blackmoon | 471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

Analysis

max time kernel
300s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
Size

322KB
MD5

4a6bcd14aee9be6ccd5fd4939f8350ef
SHA1

10a7e4377fdbab12ee66151d3c5af9096bc47b59
SHA256

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244
SHA512

336c05288cae08c966659b5ca528994ccdb0be55cc2197ee810067242995a3448321a9c1b2355a16c5f4cbdcc4131f2707839e055dec4df2bd8dbb6c5090b7f2
SSDEEP

6144:lf0H8b57WZ87m4eEictcjk76F3OpRsmC:lf/b57WZ8K1ZcenF3OpRs

Score

10^/10

blackmoon banker credential_access defense_evasion discovery execution impact ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\_XiaoBa_Info_.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>[email protected]</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } img { display:block; margin:auto; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHgAAAB4CAYAAAA5ZDbSAAAABmJLR0QA/wD/AP+gvaeTAAAAB3RJTUUH1gQdASckuERAkwAAHNZJREFUeJztnXmQHNd93z+v77l2jj0BkCAJghBo0SYJUpRKJC2Ksmm5Uo4kp2iplEAFoRy6kirFSUqp+A+XzUrKqaQc5yqVXFIYiSqKkhzK0UGTkmxLlERTRUEUBJIgQNyLvbC7c+7cM328/NHTM7PAAtxjZnYJ7beqa3r6eP26v/27X3fDNraxjW1sYxvb2AyIze5Av3Hw4MExVVVTiqIkgYTneUJRlLyiKIVGo5F96qmnFje7j/3EdUXwo48+qkaj0fcBDwN3AweAibfYbQE4Chz1PO+FarX6w2eeecbtc1cHhuuC4E9+8pPvAz4OfAQY3WBzGSHENzzP+8qTTz75ww13bpPxtiX48ccfV6ampj4kpfz3wLuvtp1lWei6jqZpaJoGgOM4OI6DbdvU6/VrHeZnQoj/snv37m88/vjjXm/PYDB4WxJ86NChh4QQnwHe2b1cCEE0GiWRSBAOhwmHwyiK0rXen5eyw5XnedRqNSqVCoVCgXK5jJTy8kO+AfyrL37xiz/o0yn1DW8rgg8ePDimadqfAwfp6rtpmoyPj5NIJNB1HV0PYZoRDCOMrofQNANFUbt2kXiei+M0aTZr2HaVRqOCbdewbZtCocDi4uJK0v1lVVU//cQTTywM5ow3jrcNwYcPH35ESvkVYDhYFgqF2LFjB8lkEk0ziURShMP+vKIILEvDNFUMQ0NRQFV9CXZdiedJmk2HRsOlXnfwPInjNKhW81SreWy7Tj6f59KlS9Rqte6u5IQQ/+wLX/jCdwZ7BdaHtwPB4vDhw38spfxTQAVQVZWdO3cyNjaGYYQZGhonFIqj6xqxmEEsZmCaGmKVZycl1Os25bJNqdTEth1qtSLF4jzNZpVMJsPMzAyu23auPSnlf7z55pv/w1a3zVua4EOHDlmKonxVSvnhYFkikWD37t2YZohk8gbC4SSWpZFKWUSjRk+OWy43yeXq1OsOtVqBfH6Ger3K1NQUhUKhvZ3ned+pVqv/5Jlnnqldo7lNxZYl+LHHHgvbtv0t4DeCZTfccANjY2PEYqPE4zsxTZ3R0RDhsN6XPlSrDplMjXq9ydLSHOVyhoWFBWZmZtrbOI7zk1gs9luf/exny33pxAahbnYHVsJjjz0Wt237O8BDAJqmsXfvXkZGRhkZuZmhoQlSKYvx8Qi6rly7sQ1A1xWGhgwURUGICLoeRtM8otEIS0tLeJ6Hoig31uv13z5w4MBfHTt27Jox12ZgyxH86KOPGpqmPQu8D3xy9+3bRyIxzOjoXiKRIXbsCBON9kdqV4JlqUQiGratYVlxpGwSi0UpFAoByTts2354eHj4y5OTk87AOrYKbDmC77vvvieEEB8BMAyDffv2EY8PMzZ2G7FYmImJUF+l9mpQVUEspuM4CoYRx3FqxGK+JLuui6qquyzLuvv48eP/F9gyjteWIvjw4cN/BHwafE95//79DA2lGB3dy9CQydiYtWrPWFEULMsiFAoRiUSIRCJEo1EikQihUKid4VIUBdd1V0puXAEhIBrVcBwwjDiuWycaDZPL5fA8D13X9+3Zsyd58uTJ7wFv3eAAsGUIbuWTvwQoQgj27t1LPD7M+PhtxGImIyPmqtqxLItYLEYsFmuTqKpqy44KhBAoioKqqui6jmmahMNhdF1HSonjvLWGDYc1XFegaUPYdpVQyCSXywFgmuZ9o6OjZ8+fP//aBi5Hz7AlCP74xz+e1DTtu0AS4Oabb2Z4eISxsX3EYhbDw28d/pim2U5Rqury0+omVnSpgG6pVVUVy7KwLAvXdd+S6FBIbZEcxXGqGIZOoVBACCEikcj7bNt+Lp1Op9dyHfqBLUHwvffe+yRwP8Dw8DC7du1idPQ2IpEwIyPXJldRFOLxOLFYrJ13FkKg6zqGYWCaJoZhtFKYnSlYpqoqQog22YqiEAqFUFWVZrN5TdVtWSrNpkDTIkhZp9FoUKvVUBQlnEwm3/nGG298C9hUz3rTCT506NDvCCH+DHwpvPXWW0kmbyAWSzI6qiOEL2krTbquk0qlMAz/JlAUBdM0MU0TVVVpNGyy2SJzc1mmptJMTaWZnc2yuFigWKxg2w66rmFZZtsee56HlBJN07Asi2azieM4Kx4fJKGQQrOpIoSKYUA+n8d1XQzDuDmVSmUuXLjwCrBp9eVNJfhTn/qUadv2N4Hhjt0dIZm8keFhHU27ukdlWRapVKqtdk3TxLIsQJBOF3jjjWkuXFhkfj5LOp0mn89QLGYplfIUi0UKhSK5XIW5uQLp9BKaJohGwxiGgRAC13URQhAKhdqlxZUgBBiGwHEsbLuGaWpkMhkAIpHIndPT08/X6/VNU9WbSvAdd9zx74DfAxgdHWV8fILR0b3EYjrh8NVDoXA4TDKZRAiBqqrtsmA+X+LVVy8wO5shl5snn59maekS1Wq+TW6lUqBWW6LRKFEup6nVCjQaTQqFJouLBSIRg0gkhGEYbe86sMtXI1lVBSBQ1SjNZgnbblKtVlFVNToyMmKdPn36J0C1D5fwLbFpBB88eHBMUZSvA4aqqm3VHI3GSSSu3q1AcsFX6aFQCNf1OHVqmrNnF8jnL5HNTlIu51hcnGd2dpbp6WkWFhbIZDJkMhkWFxdZWFigVCph2w2gSbWaw7Zd8nmXer1BKhXDNH3P3XVdLMvCtu2rkqzrgmZTIKVAVV2y2Sye5xEKhX6lXC7/MJfLXWQT4uNNI/jAgQN/LIR4GGDXrl0MD48xPHwT8biCepVeGYbByMgIQggsy8I0Ter1BseOXWBhIUMmc45SKcvs7AwXLlxgaWnpqo6SlJJms0mxWCSdTuM4Dqrq0WgUcRydfL7K8HAMyzIRQuA4DpZlUa/Xu6tKy6DrAte1aDSKSOlRLBYRQmjRaDR06tSpnwKFFXfsIzaF4EOHDiWEEE8Dlq7r7Nmzh1TqZiIRi0hkZburKAqjo6NtL1fXder1JkePnieXS5PNniebTXP27FmKxeIyUqWUjVqtNlmr1SYbjcYl13UrmqZFhBBaaz2VSoVsNoth6LhuFSk18vkmo6MxTNPPRwckVyqVFW8aRQHPE4CJEA2y2Wwg/Xvm5+e/W6lU5oGBpjK1QR6sC/8SiAOMj49jmhFCoSGiUXHVsCSZTLZjVV3XaTSa/OIX58nnF8hmLzI/P8+lS5e693fy+fzL58+f/9HJkyfP2La9TOx0XVdvv/322/bs2fNAMpm8H9Acx+HcuXNMTEzgeS6e53H0KNxzzx5M00BKSb1eJ5VKcbUQNxKBRiOGaUYZHx9nenoaRVGse++999Bzzz03CZzrzSVcHQYuwY8//ri2tLT0FSCmqip79uwhmbyRaNTCslbeJxKJEIvFMAyj7fC89tpFMplFstnJto0NUCqVjr344ot/ceTIkR8vLCykPc8rA3lgCcgBS57nlRYWFubffPPN17LZ7Mujo6NjpmnuACiXy9i2jWGAohhUKh7j4/F2tgv8gXvNZvOKvgoBvgbXkbJOJpPB8zwsy7r59OnT33QcJ8MApXjgBN96662/LaX8A4CJiQmGh8dazpVEiCtjTUVRGBkZQdM0wuEwAGfOzDI/nyGTOc/MzAyLi+2x697k5ORTzz///NPFYrGMT+Zs63ceuABMAZOt+QvAuWKxeOnEiROvJxKJZiKR+FUhhFKtVlvxrEBVI7iuZHh4CE3TcBwHXdcpl8vtuLl7UlWJ61rU60vYdpNyuYyiKKZpmtNTU1Pn8W+2gWDgBN91113/CfgVIQQ33XQTqdSNRCJhTHNl1ZxIJLAsi2g0ihCCXK7I2bPzLC6eIZ1eYHZ2NtjUOX78+P946aWXgpBkGigCi8BZIIufVXLoFAI8wMa/AU5PTk6+put6fXR09D1CCLVSqbQSIA5SRonFQoTDJpqmYds2QojLx2sBgRQLPE/gefX2DWgYRvTEiRN/D2QYkEc9UII/8YlPDCuK8nlAjUajTExMkErtJhwGRbmSYE3TGB4ebjtVjuPy6qsXyWZnKBTSnDt3LlCZ3okTJz5z5MiRo/hqeBaoAWeANKu/mIW5ubmfDg0NNVKp1EOAKJVKDA3FUBRBva6xY0eynd5UFIVKpbKiV+2nvEPUanlKpRLNZhPDMMYXFxe/WyqV8sBARoAMtLCqKMqHAANgZGSEUCiBqmqo6pVqTkpJPB5H07R2KnJuLkOlUqRcTnPx4kU8z+dtdnb2//30pz99BV8S54AK8Gbrd60o//jHP/7zTCbzv8EfNz01NUW5nKZSWWJ21s9SGYaBqqrE4/EV+65pXsvjjzM87A8EFUKo+/fv/w1gZP1XcW0YNMEfBL8YkEgkiERS6LoLXHmBVFUlEom00o/QaNhcvJihUJgjm81SLvsCUK1WT37/+9//NlDCV8c14DS+6l0vGs8+++yn6/X6z8F3ujIZ/9hTUxkaDd+5CoVC7erVyrlyj3A4RSKRaFexUqnUewATiG6gf6vGwAh+7LHHdCnlI+B7xZqmY5pRdH1l6Y1Go8seN1lYyFGtlqjViszNzQEgpbRffvnlL7iuW8eXXBvf3vYiuV+en5//A6ABtMZHF6lUlpif92u/qqqiaRqxWOwqUuxiWTE0TSca9fmMRCJ3WJaVoFUa7TcGRnCz2XwPrdg3Ho9jWVEURSCEu0KVhnbBHvxU4cxMjlJpkUwm0w5P0un03128eHEe30P2gPPAlbHLOvHCCy/8vFqtfgnAtm0ymQzlcpqZmXzb7gYOIFxZ9VIUiaIITDPK0NAQAIqiWHfcccd9QKJX/bwWBqmiHw5mhoaGsKyhq9rewKkKpDefL1GtVqnVltoeqed59Zdffvlv8J2qKr6XXOp1p0ul0p9KKatA63GWEvV6lVzOP1TgI4RCoRXOxUNVHUKhOPF4vN3m2NjYPfi+SLjX/b0cAyNYCHEP+CnHcDiMZcVQFAfP866YQqEQpmm2L9TCwhLVap5yuUyj0QAgl8u9lM1mgzDIAWaufvT14/nnn59vNpt/BdBoNCgWi5TLOebn8+3+GYZBOBxe8VwUxVfTlmW1R5pEIpG9gA7E+tHnbgyMYCnlveCX+oRQ0DTzquo5Go2i6/6wWNt2yGYrVKt5stlsu72TJ0/+Pb70OnRI7guEEP89mM/lctRqefL5GrbtH9IwDCKRSHtkSPckhIummahqJ1ETCoVuwZfe64Pgw4cP7xRC7ACfYMMIt7zKK1V0UCUKvM5SqYJt17HtOktLSwA0Go2Zs2fPzuCrZQ8/1u0bnn766ddd130DoFAo4DhNbLtGsdiJwoKRJFfesC5CSHQ91CZYVdXYjTfeeBO+J93Xp0sGQrDneXcF8wHB4CDlygQbhtH+n89XaDR8GxwMhMtms0fww6EmPsl9z+1KKf8afIfPNxVlCoXKMjW9sh2WCOFhGOE2wQC7du16B36iaXXDRdeJnlaTnvjdHTcJ1T0gEMteozDfeP2hkuo7jYlSE2W2RD1j0VSudHit4WFm5oba/2emMtRz85CZZ8L2y6lR97x5+wOJB0O6OLAzrs1HdKXRy/NYCUv2K+ai3AmAmClSr08znXkNZbZzquVikUqXGQkgpYFSr5MozTNhXwIgMVJ+3/vfn3THouqDcUutSnAV4V2iaf/kk98s9Kxu3BP18MTvjd0v4D8DD/SivV9y2ELwDEL7o8Nfm5veaGMbJviJR8f/ECH/gi0wQvM6Q04q8sP//GvpFzfSyIYIfuKj4x/Df+reT61bHjftahANewixJZ7ceNvAdQWFksrFWRPX9WmRklLZcd/9b76RPbnedtdtg7/8T1NDdVv+L1rk7r2pzt13S9L2DdjKUPuFJ9tYHaTXZFgsceCOGV74SZhsQUMIYrjiS8D7WV/hZP0EN2zt47TeSTUxYnPnAY1s4iF2v/NudGvoLfbexuWQ0qNRTHPx2M94+MF/4NvfjdKwBTFLedcj+0K/87ena9/CjxzWhHUT7MEjgX7/tf0V5pUHecfd70XYNcgMdNjRdQGhqFhDO7jlXe9l+kez7Nszxeun/LBq/7jxgb89XXsdOMEan1pcN8FCihtp2dlYUked2IkQGsweBz0BarjTF0ln/vJfeZXl7XXd53P5vldpV15l+2XrV9GulOAN8NGiZhVj/Hac8E5GkufbiyO6shOI4Bco1jTcZ90ESyHNQII9oaPqrabcOozdA9H9IL0WSW7r1+v67Zq4bBlyhXVd27TXt5YtW9/dVrBeLl8vL9uH7mV0HceDygC1keNrYNUIoWudQSiaKkz8hEiSQRHM5R54IGzSAem2prczufjbCMAb0CBI6a6gXdrQWEfWq3eZrLZaCwj2eHuT21ouNJADUtPS7erzilgzX70lWHJ9kQuA2rrwA4AX9KV36AnBEokMLoh0WtPlJGwCudYoRN8B4VvASIAa8dfbJWikoXwClk6Anb8KuZ6vouWgxqn7N1IvOe7toyttG+zRscGbQK4xCiMPQuSW5f3zWuPw1DCEb/Kn0d+C/BFI/wCaSywjt/umHQQCG9xDhnv8bFJgg7sleMDkJu6F1HsAAe4qi0zxuyF6O8x+Dcpnuo7VdU6DgPTH5G89CZbdk4N/gdzBkzvyfojsA7dThjxx6iw/P3ac85PTFJaKaJpKKplg/217ePe9d7FzYqy1pYCdH4WFZ2HpleV2eeAS3DuKe+hktTrVLcGDJHfoAFg3taV2enaeL3/9Oc6cn7qiq9lcgTPnJvmb773Ae991Jx/7yAeJhEP+ypFHoJmD6tnWMeyB2+Beog82OJBcd3DkGjtakuuT+4vjp/n8l79Fo3ntse9SSl46cowz5y/ybx/7GGMjraHKY/8Ipj8HTsW324Pyovtgg3tX8mnbKxe81hQQ3f3/inVd27TXBzdI9/rutrpuICkh+k5fLbsNzl+Y5HNPffMtye3GYibPf/vcV6mUlvybRAoYek+rT81OX/o++TdsL61wb2t6bRvcCtgHEQoZEyAscBu4zRqf/8pzNO21q9TFbIGvffv7PsFuA8Lv8L1tt95ldvo8eVtUgn2/ILDB3YmO1oS3fJ7LtsFbvt+y9d1tBeu9zrw+1iblxSOvsZhdWvd5/OToKS7NL/jteXbLppcGLMHBFe0Nei/B3mWd7ie5ElCG2gS/fOz0xrovJUdePd2RYnMX2OWOWen3FNhg7y27umr0Lxft9VEtt9fr+IUAB8f1ODu98eHRJ8/P8aFf39/6Z4LXs0ed3hqtXPQWjINbFz7wor0uSetnbllV2p5zoVDF8zZ+afJL1a4EicbAPGhonS9syTh4mQ1epnb7RC6eryVcv9LjOb2p+Lie226zfR4Dg6+bt54EBwi86EGQKyVQa0tbKiJaLy7d2CkMD5kdCXbyDC7JQccG9xB9yEV3O1T9JLclXW4dEGjAjlSYuezGXgl540ioQ3BjfsAqOggve4c+Z7L6SG7QnpMHEQHgvfuTfP2ljRF8/+3JDsHl1wZLcB/qwb2LgwMHZ6U6cD+L9V6uHdY8sD9GxFr/Axa37Qhzy4jaCZPKr3YcxUFMbXa3chzc9qJ7EecGTs7l64NlEuQSuBVwGwyZLgd/fX2fD7Z0hd//QCdpQuko2GmWxfQDmeipFPc+F92W0D5LroQO2Zk2MffdYvDhe+Or/joLgKkJ/sVvDjMa8fx2nAosfa/T54FOspdRUj9scKej/SfXax24Ap4Cnv/Sln98p8VIRPLki0Ucj2siGVH4w99MsntYAadle0vf8237oBHEwT0U4Z4V/Dv5l4AEdzDkBsv1JWg44Pqvfrj7BsEXV9H1ZFiwO+EGbxCF2s+gdmzj12Rd8K/hFpTgFkGye36A5AK+Ta6D6/8/NukGs9fEhYxLvlQnGW7pdGeBnhrBNaHrGvYIPX4EUIIiWG6LB0Fua77htW3x0anV1YOlhKMXGx3nSr3RP4fNmpCdiKQH6P24aEX4Q01Fi6hlvy3SRBe5oovQ7m0DckWL3GB/QWc50Ca3CTh+YaDpwutzq/945dFpjw/cGmSsxkDR2JQv4QjRc+XR42oS/nvtRbe6Dn4vUz/d66Vcvi3dy/y38fj/RecmobU82KZht+3o8TmNprt6gk8tQrnWJGq0jq1MAJfWcRE2CCVw/beqipbQiU8GpJaDbar1jnqeWduLCzwpODYjO2pajvnnMehJblEJ7sTmsiPBgSrup1oOtmk2oek/medKwbFLa/+28NE5jQduKPp/RBxUFQb9GorABm89L5qOClb8j0QNRC0H21Rq7RLfm+kQVXvtiun4okmj2cRUWzeREQdl/cN/1oXABveQ4N6/SEMRLRs8ALUcbBOMhnQb/PxSaF3ddjzBa/N6R003hzbJi+6tlt6QBLc74gFeIMGXqeh+qeVgm0Yd6uVWfwS/WFz/e7Z/Ph/hXaOtYT91C2IDfpGMEkhw2+ABndt7PejdiI5At7RV9AAkV3pQyrfLe+eWoiw11n9Kr6VjOI6NJjw/SrJNMAc4Jku0bHAPm+y9F60IX8ICR7btqMjOvJCt9cEy0SX1orNctJZfa5tCtqOeFzf2ju26q3IiE+6o6bo5eBXdYxvc+y+fKQqdsTN9lFw8Xz1Xcu1Dn8oPEdE2NsTmjWyMX4v7nwygJGB4gGpaBDa4dwz3juDA0W0H630mVwJLi8seEf2TX/1Rb84lSGLVgKYC1oDCpa2ayfK1SqA+la7Xs8hOVitQzzJYJrqcrVYoFKji7lBopW2C5blLq38GeL0oKhAalBQrdELH3qB31aRlEtxnycUDuw6FeXp+y1+OvAo71hd6rRmXedG9QB9s8Aqpyl6TiweaDvfcDyy0po0EE6s9pz6jdZgtEwdfgavGwRuIc6/YtwykQaRBD0ZQCq6Ltxkryta0wT664mDvAggXRAr/DXyw5vQjAmQT/xN/S0AeRBFEd1w6IMkaFBTYoja4hbYNngO3FWqggAgDUZAmCNM/rFBBKi0JbeJ/dsEF0QBqIKotgi/HdUZqN1ruy9YjWOKnKsFXM1eg6k+XcxMkvbr/L/v9JXvndHC+snf+RJ8keBvrwpauB8suG7yN9UEC7latB0PLZ/olU6u9hAy86K0YBwd92pbgDaD31653mazgZ0UnaxurQtsGb0EJ3rbBPYDcymOyYNuL3igCCd5yBHd3altFrx9eqx68NYoNK0jqtgRvDMvqwd1ZoPVf0+04eCuhD2Oyelts2PaiN4agHtzDyud2HLyVsJbXEqwSvX+6cDuTtX6ILZrJEu0ObdvgDaFVD+5lpLQRgtsP7ujCoVQp+71qjoKV2XjPfhlRG/Mfda7lqXkdTVizZXG9TW6E4JPA/QDzCxpl4zy18h2E5h4AMw/KgIaaXi/wdKgnmJ99k5Fwmukzna/YZUrO/Hqb3cDXR72/lkL5fYBjJyJ88KFL/OyV59l9wx3E4ykUpffj+a5nOHaJhfQblAvHmdDKTM75T2lISfPvTleOATbreO3Aug2mBPHZ3x17xdDEAYBIyOW9B8poEY2ybeB527Z4LdAUj7jVYGEOXnk9itu6fqcWm8/+1x/mvwqcAQrA2bW0uyEW/vWD8QP7x83vq4poPxRk6JJo2EXZVtFrguMISlUV1+1QUqx7Z//kO7k/q9juIv7Y4GlgcS3tbljMPnpn/JEHbjX+j6UpN2y0rW10kC67v/ifL+b/cqHkFoELQAM4zhrV9IYHE7+x0Jh85aL9g2RYMcKGEjFUhoQQ18Eg5cHD9ahmyu7rL16oP/2Zfyh8s9KUDWAG/x1Ck/ijF9eEXhlKBdgD3A2Y4zE1rCjbAfFa0LA9J1dd9qBVCV8tN4EpYF2xZ69JsIB9wDjr+Fr1NnDxB4iX8VVyCZhlHZIboF9SJoAwoPfxGNczHPyHVwf4PYFtbGMbWw//H4sSVoS1YoLgAAAAAElFTkSuQmCC'> <div class='header'> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

<title>[email protected]</title>

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 10 IoCs

Processes:

resource	yara_rule
behavioral31/memory/2816-19172-0x0000000000190000-0x00000000001F9000-memory.dmp	family_blackmoon
behavioral31/memory/2816-20568-0x0000000000190000-0x00000000001F9000-memory.dmp	family_blackmoon
behavioral31/memory/2816-20948-0x0000000000190000-0x00000000001F9000-memory.dmp	family_blackmoon
behavioral31/memory/2816-21265-0x0000000000190000-0x00000000001F9000-memory.dmp	family_blackmoon
behavioral31/memory/2816-21560-0x0000000000190000-0x00000000001F9000-memory.dmp	family_blackmoon
behavioral31/memory/2816-21819-0x0000000000190000-0x00000000001F9000-memory.dmp	family_blackmoon
behavioral31/memory/2816-22330-0x0000000000190000-0x00000000001F9000-memory.dmp	family_blackmoon
behavioral31/memory/2816-22669-0x0000000000190000-0x00000000001F9000-memory.dmp	family_blackmoon
behavioral31/memory/2816-22874-0x0000000000190000-0x00000000001F9000-memory.dmp	family_blackmoon
behavioral31/memory/2816-23279-0x0000000000190000-0x00000000001F9000-memory.dmp	family_blackmoon

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

Processes:

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 64 IoCs

Processes:

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DQFI3FMT\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\Links\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Public\Videos\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Public\Documents\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\Videos\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6SLTOM5C\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\Favorites\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\Searches\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3D87ST3G\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\Music\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IJMS2YBB\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\Desktop\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JEDNWX6E\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JFE2I4S\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Downloaded Program Files\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\Contacts\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\Pictures\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Public\Music\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\Documents\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Public\Libraries\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

description	ioc	process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

Drops file in System32 directory 1 IoCs

Processes:

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

description ioc process

File created C:\Windows\SysWOW64\regedit.exe a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regedit.exe	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\×ÀÃæ±³¾°Í¼Æ¬.bmp"	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

Drops file in Program Files directory 64 IoCs

Processes:

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300840.WMF	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaSansDemiBold.ttf	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSETUP.DLL	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CMNTY_01.MID	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18212_.WMF	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow.css	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\POSTCARD.XML	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Office Word 2003 Look.dotx	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\ChkrRes.dll.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\settings.html	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\LightSpirit.css	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2iexp.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr.jar	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_05.MID	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00806_.WMF	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ASCIIENG.LNG	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\localizedSettings.css	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099203.GIF	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\ja-JP\Mahjong.exe.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15155_.GIF	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_F_COL.HXK	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\msjet.xsl	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293828.WMF	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadataresource.xsd	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Design.resources.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS0009.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue.css	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_zh_4.4.0.v20140623020002.jar	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285822.WMF	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_08.MID	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_SelectionSubpicture.png	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

Drops file in Windows directory 64 IoCs

Processes:

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Web.Routing\b9977dd97ed7006f1d7968495c594bc5\System.Web.Routing.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.AddI3d71a354#\e9b555ea0ea297aaf786f05eefd6e5a9\System.AddIn.Contract.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\diagnostics\system\WindowsMediaPlayerMediaLibrary\es-ES\DiagPackage.dll.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\ehome\en-US\ehcmres.dll.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Fonts\serifet.fon	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\fr-FR\twain_32.dll.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\GAC_MSIL\System.WorkflowServices\3.5.0.0__31bf3856ad364e35\System.WorkflowServices.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007#\4233efbee3de5f702340b1088df01439\System.ComponentModel.Composition.Registration.ni.dll.aux	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\13e78018da27a55f22b29d9ffef6f33a\System.Management.Instrumentation.ni.dll.aux	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\UIAutomatio4e153cb6#\d5c4de7f641d7ccfa89c41e212754da7\UIAutomationClientsideProviders.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Help\mui\0410\iscsi_init.CHM	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\PresentationFontCache.ni.exe	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiiTv\4a7ec1155d9e9e4b40889b171d16a577\ehiiTv.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.SqlXml\7111bf18edb7bf9d986782131f797acb\System.Data.SqlXml.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Boot\DVD\PCAT\en-US\bootfix.bin	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\diagnostics\index\WindowsMediaPlayerPlayDVD.xml	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\diagnostics\system\Power\fr-FR\RS_AdjustDimDisplay.psd1	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\Microsoft.GroupPolicy.AdmTmplEditor.Resources.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\Microsoft.SharePoint.BusinessData.Administration.Client.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design.resources\3.5.0.0_de_31bf3856ad364e35\System.Web.DynamicData.Design.Resources.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFramewo#\09ca6fe45ec9d8c535413b0dfa7d2075\PresentationFramework.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Speech\160c2dad0a0b481f8ed2c4462dd95618\System.Speech.ni.dll.aux	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\diagnostics\system\Performance\de-DE\DiagPackage.dll.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\ehome\it-IT\ehmsas.exe.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\14.0.0.0__71e9bce111e9429c\Policy.12.0.office.config	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\diagnostics\system\Audio\fr-FR\DiagPackage.dll.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\diagnostics\system\Performance\CL_Utility.ps1	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\ehome\de-DE\epgtos.txt	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Fonts\cga40850.fon	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols.resources\2.0.0.0_es_b03f5f7f11d50a3a\System.DirectoryServices.Protocols.resources.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\ehome\de-DE\ehdebug.dll.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.Resources\6.1.0.0_it_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.Resources.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\GAC_MSIL\System.EnterpriseServices.resources\2.0.0.0_es_b03f5f7f11d50a3a\System.EnterpriseServices.Resources.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.exe	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\cd46037a39e95bc84d3694aa4d97e18c\Microsoft.GroupPolicy.AdmTmplEditor.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\naphlpr\03d99e593bc94e308005a972667d7ca9\naphlpr.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.82d5542b#\d56e83822b7799e202533e1b84b3c134\System.Web.RegularExpressions.ni.dll.aux	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Cursors\move_rm.cur	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\TS_WindowsMediaPlayer.ps1	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Fonts\vgasysg.fon	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\aa093ade93079bf7ac8b4446ebd6d935\System.ServiceModel.Channels.ni.dll.aux	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\diagnostics\system\Device\DiagPackage.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\Help\mui\0407\cliconf.chm	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Excel\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Excel.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationCFFRasterizer\3.0.0.0__31bf3856ad364e35\PresentationCFFRasterizer.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\e7873d3bd71f6122c2a954be1bb5bb28\PresentationCore.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\ehome\mcetuningoverrides.xml	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\ehome\mcGlidHost.exe	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\9620e555dd2477358732a139f1724c57\Microsoft.Transactions.Bridge.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\ehome\fr-FR\ehdebug.dll.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\Fonts\RAGE.TTF	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_de_31bf3856ad364e35\Microsoft.ApplicationId.Framework.Resources.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\5ac17cc5b92efda83e2925857f4fa655\System.Numerics.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\83e220cceaab3e2595510ccaeb5f01c1\System.Configuration.Install.ni.dll.aux	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servb00a6512#\ad984d55a4110a6602766230dad1b189\System.ServiceModel.ServiceMoniker40.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\ja-JP\DiagPackage.dll.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\14.0.0.0__71e9bce111e9429c\Policy.12.0.Office.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcstore\67c2902f53638a9056174f6130a8bde7\mcstore.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Compba577418#\dee98e5b0e1a766ada50708c26bad1aa\System.ComponentModel.Composition.ni.dll	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\hu-HU_BitLockerToGo.exe.mui	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exeWScript.exeDllHost.exea322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.execmd.exevssadmin.exeWMIC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

pid process

2816 a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exeWMIC.exevssvc.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
Token: 33	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
Token: SeIncBasePriorityPrivilege	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
Token: SeIncreaseQuotaPrivilege	2156	WMIC.exe
Token: SeSecurityPrivilege	2156	WMIC.exe
Token: SeTakeOwnershipPrivilege	2156	WMIC.exe
Token: SeLoadDriverPrivilege	2156	WMIC.exe
Token: SeSystemProfilePrivilege	2156	WMIC.exe
Token: SeSystemtimePrivilege	2156	WMIC.exe
Token: SeProfSingleProcessPrivilege	2156	WMIC.exe
Token: SeIncBasePriorityPrivilege	2156	WMIC.exe
Token: SeCreatePagefilePrivilege	2156	WMIC.exe
Token: SeBackupPrivilege	2156	WMIC.exe
Token: SeRestorePrivilege	2156	WMIC.exe
Token: SeShutdownPrivilege	2156	WMIC.exe
Token: SeDebugPrivilege	2156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2156	WMIC.exe
Token: SeRemoteShutdownPrivilege	2156	WMIC.exe
Token: SeUndockPrivilege	2156	WMIC.exe
Token: SeManageVolumePrivilege	2156	WMIC.exe
Token: 33	2156	WMIC.exe
Token: 34	2156	WMIC.exe
Token: 35	2156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2156	WMIC.exe
Token: SeSecurityPrivilege	2156	WMIC.exe
Token: SeTakeOwnershipPrivilege	2156	WMIC.exe
Token: SeLoadDriverPrivilege	2156	WMIC.exe
Token: SeSystemProfilePrivilege	2156	WMIC.exe
Token: SeSystemtimePrivilege	2156	WMIC.exe
Token: SeProfSingleProcessPrivilege	2156	WMIC.exe
Token: SeIncBasePriorityPrivilege	2156	WMIC.exe
Token: SeCreatePagefilePrivilege	2156	WMIC.exe
Token: SeBackupPrivilege	2156	WMIC.exe
Token: SeRestorePrivilege	2156	WMIC.exe
Token: SeShutdownPrivilege	2156	WMIC.exe
Token: SeDebugPrivilege	2156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2156	WMIC.exe
Token: SeRemoteShutdownPrivilege	2156	WMIC.exe
Token: SeUndockPrivilege	2156	WMIC.exe
Token: SeManageVolumePrivilege	2156	WMIC.exe
Token: 33	2156	WMIC.exe
Token: 34	2156	WMIC.exe
Token: 35	2156	WMIC.exe
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe
Token: 33	1828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1828	AUDIODG.EXE
Token: 33	1828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1828	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

pid process

2816 a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

pid	process
2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.execmd.exe

description	pid	process	target process
PID 2816 wrote to memory of 2924	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	cmd.exe
PID 2816 wrote to memory of 2924	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	cmd.exe
PID 2816 wrote to memory of 2924	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	cmd.exe
PID 2816 wrote to memory of 2924	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	cmd.exe
PID 2924 wrote to memory of 2980	2924	cmd.exe	vssadmin.exe
PID 2924 wrote to memory of 2980	2924	cmd.exe	vssadmin.exe
PID 2924 wrote to memory of 2980	2924	cmd.exe	vssadmin.exe
PID 2924 wrote to memory of 2980	2924	cmd.exe	vssadmin.exe
PID 2924 wrote to memory of 2156	2924	cmd.exe	WMIC.exe
PID 2924 wrote to memory of 2156	2924	cmd.exe	WMIC.exe
PID 2924 wrote to memory of 2156	2924	cmd.exe	WMIC.exe
PID 2924 wrote to memory of 2156	2924	cmd.exe	WMIC.exe
PID 2816 wrote to memory of 468	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	WScript.exe
PID 2816 wrote to memory of 468	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	WScript.exe
PID 2816 wrote to memory of 468	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	WScript.exe
PID 2816 wrote to memory of 468	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	WScript.exe
PID 2816 wrote to memory of 1380	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	mshta.exe
PID 2816 wrote to memory of 1380	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	mshta.exe
PID 2816 wrote to memory of 1380	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	mshta.exe
PID 2816 wrote to memory of 1380	2816	a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe	mshta.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
"C:\Users\Admin\AppData\Local\Temp\a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadow /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_XiaoBa_Info_.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:468
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_XiaoBa_Info_.hta"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:1380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML

Filesize
118KB

MD5
73f3c22e4367eb6984b5bca05aa0cb29

SHA1
d83bce4d5f013348550e54beef0c4157c2127cec

SHA256
026d8ef12ac2aefbf3634ec18a25174e63daf34443105ba604d54cbf1c0d1cf9

SHA512
d692f835633016fccaf277790f1023d57e27f63801373b13ab52987fbbfa7a36565e400e1097daa21a7589df9bf4bae9a17a337cd4be10fd90af7a486ffc2e04

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
109B

MD5
58ad110435158be704eb09ce9f227d25

SHA1
c5b4059a8a1a10304f1c44222d37d1041d68caad

SHA256
ad2abc1c2b8531e3265711457384ed6dc8eeca27b9d973d530c7efa0d26bb4fe

SHA512
2d589e6ae0fb3df51d598323a1c33502183aaef82a95d66646c4d4949eb7cac7d7b46e1b220b2c961303b3937eeec416b8a108446de7652b45280c1534874f8f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
108B

MD5
519b0bbf189c0734a4e40ef96039784e

SHA1
d51fe82527e126750e6d2814706d8aab28f8645e

SHA256
1ae3cead87cabd3ad004a89fec0c313eb7c3971d56fb75222ce98432a2926892

SHA512
28692f08a01143f5dc97356c19468e54e917c90fe3c34fedea0dffac1f83c4235824671a4532c1b9ea3ab2766c018149d9d1b596e8b14875e79cc8f3a740e90d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
360B

MD5
8421e33856efda1d14bce4914418a9cd

SHA1
4ea97335f160d56bdc2ebbda3e431fc28a78c4bb

SHA256
c130e511bf35d1fdd572f327eb6463531ffc8d07d1392e3bb40c08fcc942ff8b

SHA512
9848e9cb5c5c2a39a5b238a550918389457f091306a1c387a7af564665dbd3f9e1049c148d50725f71ddd8dfd4f431eba53679a361775561fa6c3afb7e226a89

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
225B

MD5
02c0fde85c2474a190363b82cd606ce4

SHA1
5326bfb30a9f4991b6d47a4ee318af9c2c6002b7

SHA256
065bfde2d414816bb1a25a0b8e4f62b238fe5f3b85b799fe130767c9e8b379fd

SHA512
7e73acae4135fc3dd04cd87f3ac8e6a6d1e04f5c323748474240b41aa6452a5312fa2342a0a130eafde1e2c97474ce703dc8120e608b9f65c680ebd6e38df554

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
23KB

MD5
173fe749739664340761e2e93f428add

SHA1
48e43df453c654bbe9f475cddfc8698d5eb15b60

SHA256
65ab81cb9ae82982e816d69a3cf07ee06a75e37625cfb41fd219622addea72db

SHA512
dddf21512950c3338d4bbff30c9304fa62d3cc2de5f7c781067e119979f00bcd30ada63c5bd7ef9d30971381ff1ef77d8d6aced9e669e50c3a5acfb425709359

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
160B

MD5
aaf9470456a1a890b9f84b1b8dcdd20d

SHA1
2a41d50388bf21d21eea2067b36b16bb9819746b

SHA256
7c4f2fe5c64c2bed8e1f95332b30ad65a0e1e79d2f5c7fac041554d805b1efb8

SHA512
4e589f5a776a7882630bb986cbd28908e4add61381f5bc39425bc0ef017012fc530cb17d5d7749ebd7e86baf5837d50d2a30052d40e7458f5697487c283e7af5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
483B

MD5
7ecd9f42ec3027b608f6772e31760f2f

SHA1
882bfbe3a385e7f16e7afc6fe6b7c9c90d4827c0

SHA256
30f721759a9fe394a2659a15d4a6daec80e0a9c82705f70398c2753df3f5e2e6

SHA512
455e5417576af4f7443aec7132d8b23f66554278a54fc3ae3e91e4eeda880f003ef9994a81a796bfcbaa622489bac987bf5ae203c2664e2172dbc37306f903cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
d60c9670f984c8cd35a08a2c8f002ecb

SHA1
d690da888c7942c1645bb9b4e88cc05fb1cfb7f9

SHA256
f9868f529b282c31d1d7d16f6032a5072f0385606447813b2172d23b662147e8

SHA512
6147f9878e82d2f2857fa24fb5d98ffad0caabddfe1d22e1d216898eeb40bba1d95d0fd30677eb1e2d7c160f2e30157a57f87d4668f38e62934c69ae72d81581

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
ef888a1df5ff64a5f8930fdcc2e7354b

SHA1
6534b691e36293d54f38f06e4bfe3ed15cee6e5f

SHA256
ffd95542e53da0bc0ba4acf330b957e73b83c252620b9de61a344227d3a6c991

SHA512
21b09b859246f169dc0fba5bb16d994dc59946f0a476094311726f37c70a35b8a2ad73428979c55eb7cc57c4b9ff6bb9ae0d67bc3cbbbc38572e6c0b90340a6b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
29KB

MD5
fc75496faf5408a74c2cb27b3f9eefe0

SHA1
1ab973d704983388b1fa4a1972ffbc00b114bdf4

SHA256
0a76d8318a0f5117829401565d13e9ec908c307c3638feb225bb7f5a7848b6e1

SHA512
16ddbf7c2c19615b297d50fd87177761046c1d0ebfc7c1334fd15a726bf16f8f8cc7390363e2a39b921cc083f6afa8ffa868616db222a0703e78a61342236a3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
694796d0de408740c17127cd9ad172f3

SHA1
76ca0c11a7f93fafaf20ffb7be8efdba84882557

SHA256
d55f351d5f49efee1b2526de89cfd463e73aaf969063616d8fb8d726a6581460

SHA512
814d2ce9b88df1a90880cb40bce1c8e697acc99d93b1c547ee93bffe6880c7a6ea289d4572d211d519a87f39676c38a552fba1d621d80bb0eec2e460d0e98c0b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
20KB

MD5
487962c77cf431acaedfb47ca9e14352

SHA1
f7298e829e9e8311bc4cda3df9a91a65bc4cee97

SHA256
3ced62c9d0977060deeaac5bb7b0a500aac1eb4a6d8db0012da6f0ceae56346e

SHA512
836706d3dff207f9aaca70da60db3c6317a2f5a7fa5093128e02300001c0eb1ffb79c88d2c8b6c10eebb49d9ecf7ded094b412e7b1ac1db9ff839ec131f6827e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
114B

MD5
4569b1227f89d2f562f4883717835e01

SHA1
41e8cb888fe8b30ad2cee7e454dd933c3172f02c

SHA256
b70d4ef41c701b6e1522238e22ed5182aa5d66d9d4d866147031ec5745cea09f

SHA512
c0e931c6aef05886700e2b6fd2faeeeff4ab91eff895a2b4f1a8e7e8a7364c19ba452ea4d042b0415ab6e5092f9d5c299b25297e7680c0704fb1e7fa4966479f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
b4fc382ef6e0543f44cef097c83950c6

SHA1
e520281a479494f649a40812d40f87f96c3bc6cd

SHA256
27ebb10b4b999ddfcab4a4d32c533d51712fe063237c7826ec13c47ce3279611

SHA512
911967a8b651ff98f2ac27a6b3da195554f4baddb3fb24d2f7d29dd29f8a53da323cb9131a76245559ceaaf7d35b193da5d459975c330da9292b7fcf66507850

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
14KB

MD5
97f5bb9cea0978cb2fc4bea349c8cbba

SHA1
6d654e02f4bbd48717b1561d8544a7ba678dca2c

SHA256
e69759de2db58ed25fded6ee532d2a894fc63a8e8931c8b2e1022587c40414aa

SHA512
d35a0e30ebcfd8420a9512cd05997615f4a39706102a332b32bc72434fcf7fe30995b0e8a6d339dab4eceab3996d1cb94736a1dce47c11cc72248261a779743a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
c851bb10d88f040267d193005f1810dc

SHA1
bb2b15ce4dbb57cced8b014fff7fe5821a3c8260

SHA256
baf9cef510853cf29e96621831832687f4bd9a44a173ab702027750252b69afe

SHA512
1ea8572897325476fdb41c4dc40f19a93f6d820cc5c48e3d818fe69d011e18bcfea001d98fedc80dcd160a75fdc272b04397a731ed8c1d46ca902746fb3aa9bd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
19KB

MD5
f8ded3eaf0fc4e92137c701e8c31a08f

SHA1
0d527360eae0a785ec6d712482ab8033c2bccd3c

SHA256
2557e0bcd4aea8a0ebf278a1853c85c8e87969e86ab41ac4aca49391c2c4daeb

SHA512
d8928b71707dd7b97d613d1147ad2e2e9889879a211ac97b7c841384596fb55537406979058f848b80c7cf0828a49388ad8bd4d3342e822a34c3aec6becd9dd4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
a4e8bda9c25b29db2efe046ee679346e

SHA1
6f57fa30ecfe3bb61a743baf3c8d209260e79927

SHA256
f9b3bb2de1611596b16dfa580b1eb4c168d439813436d1d4a45a2bbe3fad3f61

SHA512
117f786adb0a4d2e2067d684a17ac7a15f7fc419d5d53451f1e753397a968b7162cae07640ba42752dac6ea9f520053f0d881f30103aed7ac1e0bb66a628e53c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
14KB

MD5
c445736f473c9ecdb7c02a393c201a76

SHA1
05ced771529392747ce0ba035572ca65518477c7

SHA256
bc91002bc1e2fe2e5a75eeee2091b878651a03a8cb12609badb57e16ba2faa57

SHA512
8665acc1388b660b77f1d2ff20a51c54326daebe9b0142fce8977ccc44d416d5312ee4f4434e8aa5118d9a1585262167969e4c20f229995f015a7776fa33fd73

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
8c8b92acb2d6f40365fc6df4cf259794

SHA1
70fbc1fa7136ade2e217a68808df7b6f584f7791

SHA256
f4ee3a39e3d0d31a2c60e8712d7807f9ae2de1931f04acfa8858d0c94241d50d

SHA512
2257f9be2e754bf7eb33231c757cc9c27d19c7f5661fc9b323cc4ad9014859579072fd4ddc52196a0b0e85eefbef49f1a75d57f37bdc9c4dfa96624804d868aa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
1KB

MD5
93f4a568c7fb5f7582850ef96bb682ec

SHA1
fd22d40b90f60743430af68f2ceaecfca96cf70c

SHA256
c9d9b6918b0ada309dfe2127c11102db6455357cb2c5460a20d86d2a37047b9c

SHA512
8fb93c143e127dc1c8c07fd081dbacf11525e08ddfa174bd4c9aec91c5bbb58fc1a9e674e4e58ac174be838563326e441637748a469ea8b61acc75349f66e1ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
119B

MD5
8faab801465bd490bcef5695b581a246

SHA1
461a1f9b1ec9b75c0d051a9c5689b48071f71af8

SHA256
4c01fa717036e585a8d1c33a3b1605eb267ea60434b9d28f600e79d0743d8cee

SHA512
cc3217ab8424e25c904d573ae7b9fd8dd8017ceab456eba0789720594b810d503c80c13e484734aea067fbd42b465a8ed1f4158694bb117fd3184586e7269172

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
f068e3065b859e543b43321f5916e254

SHA1
01b471bac9568ae4f3f685b6aca05405091a1fc3

SHA256
97cb8564b67e9778af612144940e083109024e369bc073be9a041d6853aafdb3

SHA512
d91360d5ff316f42c13fac89e04cdac4d15510ff2747ff30e7d244c5e654ba8f51ffba10cc4daaac605aedf92203a2d4fe11f7f736def63635d25681601826ef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
274B

MD5
3b7d21736b4a27090e6a3129d00eb5d0

SHA1
f87ed1d0c93e372189e8704ac8eb6e2040c92bb0

SHA256
e64c6317387749ee43e3293b399cd8181f5f5ef929b52fea1125877247f6e669

SHA512
18a722dbd508b58054f82f33118d7650461d6f2757bc6547270f54cdc862f7027cff179000f261e820170b0bff5b7338bf15490ade309e1b71411a43af78a23e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
342B

MD5
a46258dd3b20e6e769b0a788859fa239

SHA1
0b776082387555f1a5b5074f2b7c17ef9f7cddd7

SHA256
fafe00b21a95444c13fdff8b6d5b1f2e89bf23009c44c2ee6338a22919a81937

SHA512
c469eb6e71472315f32703e438070f63c6239ee3244986f7557a4a0643d84926263d524baa84468fdb31ef55f988f035d0bb4791a2043d23feb660f2032000d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
384B

MD5
2e0f13e463c68d2141afc4aecd6ffef1

SHA1
9523dd345296d2e5c6d036019841fd137068b9e8

SHA256
e422f7119656c53f18114d7293361b0f269d0bb24d92e28a2a3205847ae6ebc5

SHA512
3891fafa8e571ac0ac4b52c34f01f744c18893ccb86837a281d9bfd2f7cb691627b632897a0f3eb22434c09cc2f0be340aa2b90466d69bc40871eb46b0165bdb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
167B

MD5
101d9bbc23e78855c08613e91cef5a17

SHA1
b98b38cbf462b8f028f410273c6bc3b0981cbdd8

SHA256
a67f6dee993aa48ce99a1e88a32430ff8ae67acd22d7be41f6138bf59dbd0620

SHA512
dd8ca38ca24b5d0d8c33a819ff4e72ba9d03cf778fbaa792dac491351515f0377c695aaec291959712cad613657df233fb58d2b0f75effa28466e0d7df8367d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
459B

MD5
7e2099b96f6cb9d23b6d96ca4c611f21

SHA1
78988fce69f9b2bc7d1b61842c119948ac97321f

SHA256
2ba163be1fbbc4d3b20b5f2ef9ede346c93cef0a4e134218e5bc290c348ee6d7

SHA512
dc985d935008d6d8f9997ca168b05f48a73f103bac91837d7dce56439511e10798ad16709c613ae65deab101e444324572994d43be3c3abdaf9c04375fac2222

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
463B

MD5
e7100066438b5167006cc042f929eeed

SHA1
59784136bf7840774a0eb2f1631239a9e117b244

SHA256
caf2a53ee0e3e25303f3af2e3731d76da5ebaac89914487dfce7bf131a4c3c61

SHA512
f1dd0688bc5e182e511f78ee0622907d70c5f87be174ca8f557c8cd721e51705376f72bb3ddfafeab039c03db41f7140d2c0bb74daeaff68ceee53b761aa0a94

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
280B

MD5
a7b5e9a142e9789668e8f355c287d0c0

SHA1
e7be24daf938315586eb682cac0ff0d9cef05ae8

SHA256
8ad9db4b0926246d048ef69a2756c70f778b02aefdc4ceac83334bacf251bf8f

SHA512
734ffdeffc04b3fa816786a2e557209daeeec862378c8e2b9ebbb1830003e7c3106cc2eac8f50ada77d530e79b0c95dfd271bcee4bbf5605a8ffb1a07123b304

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
1KB

MD5
07d693d81f1f4f200d7157cb897ae451

SHA1
88d941715d1c0fcb7f7307b686d16047b9caceef

SHA256
bec2a242da85877e1acf55423fdad8534017944954733b228377351cdcd17cf1

SHA512
880f857d4cf5d77c3b015c0d8dc4475cf9b89e4e93de3e533a565fda4062b7b0bf4bc70fd0a0e62d20ecfb743ded5d62c4e09a73328f44ced5060ccaf5d9b918

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
4fb75c69c4b1f369ec253c11638c3517

SHA1
f1c116024c55d89244a69f226d753b8ed8fbe8ac

SHA256
3d8094093fdd5cd0b692eda5f89413921042ecd8419b5d29cb388ffb3d7b58b0

SHA512
8a773481a2f5ae5639d9357cdf81051efad8a1338c44afbc961f279cd0fa1e7466d2fd7c06030d3ce92a9b4842c06334edf4d035b57bef5f5c0be7c50779e196

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
459B

MD5
39ef7e546c23fdb962cdfb2f418d68ea

SHA1
7c3ba234dc4b4db1f78d3b6ef8eada17ee02a2c8

SHA256
eb8d68871cfb8ebaa28322574c2a23aaa781e9c81c0c9a3dcdddd6f70799cb01

SHA512
f3177a14bdbd4d77ed9d1360454c46ce0deb9a396cc26c18f5ee22b6180b379cf6fdd03a8a26bded076bc27cd974e91f6ea8d58697c6fe2749c02bd91a91d73f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
277B

MD5
391ed0bf341139be01c9f4779c687eeb

SHA1
01f7e16c4030db3d3d6406314f02255cabe9e071

SHA256
5a91654ad813b9f12c266e91264911a9cfd661ce0fc8e4596a14c31156123e34

SHA512
490d1f2d623c2ed3eef0828b9fc467d6e24006defe05a886999e6f730b7b449b1e895ebaa002d51369bf9b6e7b935bf75565236fb83a717d8d13c50ddb63722f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
252B

MD5
ef2cd535a896aab1232530a3c4050b6f

SHA1
615f88e979c9c925fc388d72ccf78346023c79dc

SHA256
39509ef60b012d8ea9202d795b2a6b63b2b171807302c8cbcfd09fddbac307de

SHA512
b59a362eec52c20f87472a871c2de2e72100b5005b3fe4b2ad9ffe660352e7eb4907795db454a454178ca12f297d7dbe427e52584b418c0302163af92e25ff24

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
368B

MD5
aabc6bf4445beccb95082e0515e69527

SHA1
e13640881b3f10d9215741767f90929886dac877

SHA256
4718c2396cc61f9fe515049d314a314cabe763885b766d8114b66e1252f0739e

SHA512
03e913df3f3b8d0cc1a0c72b786deaf5640653b0f8e3da4636eafeb56f50007f41e4a0b4fb5e8428b5595bcdfe2202bec94f5f985389c9c7ecc18771fbd925c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
368B

MD5
72f12dc5f29a95f33c9988f2f83a0f30

SHA1
39f6690edd7c4da956b8750aab90195991b35960

SHA256
af6e4098d503d0896df8c2d595893350e343de66e0c6b7ecb2dcddaa649ad74e

SHA512
25d21c3d33b4756746bea1400fbbe1cb7b5394a6eb196c3a894d2374d2a3b4196adee7ba45eefbfa5916fa9e4713a9340607145a48862416cfe7b0c7c05f6f59

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
09215e2d5b462b68c0d1249c141bf225

SHA1
e7384c589eb3cac2f76e3231c362b86e68c6ba75

SHA256
3cdde29f32ba28091dfecb9508114fc3d0e3797b789afda38e3619e632817994

SHA512
1c809939795d5602aeffd8daf438c804a665d99d97fc6e6e7e774d470cf716d2765dd6cf38c39fdfc186f20ee8b088f6cb27aa28947c3459764ef9cfa0945772

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
429B

MD5
4c04b58dad390308dfa1b682c94781fb

SHA1
7eb2370644bd0280a959204fee7f9456959afe11

SHA256
7da4d1e4053dfb121326d3eff37fb3688a711686abba367bd7a62160146b91d6

SHA512
86d9fb2268f080d19186bf2a2a70f6db5bb073309763e53f72c379be1c9dcde619ad10d09456190671da4c67af014e50658b8303082777105d3dd0fb02dcc44d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
3fd46ac1a10f0b09b9cef3620bd4d825

SHA1
cdab9abeff80ca77ca5ba2ceb9d07301b0f0a5b3

SHA256
5aea7fc46f9632bb40c20fdf932bb137a9cbd802e69205887feb31ed88507c5c

SHA512
853a33dafd040e731f5dfab8b0f58959b5d1d7d853123f990f45b2235a031091b288395c804903b0fbb942875ff65b939c98d08bb0fc545e9016b634f10d59fc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
722B

MD5
dc7f69b83bb91bbfe87ed13624074432

SHA1
18c4ad0e351cce5b1d52a44e7be426a0dc03f6e6

SHA256
f5b99784c2912e278a8c3a5de7ed226532a4500e3213e72354c3f74ce649c3a2

SHA512
6f654a8bb020af22a5e9403f0c3f2703c557c7e48198c10c31dad0ec676d3095f92c99e3bccc07c910418bb8e3993fea49ab890a7e4b302a8472649a7c400048

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
524B

MD5
2b568a6fd8dc439b7f7ad3ce36c5f7f4

SHA1
11d0fe35e6e7e685e8a8d759fc07d09bd53d7270

SHA256
6d71accb730487f3edebaca0ee36af39f8df436cc6eea44fe3b2ec97c3708e70

SHA512
654bc655946c6ac7db77b9603eeafc7230fac3dfa7dd8d80b9a12516991f4e039e1fc58d027f54db25961a9da1e722f8273ebc7d95588c12a4f57691dbe7a848

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO

Filesize
105B

MD5
8c9c97990ca70efbe10d4aa31f532f69

SHA1
3c3f3b75152f7f162b044aa735fc50eff276ff04

SHA256
f954aaea4dee30ab0969bfc66f117ed5f9115582ea8065721e71ab3ecfdcced3

SHA512
de2e31e65e8a0de8ab967157d5fc70390d30837a6560b88bfda90527ba6c7b2c25a0103508ac21189646aa59a05da768c1380d69097a796cdddf8c8766371cd5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
2KB

MD5
80427d50bfb1c0ffa66742dea3e4e77d

SHA1
6552387ea2bc9faea78ad99256841e0e62a31cbb

SHA256
26c25a65054257f8b68390b2947fc9d4da02f73ad2a697080d96a73d7ff1c988

SHA512
487170c1f68aa06e6a9e3ab67ba133943db33ef24546b669330cd5c9cc7e51c83922be322c9fe76278bd842fad3cfc06ce3293872443342f9e3ea5fb9f2ecf82

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
e529e3b9dc0b0ed78ae20b9fdaf80c84

SHA1
e5165f37ecde6723595bc7a1e73461ae760f6441

SHA256
80dcb81957429a9182b973175df1d98d0b710fc443b107e2ee36e8c4650d9af1

SHA512
812aabde1f94d3ebf77b09cf3032f40ea126e68bc0833ad7034edc64f6b8d394bdaf37493643d5db6aea8f819f5244b9c45aea4d89c7088e0583d36c3dbca6d4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
507e878eaca51573db3f17a9b31eaa10

SHA1
7ec7ad803384247bbc9a0216098779dcb49e03c6

SHA256
91c34d1f204971c6db24a6a2579638c77a07869e38740e151f2a930b560e0c39

SHA512
bf24529a35f81c9c4e42785d22fbbe561a9a46bd8e70c71c5baed728fdc77b09eafc6f8338375c14606ea0a67b384e87cb749d05ddee64b96b60133100ef3887

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
559B

MD5
ed2ca59ba64685e5a0e67c3d4fc6a96b

SHA1
5f19a2d83dc3ae17dcbf15aac5f4e8d0a836350f

SHA256
d37897ad2d3609ee23ed690eb66e8749dd14cd9bab8ee9be3650a967f4219549

SHA512
d6cbd3939152c2b28d2b7bb45c63be25027426b16690094076201d3788018266a239bf8ed7a33d422baf5d44c8b15335d58541829d51454c68fda87c76c60b01

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
505B

MD5
dcaaae52409efa735b187b822cafb8ab

SHA1
6040254ff5074826c56fe07c1a1dc3bc7ad43858

SHA256
72ecc9702716a2ade2ddabc46426dc9391e847281636104c0e90da90f97da7fa

SHA512
2e7c1a4d4bef061bcb18dcfdc1940b31160e305aae7747cddb5803b0eb429c88f41c57f0d8b7fcc738bc91bf1e7976e67be08193963a67874b9f60ee645945ee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
516B

MD5
61565e33b3922ac1586db9b275759c13

SHA1
8f254c464870abac674fd481aed42ea978388d06

SHA256
5d6fae4b5f6c6eaf206f37d01a4709cf064fecd7c3c2c03867181638af05dbc1

SHA512
8235a2a5e661c54ec1aaa56c4267240f4407ac5cf59ced8edc9b433a2a2d6a06ddfc269889c6349d908bae5fda817e57641a43c72d5891554d315e26d5dd9085

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
435B

MD5
849758419025ab5a8e5277a4389faeda

SHA1
5ab896c6ca2867147a9a2b68095779b062e5e0e6

SHA256
5857edb16797c2d16d22193c69e06194e3c129e04c0629ceaaf7720439c57b91

SHA512
2ad048865e2a24bb8e0704b321b27eed9a82cf8dbf8b000ee5fcdcda630a648cba1b5cb11431f9dc19528e6de031f55035822cb5d496f34c5896721861a629b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
566B

MD5
a22a3750ed8b4242fe8a87ac7c9c57f1

SHA1
ea7b4cf41e00d027481071efe7389b43a0046483

SHA256
b51d5ac3e0f9f1153311f8d50e077fb2a4282559fbf9f213857c3042172ee164

SHA512
adf62cd8060ab92275134264434e8a8a416f1afda1aa1e099e0621b89cba5264fa4f2e9a61ab92bda2ae4c9f6e90e1177680715a9f02724fc4a022b97e588037

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
642B

MD5
f16d6b0ba8bb7dde965677f131475c48

SHA1
b056b4b25cae98ed274acd6252966b2e97a331bb

SHA256
c9991e7ddc62f0349eb42d0f3c3c79e9ac0c4ed4a15bb723fc1a83e38164c7bf

SHA512
5b407b90df8d4e8e2ae5fb9d610af3781d1e3cc60fdc6ec867bc8850134916c575cc1240acb9becd1a254c9b236921bb9dd38c34faad94e947f6a15945cada8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
534B

MD5
b6d48f68cd1acbba4e17d77bc33bf1db

SHA1
0548e185a11621be8b57079d31b676e996c07748

SHA256
a0bad428610f288cbafa842f97893de70b9d26795d2421dc9e81b6e66c6dfec5

SHA512
2f24a36ace9dcf85f50b5ea422766612710485ee2a04a6fd19449f98914b0ecf7667e52e12e135e1e0168081297b54171fe483ba4e0652c715b717e4140fa4c3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
3KB

MD5
21a8fa54a550130045f9b29697a0e1e0

SHA1
8a5078ade9c7ad06fe908c2bfc15bf3e3ea7f41c

SHA256
5428bdc68f8a07e8b34df055b605ade6f3b52d3c2fff32eb11bacc22afbc2937

SHA512
c00f942a85529d5439f49c5412c0ca229b51189865e5b21657a902197134f47c791c3b00a9a64478f699d006f0f23a066ea40ac34cafb388e21fa839d131ee3d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1021B

MD5
002ae61f91bce3868d010831a25698c8

SHA1
cfd660c50ef7f7561a0a2b5360c6dedf79fdcaa8

SHA256
642526dee8e257afd80af9f4e22ba2ca4ed62bf98959ccd8f47c2a3617c9d711

SHA512
f658a1a33c97c34aa27ca2ceb9650ea565abdd104eacf31c4e48bae80a391f9c55c6418d4f5428953fbb8c49fbbfe486361d40d05b295028e189231e4e2e60d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
560B

MD5
d149b91b771655e37056da2de23b062a

SHA1
74fe827a6659954effecd6f0d52f042d00ce7bfd

SHA256
47d5917da6576d1a4f596c5074e258ea9521cdff84d292251481e917259d0023

SHA512
c1c7023da8c0a38a0a3ecba7cbb000da63ea67b8cb6ecda90d855fca2d27af254aabfc8907a53f66d5d3c1f53c7e79017066d809b18efbc1e6bfd74cffcfbe70

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
496B

MD5
3288411dc0fe8fb031374710fdd14877

SHA1
94dc2e9de686d6e13bb9ea119ee7af3a870224f5

SHA256
aa6983c055f9d7b398fe5dc03e45a96d7571974207d9edee5cb0883085ebea61

SHA512
3b71b2b4114f25d7250d46c0b3fef835924e5705f510cc4afec22343320bb4297890ff320a98808dfc3bfa92e124726fa98e7cfa2e198545ac1c4eb9baa6d837

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
496B

MD5
73aa43a90ffc880d641c3fb69c3a74f4

SHA1
a2ad32af76d4b536283fc9cfbb1b1fabad3be74e

SHA256
4b650d68619d899f064791db4dfee791ff76500a3259882ae5f18f0a75945675

SHA512
550925c8dc29a62583a4ea729b8c81d6468a9b0a6006a25fe7a6f9e25733f4633f2ace2eb44284a697e10ce83bde91bf147770e8006a5a10f2c3e497ae1d1de3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
522B

MD5
a14e8481a1c0239b2394fd1f82d398f4

SHA1
7faa3a35edf2f4193f7783e4007f84b445f7468f

SHA256
b9a4c78962c15d791845c550b272b55f48f9b2c6f54201e770551f6a6ddd1628

SHA512
5dfe4d056b371997f136f533eddf75b880d4de5020aece2c4ea880e7bc584feb8b26e6dd1ca81a8a5a7ba288330a95f9281c20c03fbdfa53de5b9f9c0117b483

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
497B

MD5
e58a6558e6949b8d9792868f4578fa42

SHA1
9d49d6d86395b9a485419d16b31970a6d7ec4512

SHA256
68a079fe1a1c72a24fbd3673d85a55d8d85bc2438db2c10ea6ee340645f7bdcb

SHA512
514557fad2dea0a63984fc7604b956676c0323457399b8ecee545a9fca75472fa729b2754166c862116a6a2dfbb64e6ef95b9a8ea3f1c56d6ac47b6444a53033

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
519B

MD5
33844af3ee014eae122240a7a16e94b4

SHA1
b5d1a28b112a90cf1ba7d4af707cc2a9a3d0a357

SHA256
73f3fe41f85259a843671b863ea7bda29a20b62ae6b42b2915c468ff8565d067

SHA512
d9da48e6c4fe03be33dc1ca9c0a2fe56ad678e6ed8e1692255faea7526a2ee5263a0646111bf933d5f548913187f39353067d515d2d362ba09955a9c386fd104

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
513B

MD5
5f52d9216b8622a3215757686c94563e

SHA1
291daae82bf12a24b0431e7f1ad19db47364b106

SHA256
591ca14ec37635be78e6d87615a2c2291cea9f13942343b135f550d1d0d68cc6

SHA512
41f943d0928c66983efc4a8376171b18237a2c4f7e3b3bbd00db1b5b62b839d1305910f96203763eb13e0f26966104c59edfb911b2701863d8196e4d762a6c5a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
499B

MD5
5626d68997538bbac1762e5a49f312c9

SHA1
35b03c1d5c2565f8eba8c8a510f067c3f498ec05

SHA256
5561a587e98299bd41f38c9fa78eb8242451247aac3aa684113a028cf65a63a4

SHA512
2d0c41aa82b24c01f77e03a1552227fd723c2e77bd25c4a052b49539e0ca93aee401a380344aad2a5277011572636cf0357affef3d7c59c1cefd1dcfbff3ae19

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
549B

MD5
0cf8784086800384e9d0935adc6affbc

SHA1
dda23f84e471f067bb2a78613d2c07fd2cca9e1f

SHA256
97f74be07b9bb24a73aafd2d7a605ef173d75add9be6bb0815359519925f5cb9

SHA512
1e134b17dafe759673774b422e21d80f943a476d2323fa70063886e530235ec2eef2fa9734c23c3ff50b948659bd4eb4cb76f9ed4077d7f9366c66ca9370c384

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml

Filesize
25KB

MD5
9abb8560a11c0df5892b9377f637a826

SHA1
d62a8b77f8c08dbd413d4d2cac4c9c8467b59933

SHA256
fe28096205f86e5c4ea7bf43274d78e87a3472ff33aa60b18972d33e6dcf4d8a

SHA512
4f130996e211a4b6a85272da504952c061a08037c957be1387d8f72572a025222bd660c96568f1655805cca8289ae35e2c410af487d5bcb037b5e9f1c85a5c90

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
311B

MD5
1f0fdbd8d6ccd9d8f0f9fbaf8656ca7b

SHA1
f0c97a219f449bde263abbd3d49901eaf13bdc37

SHA256
46cdcd3d3b0f13867d26f2a0a949a9f9c74c8352ef99bccfadcaa950fddc64ba

SHA512
1dc21041f7fffbae5cbb4752ef7ce5eaad074ee1368ceda87f855202756710817a3bb86ab06a9b31465b6f6987bd2f2a707d0b2f9e800b77cd0fe5f015934334

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
318B

MD5
2b62e8e6575acaf71008c89e84b44335

SHA1
f46561e4fb29cee4a70e61ac958c65a80641b6f4

SHA256
d83b05f4b20f1f4ce9fe0fd8c37bdeca1ebed6913fb4d9520bcf8bad18e4d09e

SHA512
0966e00a977c12850caeee3eff39799439560b2905d5ef5c00e07d34ffec21b3a84742bd02cbe29682f2e476d171d3f72ed53d2c0671cb062ab59023b43dee60

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll

Filesize
375KB

MD5
5e404bb67dd9d20b0f08b21cd1f3ae68

SHA1
532becd695689ecce264825d73b8c37fcabe5966

SHA256
2a0f5f06b26794ff941ae932fb46c0895ef3e6ea5f7c92e7272b7eae306a40ab

SHA512
6a05e8858a60062f86d709ced88eb80e23a7303c6ecac90cc297e5a87c5e67d7c1ddc2f3ab1d66482735af71549c4dbaed5efd4eddeeb9b19a7f7d5c9a4d0699

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
172B

MD5
b5253f3ba4f5262cc603ba8eb5584629

SHA1
79bf660b0cee4672829a22d2f682006a45cb4729

SHA256
386c349dc246e61351ccf0f42b9314d0ede44c0acdb7fed7998e25e3d797302a

SHA512
b26e0365f57b7b1e7ee9913d5b96a1196b34eebee9e712ef8d1dc83f3b799fdde3b2afb2c990c32d74a0e0b3365d9f3c990ab89eb8815a80608d1f4f2f5438da

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT

Filesize
35B

MD5
78e8ba27731332d4186a0cdb839d0074

SHA1
35c2270c57f2a2977848c159315ebbc68c17686c

SHA256
fb2c7a2e5dba6542482ef369f551b8413cf8399ae95c64933149021653eebf3b

SHA512
af6aa6768f8b334ed0add5a17b7466c42043fcdc792e2f4ad5ee45e04c5057d145119a30d57b9be592ef7de7adf38619e16bddbd9683508a36ebf3b96f2460ff

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
41B

MD5
29520dfc4ce72fbc762c9c9fe8cb22f0

SHA1
7c381ff0d88ea91124b557958a3dfdb4992df62e

SHA256
95b782a72a1668cf78252021da9e31c21a3503c807456370acb3294a298f9f2a

SHA512
1ef295c13ab087bd2f29086516ac412e8cca5d67f61db7fa9c69a19dc4253e623c88ade4e6805ab6495bbf038126aca4a895d58c6b48948a7b75e81c233cac83

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
40B

MD5
f667f1132ee3822e3fd94f315e7320eb

SHA1
8a1b13fbdcdf695a6319f978e4e8f66388ccb507

SHA256
8ecab7eed782799074adc2d6d48a80832a3702efd6eb323bf53ce8a78de47d3a

SHA512
f0b35d991e504523cae3fc623ac40ccf41c9294ef0827f8103fe30f01fccfbedbf602c9074673e4891c2ec196c5065a9c5847558764f2631fa00df88d808e246

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
41B

MD5
1bbd18182f84f13e1d8f745a3cd8b987

SHA1
1f8d011f0a5a793cf8c998ad02991919247d837f

SHA256
4a777a308883b69d3b851c6ae3669868176ce76ce4f81039e7513bafc8d6c55e

SHA512
7e28762033c93998f9e1b8281a814325f93f3d9e13e8eddbb03e2b08541f38641b8b3c3b6e871510b2758ff71e82dee45fdeddb3a2ed9eeec51c1be9a9bdb4ac

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
4KB

MD5
03c99cb81708d2ddf8a2253bca66799b

SHA1
9a65e92ab9c49da96202fbe46ee5263550059fe5

SHA256
9dafe0a77da244bc552a85c340ef46f1a2151912c339719bdf875a200bc7e7c0

SHA512
d56623390d3cc71a4cadf3329b1c16b880290a351d0600b9880c9a52ec9e4895d5bc30e71fa73bb43fc736c89f432f5f2ff10718ebb74a30fac64126d4af92a8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
2KB

MD5
f2ee98e6f23770b5835d2e084f1bbef6

SHA1
9a6560a13b248324155902c6bbe457122d67cd3e

SHA256
2b3cbdd5227232ac17921e827cc5f56edff55fe8706f4dade3958aa60bbb56bd

SHA512
f61537494f75f84c9ccd9bc8e82c46c6a5bf013431a995eac1bf483ec751c7b85bf154a2c1bdb9a57a1918c851ba5cef6d0a1246e27992894eb2aa55d8daf9df

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
68B

MD5
96490d55c41e2b7e8a4448c0c5d90dfd

SHA1
7d815354db789604c17c6e4c3d068c6393dd4df2

SHA256
d201cbf0642f63f6f563ee494454668d32f533124dc96d53f53f513ae07907a9

SHA512
8a529ac15423f59b3a1eea5afeba5304072c59a0dff42b0c973655cb68ec144374657972b57f2708c830be26c1d45eb5c9cb3f35cf5ecb39539dc202057cfe92

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt

Filesize
3KB

MD5
87533f3f6909c385f9022df9418f5806

SHA1
7e8c3e07b24414db64f92403f7ba7073b219dfd4

SHA256
effa73252718aa67bcc65e467de7d1709920d6fa37268a43b87c60ac2808ac3a

SHA512
6fe026cdc5fbd7c0100628e6af531153ef1dff709a8a93633f7ff409c7cb6960743ae69b3a5fbf25e203ae48ece5f4b8095561a1f66b04258ff34e9aa12d0dc7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
124B

MD5
2829b5073b1120dc17e01095e79f0c73

SHA1
f8343b8ad7d202ca3552e9690c6cee517e7a5063

SHA256
184bb0d56948793779e905dba8a05fe5824f4d5701e49c7c0f0b2c6eec9a4113

SHA512
1fb7959f22285b6ad9aef3af2856c191b5e03af393f693f012655791a88a5471c4b646cfcdd6a2decf830eeb09a991248d713c53b60f39d3679fec73289478c0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified

Filesize
8B

MD5
e986099de28a3f04e2da018ef2c99254

SHA1
55d6d8b1af2795b42320f114e52651e15c946eb6

SHA256
753067e33ab9d5e182dd29f43ee027f5555060587406b4f56646d6b56490dfd6

SHA512
23819053d09a19065ff604bfb9002a2f4751a96fd4d1afb0f4c8079b138782eff17542cadaa0efe680dc61913e4a9ca078c8a8e74994febbbb2ccc00e1ba4e8d

Download Submit
C:\Program Files\Java\jre7\COPYRIGHT

Filesize
1KB

MD5
a20529a96d00362b899684496941b9a3

SHA1
0affdc12999a50aae36c0dce00ce59fb55b86dfa

SHA256
88d785b94cdd085663f4d777b6f876d93ca0a27a5172b2fac8c8ab4893eebd1d

SHA512
0e4a282bf20dfe529f4740d3d7f89a79c5a305ef62b18bb2de2d9d8d30c885415776c60c2065fc92a3e4dcf8af708102b8bd6ad652929563d9d8db761d43af41

Download Submit
C:\Program Files\Java\jre7\LICENSE

Filesize
57B

MD5
b5b21f09e072532cdd3314cef0e53407

SHA1
f6885a579119620644e1b11bb0bcabc2645e1704

SHA256
e315da4835cc04296c3b48e96651b1929bff592cc93de4bdbf52b194168f78ae

SHA512
05065bf21ae83c3869008442925780747d7d07ae89843cd08a2a1658797a161aa0989ef5ade9af120ea44bef221c9a652e792600026f98cb487303e8e7c03f8f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.Encrypted[[email protected]].XiaoBa

Filesize
28KB

MD5
c81b609cdbad4ecc26803e7e7515197b

SHA1
a5b0ba894c6ffdfe7cec46f7123b397ed1c38e14

SHA256
243d3f9964d4c091db9c6bdfa4d948bc1830cdb6758d56c4f114a5e5bc4a609f

SHA512
3012df41c52b39940d46ed1e694a8d7e88b214f8357f716f13a66b2056bfd92d6aee88cd5603b184e3054354915ed46dd1683531ae9219eea3ad47a7398667e4

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
44KB

MD5
84448bafb280422e0087863ed2c57897

SHA1
7d14d51c0714a983078757df7b08f842c75007b8

SHA256
07839b20af3873799f749511519c0dbf4b647661c7747a122586e872511a9986

SHA512
15b5646544dc943b47434a4b333b9232a9a2d5e4fe96aa5e6fe1204b9c39173d69cd598c1e53480be4aa6520ffa6202fb9f77d7f0221c25dd4a864366284ac19

Download Submit
C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties

Filesize
1KB

MD5
0b9455d6fe5bb17838d8165f5c55c977

SHA1
6f64e1203ec3cec2150716334fd2c90750d8c8db

SHA256
faba7e12fb69548858ecd751ebc6041c741d7cf065c3c6f73c50ca53d2f1d557

SHA512
ca9313d9aeb13536ef818173d1a9e533bd1ac6410d95f0ed53c2ec00ee0689a9191d9dbc34ee19339da5c31ffcaa83a5b8618737426559a9f3d8fb9653e6f918

Download Submit
C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia

Filesize
40B

MD5
f999423f899c8a83df8e9b5b0d435774

SHA1
58f66eb8ef753a7dddf66461c9ffe97c53b87fdf

SHA256
c74154a41e98cc23cc742488052c75f43cff038513947b958e7326a2f38a117c

SHA512
529f3b2b61e76be790d899fa1eaeb09439d800d8369018d69d735a034c16bd4cc9061fb0b43d25d6eaaa0fe37bcb09220ae6352c1350ba46501d80bc441461c5

Download Submit
C:\Program Files\Java\jre7\lib\zi\CET

Filesize
791B

MD5
559ab7c040b3ac38d7a20983ce516641

SHA1
2072e270d96dd38a207f5df07c72519f2e7fab61

SHA256
548c3b415b1d0340887f953d4b8176d7c0ec90d64eab3c4281c749a7ad7476ad

SHA512
dca4a6e76e9bd297946cfac98b3861224fb0ae45ee6f8afbef1084f7a3380fecc18336eb17816c628614109a39f19edec3758cb68d4f4385bc9958205db43d96

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4

Filesize
40B

MD5
f53c539087bac433556487cdb540c581

SHA1
194fca4a29787826c55b9a96dac73290dd5442b7

SHA256
7e12323c0abaefd72f1facfc642d52ff272ec3df5134a5012876b0ec47101d5e

SHA512
c85e581eb426f3cde102bcb51e517eab0a399f24495aa2f6c7faadd156c0e24b31d3c88dc29202eb01263915c462342f2c724d1d61387facaf5b9804b52b755b

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6

Filesize
40B

MD5
df60f3f472140f1f092cbc019977c451

SHA1
de49d055a4a49d0a1a03e4807655e13a3ffc0908

SHA256
d1b11ab6196404953831442a8108c822b9c567f65ef2f5b6f056ba12c889c1f0

SHA512
db6d451ac7d41998878119f5464fc53242d9f0a2062c9db7bb60cd76bee0b6155e747b71609b046a171950e7ed52960f6db6362c7e0fa650141af9ec04432e40

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8

Filesize
40B

MD5
aa2c7e1db809a48b5c0862032e816131

SHA1
17387a87314a4d0ef8dffb9e189de75a2bdd3f06

SHA256
a8772a92549db4a6accc6a6b39c10b21a2d3467202846a440edf046f772ee2ea

SHA512
01e0c81c93417a62c427463648b018d4bb9aabfd3288a23bf97b3edafa01b8ae28d3d8e9489c2dabf127aae6c22ae04fe580d28cc6b1c9d71f58f3c760648804

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9

Filesize
41B

MD5
13167b40b84d20748cc10032d98118f6

SHA1
662cf3afa29bd5c78280e464303085f877c142c0

SHA256
062d532d85545f42187f51585b558fe8480a9184ac5d52d85673af167f9d0476

SHA512
cac288e4594881c0f6c1624c0bd7bcff1b9c015e6bd8c81b48c0cbbdfa4ddcf8125c5116be96964e301e7565f48f92ea9629d96d7e70e233d02277af1fc7a730

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10

Filesize
40B

MD5
8a97aa28bfc5e125aaaab001239d695c

SHA1
9e6485d115ba50b20b59ffcdda6ca0a644c029c3

SHA256
2341a6cb30e1a9cd10fba8938514a13104b1e13899069bd16a7a47b87d9aafeb

SHA512
840a5b37700941601dda552e7c5ab98063104fd148b4ac0a6779cd89d73cdf733eda6342943e10ddf795b4ffbabd35cae475e09fd99fcf4103c26707e22bc270

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7

Filesize
41B

MD5
5922b82fd31679c9b0e81e4a4dfeb05b

SHA1
473a670c92f10147a8df1e93d39290a154372671

SHA256
138dc082b1de36085228d4c3fab394969de1bf60c2b49710b3f45af95e473b8d

SHA512
fbbcbe68a7d3dbe6816f9a34cd3d7fe9ba5111cff74fdbe89e9912e6d4de06a65e1443bf65bcb7b72414619b60930ae7b47be38807071746f51f347cfbe3c674

Download Submit
C:\ProgramData\Microsoft\MF\Active.Encrypted[[email protected]].XiaoBa

Filesize
2KB

MD5
fea825aa65c000741188c9681ff09cd0

SHA1
b2cb2cdd85c68d5f1fd8747894e9fb819904f12a

SHA256
f0d0d09536de5916505678a549c6861308af159ca0c735e18b218a467aea55f0

SHA512
f5417ad3f7975e1a0710e80b5c4d1b931f2a42f654879df9c6bf82be9bf0ef2e50b0deb2879ee4585e9e91a8f1e8f4b79cf1faab9a901804809ebc96adc484c4

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSSres00001.Encrypted[[email protected]].XiaoBa

Filesize
11KB

MD5
79c01454d16cb4466cff5cb253f9e6fd

SHA1
01ec22a6198b14932e0cb4c4d33322f1f69e5d3e

SHA256
c62066accfae5e2129ff2f6b12b0c6a3ba16bbe406bc86f15754667196e22ec0

SHA512
9aec9130e4b41ed880f89b1b5320accf9451148c7e83dcdfd1dc7fe58fc24f42f3599038b23796135b9ef161adacda53747ebfadcb1ac8b229c0cce8ad804bdc

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
22B

MD5
2e7e51c61642cf118c30b86091da3dd2

SHA1
3b77ea265a5d938ccf749addfe22a1837db37c58

SHA256
92dc402f48fad06e69a96c1b60e393fb5714a9ca455c6c19de94cc2da027d89c

SHA512
05e2c756f2d38cea6f3e4c7e4ca1e17d81d1b6d47ed9973b9ae2efa503b4212e23b8417aa065e35fed6410b886b4cd556674a44df560db9f4a35147b1b71c254

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
33B

MD5
7d7652ada9e1afe7ccac262690e34eb2

SHA1
0425268e30c64288eefbc36ef5a73170a9e05cf8

SHA256
4e9ce61665a21c49ed07a889a8d3f5dd9c81c63d21020b521430422325af13f5

SHA512
1fb4c5bc6ca44d8490f1bcf73fa04e7085e392f5bd65be824a28439609f482c02743356d0102875f45f654859d1b6fc9089c8cb1d39314a0078f83b1b5b13522

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.Encrypted[[email protected]].XiaoBa

Filesize
50B

MD5
273b22d4e10b9781eef4c997da8e5389

SHA1
f277ae5c382f154d36f100413635def9bf29df16

SHA256
7d7153e214658b3258e64378180de5567b6b85ca8b0593a228b52ff3984b42b7

SHA512
d39dda089ddbef2a8ad27e7c9d09e275949113507dc2b71abf15aab4ceafdd34777f7a6c324aca4b28fa1be37bfa3c0d2ca48d9133a2f90c2dc930ac75e59f42

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001

Filesize
123B

MD5
5b2c4da85467015d84670fe16d2011e7

SHA1
a303402e4703b3d9ec8d1995f775b7624167c284

SHA256
9d43daadd7a08d903a547c270d2339dfb7348dd7f519f51bdd88cd5f502a0f4e

SHA512
581b0dc8e87e464f63e482e244fef23e6d6aae045abfc25ebdd8195ce51e1aee93b1ab9f3a6394f8204ac84487e19df493c20e8f7fd9b08537b04625fb56214e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001

Filesize
6KB

MD5
b3a95ca4fb464050ba55308da5f04b75

SHA1
7864305fefaa9ccaae8a921679f77ec7a1dbb7fe

SHA256
8172d7635d9dbb30dedd9712645d9b95d1c2739f45423ce01bac6a31a2a1af8b

SHA512
6f1dc8454efff46750f530fcd572cc1a03fbe79dfb7c623d25d6343b0f93e077d0be64f23a7d3d7315801fe017b294589f63deda0b85dd238e45267a2037ea71

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001

Filesize
246B

MD5
ffc73e6dce53da116e068a511831b0a6

SHA1
26f52102942f1441857e95ec4f254a60e0c92e42

SHA256
9e006e38381c15268f2dba84e594789ea239da0f2f3f5b70684c2989ac90dd57

SHA512
b253f1a54cacde482e8d4f998f121777082574dabfedf5824295a83b7e586fca7b8d3fff251af2ebaf3fa6853d4c07eed06ecf89c2408b739e84228a0a46b0d1

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.Encrypted[[email protected]].XiaoBa

Filesize
30KB

MD5
5d428758fe7140ab5c1ea04b289d3571

SHA1
f80332158ce404b52846ec320f64d9196d46a760

SHA256
976bab06e6ba67f45253303d7c18f8b8403b86c13425f2493fe6dcbfc8ae35f6

SHA512
69a9073657517d69f2a5a4cccc3902521a66706d1fb3753810f462ec1481baf076786dda2a0aac3e4563d1d0297a8484f396e006afa7873ff7dd9afbb81f3b35

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.Encrypted[[email protected]].XiaoBa

Filesize
753B

MD5
3b754b3aaaf298695ec84d14c826e0a0

SHA1
b5e456228c4146c209117b0664ec401a603056af

SHA256
b6d0b5eda16d830f1f0f23322e4d66704327cfc3a9e2dae432c9e4557a61e76b

SHA512
8ce9e2efffe5fbb70284c5f69bc8f68f50de1dcb449f21bb8903cf6fa42c603169885236d8af11307cb972548776707dcf909e598ee1794ba34ab01103ca1f76

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft SharePoint Workspace 2010.Encrypted[[email protected]].XiaoBa

Filesize
739B

MD5
0c121555eb6cb31c56e1d29686fb1f06

SHA1
6dc10b31408414cdcee3c27dc7c09dca89997b77

SHA256
acdfcd4dc914b51d950d5981d8c7c2f0db5f37d41f1136ee9aba47f5e12e92b0

SHA512
c8e8842cdec69e7dbdd9052c853bd138ac77d098a3dfa1c2587e18da9a9c50edfe933f745e38dbc80347919bdec0c6cd08bcfe73b0248d54aac4d7f89b03e282

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.Encrypted[[email protected]].XiaoBa

Filesize
444B

MD5
2d23f6f879d9e587735d55f35e976998

SHA1
a558ea743a8dc7805c1c4482abf955ef47aca905

SHA256
4ae3f7964726b66062fbfe1378390c34a510902a9d66fabf73c9dc15452be8df

SHA512
a849fb6c63da54a7e7ac729d52c5fa08f5433609ce7a457027a0b819f1912d9cc77fa6123f465e1c4144f318bdf0240cf9658af3c80785029294c921c95d4b72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT

Filesize
29B

MD5
01cd1347701ef49b560dbe3ded5bd53a

SHA1
a5829d00170c372aab4599fec5aac974d8fe33a8

SHA256
84a68107dc5c38c39b82c914f15383d404f01da350827b3f5bfbe80b319855fa

SHA512
139fe8ca6994feb80548d14bad379b933b62dcbd5f7902b69bb5d9220b60035f2c5119bbbf5fda658e39b4890be952b37fd10bc373243e863810659e3253fef9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
52B

MD5
21a62c567d1f27c8f3a132882490579c

SHA1
2a5628e6c56cc6864960201acc4db21cf84a21b0

SHA256
2d996cceff65fc138111d0d1f3842e01daa8cc640a9fe038d5f12ca0a44cfa0c

SHA512
5a1de05ef18f7255f44a680183c18e2f31cc978ec57f3d1df76ddee73e10c82be17cd1bfc4eafca7a32e688b0e1a15f3dfab115c3cf8956ddbb81c5b174c6c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
334B

MD5
29a33a93daaae879274d9701ebdec720

SHA1
6bc4b771e7df2434731bf1936fe23e812085fcaa

SHA256
b1adf6c66fe56c0baaa8e61b84d0d8f5a1cc438207f196947e1f542bcaf9bffe

SHA512
ee81d5425074764bebf87dd02a470ab340796d1dfbd748b5ac8a4d5b1408b2967993c0af3e8d88bab13f6bf3024c57b601f5a79a8c837bfc37c890aaf8e8fb69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_2

Filesize
50B

MD5
aca97f28f0670c5b7b65445055f5b5ef

SHA1
03929563edeaac05d22fdffc9bc4674cd32a6f56

SHA256
b771d5e7e154d22c7de7415623ec6613d240ed68ee451df8faa8b77730ed98fb

SHA512
35c630e8cde6e6a6239660595d0ad6bbc28b925be4813b4add9d2530c54ecf4adce26bb60774115caeac3ec46222876d9229c7995e9de77361d532d44950ac48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
52B

MD5
dfc671078eceec909130a26d1ec7f9de

SHA1
a26a1fd4194cc3d91fd3507706ed1bc6a9eadb31

SHA256
da49f178cec6b1ca33f085a1625ac1f04297ceba912d42c6dfb1257cb48657b3

SHA512
3f75f53b12b57844d2cd74436164e7eac6d61b0f5f177bf966c40e3845fc9ae923162c9fb618a820be2cfc9c4f385cf97c28f882baf98b64d754df5a4d0d9849

Download Submit
C:\Users\Admin\AppData\Local\Temp\_XiaoBa_Info_.vbs

Filesize
756B

MD5
2f3557201cbb8ad90af3a8c5f1296ebf

SHA1
da6c0ce4d74c84b4e5b035e32543a1ab4aa51cf8

SHA256
3dc4bc98798b11433b7d514b965fddc24198d11db589067b8e90b46e47c9bf23

SHA512
2be27353374bcdf3ec4c31c25ec9e8fcf7cb6eec3930f23474f38c2e0b35782717233c926228aae27de5f9f26d5fbf1742f0eed8bc789679e4f8330ea4b6d625

Download Submit
C:\Users\Admin\AppData\Local\Temp\a42252e674a09a0b689e71c88f59969f538a473da647cc4eb5457a5d5e03a234.exe

Filesize
53KB

MD5
7ec602659ba8dfa6e01f2c2e2b8cbcd2

SHA1
e982921ab25d5af470b543f46cdbfc6e7be6d946

SHA256
90f146df472e9fec3902caa07abf8192de50a626d41b3e6168e24bee8b9d43b1

SHA512
f40b0a649a6d0d2ac99c5acec9e3d9e0488b99c18fc6bd96806dc747f841bae6f1ca09f2ec2074a7af28af1c2d4278b33cffa4149116e4116c7e7c9a8f84bfe5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_BD8E313A98534229A258A1A10021E8CC.dat

Filesize
940B

MD5
ace41fe13d5830bcf4adba406131483d

SHA1
f5b1ef68af2ceee63ccd7d9f85dc3373b0eb5c93

SHA256
409c2cc9578cd403133a98532df85fdff6700085343be5ed232d528eefe5dd35

SHA512
8373f215408c92a7df1c3c42ed615d07918c85f9f44b52350a68dff8e4a9aef2772091ac21839a2df52bef5f0b5fef1f36a695cd64ecb8c756c76a0e8845f4fe

Download Submit
C:\Users\Admin\Desktop\_XiaoBa_Info_.bmp

Filesize
40KB

MD5
9bea599d3317877ccff93580da6cbe2e

SHA1
5f5fb0ffcc1b59899ae30576e665902e5b67328d

SHA256
bfe1891fa21032b8618178d10cef812315fa7d038d6e6d8ae80736e170188ea2

SHA512
7ef7002905cd09316c59c55b2c4eb79e5b67f0cb0d1edb5aa8127b1b04751940c7b11791494c2bd26cb9546931feec42ad706da32e0ddc375ea1423faafd1af2

Download Submit
C:\Users\Admin\Desktop\_XiaoBa_Info_.hta

Filesize
26KB

MD5
42ae8cfdcc8d65f610ee938467d64c95

SHA1
be41b152d9fe99a8585bfad8a9200a4adfa58f5e

SHA256
d9422e5b86ec97c3636ade428385520d1d4697b5f2db2770b2a12f617f77ae4a

SHA512
18d5c5f2754f168af1f2d3bc4c4a7fdcd3845eb868c163e5010dd09b3e61ded18d53e2fa8ce7bac7b272f83c607734fa362570f4f37dfbbc61538ae72d16a100

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
309B

MD5
f66a62aab0bd2e55c0f9f5180c442d91

SHA1
f50087bc972fade3a27701ddf3ac2dfe47b764a9

SHA256
db0163fcc3d2a93ab362f93ffba2c6f76c24d47b9dca070d206f546bc1b915da

SHA512
87ff5d3258cb363b931dd7229ceac204f036478f7ae05503dec6c721e3d725ef7e2a2130c67f1d9ee4cecf891eae9d8bb68443b55a3c7617754f4881d433ed70

Download Submit
memory/2816-21265-0x0000000000190000-0x00000000001F9000-memory.dmp

Filesize
420KB

Download
memory/2816-20568-0x0000000000190000-0x00000000001F9000-memory.dmp

Filesize
420KB

Download
memory/2816-20948-0x0000000000190000-0x00000000001F9000-memory.dmp

Filesize
420KB

Download
memory/2816-19172-0x0000000000190000-0x00000000001F9000-memory.dmp

Filesize
420KB

Download
memory/2816-21560-0x0000000000190000-0x00000000001F9000-memory.dmp

Filesize
420KB

Download
memory/2816-21819-0x0000000000190000-0x00000000001F9000-memory.dmp

Filesize
420KB

Download
memory/2816-22330-0x0000000000190000-0x00000000001F9000-memory.dmp

Filesize
420KB

Download
memory/2816-22669-0x0000000000190000-0x00000000001F9000-memory.dmp

Filesize
420KB

Download
memory/2816-22874-0x0000000000190000-0x00000000001F9000-memory.dmp

Filesize
420KB

Download
memory/2816-23279-0x0000000000190000-0x00000000001F9000-memory.dmp

Filesize
420KB

Download