marsstealer | d7676e38029789eb42452b343315be2187696c7432c3923281e961010c1c3913

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mega Spoofer perm and temp.exe
Size

22.4MB
MD5

317c5fe16b5314d1921930e300d9ea39
SHA1

65eb02c735bbbf1faf212662539fbf88a00a271f
SHA256

d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
SHA512

31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
SSDEEP

49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6

Score

10^/10

marsstealer ragnarlocker xworm default bootkit credential_access defense_evasion discovery execution impact persistence ransomware rat stealer trojan

Malware Config

Extracted

Family

marsstealer

Botnet

Default

kenesrakishev.net/wp-admin/admin-ajax.php

Extracted

Path

C:\Users\Public\Documents\RGNR_86266DD0.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Extracted

Family

xworm

Version

5.0

outside-sand.gl.at.ply.gg:31300

applications-scenario.gl.at.ply.gg:53694

Mutex

uGoUQjcjqoZsiRJZ

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 53 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019427-450.dat	family_xworm
behavioral1/files/0x0005000000019dc2-458.dat	family_xworm
behavioral1/memory/1796-453-0x0000000000190000-0x00000000001A0000-memory.dmp	family_xworm
behavioral1/files/0x000500000001a037-483.dat	family_xworm
behavioral1/memory/2000-475-0x00000000003D0000-0x00000000003E0000-memory.dmp	family_xworm
behavioral1/files/0x000500000001a45e-496.dat	family_xworm
behavioral1/files/0x000500000001a45c-500.dat	family_xworm
behavioral1/memory/1596-504-0x0000000000CC0000-0x0000000000CD0000-memory.dmp	family_xworm
behavioral1/memory/880-503-0x0000000000240000-0x0000000000250000-memory.dmp	family_xworm
behavioral1/files/0x000500000001a466-502.dat	family_xworm
behavioral1/files/0x000500000001a49e-537.dat	family_xworm
behavioral1/files/0x000500000001a4dc-535.dat	family_xworm
behavioral1/files/0x000500000001a502-591.dat	family_xworm
behavioral1/files/0x000500000001a4e4-588.dat	family_xworm
behavioral1/memory/2920-608-0x0000000000FC0000-0x0000000000FD0000-memory.dmp	family_xworm
behavioral1/memory/1752-607-0x0000000000C40000-0x0000000000C50000-memory.dmp	family_xworm
behavioral1/memory/604-605-0x0000000000F30000-0x0000000000F40000-memory.dmp	family_xworm
behavioral1/memory/1204-604-0x0000000000350000-0x0000000000360000-memory.dmp	family_xworm
behavioral1/memory/2664-603-0x0000000000AC0000-0x0000000000AD0000-memory.dmp	family_xworm
behavioral1/files/0x000500000001a4fc-597.dat	family_xworm
behavioral1/files/0x000500000001a4c8-590.dat	family_xworm
behavioral1/files/0x000500000001a4f1-578.dat	family_xworm
behavioral1/files/0x000500000001c77d-682.dat	family_xworm
behavioral1/files/0x000500000001a508-677.dat	family_xworm
behavioral1/memory/2868-697-0x00000000003B0000-0x00000000003C0000-memory.dmp	family_xworm
behavioral1/memory/1948-705-0x00000000008C0000-0x00000000008D0000-memory.dmp	family_xworm
behavioral1/memory/1512-702-0x00000000008A0000-0x00000000008B0000-memory.dmp	family_xworm
behavioral1/memory/1816-701-0x0000000000900000-0x0000000000910000-memory.dmp	family_xworm
behavioral1/files/0x000500000001c7ab-696.dat	family_xworm
behavioral1/memory/3056-695-0x0000000000040000-0x0000000000050000-memory.dmp	family_xworm
behavioral1/files/0x000500000001c78e-685.dat	family_xworm
behavioral1/memory/2088-690-0x0000000000ED0000-0x0000000000EE0000-memory.dmp	family_xworm
behavioral1/files/0x000500000001c87e-720.dat	family_xworm
behavioral1/memory/2368-717-0x0000000000D60000-0x0000000000D70000-memory.dmp	family_xworm
behavioral1/memory/216-709-0x0000000000B30000-0x0000000000B40000-memory.dmp	family_xworm
behavioral1/files/0x000500000001c88d-726.dat	family_xworm
behavioral1/memory/2860-728-0x0000000000F60000-0x0000000000F70000-memory.dmp	family_xworm
behavioral1/files/0x000500000001c8b3-751.dat	family_xworm
behavioral1/files/0x000500000001c8b7-740.dat	family_xworm
behavioral1/memory/2344-767-0x0000000000330000-0x0000000000340000-memory.dmp	family_xworm
behavioral1/memory/3012-771-0x0000000000F30000-0x0000000000F40000-memory.dmp	family_xworm
behavioral1/memory/2848-770-0x0000000000F60000-0x0000000000F70000-memory.dmp	family_xworm
behavioral1/files/0x000500000001c8b9-756.dat	family_xworm
behavioral1/memory/2560-766-0x0000000001080000-0x0000000001090000-memory.dmp	family_xworm
behavioral1/files/0x000500000001c8be-753.dat	family_xworm
behavioral1/files/0x000500000001c8c0-765.dat	family_xworm
behavioral1/files/0x000500000001c8c2-764.dat	family_xworm
behavioral1/memory/2616-772-0x0000000000A80000-0x0000000000A90000-memory.dmp	family_xworm
behavioral1/memory/2176-745-0x0000000000A00000-0x0000000000A10000-memory.dmp	family_xworm
behavioral1/memory/2904-731-0x0000000001290000-0x00000000012A0000-memory.dmp	family_xworm
behavioral1/memory/3452-19982-0x0000000000A20000-0x0000000000A62000-memory.dmp	family_xworm
behavioral1/files/0x001400000002120a-20049.dat	family_xworm
behavioral1/memory/3716-20367-0x0000000000290000-0x00000000002D2000-memory.dmp	family_xworm

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer
Marsstealer family
marsstealer
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
ransomware ragnarlocker
Ragnarlocker family
ragnarlocker
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7804) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4496	powershell.exe
5068	powershell.exe
4168	powershell.exe
3792	powershell.exe

Downloads MZ/PE file 4 IoCs

flow	pid	Process
17	2008	4363463463464363463463463.exe
49	4896	Update.exe
69	2008	4363463463464363463463463.exe
306	2008	4363463463464363463463463.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wave.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2fddd325.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_86266DD0.txt	asena.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wave.lnk	XClient.exe

Executes dropped EXE 34 IoCs

pid	Process
2008	4363463463464363463463463.exe
2556	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
2736	asena.exe
1312	Bomb.exe
2580	CryptoWall.exe
1796	25.exe
2000	24.exe
880	23.exe
1596	21.exe
1752	22.exe
2920	20.exe
2664	19.exe
1204	17.exe
604	15.exe
3056	18.exe
2868	16.exe
2088	13.exe
216	14.exe
1512	12.exe
1816	11.exe
2368	10.exe
1948	9.exe
2904	8.exe
2860	7.exe
2176	5.exe
2344	6.exe
2560	3.exe
3012	4.exe
2616	2.exe
2848	1.exe
4896	Update.exe
3452	XClient.exe
3716	Wave.exe
4240	Setup.exe

Loads dropped DLL 11 IoCs

pid	Process
2696	Mega Spoofer perm and temp.exe
2696	Mega Spoofer perm and temp.exe
2696	Mega Spoofer perm and temp.exe
2696	Mega Spoofer perm and temp.exe
2696	Mega Spoofer perm and temp.exe
2696	Mega Spoofer perm and temp.exe
2696	Mega Spoofer perm and temp.exe
2008	4363463463464363463463463.exe
2008	4363463463464363463463463.exe
2008	4363463463464363463463463.exe
1208	Process not Found

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fddd32 = "C:\\2fddd325\\2fddd325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fddd32 = "C:\\2fddd325\\2fddd325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fddd325 = "C:\\Users\\Admin\\AppData\\Roaming\\2fddd325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fddd325 = "C:\\Users\\Admin\\AppData\\Roaming\\2fddd325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wave = "C:\\Users\\Admin\\AppData\\Roaming\\Wave.exe"	XClient.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	asena.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
68	raw.githubusercontent.com
69	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-addr.es
7	myexternalip.com
18	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	asena.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png	asena.exe
File created	C:\Program Files\VideoLAN\RGNR_86266DD0.txt	asena.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat	asena.exe
File created	C:\Program Files\Microsoft Games\Purble Place\RGNR_86266DD0.txt	asena.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\WinMail.exe.mui	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14980_.GIF	asena.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png	asena.exe
File created	C:\Program Files\DVD Maker\it-IT\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar	asena.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\wmpnscfg.exe.mui	asena.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00935_.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01243_.GIF	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml	asena.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	asena.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ECHO.INF	asena.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\FM20.CHM	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Solstice.eftx	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\OriginFax.Dotx	asena.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar	asena.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\THMBNAIL.PNG	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107152.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLMAILR.FAE	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfontj2d.properties	asena.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui	asena.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmplayer.exe.mui	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01084_.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02091_.WMF	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna	asena.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0235241.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Complete.xsn	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Premium.css	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\macroprogress.gif	asena.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\RGNR_86266DD0.txt	asena.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152722.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL082.XML	asena.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar	asena.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\chkrzm.exe.mui	asena.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK	asena.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\RGNR_86266DD0.txt	asena.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mega Spoofer perm and temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asena.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2216	vssadmin.exe
1112	vssadmin.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4396	notepad.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4044	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4896	Update.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4496	powershell.exe
5068	powershell.exe
4168	powershell.exe
3792	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4896	Update.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2580	CryptoWall.exe
2196	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2976	wmic.exe
Token: SeSecurityPrivilege	2976	wmic.exe
Token: SeTakeOwnershipPrivilege	2976	wmic.exe
Token: SeLoadDriverPrivilege	2976	wmic.exe
Token: SeSystemProfilePrivilege	2976	wmic.exe
Token: SeSystemtimePrivilege	2976	wmic.exe
Token: SeProfSingleProcessPrivilege	2976	wmic.exe
Token: SeIncBasePriorityPrivilege	2976	wmic.exe
Token: SeCreatePagefilePrivilege	2976	wmic.exe
Token: SeBackupPrivilege	2976	wmic.exe
Token: SeRestorePrivilege	2976	wmic.exe
Token: SeShutdownPrivilege	2976	wmic.exe
Token: SeDebugPrivilege	2976	wmic.exe
Token: SeSystemEnvironmentPrivilege	2976	wmic.exe
Token: SeRemoteShutdownPrivilege	2976	wmic.exe
Token: SeUndockPrivilege	2976	wmic.exe
Token: SeManageVolumePrivilege	2976	wmic.exe
Token: 33	2976	wmic.exe
Token: 34	2976	wmic.exe
Token: 35	2976	wmic.exe
Token: SeIncreaseQuotaPrivilege	2976	wmic.exe
Token: SeSecurityPrivilege	2976	wmic.exe
Token: SeTakeOwnershipPrivilege	2976	wmic.exe
Token: SeLoadDriverPrivilege	2976	wmic.exe
Token: SeSystemProfilePrivilege	2976	wmic.exe
Token: SeSystemtimePrivilege	2976	wmic.exe
Token: SeProfSingleProcessPrivilege	2976	wmic.exe
Token: SeIncBasePriorityPrivilege	2976	wmic.exe
Token: SeCreatePagefilePrivilege	2976	wmic.exe
Token: SeBackupPrivilege	2976	wmic.exe
Token: SeRestorePrivilege	2976	wmic.exe
Token: SeShutdownPrivilege	2976	wmic.exe
Token: SeDebugPrivilege	2976	wmic.exe
Token: SeSystemEnvironmentPrivilege	2976	wmic.exe
Token: SeRemoteShutdownPrivilege	2976	wmic.exe
Token: SeUndockPrivilege	2976	wmic.exe
Token: SeManageVolumePrivilege	2976	wmic.exe
Token: 33	2976	wmic.exe
Token: 34	2976	wmic.exe
Token: 35	2976	wmic.exe
Token: SeBackupPrivilege	2308	vssvc.exe
Token: SeRestorePrivilege	2308	vssvc.exe
Token: SeAuditPrivilege	2308	vssvc.exe
Token: SeDebugPrivilege	2008	4363463463464363463463463.exe
Token: SeDebugPrivilege	1796	25.exe
Token: SeDebugPrivilege	2000	24.exe
Token: SeDebugPrivilege	880	23.exe
Token: SeDebugPrivilege	1596	21.exe
Token: SeDebugPrivilege	604	15.exe
Token: SeDebugPrivilege	1752	22.exe
Token: SeDebugPrivilege	2664	19.exe
Token: SeDebugPrivilege	2920	20.exe
Token: SeDebugPrivilege	1204	17.exe
Token: SeDebugPrivilege	2088	13.exe
Token: SeDebugPrivilege	3056	18.exe
Token: SeDebugPrivilege	2868	16.exe
Token: SeDebugPrivilege	1816	11.exe
Token: SeDebugPrivilege	1948	9.exe
Token: SeDebugPrivilege	216	14.exe
Token: SeDebugPrivilege	1512	12.exe
Token: SeDebugPrivilege	2368	10.exe
Token: SeDebugPrivilege	2904	8.exe
Token: SeDebugPrivilege	2860	7.exe
Token: SeDebugPrivilege	2176	5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4896	Update.exe
4896	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2008	2696	Mega Spoofer perm and temp.exe	30
PID 2696 wrote to memory of 2008	2696	Mega Spoofer perm and temp.exe	30
PID 2696 wrote to memory of 2008	2696	Mega Spoofer perm and temp.exe	30
PID 2696 wrote to memory of 2008	2696	Mega Spoofer perm and temp.exe	30
PID 2696 wrote to memory of 2556	2696	Mega Spoofer perm and temp.exe	32
PID 2696 wrote to memory of 2556	2696	Mega Spoofer perm and temp.exe	32
PID 2696 wrote to memory of 2556	2696	Mega Spoofer perm and temp.exe	32
PID 2696 wrote to memory of 2556	2696	Mega Spoofer perm and temp.exe	32
PID 2696 wrote to memory of 2736	2696	Mega Spoofer perm and temp.exe	33
PID 2696 wrote to memory of 2736	2696	Mega Spoofer perm and temp.exe	33
PID 2696 wrote to memory of 2736	2696	Mega Spoofer perm and temp.exe	33
PID 2696 wrote to memory of 2736	2696	Mega Spoofer perm and temp.exe	33
PID 2696 wrote to memory of 1312	2696	Mega Spoofer perm and temp.exe	34
PID 2696 wrote to memory of 1312	2696	Mega Spoofer perm and temp.exe	34
PID 2696 wrote to memory of 1312	2696	Mega Spoofer perm and temp.exe	34
PID 2696 wrote to memory of 1312	2696	Mega Spoofer perm and temp.exe	34
PID 2696 wrote to memory of 2580	2696	Mega Spoofer perm and temp.exe	35
PID 2696 wrote to memory of 2580	2696	Mega Spoofer perm and temp.exe	35
PID 2696 wrote to memory of 2580	2696	Mega Spoofer perm and temp.exe	35
PID 2696 wrote to memory of 2580	2696	Mega Spoofer perm and temp.exe	35
PID 2580 wrote to memory of 2196	2580	CryptoWall.exe	36
PID 2580 wrote to memory of 2196	2580	CryptoWall.exe	36
PID 2580 wrote to memory of 2196	2580	CryptoWall.exe	36
PID 2580 wrote to memory of 2196	2580	CryptoWall.exe	36
PID 2736 wrote to memory of 2976	2736	asena.exe	37
PID 2736 wrote to memory of 2976	2736	asena.exe	37
PID 2736 wrote to memory of 2976	2736	asena.exe	37
PID 2736 wrote to memory of 2976	2736	asena.exe	37
PID 2736 wrote to memory of 2216	2736	asena.exe	39
PID 2736 wrote to memory of 2216	2736	asena.exe	39
PID 2736 wrote to memory of 2216	2736	asena.exe	39
PID 2736 wrote to memory of 2216	2736	asena.exe	39
PID 2196 wrote to memory of 536	2196	explorer.exe	44
PID 2196 wrote to memory of 536	2196	explorer.exe	44
PID 2196 wrote to memory of 536	2196	explorer.exe	44
PID 2196 wrote to memory of 536	2196	explorer.exe	44
PID 2196 wrote to memory of 1112	2196	explorer.exe	45
PID 2196 wrote to memory of 1112	2196	explorer.exe	45
PID 2196 wrote to memory of 1112	2196	explorer.exe	45
PID 2196 wrote to memory of 1112	2196	explorer.exe	45
PID 1312 wrote to memory of 1796	1312	Bomb.exe	47
PID 1312 wrote to memory of 1796	1312	Bomb.exe	47
PID 1312 wrote to memory of 1796	1312	Bomb.exe	47
PID 1312 wrote to memory of 2000	1312	Bomb.exe	48
PID 1312 wrote to memory of 2000	1312	Bomb.exe	48
PID 1312 wrote to memory of 2000	1312	Bomb.exe	48
PID 1312 wrote to memory of 880	1312	Bomb.exe	49
PID 1312 wrote to memory of 880	1312	Bomb.exe	49
PID 1312 wrote to memory of 880	1312	Bomb.exe	49
PID 1312 wrote to memory of 1752	1312	Bomb.exe	50
PID 1312 wrote to memory of 1752	1312	Bomb.exe	50
PID 1312 wrote to memory of 1752	1312	Bomb.exe	50
PID 1312 wrote to memory of 1596	1312	Bomb.exe	51
PID 1312 wrote to memory of 1596	1312	Bomb.exe	51
PID 1312 wrote to memory of 1596	1312	Bomb.exe	51
PID 1312 wrote to memory of 2920	1312	Bomb.exe	52
PID 1312 wrote to memory of 2920	1312	Bomb.exe	52
PID 1312 wrote to memory of 2920	1312	Bomb.exe	52
PID 1312 wrote to memory of 2664	1312	Bomb.exe	53
PID 1312 wrote to memory of 2664	1312	Bomb.exe	53
PID 1312 wrote to memory of 2664	1312	Bomb.exe	53
PID 1312 wrote to memory of 3056	1312	Bomb.exe	54
PID 1312 wrote to memory of 3056	1312	Bomb.exe	54
PID 1312 wrote to memory of 3056	1312	Bomb.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Mega Spoofer perm and temp.exe
"C:\Users\Admin\AppData\Local\Temp\Mega Spoofer perm and temp.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4896
- - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Wave.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wave.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3792
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Wave" /tr "C:\Users\Admin\AppData\Roaming\Wave.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4044
- - C:\Users\Admin\AppData\Local\Temp\Files\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:4240
- C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
  "C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\asena.exe
  "C:\Users\Admin\AppData\Local\Temp\asena.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\Wbem\wmic.exe
    wmic.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2216
- - C:\Windows\SysWOW64\notepad.exe
    C:\Users\Public\Documents\RGNR_86266DD0.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:4396
- C:\Users\Admin\AppData\Local\Temp\Bomb.exe
  "C:\Users\Admin\AppData\Local\Temp\Bomb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\25.exe
    "C:\Users\Admin\AppData\Local\Temp\25.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\24.exe
    "C:\Users\Admin\AppData\Local\Temp\24.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\23.exe
    "C:\Users\Admin\AppData\Local\Temp\23.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- - C:\Users\Admin\AppData\Local\Temp\22.exe
    "C:\Users\Admin\AppData\Local\Temp\22.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Users\Admin\AppData\Local\Temp\21.exe
    "C:\Users\Admin\AppData\Local\Temp\21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Users\Admin\AppData\Local\Temp\20.exe
    "C:\Users\Admin\AppData\Local\Temp\20.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\19.exe
    "C:\Users\Admin\AppData\Local\Temp\19.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\18.exe
    "C:\Users\Admin\AppData\Local\Temp\18.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Users\Admin\AppData\Local\Temp\17.exe
    "C:\Users\Admin\AppData\Local\Temp\17.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Users\Admin\AppData\Local\Temp\16.exe
    "C:\Users\Admin\AppData\Local\Temp\16.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\15.exe
    "C:\Users\Admin\AppData\Local\Temp\15.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:604
- - C:\Users\Admin\AppData\Local\Temp\14.exe
    "C:\Users\Admin\AppData\Local\Temp\14.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\13.exe
    "C:\Users\Admin\AppData\Local\Temp\13.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Users\Admin\AppData\Local\Temp\12.exe
    "C:\Users\Admin\AppData\Local\Temp\12.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\11.exe
    "C:\Users\Admin\AppData\Local\Temp\11.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Users\Admin\AppData\Local\Temp\10.exe
    "C:\Users\Admin\AppData\Local\Temp\10.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- - C:\Users\Admin\AppData\Local\Temp\9.exe
    "C:\Users\Admin\AppData\Local\Temp\9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\8.exe
    "C:\Users\Admin\AppData\Local\Temp\8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Users\Admin\AppData\Local\Temp\7.exe
    "C:\Users\Admin\AppData\Local\Temp\7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\6.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe"
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\5.exe
    "C:\Users\Admin\AppData\Local\Temp\5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Users\Admin\AppData\Local\Temp\4.exe
    "C:\Users\Admin\AppData\Local\Temp\4.exe"
    3⤵
    - Executes dropped EXE
    PID:3012
- - C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    3⤵
    - Executes dropped EXE
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\syswow64\svchost.exe
      -k netsvcs
      4⤵
      System Location Discovery: System Language Discovery
      PID:536
  - - C:\Windows\syswow64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:1112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\taskeng.exe
taskeng.exe {23B96131-71E5-4338-8C7C-AE2D26F8BA03} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
PID:3632
- C:\Users\Admin\AppData\Roaming\Wave.exe
  C:\Users\Admin\AppData\Roaming\Wave.exe
  2⤵
  - Executes dropped EXE
  PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
27KB

MD5
df8551fd30820e7ea2b43f10597851a8

SHA1
cd05daa442721071cb68d0a5b264bcce6ce951a6

SHA256
ce298010985891bfe11fb974802041dbb2e5661cc35053a270eeaf2f71d94717

SHA512
8b95bf12b2385664eab2d17b8e7ca8994757292674693d31eacc2d98af2d4c654bcb10f973ef6c3a77970d80984d5b8ad48a60222dfe6b48ce1a956d9291aeb2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
635B

MD5
07f9563469d0a8c2f9e87be16269cce5

SHA1
383891992ef51167ecad0feeb1277298dbe3a1e2

SHA256
bce7ea1f262f5bc1f1323a9bec3c4145edba3da139f4dc9c5c4c326b662b0d0e

SHA512
fe219363a4fc9b64d4c0716f5f24fe869bc735366bbed491b22e969c6902dfce5e4d3856e56258a6c204f71923b2cd676c1e1672a8c4aa5a165d32320f7ba735

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
634B

MD5
998014a414172502a1fec4a1d5faba56

SHA1
77d7a00cdb4409a61262e9580fd2c13138541509

SHA256
86a895ea5a0ec725f7474bc3dec680fd7be21e73d90717036f85b44e2c6a3722

SHA512
4a39fb5be8e68312644118dab07870811bdd0bbbc266e05ded256c7be70fd45f3de6381e3403574f360fb7a5e5b9ff645c4055a4df5ededf4f1be5f0843a9b61

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
862B

MD5
9bcb373c082da71e9715e89578aa63aa

SHA1
c73113bd5163f370e60fe53e859e5cbe5e9dd664

SHA256
5b888b73c0bfacb35b109b43b154d648c067c0aae98e39bff46463ca3480af30

SHA512
c1238cc787f205cf986a393b44e1f174952ab5e7ff2ac3604627cb63686973e235d10ee529e37612f2b492d037ad88a93e683056fb303a37a6050fccf9450782

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
743B

MD5
3c25d1972fd08000d512450b56ed91ea

SHA1
d18ec5d970b22fa2f2491dd59d760fc491686988

SHA256
8b036072ddd0e6913c80c9d441da96c2b3c0b14f63257f2307caf52493112480

SHA512
221aedd3e2f4500512cf5fd188e527f87cd6c9b8367181d410dfbb50bbaf4d98e5aaaa47c9d3fdba26155371368057c86f44d558336d968807697ce4ed185498

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
239KB

MD5
a7c44f3e461af5dca5cde90fad5a909a

SHA1
c64303556851856eaf8e8c3e214f0a4eb967e9c3

SHA256
105292794df63e39c050ce74f4a0b63e3f3e2bcac84bc01e871df9d90339f9d6

SHA512
a8780e2c00359a24b68069e563ece165a984dd816901344fbefdefed6e3593e631b941bc9634e2fe7b515205beafdc2472c77d57695594355ab2ac88b79e670a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
f0bbfa3e23c40d625b8689e9c9ff20f3

SHA1
f522042f1c1d75f3345571f21381abb375da1cdd

SHA256
220cf6a42ec928c15a36f04a5c87f9c754967d00b2b4fc14e455468cc407e627

SHA512
9cf82135eecf4afc0b04cc695e62336e0f2ed2a57bbec8cb5418ad44d56cee25b49c7db71021f2233267905c7a01935dd6cbb9670d93bf094df2b0165798dc22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
706B

MD5
f4e5ac4adebcdadd5406e643ceb98938

SHA1
25f76fac0b74c436029d4fe75e6815c094d90ba8

SHA256
a7504e7bac716f41ef022164ddc98c49f44538def48134d1d27a3e2fc28b941e

SHA512
e5599fd8b4c895ef7ac58376d076e5c90479764258a10c15cea634fd0f9dc846c45994c8ddac522592ae8c20523b0ddba92374bf05ca5ec02373fee3462a367e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
1017B

MD5
b0db6b6205234beac4bff432e48de9fc

SHA1
0709e48eb89e79f765f5712a06b064ceb2ffbcb2

SHA256
eb482aafed7ccb87b02f6c25d845d4d8e88b4381b3ca619ce940a319198e0250

SHA512
3fee111c47f79a017ddf413975017b0627ed0785cf6f73d5659ca6a716c3043587ae4d6b12d2394f0972096dc125816d19102c471f76c4e9aed13b9072c95c29

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
f8778e3dba8ed329b077931d5347d803

SHA1
b0c4c5501b706c356e84cc4899fc0f8f1aa1d443

SHA256
0e21bcf95c302150856146301e04b7a44cd9d4fdb7a753aaa94ffcd3ef5ab0bf

SHA512
12332756cbc9710c02744b1abef15cf34e19d983ff62d004709b0e85509990338f0f9b47417ec91e445dc89d02493f35f96f984db78ab7c561794716f56b6162

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
6KB

MD5
f301e18f1a487d1cf56284013137e888

SHA1
5f747dbd9dc2c9187811dd3a83e665281e153f7a

SHA256
b9c927a46041cf22668737863b52d98a3434d8c3bffcbd56724ae1e35aca167d

SHA512
419244255f292d768f2c837b106e2a7319033533458a2470b8efc6bb8b442d20022d567ecbe45593a4ce6667ee13ff37181452b30e96dae3e5940ca00f7baa48

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
88d73e635d5ca2135dee8aaed8a03857

SHA1
b05fdf813644e066a7d8b5892b3a36bc4ae7ef74

SHA256
762a3c03afa7db467b53492e3d8cb805571482b818ddd8b6734e4bd6eae95fdd

SHA512
05d84e1fcc81773c8b71d6e91fd1730ad3e8744ab37f9a7f1ba7d5f16306834e545f9f9b0623454d1ce37cb66772b011514c8be5f017dde3f9f45f4d4bde5235

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
5KB

MD5
3c30f3b97de3272aa85cdd90f3b507d5

SHA1
bdefad83361c67796b926d36cbc271df4a65eb14

SHA256
7dce146b138518921fd9dedb9806eac85b55f5ca9f1428b095d0a2229fb4b077

SHA512
ddb8a24eac7e88eae5bd7855acaaab16f4be423a450e9ee0f4b04dce8c29907db934b848e00a2b174b2b1e1ae0343aaf5be7ed66e5943c2c58727f8dce4735ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
22KB

MD5
845a73d388fe08b7f673d59ca26e72ef

SHA1
dda3890ab675df0bc205f53e698defbb24eb8273

SHA256
c033dec89432774f78424a5656350f803a7e1d19b929c80f8fddd84ea21513b5

SHA512
e79929603552642f0f3db1e390562d7739c5b0b4dc61d75f4654d8b4df3e007e0e9bb84bda132e3a33d1840c8be320bf208b96fbf1599312062d0bcb4de267ef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
627B

MD5
734d3d0c2268b19c89b7dfbc5c4fa217

SHA1
d316631a12f2c87bed4621411eda0ec58b3b11c8

SHA256
29f78f1ee6ca0c882591745959d614e5bf3763e891c30e667b567e7223c75c4c

SHA512
ee068eb533a93c43230a0d355d80feb03a37868ae0a839194427dc087b5bbb54521f10772df0ab7bf65d3148d02323bbe68ad7801ebc4e23da63212b7502824e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
5e7e8ff98151a4d89f5d8a13f6ab5310

SHA1
351a91b40ac882892afd86f9a1b3ec237bbf0f38

SHA256
5ef9b572707801c5729a0cf1a62c8fcb014b4850eaed3994f1eca0e5f88a40ad

SHA512
98086e8e5c90f482149274dc879286f707a542e602fa3a54e01d99f3c2f387518c08070033bfbb7f86d5906156d92f0b892c4ff097b6cad954401112a9598b1e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
13507a09451de782fdcd648e14edd8ab

SHA1
8c5556954bd3033ecf5b128278aaab2d7d9229a5

SHA256
ff094ae16050a832996b3a5d5bded34f15a6ce340bd783ba3c101c1376effbff

SHA512
716459f3dccfd574f055bb6c992ca28dc4d7aa0a10ecc26617e531c1537a7918dc62bd574a85b130a961ca51ebc16bc1a7596058b36af666683d5834734db1cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
0c4e6818495e6c8a68d7b668ed338652

SHA1
02e2ae5e795d8077546f8da94bc9a16c4926c680

SHA256
64345652289cc33067a21713daa684570bf9e117f96401bca9de56aa61fda4db

SHA512
2fc3658fa1f66673c897cd674bca54757977c358a9fa6dd53df0bb8164decded950555a71741db97a77635e23dd09495ffe127f318071a905b8aa1c8a791f2ee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
4c798f57aad1ce32fb3694d784575e88

SHA1
8a14e223881e7e0051e955f2cd681a9be605a19f

SHA256
a4ba2ae364e207d104ad051f586f9d5cd0ad8453eb91f083d7cfff486ebefc60

SHA512
dffe79120936f58aabc658ec2844f92558b217f5f2801c330cd23054c176f0ec7797642e039d03d77eddcb85e942e653df14efef1658acfa7afd3ff5d380e796

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
62428d985376e7602459c4d76ff28808

SHA1
e61d08b93ed87e8bd716afa358b60643c34f8403

SHA256
df801fa6344b0eb9ce394780df30911f3fdac5e81820e9a261ecc733cfb332c2

SHA512
3ec8370a371aa7436c8b438b5d5639bd5318db0e55a1549b0412ba8b73d917298ae9821df76f213bad3f1f6ce39b98111368d95d6fbeb5863f9da262309276bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
d0911d1303c1599b9794382427410f67

SHA1
d2727eae513d35a679dcf60d59cdfaaf91fc6465

SHA256
c51fce682189a3cab85e6abc078556e1bfd7948e344c6eb69044d3309c231085

SHA512
13b1651d5a61bac5c687143eab6ada7ee3f7cbd14341a696bf58c0488aeddac16f1f56c687ed0bf531f021a42c7fe1482e0569b7d58851b9552435fba4bacc3f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
3KB

MD5
9215cf8c67f0551e4043c01437fecf3e

SHA1
c70ada4da374b926e1d01114dd41f60f449b3fda

SHA256
ec79e5178c85793a32b756ba4b28cc72e1b6b9d4d9b300af19c7aa03766d3e86

SHA512
cf760393cbe6ab2a0a2c7ea0971974ecbcdfe56494e0f1452e3e26b180e3b49c30aae3eed4dbdc08804d490c66a619cc309a538a5a1fd0e23b2de41a6cea5cd5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
d04a4a93a03ad06c015ac83122c59b6c

SHA1
14b8cd6baf57085b21976bbe4010a3d01484cc7a

SHA256
664858c65aeaa26ead4d68177f78fae5e98803d383b19fa8d79ea5af5d843667

SHA512
73cf5c68574c9b9e92512ae927ab7e69939deeb571c2f688a72073d575ea373834c3ceed0748407e62ff6b0f2d42ed1ce26b9f5eb2b82caa22f962d5450d637c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
839B

MD5
754fdb409bcefb224df7b536e6220ce1

SHA1
bca5a4ab4544dac03560cf9b852a92cabd9e39e4

SHA256
414c70e6e37c349299b8332670a25e38e1df3601a82b60f1ccc2eee67a44051d

SHA512
3bc4bb858290eb20f49c19ebfabfd2816c049ad131f6494ec4a271b867f1879ee22ca51946ef3f9b99af78a2e4f7167be21dbc83e245e40da7c585132cd392a3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
891416a2b8ec77c900f9524219b51b23

SHA1
132c43addc0a32603bec6e520ce7d84845595fae

SHA256
fd4fdf8ccaac993232cf632f4ca75ae30a2d15c495abf3b4aabcd6f64227a784

SHA512
c996c3c3133f69d76a4a1e3a90d5793bc9bbe4b055a10a3c57df27690c60eadb151c216cda02284f63b4f9011ce889360d2ebf6b6a336ac265908854ebdc085c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
776B

MD5
8f55410711a24eb476992ab938d48af9

SHA1
4130799f979095b27daf8fab9f1a24529ab0a520

SHA256
90319e2138c63798e9bef91ae5181f04b2cfaaf6f20c06fed8b1a2bf719f6a37

SHA512
810cf4c0485bfca44c64ccb125193300527c59a7826ed52f3e3d5bfd907169e9120faaf0d40ec79bf7e768f38de48d4099e18e57cbd03cc7fec1fedb9f6df6b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
844B

MD5
c6bf1f27c4430b8ebcb54377124dce68

SHA1
3f498d7669492abce8a0570e10eaafaf16375d40

SHA256
b3ece2f30be0335fef31729dd02b3dfd8af86b6f3d32f22a9d4a1c3c5af07c10

SHA512
aae207cc76c9b98225efd6993f47227df850a84dc0083f673d2f89926393e5a7965f65da326b70c032e12def5524ed3c5b20f7fe01ff306198097addeedb5894

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
888B

MD5
339f9c964bd62917d71ac1934ffa65e8

SHA1
9012ec9e3f91482a6da2c8e610e95ae5d090b592

SHA256
075a159dda868abfc122a443df43b6e21e35c09e82219486b5c36efe2b04a417

SHA512
f4475c49de2cf3c417bf8d3ff27ba593be6fd5b1f61fc0da5ca5b8504f428dabb3b3132b6c552670925bd561055b422c9448a7efae7327dd8c5564cdb2e7ffba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
669B

MD5
32a4b6b4cf7e3ad571ab56e1b47c22e0

SHA1
fcb67fc2d4f5a22a6046772e7c8f717b7052fd8d

SHA256
4d07ad8804fb54eed7dd6f0bfd057a008978cdf53f6a9525d6fce546cce22604

SHA512
0120fd943e9334d8c978f58dccb677f2f0ac00c17b53b99e6811304b5544cae1b167629a76a6093489acf1cc1b0c8b224521d214bd8a8887bbf254137164e70d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
961B

MD5
60c40715caa1f7af16c6789bd803aded

SHA1
a941ee81a140a7e5db575ca9d8173eab4563f230

SHA256
a1d31d54bc0a5dd617fb48e497c1aa8af2c9a9057f79ea0a4f0ee343052a2ef5

SHA512
5917cb7e10f010012b9e535c35d7c72f0bd33d22835c78525c79ed58ad9a7f401fc05230648b644ba8aa1fd8b549d216ae852245f8164d23a77510c8b26bacb1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
983B

MD5
d73319860fa7d1828c1319d0b0605ad9

SHA1
bacf5013f207a50b7957189e8615be2ea4b5c1ef

SHA256
645b6ef4990841cf19223e6e9ac8e779422d804ad9c681b671b89534bee6add7

SHA512
6c0e432b6d743863e04ac22798dd5c03eba529fd0ecb1558387faf757109b9d8c139f70b83b7685595a1b60b350033f3122e7f26ea84608651543d63cfa52e9d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
788B

MD5
e6bdc7362ac905be85787ffe7467a857

SHA1
2fa6a430195636aecfb75a064dc161c4f288ff92

SHA256
023a3f3a654a60f852ff4ba9520a045cc9d7f82ff31a8abc3d17b02c5a5f629a

SHA512
40cb73c45e0570451a97fe60e1e7e4c0158912cf49263115530ecab508d161839608920df3a875bb3590a66956a7992ff1d038d1f5c0707ed9d33b687eab6294

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
6e0ae55a7a839d89c9090005a0d32425

SHA1
94231f4bf807486cf89b32d1f76f9f323dacbf8f

SHA256
e1f2761f34f961423d8ed5a96e6ae89ba97f7ade4063f4e75f08b7316e7301a6

SHA512
ec1e1298f0e75d1cae42c5ad3fec4e04a9cfd158a0c8cc97e6f2c71f6aec65b45f419fceb5e76c794df01758d6300d5f85a9987ed79707b12d644f69b58b1926

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
f0803bbb42a53426295c9db7deb492e2

SHA1
8615b9ec39b21dc0057cccfb31f8dcc3ab66d470

SHA256
fa46734ae64c32c3d995927e130847b4dd9aec0de6325b932bc9b4d508e4c733

SHA512
8e7a6a24341a7a283186379b4bb5428ce25794cc12bdd122ba3c2b12b11d6d88860f98493d1aa54894c57e08be9b15581a0ca0650f3a4b2110b65c74a963f759

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
983B

MD5
351649cbc97b33da6f925b2dc581fe84

SHA1
823d6c2bd8c742d51dfbcf7cc6a1a26cb8545d5c

SHA256
b977de05e20d8bf169362623525a3f318d8503b8e1d49ee32575f98a185d3d9c

SHA512
14abc986c651872746564274615aad4efa0f1b580e4438dea3095952aa689994ff7cd8af9868f697725084bbbe501274cd02e2006ae95bd2a738631016189e7e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
785B

MD5
de01a6352f2d7cc55f48febfdeaa123a

SHA1
f7772d7dce28a4baf2d673bb4d07fff30c4bf557

SHA256
b6278640e0e16f874a5e1a113cbfa24ce16c52a80763d7932fee40b6369573af

SHA512
19afc03f6706dddd7147293f84a7843091415adfec1666809e79a71dd2b53012d6bd4ddcd8cfc6ef1da1b0ea1b36d25454d444b1c951d5e150c91a22ddcd6db4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
754B

MD5
d58daef2ee5fb90cfd1fc9c6ae285f5a

SHA1
c6c63172dcbb16c947b20dce19b58bb390a8572a

SHA256
984b32d5b8ec68bcb364e94e29b5610259cebaa09940b953bc019763d03f4315

SHA512
0fb8f9c63333a1dfe6cb97c3e91eb020899a29b93e905ce411a7870af7ba62b04a5c64021857191fad5332233ce66e4fe4bf2a262934a90029d72e62c85a1050

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
885B

MD5
62ecee0957fee24f112f76fdde57b9e7

SHA1
493e61ffc0e17e07349fe4106c4aa5d15fe6c417

SHA256
a108af0093b78f5a1e6469069d30672c7053de226036ae383fa133f9da664ead

SHA512
f4113ded9d1347e7eaa2dd0a36fa645b8e95d69b6878d6f9372f99cae5e2a5c2bf164a22ae1b8477e015aa8fcd96ac57bc925c941a58e5d59f068ffb5f765185

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
885B

MD5
9de73c5946f52ce9a496fb98e3b718b3

SHA1
abc693d5f3bbfd6de81578cfce23239b4efbe360

SHA256
ff66d217853d0dbb3b3061e4d94d3d153e4bf28c596d70167565951bf8e51579

SHA512
d759ff77d8519a1ee484df99e561aa7a85d253eeca86c96a13f94f7d92a19166f1db68bebd93f2f6b057371c51c8ba3af8f5be62b135bd4062cfe6e78f5dffeb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
7KB

MD5
f43c6231374c3a472bfcba6e611b4903

SHA1
d255a2c7c23086e5083163700b5a9b1bce6680b8

SHA256
cdc05fbb736c2ae7d2e20de1aa2bee33db6d3aef6c9de4b8b9b7a7148505a9b0

SHA512
e0a6b9b40570d2c5c4251c65fbb929fb907cdcf3185428de9181f8601654b5ddf6168e9cea6d88ff0f34b23aeebe3b7a008b325b797e64167e12f2c7c5bde60a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
949B

MD5
660a2d578bd8fd7bc5a4889979c507b2

SHA1
9061c5c0a6be4345b64fa8c3d02c8bdf96942358

SHA256
6a7cc928e13eb79f08780f54ee10c00cd23708f0939f1ba13be0104fa80af1aa

SHA512
12265033c4e965095d08798d714eeff61cd14abc0e7138bed53373e68829267043818a0cfb905b4ab4c344f4964cea5f8e22aeb67e59cfe53dc97b363f0e5416

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
a46ff1c21025c7ee1818ed06f5e183c3

SHA1
cd66fd6782d8f3c09ac3031b6f038bbcca0af302

SHA256
dfb48848474bad970863406af2f1dc86c61c056be3f2968eaa0c36e72e1f6490

SHA512
474f30992b985647ab858448189cfe6523e5b05900c03cb8e57d3bf940db8a837304d9a4772fadb51b069b62362a61174a34570e9c95aa87dad60380b6bd8d52

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
1KB

MD5
1fe0738e8af4b14793fc4451dd0e2239

SHA1
fcb85742dfc2bd1662a5e86e8689e457d9626a69

SHA256
9e63fe30e951a26d5dc6e4ca972f1c7295bad8dddafc2b5a1699fc360350a734

SHA512
6d0894c19992fe18c43faf665713ccbb1ab9d28b2e063f307fd5639803855d1e7727d657686498d9474696058f8d5b8d4e899106e664ac883555c8e82b87b891

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
1KB

MD5
581fbf903f9a44c4d8e68768349eb30e

SHA1
6281d220bd6bb8f6713a9bf4b2d02a8ecdfb1f5b

SHA256
cc66c914a86f95204b2a9a03e5281a1ea8ca274d53323b9e05982ebfe0c2666f

SHA512
694017b90b75ece88449e542386d0904aa97a30d313235a86dc984a166f6b8987b99db012e503a99e05cfe1711dfa6e72f5dfbb4a87e13ca0fd1533608b6866d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO

Filesize
839B

MD5
e48389b35df25f872d1fc4cc64a79eff

SHA1
0f92419cb1089f54d88ba15948d0d730b5c32aa4

SHA256
41dc870c0e9b5bc4bb3764a3f40ca02fd394fe8f2d1db5c2056a296dd10e34cf

SHA512
b2c06fcd53df4a4a24b2d9b39873b1220b958423b71abd2715d0957b584c2f65eb299f0c5f971cdfe1a682d93b6fee62314d5a3275271de2c8f9ce079190936c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
83f51c601c670827a86eb89b6c60f504

SHA1
b4ea4e31397bf51374b924b5e14a2c98ec874c86

SHA256
7813a4d1d2d62fbc35e654dfe5c2b9ddf6b6cab9edcdcb8639689759174e2a3a

SHA512
6ee1fc27ee401e807298946e17ce5caa7e70ccca29dae5317c57bfcb9e3d5c1e49047a4b272d34dcb234ae6b2ebc574a2ed820450d21a592d02e749192aeb663

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
3KB

MD5
5b33f6d6eb2936eff6f5d30765e5d5e9

SHA1
64b3e8e4ce858ff33507e57bb9890ff177bf4c22

SHA256
81e26c90910f15294861f13b9ac477bc244be355b94fc0073bc2a5d5c0102b15

SHA512
1612f6b194a6d7208469fca7223e0516ac52ba73dbbe8e4ed393c808e090805df2a81e6fda9c99aaa11022d532e339875524b85764e734140989e8230ffa732c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
20KB

MD5
c1acaf8c4a342d76fb97c8d30ced49c5

SHA1
c4451e8fda2b7c968a1cd92b380e514eae0d10f1

SHA256
9042c38bc1dcd4d7f34652f76f8947b1db6e085f0bd5427b4aa6cec1613a423a

SHA512
cbfed8a8484f442c63cded5870969be46ac21d07de8cb3659c5252c6fe33eb6ef6df5b2fbeff763fb53dd10d6efd4122e4b9183f57fb307b587102dcbc9eddee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
1KB

MD5
2369928ba4b7b7a5c8a8a32b5de8cd2e

SHA1
ae20a9ae464b6f473d2b9360bc36b361a013112f

SHA256
f302e7486e5734fe66c472386abf3e63a3c1a0f6a3aebd8fae6f61391243e1c2

SHA512
4f288cc26eb8f31241d4fba3a3c346a0857021ed9055e6e587c90d22de4f9e23e6d4d716c62683d6d2f9e16115c43a7ee7cadd4f0c6ec04e0eb44756cef0e522

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
1KB

MD5
97d164bd99970d922ea07c9a4ba81572

SHA1
434849cd17784c90eb4b7d1a69d175004a2e9e69

SHA256
aea0711602a93c4c318a58c68665e8d8ef6ee2339bc2a7fd690f5c20b2603285

SHA512
ca9feb76c7454ddf7a44ebd4aa90834d3d805575b8be34d3a964b754aad64165775eef50752df0679f89ad5363311fd43e6782910a4d6ba359704dd511407754

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
1KB

MD5
4d80790b143513794a5eff99431d7dcb

SHA1
1058d186041fdc361bfe153ee55c7fe2e261cbff

SHA256
09beb5e2c4bc1c513f355415e2d37d709adbdff89090e7f854c4585db4b63f60

SHA512
a4a1ce9285ad553f3221dfe2d76cf2759852ed66c714ad29645db7f631efbda01b1365421c0305d69af882c71889fbb670f75192bacedd789dc2045d04e36de7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
1KB

MD5
3aac9ceaae4d0c4c84f445f5960226b4

SHA1
ea0b1e594ae175e2f369b16b29634c5fe00180e7

SHA256
055abdcb855ada0851840754f1372d25bb69e554180aaf76af610715c8b9587e

SHA512
a9281226d13bd6a92190826a2a856fe2c8f61bfa71a50f4f7590de5ae50a5ac269ae72d139aa44a18a2bc7e315a94e94235fe5a795b19d8ad2d366dcb713c175

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
1KB

MD5
19a65928820a73d095ad9333af476764

SHA1
3761900c49b6efba27a882adc361bf11df21d948

SHA256
0647952c4c456e74ac569676a249385a075a73a5b75457a8d9631c1d4da8f2ef

SHA512
883ddf61d550171681f9c2a5e80da42d89d030b65dbb4fc67c9d518193a4887059f86f19f9b290c0c4fe55ec234647526130ee7c18fb4ef5561ddf1e7bfa9132

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
1KB

MD5
c8be38d6d0d8b5d3d00326ba534d8e2e

SHA1
a0016ed6d7f4cb59356e8f271a1960ecbc5a540f

SHA256
6492b1d793673cb9c3533def031a0bb06099adb18f5ee620bf6ded1ecf549907

SHA512
8e6e078237949cd4ce8c230603e311251efaa6791a0517fd43eb49ec699056a548741b4e6b32a697ae78f3484c88efa9b48ad3b23ea8bbf89ba7d1c6894296ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
1KB

MD5
12f7844355829b6df810bac496f1527c

SHA1
ff52088a6c94d03ae6b8b97cc6c46a0eb1e45263

SHA256
593f443b7772103aa84d5569571cfff68b3f0124638aa867d80c65bf1b76f7b4

SHA512
49d94a078c7f858bbbbcfd87bb9c80063dcc5f37e41b65ee61f565969aa707a986aa0386fc19dd5d2dff87d945a1b868803f69b18905710605dde4cd3e7ace7b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
b72ef27f80eaa88cc8dc4411d5fe8a66

SHA1
e71f2f4013180994b03722bc0069e1223b158bfd

SHA256
e3eb3d33d0b220a00a3137da959f9e2fcee70ac6912a719a97afb79d72e48017

SHA512
c98c21f7a3cdf3bdffbef17d884396c0d2bec82a7e42a07f0a390a75253c50d50b26c959e2612f42b5bfbf581e96292b479815f58d37a7a7373c5466c794f431

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
2KB

MD5
690fd44ec9438cda127c55faeaf82cdf

SHA1
c050d844548eeee694bf9c0f1e70fe51476372bc

SHA256
6be25015cb8c57902a634554231359e17be7ec7282a3804517ef66ce6571d5c7

SHA512
ad4bd548833fbde5b5bd9a5dcfcf8858a00068a6db4b1c8db6b901a02944b5588853f899fc4d0c08c656b0a93241eab3741c5f189d3edc39a1a152f7a0960f48

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
1KB

MD5
9cf917bf4385a05413288c54fa8ae3a1

SHA1
5bad46de9a161e0408c3f5fd6823a3964a9cbd98

SHA256
2d518687ba1615fb0d0af3ab2869c71f7d2908bc7e5d91c0e33dbf9a7c0388cc

SHA512
28be31efa9e10c05b9dd63abfc41e4ff33bbde6a79208140ce1221df48deeb4d65e05b0e11461f3f67534bafa0bd09bf1e1b32de2da0559ba2b4a1a1275615b3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
1KB

MD5
fbfeba30568e3ffcfbb081447b159b93

SHA1
5bbfd9a53a58c8ee12e71973e69b8ada9fcb493a

SHA256
bde50e46ad1bdc47a3c8831cc5804247dd46ff710948f18f4fcf0a603e6269e5

SHA512
388c4fbe4eaa0f6f7252e70cefe4ab64f374643d9cf5747bfacf44087cf8abdae0b38b074d7a1fd9a1cf68e504b20a19a5c25edee1151f246025aa1e69100417

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
1KB

MD5
d4340f8426f99cbf04ab10360b3b29c0

SHA1
f6589d63025c59a211ad338f3d4b13c6cdcaff35

SHA256
515fce63b59d5ceb3579a3285422926072e1f0dd6d1a029eeae3f60766c32159

SHA512
d1c2409dc70fd66ba878a20f3f651bf3c386f4352980f42c1ba2721fdd834d56fc7467e67af95a03a9ec1cc18e9a3f5de9f78ab3a88e5e15f5ac352fe99acbee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
1KB

MD5
f5518aa296b3bf80b82368b7efe5c7d0

SHA1
468632de1fdcdcaaa63e86a885d772f2a8f90403

SHA256
97c3fe35424096950327b1c1094811100e72dcc3e5cc3720ed038d02ec50036a

SHA512
0838a94ecf4bd51c4d1a38994529c42a6eb16e5854bc4c806024c2e2db91d3f7b76160725c27fe798de04e5a1b473092148c4982e3466e43c0e3d855546e6af2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
1KB

MD5
df736581c356581a82f2f1e91d4507a5

SHA1
d5a766d8fa6fbba2f981675d1a41374a96849801

SHA256
e67c375429260a318d4bab9e4a85e0fadbc4ab12d8b444a00f6e226c3714ced1

SHA512
a80f8162a6a477790f1ac92666ccb7f87f756e98d2fcd791c88ee934334b8bf253a7a072fe79df2886c4bc741cb47372a723b7c4cf063eb07412969006c8659a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
1KB

MD5
4dee9ca7fe31d64c0a841dce29fa8120

SHA1
d082f4a613b7f24856a6a9450ad45c3c290a80b9

SHA256
1ccd1e3f111004afe707039eca3da6a231537c8b1ace1c448ca606fd2c2c7d63

SHA512
46734b0222fe28f7039e49b13ce4eb55a7eb288a1adea111bfd07aab0bea52af1884d70e58980ac5abff51a8328ad3d5220c435f6f6726d7c4c888a770deb72f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
1KB

MD5
279840ca54634ced47cf131ec70d6b26

SHA1
48903a3a6ca3cf8d720c6a40081372424db9fddb

SHA256
4d3a65082814191a048b5ab562d8369f5e360445e03864d05752d5ab2c2cfdd9

SHA512
3e2bab789f0b8713fb6a965e39065f763fc337fe7e57b0a59833fa1547d391bbe15caffdddfa7e55195fd23d168bed427a953e0a0f60dc7f72e211b26e169f2b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
1KB

MD5
d18f253a75e1f267519776200d9d48b2

SHA1
fed4262ea5a530addecb27b57abdaf256368b74f

SHA256
d2225ade8daf6519833cc0ba4fcd5b26faec8a97a6c126e5f113b90db79bfd6a

SHA512
9229a6aae2411789b297d723af42fdbdb996f53d54e83b5f9644727d279b0a49e54ecffdac0288ecaa0bfe4776449d917d2077e8aca6740a134382291449ddfd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
1KB

MD5
d6ad9e5cbeaf002c7c192f8b18aad3e5

SHA1
629b93584b51521921a4a68b8770bd70d5cd5753

SHA256
4c7722a0e3f21cad34c6f2d6288715bbac73b633b18403ce3d6619f430f8fd5e

SHA512
b3c90e6c2191617a66be44160e8cf580b63ccf5e4936454a100ad97eac07faf7983a34a7681c323c0befc22e207a95660e948f5b84a5619743a3dc172acf47b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
c9af0e1969a9c83535f966293493b4be

SHA1
f98c129c049a0c2997ecd97c9edc20a6145b7829

SHA256
36f39c2612ef296099e8b89f581f25ba20667300f61df5287abe8ab08e2aeecc

SHA512
ca4399f6071a855b5c4b869922e2884c397249b9b8b3e8421e08df06ad28ca323d5f23d1482a4adf77945291a7a0ca018c244ae7c2e8494deca39a3d1770432c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
1KB

MD5
85e1f4a4f68bb14db6e5a85473e6c01c

SHA1
af43360c664a20b234a516fe8f6583c7af39a7b8

SHA256
6a13425a3eb12b3d915c94bb9a2ffee5e1055ad3d1a221c5e0aacdc5a52ced93

SHA512
4d2ffaf6a4d146fbb1662f11b15e1e9bfb977118b6d3948ad70236d8f1aeaa4682a5d33b42ea12360b4fe16e649e532b931a19d99ecdb8f6d1844d8b1e7bf79b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
1KB

MD5
02348b2fffa36c622a4c623c8c0ac765

SHA1
e3133e49722075461f129502bc23f07c73415360

SHA256
39c1ebc804df72b516f12733fbbd1b6e9fa8f1df66bc159854c702e22a56f77a

SHA512
9272cd520b516f7d0c3cfc19219cf081e30173abcbcdb1848de1857b10415563213b27dd1c8a1d61e68aa056ed5f4e0c561bf7a2bf7f3b036bbf83b99df3c05c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
6KB

MD5
7e4b684d4f51707b3cd17f5304f31fb7

SHA1
d4136a957ff62aef634bd1bf09ffb448c90893c0

SHA256
01f3fccc2a33dd745c410eb7221d8591d58c7710b1b6dff050eefe3271f0190f

SHA512
fdcc8bec446a86afb738be3f54c0e91803b8c2d08da60e4e644d0df00fef23bfa7b6327fb01bc1a84cbd61e115bee8a63b3325bab4f416572ad75028f7412ea6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
674B

MD5
bb9a98c7870621bee96a42cd49a9d996

SHA1
1346004bf770af3decd7900cf7b6f4a8c992e535

SHA256
fa70765164c57f21c38df3b9f1954126974d26672f8990c60fe388105316e1ed

SHA512
41395b90975a3e9fadabe722a9f381cde5f96f113ad1d63e8c88ed937afd246e94601953c54c3c6477116c8c3b8c7304e8e6c6fe544eaa110759e4cccc47f5c4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST

Filesize
548B

MD5
fc5fc20dcf17794baceca19e16dad163

SHA1
ea08771c998a90c10a421a127929469ec150e2d8

SHA256
c9b592bb916c37b6e1ff3bc14ea8f1d26ba3a6d15dec76718a64ba39b09b6b60

SHA512
ae4684d8834caed1fb67cea40c7978b1a0e6036f2e8ba18d1142a75d7a06ae86266ae858b38f3194fe916ec782496b497a446733de9901099d89131466003bae

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
548B

MD5
97853e434b892fb1283ac8b59f4b7d5f

SHA1
0a639d7b5913396f13c5d3990026e0f6def577c5

SHA256
3f64dadb947e7da441cbfa84baa65649b7b0f774e2c9fadef7335b60885cf4ec

SHA512
71d54a74ad3d9f7c30b7c0a4baa41188852d265d38c7cacef6fc723fbfe49aa1035b1dd8b6fdbbd96500676c976df9729230bd9668211c6d0a26ff34410e822b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST

Filesize
548B

MD5
56e9ae7c78d1e080a3b8460983d98372

SHA1
240b1b6f1cf603017b7718de03810eeb6facd1d3

SHA256
6edf07f444d01358ba1dc32dc09091827362ce5f05f823a42059e3d8c4c8012c

SHA512
3bc84a5490a3215fe702c556fc28f943ec5fb803d8f72d7a762596fbbe11b62cbe93f184e970ab041a84ff845f549a0caf0f63dba7732a06cf745e26211a5528

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST

Filesize
548B

MD5
1435d0f6f8405dc7932c7e0af5d581eb

SHA1
6ee6f33f9d456a5b81a3f06de41dc7a81881b491

SHA256
cf2120d46d5adc9e02ce1a9ed3120e42ea78bbbd8868cd9199afb51e9cc18ca4

SHA512
01ae740d061d5fad24450ff17b6ecb0bb57b6decb22c410dd1233b4ce46b0f7fff5475646748ead648fde67fdbdbd991bcf3ef4b433761b271c2ee578d982497

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
a6a0b68b8cfd9319bf58cda92fd742d2

SHA1
d8253cf05a04021be9987ac080e936f981694c8c

SHA256
4dc7a11571c40ac92255ec6e6f35cdb60c39aa07526a3604adda7d6516afffb2

SHA512
a506e765e05b30ed2ef778393d774b193b264642821f102e91da6f08b76e9d5362d6948f744d0ad373f438586541c9bb952831fede26ce5f61b46f745669f9de

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
9KB

MD5
0b72dbdbfb27be1f30f612c1ba5c1341

SHA1
7b7cd6a935a9314b180941f50a25a313c5b51034

SHA256
24b795bdf7f9f8295b5de22c7d3992ff4fe590cabb5a120a0ee368f07cfc6520

SHA512
0ab337549cce17e4f3bfb6fa36c172e27c9206871278d1f212999c135155e0b35f2995803c156bf8a28c04efff836a3e5914bd16fed50ed8a8f5379c1bbbba16

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
578B

MD5
0006564ac7a439c4db56dcd5e4b5be1d

SHA1
c0b938f95286759dd0d3c6bc1bf7980c7c9345a0

SHA256
31d08fca09f2823cf8943550f6a157fdbf90ea159771b2d3ab27b6e4e4cc3056

SHA512
24be452fdb3cb6fef838c5f8c049766b85fd5ff82e306fdee58ac5f92e451159676de6c04ea48dc30d4c7b429a6ab9e583ac5af7335bb7c4bb715349772ed709

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
90cc99e93b6d2ba75aa7c5db90ff381f

SHA1
193744d6cec11eb73182f1ac31d0e3204d4b68d9

SHA256
55a577fdbfd6f70d4c579ae232d761638d99996f076a9266f8b97ae2a2bf241a

SHA512
f617a799803f5e0ef6e990a016c6dec7241e11a0abe68559e2b0cd7378a7431703284686735d762754891395e4719c80989cdf0071e16f3e40eece545a4b0f6a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
8KB

MD5
21d95bf809ef328b96590c75c38c02af

SHA1
c2248f37af8d7c092ee0b39ee51d63d6470219a6

SHA256
abdc2cd3198e053e7ebd615b55c6518dc43cb33d25804c0d2416af9c3f79038f

SHA512
b19c805e66440b5ebfdedf8be95a02bbf2c3757aa0b0e84e980c3299baa56f3570fc42aaf6461b3085964375208d878e60d53df6c0806835b89b8d8a78a963a3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
8KB

MD5
dadd52e97fad45867b176d798c8a7500

SHA1
ac3727c269d96714eba2435d0f2d1a57b854eaa2

SHA256
f54617ecdb034754b60e0ff642ef0ca0d7050cafbb489f0f452ea05b6cf984fd

SHA512
1bd6c77b918fad842d666347955c616ea09175959c80cd03d0b564a291b3256dbe1a7fdd36ad176dcaa82849f91f7cc7394e3bc522519aedae4f15eb1d1380e6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
654B

MD5
9a576fe994b8b7efad4a6cda0872f01f

SHA1
866f0f84e44a62cf44deec0d0b1e32845cb4822f

SHA256
51ec1cf11123c65520513590e349c8189e7de79ef3bb636867e76ada70df7546

SHA512
6591e7743c36281c8d84decdde464eebf21860fea1a41ffa153173c4c168f5abf05e3d9b1eccb3a589737d55b26bf8d2a6329ebaa25a1724720618eb170511b2

Download Submit
C:\Program Files\Java\jre7\COPYRIGHT

Filesize
3KB

MD5
795198df49ca2dda6783223225747c78

SHA1
eaa48259598edf7f4efdac1d0a5fff29ae8dded2

SHA256
cd9e6c08deaff9ce2f75abae1944c5037195a805aa5dddfa8c8c247a71033412

SHA512
867615130c0e33665e03f73731b2c014ff540320570c6f9a7679925a51599171bc2ea4b47b97ca0bde400986d86581fa9cdb2adac414add96b4063ad45c901ce

Download Submit
C:\Program Files\Java\jre7\LICENSE

Filesize
562B

MD5
0c3adac335a0596bbf41c588bb67b356

SHA1
bee2674cf18bc0309b0cc106f3c8151374666b0d

SHA256
1b077780bfd5f80d8ca94d86bbb6c86013e55ab2103c888ae864f5edd135570d

SHA512
b62c8dddc4a79a852009928375c295c7118ce884f8015fca6f31e01e2dd4c9d42e50b12209ee53232cb953ca707c24b2c35aea80f07e342e92e6b19ede9d2850

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9a468d7fef9f691a0c960a194e85ed88

SHA1
63a2be33f41c984a0c1f7e38d607f2a681d32b73

SHA256
321c29227fb1514e8bb703e7cd4bc5ef783917a7ac561660513af426cc16771b

SHA512
16102c6d6be3861272e78fb62c3ce246eaae6a5e7a94ce9d08bdfe0126a26b50f86ee803ca4ef19ef5f56ba4de21c4cae7eed23789f4d6a402144cb41722941e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
04d1755b0372aa2cf84bc452a4efc67d

SHA1
cc6169792acd07f39e44f70392baafd9d9a206d8

SHA256
6d297a3c2fc7e1bc2c3437ee7cbd2b19de4dd7f5b0ce680386a23e6876a18e7e

SHA512
8b50c13ef5b3d76ba3027725a55da537bc14e878ca438aebede5b29e78f3baba49b684ab7574a04b6af7241adc361d37636aced04bbbfa31c23f3589474560f7

Download Submit
C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties

Filesize
4KB

MD5
7664e4d5eaa292c573a94ab2d24271a8

SHA1
e688746f02afecb9da41ac92e2a0fa740a4baf7b

SHA256
f025959471aa014e9e2984a4923a743db78859ec5fc8d0c4dbbb6d7ac6091cef

SHA512
d9279312bb1bc2e0595ac44bde81a40d3363c8f9611153b9084b0bd136a9003ddf00bbc2302a5ffeeb123a5012ce80b33017f1150936684a5fb4794baaf1f8fc

Download Submit
C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia

Filesize
548B

MD5
c7e3d8491c78edf870a3d4e4dc7daf34

SHA1
eb146d1461cab21d661c55747fe68bff093ccacd

SHA256
c911df6bceb16823b3fc7d835d322f7bf49d841015f8356161f4208fa94ada1e

SHA512
c5b9fd2d2a860c066d09878fcded6048edb767cac2988ad6202be5344d95b84035970df44bf59f65cbc7df4a8586daeacea70949b0c87667341dc438315a7b6e

Download Submit
C:\Program Files\Java\jre7\lib\zi\CET

Filesize
1KB

MD5
791561a6dc7db2db361cfefcf1827ecb

SHA1
8b12a76daa4a21ea8b99634df4b1637b1c62efdf

SHA256
20d8b63590999bae98717d7550cdabea9e167fae5e72dc999f35b3dd9c553625

SHA512
a7b623b2e78793894a97e48eb511063936f299d45be548523fc4a4bdd9f744c9135c18e0bbd6a1757e13c5460ff17d7fb39bb69004a852cf5064f211dd49acfd

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4

Filesize
548B

MD5
568904485e8fc83dac895387b1163187

SHA1
e201d1b83c79b5a04879feeac8d4a8e0cbc1ea94

SHA256
d79daf92949f32823609c634b35ecbb43724f989608fd5c112ef8d0995f777e7

SHA512
79b63d8ec245325b61b5a3c24f83a957c48ebe37ba2bb48e5e9f3d12282e6f53eaad45a067cba3911027a730a24c961aa93945f8f6d85ca25e2e5025686772b6

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6

Filesize
548B

MD5
1ac5c735c029e387a0df5d2ce2d96552

SHA1
51e55fec109ab84f2cb72c0b97fe18c85f0d2486

SHA256
960a65a20b3c869e2175a1a29fcb20bfd8fcef7d2b91d0f7b951537df4359564

SHA512
fca748a2eb1a9a7f2fd8369493af0a232950322940fcedadf0b7feb83548d3f80cecd0edfb23b2e04ced9ef49caad6944aa7626bb8288b17f4171c77d1efd89a

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8

Filesize
548B

MD5
c4709d3bb87df3399246ee314f2cfec2

SHA1
3667bbcd92764a2dd8c1a749924f78b52fbd25b3

SHA256
fbadfced214cd70c2a81d6c8420437c7ed54159f0437d901ab66faa58429e815

SHA512
76d38fa550177a439acef94691b86e90d9df00a715494ea06c0fde8e5d1b98811afe46dfdcc1925485f448b0167a9acdcc235cbfa43d8321d44ce81b69a9f46b

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9

Filesize
548B

MD5
35bf3f77a1ac6536b23aca9cad864a1f

SHA1
06c1ecc49780d9fa333855338fcc631031afabd1

SHA256
99d89992b21cfaea6c7ab82758e8afcf2150f0dac19a573b3e608742a83cb707

SHA512
697f387e9789084e44f6cd497f599198c2b458a767a7ccd1b6ebcbe155349e5c7a9b1ff126c2c72ce1237a814f78f5533ccf9b455c3fd89b5a3edb81630fd818

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10

Filesize
548B

MD5
076972c9f045cf78ea59837c81f28fc0

SHA1
f2e802e33c61c88abac638f84f1921f23e641603

SHA256
b50c6ad76fccd4fbc931acd64e55e712702c8291458e6336c7a0b098cf38c910

SHA512
03b599930976544d0aecf119e52c0e6b47d5140019261900e76cdbbec1a3414d688b441b376a34f8f2885fe9b9a4257d96e51f39f4bf7ed2bc899311fa945374

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7

Filesize
548B

MD5
c7a00816cf569ed12bd549cc9807092d

SHA1
01583a61ce1090f0b145c8d2cc0e149f53b7061e

SHA256
5eb48cfdbc14f47ad1ac27a6c56170324283b9044bd10320d68b0ada873a9a65

SHA512
fc673b340369d8277cfd0950dd540a7872cf45537efd9fccee9cd1101901e86e6f1c11b0f7e5371c851cd156a95ad109454bf9bcbe205f6f226a7ba6fe21ccee

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
584KB

MD5
eb100b96cab159833acc3c33d896c96f

SHA1
6dc3ee07616ae7ba8a931cdd38a6ddbce7473a8b

SHA256
a319fcc6bc0f42eaa45abea0bf7092157e9d61413aa4ca14011d364e3755e6c9

SHA512
13d718253d7c3eb7a6de39f4b5ff5f2740bdd54c7891d69327814170be112cf4312157dd27527dba00d7d3ceed11565bf03704404e9e4245dd4353121bc83634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c05bed8e615bcb31fa113ac543d73cd9

SHA1
5be62262334df1951138f40e592d72c84bd22343

SHA256
f78ee8c9fdb6dc503e03fd2f2a283aa473e9c3fc6cc65fee12847b43958de7a0

SHA512
845ed4149bc9e348c93ef40a6e41738aa0fcd21245e6c57ca42dd869bcb9c0a5312f1f05307d53c882dab06104517a8dff4867154c5484242a6c81bc82741931

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ccd358a0dd29bb037d1d38a3a49a678c

SHA1
f817bbc058368c253e15147b65fb908934880b6b

SHA256
4346adb2fd7d592f7d6d84516d8be0349548b7cf36dbab5b7ac665ac0375bca7

SHA512
09e7fa5c2013bece2ed688a3a553d8cdf306469639bcf458c14a1f61bb185d95b1d39fdf1043d9c31e4a386b5df37b3ddfafafc130c7e6b9ce99127fc81f325f

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CGMB\cache\15D4AC19BAAF5F9428406241FBB0C59EEBA477BC.temp

Filesize
888KB

MD5
8a0b2168a80875c91debfdd09af175e6

SHA1
15d4ac19baaf5f9428406241fbb0c59eeba477bc

SHA256
56f6c9af4731133846b86f5104be3b1e7833e236733b70ed88dbb678b10591cc

SHA512
2a5f42f350143a675e383e45d117473d42c24e262d81786876586f6ba167f5ef01dce91b8640df4df4a9b3ba3a882e6893266a0ebc664f2aa43f4967ccccd0df

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CGMB\cache\4345E7698404ADBE57001C3E1169AF9062B581FA.temp

Filesize
38KB

MD5
8bfcd058665796dd419b2bfe4eff759a

SHA1
4345e7698404adbe57001c3e1169af9062b581fa

SHA256
a68b13758107f27bf56f06b25c0eacaf2b3b7a27e701ab0ab12c7a5dcb58ca4b

SHA512
71d1be497c77c776e10ae017b1e0994622dbc94ae24187a5009f51816f614a1b1eb7d371a3b5973ce58a1b6a5d4ffa730a2ceb7de80aba85b14db46acce705bc

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CGMB\cache\8ABADBB65B133EF9BEAA818DBFB5536B1A3DBE2C.temp

Filesize
256KB

MD5
7bf3e1350ba9f40f34460d0ec1b8a57d

SHA1
8abadbb65b133ef9beaa818dbfb5536b1a3dbe2c

SHA256
6f390b56c887cbbb9f0e42de782868dcca1452895bbe9416ab3a82d9d5546197

SHA512
df690423bd47f2cd1f15e8d6e81308f019fa54fb9fb3227d50067c5ed89df2a6d2eb8f641b0846577c50a1c81c5b831c2ef2ef24b8f79d3ee0b1557e336a980c

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CGMB\cache\9A39C38566EB3F4B07EDBBF6873D5833680EC0D3.temp

Filesize
960KB

MD5
aa6d60af49893bec2226c3dc1d284bc3

SHA1
9a39c38566eb3f4b07edbbf6873d5833680ec0d3

SHA256
e3503aa25bfb95342091df9b0cb8e2e9df6dcf16ade9aecb960d1ac2025fb9af

SHA512
301759a565b3d5eec40145e8978703f0f04e489a790bdeb48dc8d85a5f74a4f3c85366e69c04321174105af1056250a7bc86613dcab57e53ad0b22655663606a

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CGMB\cache\D54EF8AC1FB811D687A676772058C3EE29F1744F.temp

Filesize
8KB

MD5
66169b3c52912d12f79ef3fbd69af35d

SHA1
d54ef8ac1fb811d687a676772058c3ee29f1744f

SHA256
b4215b475ff8d72fe8f2f64550af0b0eee0165dc14453ae6248b93946dc9ef87

SHA512
f1b737e67e524cfce763ee7a19b0025a9fc113b9c018267931a5d6cd666d6fb8846349289f923d10df77f9808dfbd6495e473db0f77717a55075cee13ae80ef6

Download Submit
C:\Users\Admin\AppData\Local\Changguang\CGMB\cache\FC7CA9EA508FB7F2ADDD9026F12D85B58668062A.temp

Filesize
4KB

MD5
3c67d224668df34eaa0b274c62ad6390

SHA1
fc7ca9ea508fb7f2addd9026f12d85b58668062a

SHA256
a7390d72338ce3019fcdb13f1eaa0e52a6c475489cbf7fe38213749ac4cf7b01

SHA512
6c48a9d14aae60579192d8391c6e4c63d3168f1dbad56da8b456ee7ff78aeb4de2517b26a9a7a61778368f9c1d52731f14fe9a145f5b20e0b70a5e9009c5f329

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms

Filesize
28KB

MD5
75e71f4bdf940b41b278ba6edfc6623c

SHA1
3d3b1bc0aef00c33b01064269c2e225e622aa0db

SHA256
9592d35d949c1017d52a42a0b5f5b6b45e04f65b4ef9d25e6d4f3612e0efeb26

SHA512
517aa7a5e6970546bf85a172994d6fa6c8b02a5a34b11692d5247004ebfc99da89851e39f8f302da04c93156f9bac54782b8c2b00f2956c41141232a006374dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
37KB

MD5
8ec649431556fe44554f17d09ad20dd6

SHA1
b058fbcd4166a90dc0d0333010cca666883dbfb1

SHA256
d1faee8dabc281e66514f9ceb757ba39a6747c83a1cf137f4b284a9b324f3dc4

SHA512
78f0d0f87b4e217f12a0d66c4dfa7ad7cf4991d46fdddfaeae47474a10ce15506d79a2145a3432a149386083c067432f42f441c88922731d30cd7ebfe8748460

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe

Filesize
37KB

MD5
d6f9ccfaad9a2fb0089b43509b82786b

SHA1
3b4539ea537150e088811a22e0e186d06c5a743d

SHA256
9af50adf3be17dc18ab4efafcf6c6fb6110336be4ea362a7b56b117e3fb54c73

SHA512
8af1d5f67dad016e245bdda43cc53a5b7746372f90750cfcca0d31d634f2b706b632413c815334c0acfded4dd77862d368d4a69fe60c8c332bc54cece7a4c3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
37KB

MD5
6c734f672db60259149add7cc51d2ef0

SHA1
2e50c8c44b336677812b518c93faab76c572669b

SHA256
24945bb9c3dcd8a9b5290e073b70534da9c22d5cd7fda455e5816483a27d9a7d

SHA512
1b4f5b4d4549ed37e504e62fbcb788226cfb24db4bfb931bc52c12d2bb8ba24b19c46f2ced297ef7c054344ef50b997357e2156f206e4d5b91fdbf8878649330

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.exe

Filesize
37KB

MD5
7ac9f8d002a8e0d840c376f6df687c65

SHA1
a364c6827fe70bb819b8c1332de40bcfa2fa376b

SHA256
66123f7c09e970be594abe74073f7708d42a54b1644722a30887b904d823e232

SHA512
0dd36611821d8e9ad53deb5ff4ee16944301c3b6bb5474f6f7683086cde46d5041974ec9b1d3fb9a6c82d9940a5b8aec75d51162999e7096154ad519876051fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.exe

Filesize
37KB

MD5
c76ee61d62a3e5698ffccb8ff0fda04c

SHA1
371b35900d1c9bfaff75bbe782280b251da92d0e

SHA256
fbf7d12dd702540cbaeeecf7bddf64158432ef4011bace2a84f5b5112aefe740

SHA512
a76fee1eb0d3585fa16d9618b8e76b8e144787448a2b8ff5fbd72a816cbd89b26d64db590a2a475805b14a9484fc00dbc3642d0014954ec7850795dcf2aa1ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.exe

Filesize
37KB

MD5
e6c863379822593726ad5e4ade69862a

SHA1
4fe1522c827f8509b0cd7b16b4d8dfb09eee9572

SHA256
ae43886fee752fb4a20bb66793cdd40d6f8b26b2bf8f5fbd4371e553ef6d6433

SHA512
31d1ae492e78ed3746e907c72296346920f5f19783254a1d2cb8c1e3bff766de0d3db4b7b710ed72991d0f98d9f0271caefc7a90e8ec0fe406107e3415f0107e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.exe

Filesize
37KB

MD5
c936e231c240fbf47e013423471d0b27

SHA1
36fabff4b2b4dfe7e092727e953795416b4cd98f

SHA256
629bf48c1295616cbbb7f9f406324e0d4fcd79310f16d487dd4c849e408a4202

SHA512
065793554be2c86c03351adc5a1027202b8c6faf8e460f61cc5e87bcd2fe776ee0c086877e75ad677835929711bea182c03e20e872389dfb7d641e17a1f89570

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.exe

Filesize
37KB

MD5
0ab873a131ea28633cb7656fb2d5f964

SHA1
e0494f57aa8193b98e514f2bc5e9dc80b9b5eff0

SHA256
a83e219dd110898dfe516f44fb51106b0ae0aca9cc19181a950cd2688bbeeed2

SHA512
4859758f04fe662d58dc32c9d290b1fa95f66e58aef7e27bc4b6609cc9b511aa688f6922dbf9d609bf9854b619e1645b974e366c75431c3737c3feed60426994

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.exe

Filesize
37KB

MD5
c252459c93b6240bb2b115a652426d80

SHA1
d0dffc518bbd20ce56b68513b6eae9b14435ed27

SHA256
b31ea30a8d68c68608554a7cb610f4af28f8c48730945e3e352b84eddef39402

SHA512
0dcfcddd9f77c7d1314f56db213bd40f47a03f6df1cf9b6f3fb8ac4ff6234ca321d5e7229cf9c7cb6be62e5aa5f3aa3f2f85a1a62267db36c6eab9e154165997

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.exe

Filesize
37KB

MD5
d32bf2f67849ffb91b4c03f1fa06d205

SHA1
31af5fdb852089cde1a95a156bb981d359b5cd58

SHA256
1123f4aea34d40911ad174f7dda51717511d4fa2ce00d2ca7f7f8e3051c1a968

SHA512
1e08549dfcbcfbe2b9c98cd2b18e4ee35682e6323d6334dc2a075abb73083c30229ccd720d240bcda197709f0b90a0109fa60af9f14765da5f457a8c5fce670a

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.exe

Filesize
37KB

MD5
4c1e3672aafbfd61dc7a8129dc8b36b5

SHA1
15af5797e541c7e609ddf3aba1aaf33717e61464

SHA256
6dac4351c20e77b7a2095ece90416792b7e89578f509b15768c9775cf4fd9e81

SHA512
eab1eabca0c270c78b8f80989df8b9503bdff4b6368a74ad247c67f9c2f74fa0376761e40f86d28c99b1175db64c4c0d609bedfd0d60204d71cd411c71de7c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
37KB

MD5
012a1710767af3ee07f61bfdcd47ca08

SHA1
7895a89ccae55a20322c04a0121a9ae612de24f4

SHA256
12d159181d496492a057629a49fb90f3d8be194a34872d8d039d53fb44ea4c3c

SHA512
e023cac97cba4426609aeaa37191b426ff1d5856638146feab837e59e3343434a2bb8890b538fdf9391e492cbefcf4afde8e29620710d6bd06b8c1ad226b5ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.exe

Filesize
37KB

MD5
f18f47c259d94dcf15f3f53fc1e4473a

SHA1
e4602677b694a5dd36c69b2f434bedb2a9e3206c

SHA256
34546f0ecf4cd9805c0b023142f309cbb95cfcc080ed27ff43fb6483165218c1

SHA512
181a5aa4eed47f21268e73d0f9d544e1ceb9717d3abf79b6086584ba7bdb7387052d7958c25ebe687bfdcd0b6cca9d8cf12630234676394f997b80c745edaa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.exe

Filesize
37KB

MD5
a8e9ea9debdbdf5d9cf6a0a0964c727b

SHA1
aee004b0b6534e84383e847e4dd44a4ee6843751

SHA256
b388a205f12a6301a358449471381761555edf1bf208c91ab02461822190cbcf

SHA512
7037ffe416710c69a01ffd93772044cfb354fbf5b8fd7c5f24a3eabb4d9ddb91f4a9c386af4c2be74c7ffdbb0c93a32ff3752b6ab413261833b0ece7b7b1cb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
37KB

MD5
296bcd1669b77f8e70f9e13299de957e

SHA1
8458af00c5e9341ad8c7f2d0e914e8b924981e7e

SHA256
6f05cae614ca0e4751b2aaceea95716fd37a6bf3fae81ff1c565313b30b1aba2

SHA512
4e58a0f063407aed64c1cb59e4f46c20ff5b9391a02ceff9561456fef1252c1cdd0055417a57d6e946ec7b5821963c1e96eaf1dd750a95ca9136764443df93d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.exe

Filesize
37KB

MD5
7e87c49d0b787d073bf9d687b5ec5c6f

SHA1
6606359f4d88213f36c35b3ec9a05df2e2e82b4e

SHA256
d811283c4e4c76cb1ce3f23528e542cff4747af033318f42b9f2deb23180c4af

SHA512
926d676186ec0b58b852ee0b41f171729b908a5be9ce5a791199d6d41f01569bcdc1fddd067f41bddf5cdde72b8291c4b4f65983ba318088a4d2d5d5f5cd53af

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.exe

Filesize
37KB

MD5
042dfd075ab75654c3cf54fb2d422641

SHA1
d7f6ac6dc57e0ec7193beb74639fe92d8cd1ecb9

SHA256
b91fb228051f1720427709ff849048bfd01388d98335e4766cd1c4808edc5136

SHA512
fada24d6b3992f39119fe8e51b8da1f6a6ca42148a0c21e61255643e976fde52076093403ccbc4c7cd2f62ccb3cdedd9860f2ac253bb5082fb9fe8f31d88200d

Download Submit
C:\Users\Admin\AppData\Local\Temp\25.exe

Filesize
37KB

MD5
476d959b461d1098259293cfa99406df

SHA1
ad5091a232b53057968f059d18b7cfe22ce24aab

SHA256
47f2a0b4b54b053563ba60d206f1e5bd839ab60737f535c9b5c01d64af119f90

SHA512
9c5284895072d032114429482ccc9b62b073447de35de2d391f6acad53e3d133810b940efb1ed17d8bd54d24fce0af6446be850c86766406e996019fcc3a4e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
37KB

MD5
a83dde1e2ace236b202a306d9270c156

SHA1
a57fb5ce8d2fe6bf7bbb134c3fb7541920f6624f

SHA256
20ab2e99b18b5c2aedc92d5fd2df3857ee6a1f643df04203ac6a6ded7073d5e8

SHA512
f733fdad3459d290ef39a3b907083c51b71060367b778485d265123ab9ce00e3170d2246a4a2f0360434d26376292803ccd44b0a5d61c45f2efaa28d5d0994df

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
37KB

MD5
c24de797dd930dea6b66cfc9e9bb10ce

SHA1
37c8c251e2551fd52d9f24b44386cfa0db49185a

SHA256
db99f9a2d6b25dd83e0d00d657eb326f11cc8055266e4e91c3aec119eaf8af01

SHA512
0e29b6ce2bdc14bf8fb6f8324ff3e39b143ce0f3fa05d65231b4c07e241814fb335ede061b525fe25486329d335adc06f71b804dbf4bf43e17db0b7cd620a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
37KB

MD5
84c958e242afd53e8c9dae148a969563

SHA1
e876df73f435cdfc4015905bed7699c1a1b1a38d

SHA256
079d320d3c32227ba4b9acddf60bfcdf660374cb7e55dba5ccf7beeaedd2cdef

SHA512
9e6cb07909d0d77ebb5b52164b1fa40ede30f820c9773ea3a1e62fb92513d05356dfef0e7ef49bf2ad177d3141720dc1c5edceb616cef77baec9acdd4bbc5bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
37KB

MD5
27422233e558f5f11ee07103ed9b72e3

SHA1
feb7232d1b317b925e6f74748dd67574bc74cd4d

SHA256
1fa6a4dc1e7d64c574cb54ae8fd71102f8c6c41f2bd9a93739d13ff6b77d41ac

SHA512
2d3f424a24e720f83533ace28270b59a254f08d4193df485d1b7d3b9e6ae53db39ef43d5fc7de599355469ad934d8bcb30f68d1aaa376df11b9e3dec848a5589

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
37KB

MD5
c84f50869b8ee58ca3f1e3b531c4415d

SHA1
d04c660864bc2556c4a59778736b140c193a6ab2

SHA256
fa54653d9b43eb40539044faf2bdcac010fed82b223351f6dfe7b061287b07d3

SHA512
bb8c98e2dadb884912ea53e97a2ea32ac212e5271f571d7aa0da601368feabee87e1be17d1a1b7738c56167f01b1788f3636aac1f7436c5b135fa9d31b229e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
37KB

MD5
7cfe29b01fae3c9eadab91bcd2dc9868

SHA1
d83496267dc0f29ce33422ef1bf3040f5fc7f957

SHA256
2c3bfb9cc6c71387ba5c4c03e04af7f64bf568bdbe4331e9f094b73b06bddcff

SHA512
f6111d6f8b609c1fc3b066075641dace8c34efb011176b5c79a6470cc6941a9727df4ceb2b96d1309f841432fa745348fc2fdaf587422eebd484d278efe3aeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
37KB

MD5
28c50ddf0d8457605d55a27d81938636

SHA1
59c4081e8408a25726c5b2e659ff9d2333dcc693

SHA256
ebda356629ac21d9a8e704edc86c815770423ae9181ebbf8ca621c8ae341cbd5

SHA512
4153a095aa626b5531c21e33e2c4c14556892035a4a524a9b96354443e2909dcb41683646e6c1f70f1981ceb5e77f17f6e312436c687912784fcb960f9b050fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bomb.exe

Filesize
457KB

MD5
31f03a8fe7561da18d5a93fc3eb83b7d

SHA1
31b31af35e6eed00e98252e953e623324bd64dde

SHA256
2027197f05dac506b971b3bd2708996292e6ffad661affe9a0138f52368cc84d

SHA512
3ea7c13a0aa67c302943c6527856004f8d871fe146150096bc60855314f23eae6f507f8c941fd7e8c039980810929d4930fcf9c597857d195f8c93e3cc94c41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\BenzMonster.exe

Filesize
12.1MB

MD5
85906c322e465c74b6652c84dd4710c3

SHA1
027d1cf625c8d0549b4b4a2ca83bd0b075de64b6

SHA256
2797cd2708d03e708d2cc95b3f66f4c1e6e07e7c16c1a9db5f709c72892cd3f0

SHA512
d97dd25c9e3500a9ff558dbb4e93af803efd4833b03e6a5c20d40132b96338b25bac67c778e55543d9c332d12deb995a53dfa69adacd7a51cd548fc40283b235

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar105D.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\asena.exe

Filesize
39KB

MD5
7529e3c83618f5e3a4cc6dbf3a8534a6

SHA1
0f944504eebfca5466b6113853b0d83e38cf885a

SHA256
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597

SHA512
7eef97937cc1e3afd3fca0618328a5b6ecb72123a199739f6b1b972dd90e01e07492eb26352ee00421d026c63af48973c014bdd76d95ea841eb2fefd613631cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZSSSXYGRXYQEUPW8HBH5.temp

Filesize
7KB

MD5
3e60c624a239fd2cf99bef2cf31fe534

SHA1
cecefc7b0b9172edd09e3812408ec569cffa21ec

SHA256
77a3a24b5bf4448abb978d6b733e7d2f3475e90da67e131689fff4a858d3793e

SHA512
535ea7d2699059d554905a19434dfa725a6bbcf6021c2ac79229151798592f78360b2af4319ce6e9208fe4c52bcba0cd73d330efe42cb6b6149d0552caaa0b37

Download Submit
C:\Users\Admin\AppData\Roaming\Wave.exe

Filesize
237KB

MD5
34d6274d11258ced240d9197baef3468

SHA1
21f0e4e9f0d19ecb2027cbd98f6f7e1e5c2be131

SHA256
25179f1c63031ba0b4daf7ff315f008d6f794eed2b5d486c796457cd4a8b4bce

SHA512
54f123f82a53b402bbfdfbf5da99ca84cdff4ba1ff1494cd2c983541fb100a8239e799de2e1f4d2de189f1b31bcd1354c5f88b726424bae055053b57c204ccfb

Download Submit
C:\Users\Admin\Documents\DebugExit.xlsx

Filesize
10KB

MD5
f5ef30758aa3741cfa4e8fa8b0e771ee

SHA1
132b992afbca11473e7f39a180101769769edc44

SHA256
ddd99bcdf30665f69afc49346207012fc163d3eea40b711ee84a956c8495464c

SHA512
da637bde6c860261837312e5afbb6bb99b7c0aff2c72c6fa68c886d5f4866c0af4cf12b006f91cb7aa7bebe237b61ec572696eb8956fb60e575389842ae0d3ca

Download Submit
C:\Users\Public\Documents\RGNR_86266DD0.txt

Filesize
3KB

MD5
0880547340d1b849a7d4faaf04b6f905

SHA1
37fa5848977fd39df901be01c75b8f8320b46322

SHA256
84449f1e874b763619271a57bfb43bd06e9c728c6c6f51317c56e9e94e619b25

SHA512
9048a3d5ab7472c1daa1efe4a35d559fc069051a5eb4b8439c2ef25318b4de6a6c648a7db595e7ae76f215614333e3f06184eb18b2904aace0c723f8b9c35a91

Download Submit
C:\vcredist2010_x86.log.html

Filesize
80KB

MD5
a9fd35323cc4dc48e957760838a4c315

SHA1
f5b751d8b275752709389b44e3201c259e392369

SHA256
fb16f6ee479a9061ec34db1dd0df1532dc1a03bc65bd7dbe781c9c4ea6ca9c7a

SHA512
6125589990ce2046ef1a727d3103fd1efb4414dc451fcc88c9afb848f626cc88651fef1353e366d29729e26896bb731289990b213f5159bf728d937bcbce84c4

Download Submit
\Users\Admin\AppData\Local\Temp\CryptoWall.exe

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe

Filesize
159KB

MD5
6f8e78dd0f22b61244bb69827e0dbdc3

SHA1
1884d9fd265659b6bd66d980ca8b776b40365b87

SHA256
a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5

SHA512
5611a83616380f55e7b42bb0eef35d65bd43ca5f96bf77f343fc9700e7dfaa7dcf4f6ecbb2349ac9df6ab77edd1051b9b0f7a532859422302549f5b81004632d

Download Submit
memory/216-709-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/536-52-0x00000000000C0000-0x00000000000E5000-memory.dmp

Filesize
148KB

Download
memory/604-605-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/880-503-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/1204-604-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1312-48-0x0000000000B60000-0x0000000000BD8000-memory.dmp

Filesize
480KB

Download
memory/1512-702-0x00000000008A0000-0x00000000008B0000-memory.dmp

Filesize
64KB

Download
memory/1596-504-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/1752-607-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/1796-453-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/1816-701-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/1948-705-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/2000-475-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2008-49-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/2088-690-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/2176-745-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/2196-45-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2196-5084-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2344-767-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2368-717-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/2556-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2556-20270-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2560-766-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/2616-772-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/2664-603-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/2696-1-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-0-0x0000000074F51000-0x0000000074F52000-memory.dmp

Filesize
4KB

Download
memory/2696-2-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-24-0x0000000000BD0000-0x0000000000C0D000-memory.dmp

Filesize
244KB

Download
memory/2696-6774-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-20269-0x0000000000BD0000-0x0000000000C0D000-memory.dmp

Filesize
244KB

Download
memory/2696-25-0x0000000000BD0000-0x0000000000C0D000-memory.dmp

Filesize
244KB

Download
memory/2696-20268-0x0000000000BD0000-0x0000000000C0D000-memory.dmp

Filesize
244KB

Download
memory/2696-4790-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-770-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/2860-728-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/2868-697-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2904-731-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/2920-608-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/3012-771-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/3056-695-0x0000000000040000-0x0000000000050000-memory.dmp

Filesize
64KB

Download
memory/3452-19982-0x0000000000A20000-0x0000000000A62000-memory.dmp

Filesize
264KB

Download
memory/3716-20367-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/4496-20013-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/4496-20007-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/5068-20019-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/5068-20018-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download