb7dadb272916d074068cf26afcfea644c01f8b5f7ac9e173159b91

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
7f9e5d2e08644851da3a582230721799

SHA1
3c6f22e4bdf44ec9681faf81617d06dca8686146

SHA256
a615873fa51e849cf148ec7c36411a00a543e1fa2bece4f78c9555d3b8c79e1c

SHA512
c8f7ac5fc1005801b1a1ed24126226c12f527a7169ce14b252f2d94f0d6119fdb600be72a84972ccd0faf103add1522e08a498360b89fa440a576fa9724494e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
d117292646a12453e7b5582cc4a541ea

SHA1
d7ef02e44ce9ff4500ee8aff2173e34ff62e6a7a

SHA256
fbd8ec4929d82b0e7c6c581fa88a343028d988e94f9d6422f03b1f062535ae65

SHA512
8b6d21e86c55ca89a7e6f9ad4eead783528c4d4cb05c7b5a418fcfd99b7b095a5ca7e2af8522d5683abb88b18ddbf081887597e9a17352fdf2de68cdc150d699

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
8aad792af7373ee17d92cdfd2d7a2ac1

SHA1
65661b9430a24792c8eaf561aea97f906579a88f

SHA256
2d969b3affb3a6551191abceacffd3adbaa713843e3eccfdce6a07b1993784fa

SHA512
8f797b4594f9b8c94b66286c0bf2583ffb3a390f061753820035c5ffdbefcc5bf04e8707938a9ce88ff601899671ea8edab005258e3802bb5fa1a3e37b20d19b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
f63b67c513817864ecd976a89e19fc99

SHA1
49e4847df6b91c47ea2d03872ff4713e951c2d9a

SHA256
89a05d288f89e82b79f64691aaf3d8fa8205cedd768b9b1904503c638323ff72

SHA512
c60cbf149c24b4766c6e06bf5b2e8ebcad3706a1ab255c668ad0d944f53492e609c0c87f4f2229255ea07c7c01fdb948387cdc7538fa8bf4e6fcb0f10ee62e27

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif.Bl9c98vcvv

Filesize
21KB

MD5
7848bdf44fb668d78d19a4d3ff99948a

SHA1
69323c631a1187c24add7c3cfe259bf0b1f5b7d8

SHA256
abf988892540b7e9179da9f763464d12f65e24f3503cad35692d656896ceb5e5

SHA512
fd6b9daf56d3a5cef8a7f9803d345268dbd0588a6b3cae55e0750451daeaf47d52b0c5a41d828a124a940dff25db27b6fa2d07fde45da7a23cbfa3d0d05348b3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
f8b4416ac2848fe0262e5f4b989bf158

SHA1
d4d8d9b7e9b38edd990e3d6013d4c8aec5fd8068

SHA256
b4cf2ee8894287ba0f3da5a85247893e5519e2e3d977db3edc0c7f9c29bcd618

SHA512
c9ba07dafc1a9ea0604bd18d8ae195deec11eeb7398447fe137fa36785ea902631e641674370c53b4cc37d4e32d10c8d744f67a74795ddc5481778e9df4fe188

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
b89eeb5c362155dd26dcdacd12eaad5a

SHA1
bb5fdd503b81c24210827024085b029af5883213

SHA256
a0ab011d0e97f1da97658b8653620892a06c347d226de1abd88df75c1463cb1a

SHA512
6a9ac284f3122b2be257f22d3e3d4c863a7b1c4ce515a040e8078985967d63366e321a964e57fd3d7c2b51b36a36c1a8f2039e7c5864043623ddfae40e5fbef0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
becb69d0debbd5cfeb4348432a3816f9

SHA1
43c10881308a29f33e28d806f4954fcb08c10200

SHA256
f44aea688e58a801f9c394c945d514d174529132a7a86fbbb5474c331faf7123

SHA512
aa936d041cd64e183abbb80214c362472ee379b8fd372a732fcff4d89502d398146bf37d665799acceafc8ba434e941248c2421a431225c2aa4dcfd2ccf5b202

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
6dfba97a2239211be4ce12311dbcb20a

SHA1
fb721cb7ff575a19def531dd08b9db8fd760763e

SHA256
eba9f474b3243e0309793f66cbf356e68640828ebbc7bf125a420813e16fd860

SHA512
e455f19ec41d2349646c2df21b09e657e36084cf230787cfbcd0ebe600e889bcf505af883795078520277c0ce2b1e099e22c54eea8c36c8edfb5f07331ee3a3c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
e97f409fe50921ad87b82e5c877c705a

SHA1
415311d6ab339f272d2adfbb55408abfcdc68ef5

SHA256
a0ffbd052c685fcdf32375f68f4d99606d1edc910ddc693dfe2af5130452a633

SHA512
2c3157637c5610e97add6aea20f8e38da0cc6ac36df4084c5f6b51991e340d0ee31ec7426b897e9fd2d3208026686580b924d806f0f3f79548e108796b5cb319

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
7e38398ce1f75907facf403527a5b342

SHA1
2c19cf32ac42b4a259fa7c47f412191f3554a481

SHA256
82d74d54fc3c2a0d40be21921f49d4e7b2a47c0f46e38d4fd77f3dff9a9bc5ab

SHA512
0dd4f7890384636ced706b3bea2f963b4a19ebec48ed7c0b33917d11e3802821538442aed25409823fc324a9de7c104088e96cb951cd39121c8ee5338d0ae689

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
e342d4765ea16cdc376a58a868745fc2

SHA1
4b50252df504aa51c8f5a3d713648619bd93e74e

SHA256
446e8c47cddcb93f79d1218a97e6b267050b86df8ae9a4565e6efb12711d6e14

SHA512
02a28490046b799bbdce3285894cc68f306616e5a97904ee304693748629eb9de6fedfcc868349a807d174a127a8ec9733b595d6d194a8deb163818a1752619c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
82310c2b6b582711cf32f43adf01df11

SHA1
3ccca099556a3ab2bacbfd7c987cfe92fdf09db2

SHA256
84309e7787cf809df432ce767ce8326cef6468eea45122cb9e90645d02f53618

SHA512
4e787bd3101f3588370392b5fc62e964fe0c65abe6d1fc85b5bb9fd7c7927bdee2416cf0eca41c0eeeb8e046b04974d8190e3b16ad326c04fca16beea3975486

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
4f1ea8c5cb8b63701a7c550fd0a2d641

SHA1
219d7747243b6e39ceeac99a4ca3f16b24a0c2cb

SHA256
6cb2c6fd69d641f6796cec6451cb2f634c2a6a6fb69d7e2f8dc7450bff740171

SHA512
1eba282d233ccddb7215b73abfa2c1971a82daca7d39994670fa0f988cf0a6d08541cdf5c9de7f58f58c8e22e195be803c9c35e15a8b181b329dff31c5be7755

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
37febaa62b7bedfca2f7f6824d8816b5

SHA1
66020c80a557cd954138856ea8e28e804de63407

SHA256
8fdaf011d7ae41f012680db4a45c563e99e6eb7707872a26602f0250b49bb47d

SHA512
97295d53b936954f1ab956bde8c08112e393cc363c605d5206a291e8e00ebd8913aadffa9426171a59298f919ced69197d07ccde4d8d7d198ec93cbac730c79b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
0a7cab8b4d1f9da2b8bb36befffd751a

SHA1
bc75498d72b6e3019f573ed26ad2bbf3e7d94e59

SHA256
084e2126815cc2e686b87f2da1731601106ed3a84d2955523496516b9e6eeff2

SHA512
cafdbe01802d61dff8d1be452541055476e3e2543d4b4e75b1964d93350d50dfaee81078095434b30abc0f9057600d581f97a04ca5872e5eb47f26ff3257e167

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
64e4c9ea5fb23f06009aa5b16ca087fe

SHA1
2befd2dae6dfe6f2b53d6c949f75c7d93d28c509

SHA256
05ba7c709efd20351b792b216ccc88e7bca3a22432a2b04e4632c6459dac827a

SHA512
e7f5b5d35921247e20a84dbc2e0e7f20df2fad2b283b7982346a428702b4f3eac97b520f31e01491ba19574f174eaaba8a6eae684532a4a93a753d2495990b20

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
ac6b94d770877ec5f57e1abac16a682a

SHA1
6b421c03ba819952c4d650ae3dc0dbf3dd057227

SHA256
650a913ef0a8e29160a443b128a1d77cd95742d19f15b53ea83783a5faeeb360

SHA512
bf476a191201a5835af60dbe7f9b7c60e219ab1129d10020759a4bcc95c9e66353a5592ddd213fecd13a3a8e3e08d8edd323a78c0e410a1ca9e85a6c5a7a3c36

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
2b29edd6506b9435d6b4af7476c94303

SHA1
27e6e37ee7559b5cd2e2c5b70fa4b4e45598d603

SHA256
2789bb4858a36c51d6759d2dd411821fdcccf3667c235b8eb6396e4b631f3c9b

SHA512
7eae5f9545f8c76c37724a7820ccd7d4e761279197ebabaeb078ec4a235730e1746af86ccb5dd07036af8889049122c09cd242bd700ef11ccdeb4443c4d44190

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
b3bf57d56e13eaec75043f1826276ead

SHA1
d58e7d4850ac3a1c9f265a97e6436339cfb94ef5

SHA256
0dfaf18a41e2c90de8c5204db06080ecb6c86f273d97890dc94a5e2bc4c9bee1

SHA512
27ff9dbcf01b6f3d04b78a5fd6378fe0d1d2b1c4aec9b280ec3794ae537425181fc8e1d12aa6ba0e01acd9d9ef895bf100f5a206912c1a1df30bbf1bb1c3b8b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
5065108a96e172bc58d5a4b24bcd323b

SHA1
c129ab1d48b024258e5fb6804c10510652dcc7e5

SHA256
cb2affb29f5f57a12478a60062cc12ba28d95b6655781bb11ca470ba58b137b3

SHA512
dd91d8de4784a66399fe05a49069ae4a29f81ef0fe901018d5dbd7fea0834df378dba5b3dc1b34d032770aaf8a67cf91310527d05c2c95dc3dcc07fa620903e6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
ecb89dd731d04c590242767099096a73

SHA1
66d44c139be116c4aaa486bbbd84f5ac3d1c9e42

SHA256
030c3618d3c1209e55d54188e39424513f574057eb51c9ae8a1a6fa4003ad4b4

SHA512
9fe32df7beb38ad8e4e4f889a44a1f3c3bd1d26547cd48c20145db7784d8ceabb6a6cde0da78d9645bbb9c1ce51021789db56dbfc161a432d088a8b070ab3bd1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
b97c027d670dac50ff38a6fd272d699c

SHA1
b2a3408cbe109a3386375a371ecd956f4898a970

SHA256
e5d19f9a22a5c55242e9111faeb692e3c094b86488244e503260f8d30bdeea3d

SHA512
9155ed41b28aae22af9fa7927a87aa041017ced319302c28c1793f556bd82ba4f52be767dcf0173afdbc49891e526f5e321c60640857242540ccf86a57375080

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
4ddcb9ceb0422700f279f7a6b1a24489

SHA1
76006db0ba40b28a68d934f3239273ca9ba19730

SHA256
01cce9d875687d0965e12ad61b5c9ee699b716823f2b138c5fa838d8a8849718

SHA512
b15cc91d1acc87320eb0d2ba28f8b7399d2030184e98c7dee56035372baa06f68faff78b60b3191dac78041823050cacd5f601d816c7369ec8f542a26bac0542

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
d016a26367b394e93b76957a8b28e5da

SHA1
8075286903afd86c97eea771fd53f8a1794e80e8

SHA256
dad6796d6408d4312d96f6cbd40565f9f3886c20d1c62593cb247409119eb15e

SHA512
2b6eaaa021957bef48d20c8fae086aa03df77ddf91dd161d744c107292c2b79592d400a94d64f526409c2e6969fd026a24199124ec2f331479217e338efed8f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
9f244ba81e340d66127f3a4a07519b7c

SHA1
4656a5d4f7ebd4b05e5ea0cd7db8cbaab000bafb

SHA256
cba8950a0356ed7e2f026360a38faee13bf88d2c1244ceaa870573b4ee8886c6

SHA512
e6a728587456910eababba2eb1dd653ebf1bf6f67cc36898aface302a97058a9830d598550a5869dd3430eee74f8d9808030c7693810cf563cb6ca89e2ce59bb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
05055763f935cf9022cc828e886d1b37

SHA1
be8ac646f90c04a359306e303fdd916c3bc8733d

SHA256
46e5348391bfcdffa4ea87886f4995d78ee15b351798138d57c892afd0f243a1

SHA512
63d0bfe32aca403a2e818ba66881179253accad04497967dbb060d01b7099cf3ba9b68fd1d956f34ca0df51c7075ec94184685919d0f62cc4b62d9dc679ceb85

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
6fe334b032c45292ea4b278f082a1fc3

SHA1
d5cba29ca26e54d9a7471d13575a5a98e7bb9e77

SHA256
e93c2e049a011de6c8eb05dafb8782559a7021fa85d5a0eef0a7ffa14ef1b7ea

SHA512
ef2634860e55bf704b9aa5eec61323129d7ea20767bb27b4b91fdd10e2a877e4612bc6c59f5c11c3b2d7456160fa9b2e5e7b6a05f72dab8041e3d47986f5de7c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
d2a8c97ca2d2c4c4d11ec45ad9cdd162

SHA1
d1864e46f6fa62cf19a5b72701a4999e36a71c23

SHA256
920f90f0f6e45bf2a079af8797a5f01763d041a705de4d47d2deea274f820ba8

SHA512
d37b65b00e480b28260d7cca0d39b0a293cbeab9d7f190bb8c4034656fcfbed4919cc92c7a4adee0a98a4213c77efb62f86031b0490eae5f803bc245f32a9cff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF.Bl9c98vcvv

Filesize
870B

MD5
f109f35c72d658e5e8419128a642dc9f

SHA1
dab7dbff1c12e8dbdbfcad60939d4bb07c237c88

SHA256
4cbdbd14d5692e0d2e764e5d86287fe67291fdf8c7bffecc19b2aca58f16a216

SHA512
9c8dee71579cb8f5c7a00b0ea5e40c3565e8213c009683105a9c02fef1ce73627d479ab9f350ffccea17439f6e6ef878c89f9ada8253a509575fbb0285fad0d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
67d2cab16794af766d73720d37706ff5

SHA1
e2d0b02fd00391e7092fe7b9a1a374adba299769

SHA256
b55be416bd431358ee3bb090602b2fb165eb3a7d8e6b29116c6269ce99a2cac2

SHA512
c5768be778634b7b7b6382e3d29b5662da6b2c32a0370c36f2b5cd0c3dda120c2d79e4e2e450cd96127c020c9d7be572935a0f023409d39892cb27e944cf5131

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
8dd14b363a9de14862596b9ce71368e0

SHA1
45370b69844c3b5f048edaa3bdc255a118568524

SHA256
c3184b9717c980033f4d9438eaa7737d75d399fe9a8934eef2a443a647c7908f

SHA512
74cf54f63841fd810a6c5a9bfaa479f37f43179bb393bfc9cf1c44676f27483d26b4c68f78e223761c6020f16f745f2a020d08dd37bdea4c9217eddaa015674f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
dc5a2dfa5a8ac342b19bda194e8737fa

SHA1
1e5c5c6b1e1208e93b680dd95c7a248fa93e233c

SHA256
fa4ca65120365f39240bbcfe857f6b5ae83f47b86260e43cf1929716449355e6

SHA512
d0b676973f11c17139fc294986c91894831496dbb4c18c29d8debb6e561ad05545ee6935b5d72325a773cfe19970f6996a9d8abf86972e15940f0cdace820c5a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
2b3a351fc1ef8d22c6c479ead02a52c9

SHA1
b0e41a386a39b25e958fa39cf82905877c0b43bb

SHA256
8d7fcff9f9d7cbdb8d8cadebb352fb393df46ed7763cbefb11b9003be9070552

SHA512
16fec2a6249aca41a265be066ca018ab2a1aecdc431d77c22868ff889855b74f0627d184ad3df2108aac21e6ef216819d224a46df42f6e3e3855aa646f8c223d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
067138b7f15b3c53d2b9ec736836ad9e

SHA1
85620c9203ed84975a6e82a47584b6d89850f635

SHA256
ea551a7e47b2e92fe16e1b6e05a014c47a4a5aa94ae7d876b00a7bbbe0a7cbe8

SHA512
bd418b50235591597e1af6fa179b3f56be9ecc00cfcaf95f114a089fab8c3f368fe317fc915339dfbcd0482fe595c9120dea02848c2e6a10e07518c5459ae661

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
729eefa7f3c9df72ab8789eb26746cf4

SHA1
7196ca78919f5e9cbecb64d37a6cd0274b85784c

SHA256
3a42b4da4dfc773e9ff718c9f56ac47afb199ac7144bc5c4b18d72a8b6adce2e

SHA512
e85aec599cab2b79a919e009904ee1dc9e380955a0fd92d458cab26693adc839e216e717a5b6ac92b5fee9834e55484aa7e0eb4ee4b289c1af877eb0c6a73980

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
3e65edcfffd8b441d446ef9f36f16e07

SHA1
de6d4b69d38dc7930160bd305af3c40250b0cfa9

SHA256
d7f52e2d9b644bf5ddfe71895ec2b95b85e4d3bef426732e8c5e965cb26f9681

SHA512
6a34640d07229ef00865a398d524a40adf8a4dd8e6cdf73ab0f0558cd8936b021b66b63c9aab955ecafef618a5d211201606583b0c673f1efbd479a8fec149bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
7ffcd7c88241805145b673f1e526c5b3

SHA1
6b72a498a4652f1018368b778537f778a59e3224

SHA256
50a5af23fc23222216cad62a468403e541de6fcb1e76083ab29bdfe332656da7

SHA512
2ba30519937941dcd8a0001261d6775edeb57a8c35dd09c72a3a424c6e7b90acb89c132e09fdae9f1c00fcc728cb545c13f0fa37a9ef6e45708337ad88bc0991

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
e2b360b774cebda8933a8ecd2d1565ee

SHA1
2c9b0c94143b0d4208b5deb3f2138e0dd9ee4034

SHA256
277290a5c358446b8a3ce2a6bc49afa1140ebbd68105d5b6a9bec1e389f31330

SHA512
93aaf67a5387b89794e1240a860c94443e4f23ba4adb8936429c499d345806bb8b400f1c8d9b769c563f8b3197d8f6db580e78efa09d221bdbdc70fb41d843cc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
1131d847dbdcc6399ce2cad9f9433d83

SHA1
3cf6395104b2b81a3c0f05f4f9d7cc89a6024bdc

SHA256
1a4f999bc43204e837f62700a44fb7b3f1028c84feb075199984c068660da047

SHA512
45afa4809d9ff89b968e3474981249f4df511935a39af53658ef3b3fae9125530f6522acb96bdaf082fa85f76378891f01e78d5807e6aa939a44173edd9efc72

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
4316e34986c15229a1e0d47aee37a3d2

SHA1
3c31a79bfabff07e7e4288960530f8255babd9ab

SHA256
ee0c2b31b15d682b4513808ba85489954d5f2c050d2cf08e2a0b38af0dcd0968

SHA512
43d9fcec25fe8462cd62ed6bf4511c22f989ed132064767477dc7bb2da91d554ae8f0f21fdcc59eefee0025c9362e6a85e1fcdd422dfea43f11a76f77761abac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
42ea7c2d80bec8f2f0aec12d4c9f7123

SHA1
e7f713d5295f16fc4092628987019f132e1ffa3b

SHA256
1300c1deeba7598355f15c8dbf772681cf0b39db1a50c3c856ed3523825a61a2

SHA512
1f711613ab90dd88fba19fd9b5a5cbab0f9c6577c4dcd193027e47e861baf288c2afd822d0ffa6c6b2544f1c7f030ea721a65e77e7b0f05d877b2c5639c17df9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
6026500b980644fb2ddd4759066f7235

SHA1
d0798c5324a45f3631279b0ef16a82bd5f2b5c49

SHA256
f75e56447f1e7eb82d6ba2c9d871c59dabcd28131b7920d17a63c3e31caec2ff

SHA512
d4eb7a75220c842aafed03a0f432194c7a959d367b7abe2f6ad1acfd6211e9b97bd9abb82c30aa75b65813285f3d763a169249dfac6fb5e8cdeaf260d05f493a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
53cf053a784ec5d84956451fdbcd8572

SHA1
32e32cd92beb21246452e905a263bdd1c2616795

SHA256
abe7964debeadc49e74ac5cb8a419d63c11a0fc63fb5680c2a3cb32048b50a17

SHA512
c9839a6406697ab6433dd69d9ad9e04e819b935563b06de8d21b04e8d0ea82476dfd2a07c58618ab2585df65bbdd5578eb364de7875a5962d7b98d038815f2f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
c6059bd4a2858783915f34ddcce4b357

SHA1
2f94eeefe095132784b1f0bea8eebc0fa6341f97

SHA256
2db2eae502223835ab9eb915a04c1d1dc22a79220006f6ecd67db04ee3dd4d8a

SHA512
746c7babfca5e6471d1b7cdcd79f25101b08d36a2e88bbc9b221fef7f0dc2425d1d58b2a137f943d00ddd371dd2aa18abb409908bf93ab15536ea57f8d2dcca6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
d045c84721790c42c37d84d486d2cf44

SHA1
fc4b5a554cd8714b3a8b55cabab2246ba609980f

SHA256
64254363e7bcd2c930bab64db2d7821f74d118bce7aab0ceed7af881c488f4f3

SHA512
b7a63165aa5e5ecec9252f5cd58f6c061a2336e2676eaf63d04ad17341ed5a07a5cc3d0824b1250ab9a473286de9f3bb5b59e8ffb06af384a5cf7a95663e4ca1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
fa254aae7d255330ae97025f6c052fbb

SHA1
16fc8cc9d9e4f6e4734193867a769bc7123366b9

SHA256
afa30e372b2961b31c6395dee4ce44e5bd4f2fd2f2bbd59e4cae6a63ee269590

SHA512
1f88a1571dfba579319d1e1bb249bfce14654c69dc3d624a52ffbf4020e78ca92970f45243329510fe61f5b39283297b6482661ec2c51f3a58a1df4fb15c872e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
d873c6acdc5c1a2df5dff8366643d782

SHA1
cc17640c1a471925f09b543974680f9cf4e33dcb

SHA256
e4822a1444cfccba8c69803eacc82d2aa2fdf032467b18a97798e9df78763680

SHA512
5e9746e5b689ee6b2695d846197630f5072b4b97ac6aad033bdc1329f220f403156a7f06dda0e5da75fcd0cde272d7a4019828e36cb6402131a4482c746e490d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
4a05e7d775ff5f5b6c259b63c9e1d415

SHA1
8c96a18d3f9b67e18aaf651b11283ea9fd3b8e57

SHA256
c013fab02c16dcb090406c3b4fda2f3edf9804939f6a5aba97b8654a749115e9

SHA512
fb1601b1f9e02845ccbbc3dc6b9688438a099dfa2365ecfc1fe1f7bde3d41066c53b29e2e72cbe0d7557e8dbbb23f1641c3debc29bc59670b0da7f68122086e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
8179db4bba39485b6249cc57062ced40

SHA1
37a3778094b2f4691919736398d47b34e7ffcd2f

SHA256
3756e5e9718048ba93b27d68c766369d2416744f07416dde964710176af2c9dc

SHA512
4928dfd5caa46d217ac394953e19f6e69d6209ea0d8911999c997b683a2bd732f3423802c1cce6ddf694387c41bca59c8ef8356fa4f869881990dc320245503f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
64ec82436e45ef578009261bc50f147f

SHA1
5fd2c67fa09b94556700afc8316a87c6a7b5b83b

SHA256
41ef262e05a87d415c32792c8774d80bd993c3ffb6a9f3334b475abf6974d01a

SHA512
2e9a1ebb32c2f9bf2f673085181aa288c27c9fff22f4437082ff978e5b855cdd06e63d07253cc5e7568ac9fa2531fb401265294d00986f33e5b7296326755352

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
df04943e663f25cc1c915b6dcd28552f

SHA1
68cd5574c7e213f1ad89384d66fe673695eeaa01

SHA256
2caa4056f47fe5029b33a4bd71fd871b453a2d9a1f6bf54080bcf96a1628161e

SHA512
91848776349f491a40c3d906d60222d519a651be2e13686781ce186af0affd53cc06fb22e32d0f51e1d9dd02d1c5346cfd0c350711c2876af2412e9310102ab2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
3ae734077b18a8ddd1d80a9500c653f0

SHA1
8e84106f2126a7a4439090b73e5407cb3883db93

SHA256
4b6ce89363b1ec7a21b6eb1dfdf614accb44bf35b98f70f477a0411ed070686b

SHA512
540a19e0f225ec44683c06488e53e679c8cc7e368a97b5c23ecdbd0abd86500c2cd37fe37c5146de37760820821c0cf856ca21c6fd79d6c3086e70917eb44d89

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
1796bbfa3b1c87c5028e6b5029f03675

SHA1
606d2d25f3ecf65951076c9de77bc6ea83e05bd5

SHA256
8f01ee0b137344ace9670b2cca619921480d87758a1a84c4b7bea3d409ccf204

SHA512
6ad2c93c9118759eea580d9243b4c1e441ffb0b1864e187f0b38b350e1034867c45f69f4b61bfa714906bb9f75c6ddd74048302da39bd68a845014a5f8f49162

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3d241c1f6c53320365ee2f4da16648f5

SHA1
89c112fc20f7a79df5ed54524b2135aef5429ca5

SHA256
72bc9858f046fb4f2c775a548918f5dfc9c5661059bdfa9219b4b4d5c10bb79b

SHA512
e59de06b1ed25f2d7b66baf63dc41f78a9adf6f858cfae2881424e0c853f308b291da0abf3f776cfee0b5783bc6f4e4d8d9fcf46eeac4280b3a03255942db393

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
06573512904de85494f3d731b967280f

SHA1
2f4c18c5afcdcf502b7be1e2a41bce2493f3087a

SHA256
26361b8196f8d1ae24f70cb63f46b53d3072b6dcd671bc2ee965f96d1bac22b4

SHA512
a32e8dcf2059eb7b36bd57a08c6595279d5021fffbcfb6ae377d52547711dced382e82b0054136b2d9ca26b03d55b329e0241998150ad3e9372dd605c41b1792

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
7d35c42c103870664c1395937302ef85

SHA1
1a06c8c5a2f893edf2c8f6ad7bdd6ccd7b027f81

SHA256
91087c3c38ccd4bd98aa8de8e4e115bb8a3e27b1887958ce97c39dfbd864969b

SHA512
bfab1bf7680a55a93c204ba2268f88cf08a02aa59d513a63606fca99c554e440b35605c772272688401f17e86ec44cb5e842bec361735b3c67663c34d1271460

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYiGElV1ZFlQ3US.exe

Filesize
39KB

MD5
9b7eaffe4dffcbd06445d0b32785cdc8

SHA1
af992e2e6c045137b8220c60f534f80da968dd38

SHA256
4137f8c196fdd99a5cd64c518ed27c466953e37b78887954ea192b5595a0a076

SHA512
3639fc1b3ccd57b6a61acecfce8030a7c2c634deb44b75345b5c69eb5cad03a8aecae781b950c254e35f4db248b5e9113fd06412f14ca7a90596985a282e123f

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
1aca0497707a207899dd7804984ce7ee

SHA1
46459d1c10cb6ebbadcac503b575d3574a43d3f9

SHA256
dda265ae389433e5113a1e07b1993f698372e9e8ddb9b02237c47994354b7ed0

SHA512
fbaf4c3f78ce13da90113d46af7485e37cf050b09d9770abe11ee41685e10553dd8930e64f5d10a225445a3b92084fbb994e72dc974284a26cccb3ab7e48b9b5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
5f66b98035345c741845d4df520ebee6

SHA1
c73371a35aefc26303b7a7e7be729714a5f5d1e9

SHA256
23476dc0cd1f84e63d058d48011f5a38cf490600f188cf030609780e28c75c65

SHA512
8c224f8cd32a0befc6bca9e8ac1b84dd13956998c1b188c70739c8a4eb326a51d3ace66fc508722978cbd59eb8631a23dc5a11c06328e576762c8c110fa784d5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
88c97f9ae243554565e8def5cab285c8

SHA1
d30a0eabb88af9ff4cd3554072675965b094304b

SHA256
f675696fdc11ddc4a99fc45c82b70665def2cd9eb47feca3372ea36679d3253c

SHA512
d5a0bc47578f6d5df36654f33d3df293e52f1c6312583a273ff1746176a4507ba5cb4e0e7c237ab19ae2d0d8215c47907e2763422d42e52b35b1b9a52eef474a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
fc18677ca4043b0d8a93d01d39063887

SHA1
3bbe3183e7c766be774f40c61f42ec19880cef4f

SHA256
e27925ab98cb485a948fdcca19a5916815874769b5af5d3d254b7085c9581835

SHA512
73a4a24ffe48796d3db3ac761770fd81af89492bfd6e10e3b7a19838f9ae8f9da7c45902a350e8d83c55d8dad441a398a61b9b361785f37f0cbe896fe619c0bd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
b95280dc2d0f115eea4d02e5b67c3ed3

SHA1
bcf7fcaacb4ea2dbaf5f20f425fc2c58e0964d59

SHA256
382f29a58f6673297b2578cbd4aec4b7b6f225af83f74faaf5983334a651f97d

SHA512
ed98534e020ff950e56fb9074b8145a158d180fc9b46c1bd3ab27981ebfb8d5a84e805602c7cf409f963c9851421c88ea4277a07310b429ec0b7f360bc4008d6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
a084499c4b14d106dc6ae542a55148e0

SHA1
817f92e0ad9704a62385b2737829fb86c2e123f0

SHA256
7ced6b3f05d22fb22e7a2c96df13d9e1f7d2297961a55dcd49205f43aef2f17e

SHA512
b5e42547152eb17e3dd60a10d04bcb8bbd9bcd96c9c02baf741aaba29b8990d7e0f0fa7738c7294cd0d19ccaacde66adf3ed1cc8ad74ee6c9930a01183e25e88

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
0305f3935eb97f0e28576793fed2a454

SHA1
b6f32c3487aaa7bdd975fffdd7c97963c28b3e44

SHA256
0bc62c17bbf1aee86137cd8d36804b3f2985240c91fcdae942f1a51dae696f95

SHA512
b63c28fbca595ccaf7ba1a0462624970c214742ba60892c9c64674d6c6728398ef92a480a2d7e41b6fdaf9138574247caea959c006fe71e4a7466429d4b80a29

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
b40036cff7a236be3c05c4ced98134fb

SHA1
d7156ce9dbe28ef15470d0ae556d9bb1c8706fcc

SHA256
ff193e5888d94c897d36f0132433d46619a75c2d8b652b8cac61dc1919aceda6

SHA512
f22b2956d7093b5e61eee47f75a27f52fc0f0963ad8786e24dae878969684aa6d15d5a39d042c2960b2a41f28c3581e57f043e43d926476cccb9136599b0f46b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
537383f503195b2885e38cea448ed5f7

SHA1
73bad596c39249e5aceab4cc66ddf5c7e116858b

SHA256
28ca666cbdea89bd23c1262dfb262f6b171a462c50b4b6a2864a34a9f6124f29

SHA512
8f39e25c5df04854a73f9c3625ecd06a17a3ec1c83a905a91af7d9ec3be20e61febaf1243f59b67d98bb32af4a9bf0186ed9788e4ee12cf8f2405dcb82775fbd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
757b8dd52893816d18acd53747bfb0bc

SHA1
bac3e7b9b85b233e713b8dfbc5c3ad45c6d99d2c

SHA256
ef562177487f2e8375c153bda7afd567272aa3892b8db33ad6da1f1ec581eb6b

SHA512
874700a1a4f8fc5a88209a9778bc2e0594742db9d88638b72228f75c01f6aad723568b3e59da8175253052d2cb9534a0f94689e02758598bb94c943fc3011a33

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
7d79542dbeafaa523f55e565365e65d2

SHA1
448c53227bd2a68744801f4861dac88d58be27b3

SHA256
f87964bb48f948ed7fc49858a39a17ae0c7a8b55b0a4cc0037ec6f6b4d5ea335

SHA512
f0203bb57c1c36852b7ceb90c28310de4448a004b1ed784d37ab05f7e18886ece077886b50c6f7c2f250c0196df8cea92c3e84e577bc43bb494b121d2ba25795

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
8961e7d295079a3da8de9c5aa4a819ba

SHA1
934731afc0065c164ab45335f216790b0ab119b0

SHA256
c5240b6a850c5116fc7806e010930a63fa28f629ca363868dcad746dcc3c10ed

SHA512
562b630c5d6df67711413001b6824a7a4bf8205a8b4e0562f249bbe02ca3eb170a9c75e4fd74cf1ab129d8942329a38b142f605d9f7a54fb7b07b3961068eb74

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
4bd333d90abaa611759c63702460a97e

SHA1
1bc0aa55c84b4cec249011659d1dd378e8827224

SHA256
09a860d631b024dff2ee0286417757f888a21115221c1c7fa8b31cf22b0449e3

SHA512
40968cc945139f23e587c8b7990f036d3f61e385bd2eab1d8580ec4125ff30d2889dd5e45b8ad5df9c567e778b8d8d34e6b78d66dbf6b8050cbd9922bf08c439

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
65ad39bf7b613ed2991b768c5a53a6bb

SHA1
f74e404612b32cef39de33727652708873d825ef

SHA256
7bff5df8f5c5e87bc4e4a9cee04de9d14c3e9e23b0f60563f2352a38c39b01ed

SHA512
18f22e62d8c7fe432aac8e26609c125ce5eba94889c8cf581311dccd7caa2f73d35f6825b39c05f16e131fd771d645eb79c06f4c279a4f0f51231567abf46ff3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
642a4f7bda16af066f503a5f102088dd

SHA1
e1536dfdfe9d1e6ed495d04ecdd3e9d1ba4dabc5

SHA256
478ae124c83ab5d9dcef2f90606e7f5614f1a72ac3509221ee456d6b38e47465

SHA512
078b0be1ee69cbcf320200640d8c66f2776e6065a866789ca7610f577df49748487ae0edd695820cddc22b8c79ef50fa57ef4f2fd4d4320e770716a2e2b8c880

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
c0a36b230311e53a684d35670a60d347

SHA1
3aef9426ceb9e6d32110a87e1a34382df520da4d

SHA256
b882c41e9a17264effae0a81103677a351248c3d9c9687b8f33b832428caaafb

SHA512
cf3124b8e9a6e5f75a861522e47d56e21b07007e1819a8874938e0a6f2503478eae00cfb512d5a13977ba6136c61b5fcf00bb099751d130162d8a23a6b235be2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
e14c7cadfd93f3f1c3aeca220474adfd

SHA1
1d043b314289718d395f86016f5a56898b95b7b3

SHA256
854a3d06095ceb965d0fd3c2b275e4b84cedc05f93c3abedcbbcf2afcf0c1348

SHA512
a7633878c664da07c7bef1293e4ebfd185a1f4acdecf5ebc49b0a3ab103da16980427e17026920a5c3435c6793e02a32f358e99df14fb45ded2d0ca3edb5043d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
26b44f78f18fc0b219e29871667efde5

SHA1
74746f735cfaa9c2b9e217821dc61a5ec0000433

SHA256
2f40ad49d115567740919bfe99eb0e179d68ee53628b3aabcce265c355cffe53

SHA512
83eea8ab21a74333dbb2a5871ebcc45f4acaf21c3a1bb4ab3c5d5cc8888ba52fa08a131a123e3091e72160dff7ea51f3e66b76362ae268658123f20bff4eed3a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
ebf4afc630984bee8d56d68a63ca540b

SHA1
f415d41514c38f3bb1581c43f3ff5bc275870590

SHA256
b1eaf5fc907db4aee35549cac6866755cd51610a463abec89b4c62d2d781f760

SHA512
f63a802ce39e4a25e1cff9de9212cd546df38c5d9f35ed69cc9025175c782546c3f0ccf4b8506a3d8e400f7e9f6a6a3990d7f6ae10d4b9a72ee862790b31d6f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

Filesize
65B

MD5
69212e15dc2754acfb98f4fa6939a194

SHA1
4c4cac7d83176f40c2cee3dad96a41e7d306fdd8

SHA256
3528ecd2134a99c8ed567453257ea29504f1b96744546c339f622abf855b8074

SHA512
b4900e2c21dba35f5f4d3eeb5deaea4b2e7256b6cf84f2ebd34cc7fec19499dfe64f69002ebf970b7103d591aeec469be22d7970934892dcaf936c63618a640a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

Filesize
65B

MD5
feb5b28daa7551890e6a6397b7e93bde

SHA1
a7b20c3fb24cd64ecca2a4a1f43f4bcb184e8abf

SHA256
39772bc872af06c80efd8cc80a0023a02fa2a8532a9bd392b503501550e44918

SHA512
f35366347505f6fc856e61d2457ae63da08444ad0fc6f8d6ee0f21acca80f0abbf8d88147d18d6ed6138aa69cb7d001e7076fde0457a99b372d06a27cb2b654e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
3d8afe0e5ee0a2e3eca1f1ba36736578

SHA1
a2189ca542eef367336ef3fe6637c093f7f64a2d

SHA256
92d74e36a166d280fc2df176b0cbe38cac3346f84324df00922aa099d26d126f

SHA512
94db04e298ef1e796f793d2ee30dcd6baef04b4ec5a540ed2a23c5ca83c6f7ddf794f5aaf6d55a943de3d21e55bb3ff84e6bbaacda994cd14150c85f056088ad

Download Submit
memory/804-9205-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1344-8829-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1344-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1344-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1344-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1344-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1344-8953-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1344-8954-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1344-9186-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1344-9187-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1344-9190-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1344-9188-0x0000000000410000-0x00000000004EF000-memory.dmp

Filesize
892KB

Download
memory/1948-9209-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1948-9207-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1948-9208-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1948-9220-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2052-9225-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2244-18-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2244-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2376-9228-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2376-9230-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download