General Info

File name

454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111

Full analysis
https://app.any.run/tasks/f316f43a-5403-43e3-b331-5993891edbc5
Verdict
Malicious activity
Analysis date
2/10/2019, 17:28:58
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

gandcrab

trojan

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

c8b8a95bb271b661ca6a5bbda914b33a

SHA1

d2432c48a146f7ac7afaaebf58cd2050f8b5672a

SHA256

454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111

SSDEEP

12288:hdpI8dpIq7e7OWx35OYTKWbfzjUFkMouhJpKilTI9T817WgEDWjwxrZeC5r/jTIX:hd28d2B7kYTM0jFrs4/YJOlHH3qSr27X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Deletes shadow copies
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Connects to CnC server
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Changes settings of System certificates
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Writes file to Word startup folder
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Dropped file may contain instructions of ransomware
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Actions looks like stealing of personal data
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Renames files like Ransomware
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
GandCrab keys found
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Adds / modifies Windows certificates
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Reads Internet Cache Settings
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
  • WINWORD.EXE (PID: 2420)
Creates files like Ransomware instruction
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Reads internet explorer settings
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3840)
Reads the cookies of Mozilla Firefox
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Application launched itself
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 2852)
Creates files in the program directory
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Creates files in the user directory
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3596)
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)
Changes tracing settings of the file or console
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3596)
Creates files in the user directory
  • WINWORD.EXE (PID: 2876)
  • WINWORD.EXE (PID: 2420)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 2876)
  • WINWORD.EXE (PID: 2420)
Dropped object may contain TOR URL's
  • 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe (PID: 3688)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.dll
|   Win32 Dynamic Link Library (generic) (43.5%)
.exe
|   Win32 Executable (generic) (29.8%)
.exe
|   Generic Win/DOS Executable (13.2%)
.exe
|   DOS Executable Generic (13.2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2012:08:28 21:03:59+02:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
667648
InitializedDataSize:
49152
UninitializedDataSize:
null
EntryPoint:
0x1100
OSVersion:
4
ImageVersion:
1.5
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
1.5.0.1
ProductVersionNumber:
1.5.0.1
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
FileDescription:
cites7
ProductName:
Agriculturally
FileVersion:
1.05.0001
ProductVersion:
1.05.0001
InternalName:
DIABOLICAL
OriginalFileName:
DIABOLICAL.exe
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
28-Aug-2012 19:03:59
Detected languages
English - United States
FileDescription:
cites7
ProductName:
Agriculturally
FileVersion:
1.05.0001
ProductVersion:
1.05.0001
InternalName:
DIABOLICAL
OriginalFilename:
DIABOLICAL.exe
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000B0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
28-Aug-2012 19:03:59
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x000A22E0 0x000A3000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 7.01513
.data 0x000A4000 0x00000D58 0x00000000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x000A5000 0x0000A542 0x0000B000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.17273
Resources
1

30001

30002

30003

30004

30005

30006

30007

30008

30009

30010

Imports
    MSVBVM60.DLL

Exports

    No exports.

Screenshots

Processes

Total processes
46
Monitored processes
10
Malicious processes
2
Suspicious processes
0

Behavior graph

+
start 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe no specs winword.exe no specs 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe no specs #GANDCRAB 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe 454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe no specs wmic.exe vssvc.exe no specs winword.exe no specs notepad.exe no specs notepad.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2852
CMD
"C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe"
Path
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
cites7
Version
1.05.0001
Modules
Image
c:\users\admin\appdata\local\temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll

PID
2420
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\windows\system32\sxs.dll
c:\program files\microsoft office\office14\proof\mssp7en.dll
c:\program files\microsoft office\office14\mscss7en.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\program files\microsoft office\office14\css7data0009.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\program files\microsoft office\office14\mscss7cm_en.dub
c:\program files\microsoft office\office14\mscss7wre_en.dub
c:\windows\system32\networkexplorer.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\mssvp.dll
c:\windows\system32\mapi32.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\program files\microsoft office\office14\gkword.dll
c:\program files\common files\system\ado\msadox.dll

PID
3596
CMD
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe"
Path
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
Indicators
No indicators
Parent process
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
cites7
Version
1.05.0001
Modules
Image
c:\users\admin\appdata\local\temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crtdll.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll

PID
3688
CMD
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe"
Path
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
Indicators
Parent process
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
cites7
Version
1.05.0001
Modules
Image
c:\users\admin\appdata\local\temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ntkrnlpa.exe
c:\windows\system32\kbdus.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
3840
CMD
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe"
Path
C:\Users\admin\AppData\Local\Temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
Indicators
No indicators
Parent process
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
User
admin
Integrity Level
MEDIUM
Exit code
1337
Version:
Company
Description
cites7
Version
1.05.0001
Modules
Image
c:\users\admin\appdata\local\temp\454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sxs.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wship6.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll

PID
4072
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
Parent process
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2988
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll

PID
2876
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\~$ch ist alles unverschluesselt.docx"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\program files\microsoft office\office14\gkword.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll

PID
1820
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\TSHAM-DECRYPT.txt
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll

PID
3684
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\TSHAM-DECRYPT.txt
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll

Registry activity

Total events
2419
Read events
2194
Write events
216
Delete events
9

Modification events

PID
Process
Operation
Key
Name
Value
2420
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2420
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency
2420
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\1A136B
2420
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
|%#
7C25230074090000010000000000000000000000
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1313472543
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472656
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472657
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
740900002AA896CE5DC1D40100000000
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
p'#
702723007409000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472553
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472554
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472553
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472554
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472574
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472575
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472555
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472556
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472555
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472556
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472576
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472577
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472578
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472579
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472580
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472581
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472658
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472659
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Open Find\Microsoft Word\Settings\Save As
ClientGUID
0AD0D33548A7FF4A967CB24592EFE075
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
2
7B00330035004400330044003000300041002D0041003700340038002D0034004100460046002D0039003600370043002D004200320034003500390032004500460045003000370035007D00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
0200000000000000010000000700000006000000030000000500000004000000FFFFFFFF
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
TV_FolderType
{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
TV_TopViewID
{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
TV_TopViewVersion
0
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Mode
4
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
LogicalViewMode
1
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
FFlags
1092616257
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
IconSize
16
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A0000001001000030F125B7EF471A10A5F102608C9EEBAC0E0000007800000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Sort
000000000000000000000000000000000200000030F125B7EF471A10A5F102608C9EEBAC0A0000000100000030F125B7EF471A10A5F102608C9EEBAC0E000000FFFFFFFF
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
FFlags
1
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules\GlobalSettings\ProperTreeModuleInner
ProperTreeModuleInner
EB000000E70000003153505305D5CDD59C2E1B10939708002B2CF9AE4F0000003E000000004E0061007600500061006E0065005F00490073004100700070004C006F0063006100740069006F006E00730045007800700061006E0064006500640000000B000000FFFF00003B0000002A000000004E0061007600500061006E0065005F004300460044005F0046006900720073007400520075006E0000000B000000000000004100000030000000004E0061007600500061006E0065005F00530068006F0077004C00690062007200610072007900500061006E00650000000B000000FFFF00000000000000000000
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
ExpandedState
07000000160014001F8080A63C324DC29940B94D446DD2D7249E0000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F4225481E03947BC34DB131E946B44C8DD50000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F43983FFBB4EAC18D42A78AD1F5659CBA930000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000000000000002000000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F580D1A2CF021BE504388B07367FC96EF3C0000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B00000000000000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F50E04FD020EA3A6910A2D808002B30309D0000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F8066607AC5A366914D9EB941532179F0A50000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
2
7B00330035004400330044003000300041002D0041003700340038002D0034004100460046002D0039003600370043002D004200320034003500390032004500460045003000370035007D0000000000
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
MRUListEx
020000000100000000000000FFFFFFFF
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\docx
0
AA003200000000000000000080004E6F63682069737420616C6C657320756E7665727363686C75657373656C742E646F63780000760008000400EFBE00000000000000002A000000000000000000000000000000000000000000000000004E006F00630068002000690073007400200061006C006C0065007300200075006E007600650072007300630068006C00750065007300730065006C0074002E0064006F0063007800000034000000
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\docx
MRUListEx
00000000FFFFFFFF
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
1
AA003200000000000000000080004E6F63682069737420616C6C657320756E7665727363686C75657373656C742E646F63780000760008000400EFBE00000000000000002A000000000000000000000000000000000000000000000000004E006F00630068002000690073007400200061006C006C0065007300200075006E007600650072007300630068006C00750065007300730065006C0074002E0064006F0063007800000034000000
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
MRUListEx
0100000000000000FFFFFFFF
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
2
7B00330035004400330044003000300041002D0041003700340038002D0034004100460046002D0039003600370043002D004200320034003500390032004500460045003000370035007D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080020000E0010000000000000000000000000000000000000100000000000000
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
2
7B00330035004400330044003000300041002D0041003700340038002D0034004100460046002D0039003600370043002D004200320034003500390032004500460045003000370035007D00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FCFFFFFFFCFFFFFF04050000B802000000000000000000000000000000000000000000000000000080020000E0010000000000000000000000000000000000000100000000000000
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
MRUListEx
020000000100000000000000FFFFFFFF
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
6
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
2
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616257
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
48
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A000000A000000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000A66A63283D95D211B5D600C04FD918D00B0000007800000030F125B7EF471A10A5F102608C9EEBAC0E00000078000000
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
0
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
0
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
2420
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\82\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D4C15DDD41BFE0][O00000000]*C:\Users\admin\Desktop\
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D4C15DDD4409D0][O00000000]*C:\Users\admin\Desktop\Noch ist alles unverschluesselt.docx
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D4C15DDD6EEA60][O00000000]*C:\Users\admin\Desktop\
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D4C15DDD715B60][O00000000]*C:\Users\admin\Desktop\Noch ist alles unverschluesselt.docx
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\1A136B
1A136B
04000000740900003B00000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C004E006F00630068002000690073007400200061006C006C0065007300200075006E007600650072007300630068006C00750065007300730065006C0074002E0064006F0063007800240000004E006F00630068002000690073007400200061006C006C0065007300200075006E007600650072007300630068006C00750065007300730065006C0074002E0064006F0063007800000000000100000000000000268365DD5DC1D4016B131A006B131A0000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Toolbars\Settings
Microsoft Word
0101000000000000000006000000
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data
Settings
C00010033001000034010000040000001E0000001E0000001E0000001E0000001E0000001E000000220000001E0000001E0000001E000000060000000600000006000000060000000600000000000000060000000600000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000C00000002000000020000000200000002000000000000000000000000000000480000000600000006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000000DC000000E25026A1100A00633090060007000A002D001600000016000000C0030000F501000004060300000000000000000000000000040087010C000600C80009000180FFFF000006000000040000000C0100000502000000000000A004020000001200000000603090000064000000000000FF0000FF000000000000FF01000000010000005C08E0100000000000010000E40400001D000100000000000000020050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D000000000000000000000000D4944600D49446010000002F91010000080A000600000003333296040000000A050C0C0302040600000300000101010606060000000000000000000000000000000000000063631900000001000000000000000000000000000000030000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002100190000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000B01300004B0000004B000000640000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000009002000002000001010101010101000101010101010001010100010001000101010101010101000100020003010301030103000301020003010301030103010000230101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101120101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010301010101010101010101010101FFFFCFFFFFFF00008602FFFF00008602FFFF00000C00FFFF00000100FFFF00000100FFFF0000010061000000610064006D0069006E000000000000000000000087FFFF0300003E00020200000600090034000000000090009000000000000F000000FFFFFF000000000000001400140000000000000002637800C80000000000140000000000900090008000FFFF00000800FFFF00000800FFFF0B00040001002000018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E00650077000180140001002000018014000B0043006F007500720069006500720020004E00650077000180140009004D005300200047006F0074006800690063000180150007004D0069006E0067004C0069005500018018000600530069006D00530075006E0001801500050044006F00740075006D00018014000100200001801C0000000000
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472660
2420
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472661
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTF
112
2420
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTA
112
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
EnableFileTracing
0
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
EnableConsoleTracing
0
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
FileTracingMask
4294901760
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
ConsoleTracingMask
4294901760
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
MaxFileSize
1048576
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
FileDirectory
%windir%\tracing
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
EnableFileTracing
0
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
EnableConsoleTracing
0
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
FileTracingMask
4294901760
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
ConsoleTracingMask
4294901760
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
MaxFileSize
1048576
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
FileDirectory
%windir%\tracing
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data
ext
2E0074007300680061006D000000
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
public
0602000000A4000052534131000800000100010017602527959CF7A72B6541A78C89BF6CBCA4992C78D334B81B0AF0B96BB386F6B9A33764E5801281ACCE6FA17394CB4C7D82239083AF0458BDB27C22A9E06511AE073C104DC8875F95724C5823916D8E5B51C715C4411D592914C5FFB525E9AD9A167EE2A00559A58B26D30BB07FC39DDF618563A70BFDFC830D62099EB9DCADC98079558734F9958AB176FCD21DBCE9D849AACBABEC25AE44DBDD52E38DF76DB48F114480BBE61738EAD49DEA4B24ED30D280963F058074C9CA64D95908D4CF2A1F976C06F8AE6AE168C6430638EE85F86C8ED3F4760D54FF4AB9E2D257EBEAAF7BB4B615A666A65356018DF4CB4CF6FD639323D0520886E898233F7F4FBBC2
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
private
94040000593F4A9A4EEA2E28CB0DC31FC02AAA3E6D87CDA39F5ABB83C212DE638AA4A332C00326965AA1FBC9DA7B8839C246BD0A0A1B10CF5CB1B40A084B53B8260FDDEFDBA625F823A890DB89373B7DA39122D8330B954375F16BE1E1E3C81BD23C4C1182111E917BA9198E4851D4F033163B5C61D312585D4A9C7DEE63D5F356BD05037F50BE57E19AB52C5FD85A770F0583C560BE1F60734572C6800142C03D81AAE011AB85517E189C369E557FFF897C1CC4B6D5E8A37F84ED46EAFEDE3CE18FEE45EFF20303486139DD4F21DA2AD532EAFF6944FAF24096E8B4A4EEC06157475C90622B7CC293468CE45FD9CC93C681C2305808FF10A12F44C710C87DC3A5AF449F562D17DE75B17021E617756C7DA90D2390AE10028976E832971725344B561FE6837CCF31E9473258C26EE16449BB134DF2128D16F919DE2C221B71F76FC74591D9A47782451FDBDA6775A86232328C855E52AA21FE9C27453394CDB3F82299C034361017F8D15DCAC9D7F0ED3E30038442474BAA75EC5A96A916E3A62E2CE65FD556FCAFCC1A2A317AAB85FFCB90C694A80B3A511CE63717A183D76CD20872B25E3FE212E9FBDC51230DDE449572799BA2DADBFF5B8EC11C5A068638F236CF5A3A2376D91BA7F71EFE7301D810773BCEFB38E5F030EDE637B0BCFD0DEDCA679FA9E9D5E0772321C1E2D964C50668936C1C3DEE698FD683D4FB00BD0194F7A3516BF2374E6FB9B29C90C491CA7EBA2D9D4E99D0FF0C8725E69D20011E13DB0CEEC0E7B4320A13F831E30AC3DD1B9B8C8E2B50A51F261203057961D00EA94810D6E763CEEAF72286BEB4D8A0AD2BB8D5CD9E5B1920AA5F2ED049F7D30BF3FEA1767523075285E963758105CC1E824F4DC3D14F6C08E49FBC2F78572E4FF1E5BA3C3A74828D4DF92AE23B1B5CBF012E0E0F6FF7C5F0F28E74C3C9B8DF5018FF4F3F08D69E7DA89612A57BD3D0656F704CCB8A10DA43FC2B866F3BCB698A8C1D40F8B97AD6623575E5A54275E05B79F44AF41C7C1C480C9B172321458A623F70C205E10E40EFC77D0C020513BC4B3A41E8164FFEF083A2449BE024A915B501D758A7CE8E90089D88C9C752463AFB26CEC5D9D4374C5CEA68DAE5755A2B401AA2477112E2C42B95A80B3AA8205858CE5F39E50C81577936BABAD87BA37AD8F7332A0A69DA6E0CE13970FE7FBBAF0FA7617B41C75BF7DE5A809BBF1F94931BD897E906A3B52FEDA979F30E0B38FD3A7A8FDE1D7AD5651EAFDBF0D9C0C3C8A44ECD6D717A8DE68DBC0F1016C6C5C7C63C1D2B0D6F37105F3D640F086A7AEEE8B4FB6BB6BDC4AC3283A20E35DB1CB680607ABE61E1FEBDC651BEC11828BB83875767B8083A0401FDF06BEEB9863C28C025947CBDB2CC665BFCCDDCE3001ABB6FA0BBB750667BDEC27E124EAC9AA803AADAFEF0108C81040E71A7263ED5979EF3E507C693F91A399DF4A92D9530B6C98533DCF8456C8B700EB5BC961581D237E171027EF9B94C8EA7813C52EE8DE45CFA00486E267E775AB38F5E3DC994AF119822DA61980AA4B14892131BD7E6B138F821AD939832DA07760C7C6221796B6D4A052BCBF47531EE89B7B036A6AF99302A94B7131BC080D758585BA639A77D387286D067C34825332BF5E5464C414F36117A668AC991A4B0AD50403DE772EC019D55BC0107FEE3927D42EF67776FF7D22197367C6CDD40BBDDCF0D5379D44F9E761A5C82B20949994224BE975C7026FE88AF92127F17C28F9647A92634FA04EBFFF3286CBBC9591FB852527CE9EB001D40E8C8BEC2171AE42715CB9A86E407BC1E7EFB90B6BA03F1C3DFE95B53FC50DC6A33D6142F5249E88F8C783C39ACAD27142B6442A138F1D77C0A98CE460D53339970885A89B9D87FCA584629368920220F0E5BC5276A73F13B36022EBFE7EECC6CC5A79337690F3CF571A2B9F2E3FDE9BF6661D6848757F2FE92EAA84F7D898D8C5C91F1CDBDE5CE5F3A533BC629AD998A94DF272F7CB1D2B8E69A9F647E1475EB0792F31F507B19F826FB9E8FF59F2C71208FE5B350B614C66F983405E2377D4DD2B52670A2302615B043AD2D8D677911AC8809400847116323E67C91D1307F34B001D87D51E606EC713BEBCA8FF24A0AC2A5740F5BEC25A522605351B4A16E721726F7E226EEEF8E003B975FFE78D0988494FF77739F9F2621FC638F069EF6EDDD9E17D9292A56D48EBF8E059C375334740F86A3A86F30C08090BEE9BD58BB1B6D0DBD60CB562428ABBEB8631E3EE5A062741687946B00675640994B8CA6B5D32E5CE396D284D50C40327B135FD0442723336FCBB74E58898A54EDD462DC82D7E386F1D17284277366A202475232BA5869185114BEEEAE65C8E6AFA2340BF0ED5AF21D5C72F2296F
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
4600000002000000090000000000000000000000000000000400000000000000801D04FA5DC1D401000000000000000000000000020000001700000000000000FE80000000000000A179B3FF019923140B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A864C3000000000000000000000000000000000000000000000000000000000000000000000000000000000A00000A58D00000C00C3A00009A8B06000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000020ED0000088758B06C4002C00
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
WpadLastNetwork
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
040000000100000010000000410352DC0FF7501B16F0028EBA6F45C50F00000001000000140000005BCAA1C2780F0BCB5A90770451D96F38963F012D090000000100000042000000304006082B0601050507030406082B0601050507030106082B0601050507030206082B06010505070308060A2B0601040182370A0304060A2B0601040182370A030C6200000001000000200000000687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD67707390B000000010000001E000000440053005400200052006F006F0074002000430041002000580033000000140000000100000014000000C4A7B1A47B2C71FADBE14B9075FFC415608589101D00000001000000100000004558D512EECB27464920897DE7B66053030000000100000014000000DAC9024F54D8F6DF94935FB1732638CA6AD77C131900000001000000100000006CF252FEC3E8F20996DE5D4DD9AEF42420000000010000004E0300003082034A30820232A003020102021044AFB080D6A327BA893039862EF8406B300D06092A864886F70D0101050500303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F74204341205833301E170D3030303933303231313231395A170D3231303933303134303131355A303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F7420434120583330820122300D06092A864886F70D01010105000382010F003082010A0282010100DFAFE99750088357B4CC6265F69082ECC7D32C6B30CA5BECD9C37DC740C118148BE0E83376492AE33F214993AC4E0EAF3E48CB65EEFCD3210F65D22AD9328F8CE5F777B0127BB595C089A3A9BAED732E7A0C063283A27E8A1430CD11A0E12A38B9790A31FD50BD8065DFB7516383C8E28861EA4B6181EC526BB9A2E24B1A289F48A39E0CDA098E3E172E1EDD20DF5BC62A8AAB2EBD70ADC50B1A25907472C57B6AAB34D63089FFE568137B540BC8D6AEEC5A9C921E3D64B38CC6DFBFC94170EC1672D526EC38553943D0FCFD185C40F197EBD59A9B8D1DBADA25B9C6D8DFC115023AABDA6EF13E2EF55C089C3CD68369E4109B192AB62957E3E53D9B9FF0025D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E04160414C4A7B1A47B2C71FADBE14B9075FFC41560858910300D06092A864886F70D01010505000382010100A31A2C9B17005CA91EEE2866373ABF83C73F4BC309A095205DE3D95944D23E0D3EBD8A4BA0741FCE10829C741A1D7E981ADDCB134BB32044E491E9CCFC7DA5DB6AE5FEE6FDE04EDDB7003AB57049AFF2E5EB02F1D1028B19CB943A5E48C4181E58195F1E025AF00CF1B1ADA9DC59868B6EE991F586CAFAB96633AA595BCEE2A7167347CB2BCC99B03748CFE3564BF5CF0F0C723287C6F044BB53726D43F526489A5267B758ABFE67767178DB0DA256141339243185A2A8025A3047E1DD5007BC02099000EB6463609B16BC88C912E6D27D918BF93D328D65B4E97CB15776EAC5B62839BF15651CC8F677966A0A8D770BD8910B048E07DB29B60AEE9D82353510
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000006A000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
:k&
3A6B26003C0B0000010000000000000000000000
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1313472552
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472662
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472663
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
3C0B00004658B6005EC1D40100000000
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472582
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
|m&
7C6D26003C0B000006000000010000008800000002000000780000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C007E002400630068002000690073007400200061006C006C0065007300200075006E007600650072007300630068006C00750065007300730065006C0074002E0064006F0063007800000000000000
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{35793DB7-9F03-4890-90BB-375DAAF29813}
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D4C15E01323060][O00000000]*C:\Users\admin\Desktop\
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D4C15E01323060][O00000000]*C:\Users\admin\Desktop\~$ch ist alles unverschluesselt.docx
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 2
[F00000000][T01D4C15DDD715B60][O00000000]*C:\Users\admin\Desktop\Noch ist alles unverschluesselt.docx
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\1AFE09
1AFE09
040000003C0B00003B00000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C007E002400630068002000690073007400200061006C006C0065007300200075006E007600650072007300630068006C00750065007300730065006C0074002E0064006F0063007800240000007E002400630068002000690073007400200061006C006C0065007300200075006E007600650072007300630068006C00750065007300730065006C0074002E0064006F0063007800000000000100000000000000E046D5E05DC1D40109FE1A0009FE1A0000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
2876
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472557
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472558
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472557
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472558
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472583
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472584
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472559
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1313472560
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472559
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1313472560
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472585
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472586
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472587
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472588
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472589
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1313472590
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Toolbars\Settings
Microsoft Word
0101000000000000000006000000
2876
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\1AFE09
2876
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery
2876
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472664
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472665
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data
Settings
C00010033001000034010000040000001E0000001E0000001E0000001E0000001E0000001E000000220000001E0000001E0000001E000000060000000600000006000000060000000600000000000000060000000600000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000C00000002000000020000000200000002000000000000000000000000000000480000000600000006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000000DC000000E25026A1100A00633090060008000A002D001600000016000000C0030000F501000004060300000000000000000000000000040087010C000600C80009000180FFFF000006000000040000000C0100000502000000000000A004020000001200000000603090000064000000000000FF0000FF000000000000FF01000000010000005C08E0100000000000010000E40400001D000100000000000000020050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D000000000000000000000000D4944600D49446010000002F91010000080A000600000003333296040000000A050C0C0302040600000300000101010606060000000000000000000000000000000000000063631900000001000000000000000000000000000000030000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002100190000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000B01300004B0000004B000000640000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000009002000002000001010101010101000101010101010001010100010001000101010101010101000100020003010301030103000301020003010301030103010000230101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101120101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010301010101010101010101010101FFFFCFFFFFFF00008602FFFF00008602FFFF00000C00FFFF00000100FFFF00000100FFFF0000010061000000610064006D0069006E000000000000000000000087FFFF0300003E00020200000600090034000000000090009000000000000F000000FFFFFF000000000000001400140000000000000002637800C80000000000140000000000900090008000FFFF00000800FFFF00000800FFFF0B00040001002000018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E00650077000180140001002000018014000B0043006F007500720069006500720020004E00650077000180140009004D005300200047006F0074006800690063000180150007004D0069006E0067004C0069005500018018000600530069006D00530075006E0001801500050044006F00740075006D00018014000100200001801C0000000000
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options
BackgroundOpen
0
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472666
2876
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1313472667
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTF
119
2876
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTA
119
1820
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosX
132
1820
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosY
132
1820
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDX
960
1820
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDY
501

Files activity

Executable files
0
Suspicious files
439
Text files
334
Unknown types
20

Dropped files

PID
Process
Filename
Type
2876
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK
lnk
MD5: 36582bac66d0e309af07cb7d3a2f2b6b
SHA256: 308bb9539ff75d16f3d0a0b7fc745286d8eff51f038295aa8f4182ae8c1fdc15
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css
––
MD5:  ––
SHA256:  ––
2876
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
document
MD5: c17a49e180ab3e1704ad966b03fb2a60
SHA256: a52235d911d73433f286fe757c81afe0a4f15651376adcef1c5ee063a83b71b3
2876
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp
––
MD5:  ––
SHA256:  ––
2876
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
text
MD5: f3b25701fe362ec84616a93a45ce9998
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
2876
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: fab4e2c397d8ba2edbaeca6dc9884329
SHA256: 25eac43257aba5605ec8ea5b58706e4aeb35f9c2478358745c59560c1713389b
2876
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
text
MD5: d24434f7a36ac98150ba6a30eefeebef
SHA256: 97f522be18e77d60bc11299a05bf46b249b58634fdc750dd7d53f5c3d6c0b2d8
2876
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\~$ch ist alles unverschluesselt.docx.LNK
lnk
MD5: b1b900fd0b892fd9ecda959324445435
SHA256: 00dbee53f24f836d47d19fb3a0ab720400919938ccd2c7deb7d8c1a461513c0a
2876
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
binary
MD5: 4110915ce34bca751919a0417ffb3161
SHA256: b3fea7dbcbc45c0ea0ceac48338f9f1983b0b3bd2137ad231c1d7ffe09d7c7aa
2876
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVRFB1A.tmp.cvr
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.tsham
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Videos\Sample Videos\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.tsham
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Recorded TV\Sample Media\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.tsham
binary
MD5: de65b5d65871101d7ea2aa014e994b28
SHA256: fd4494503d369aabe7253723b0abc05766c0d6527712a19fd25ee6b81f479221
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Recorded TV\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.tsham
binary
MD5: aa1e0e6d2acde70910168683e55bd1aa
SHA256: cc655b94e4443917969553eee39cafbfcc19b2cb1ba6becc88562829e23ac84f
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.tsham
binary
MD5: 1c5d21988f7110a8981a6bde70708e8e
SHA256: 6fd79ca6d173b57d65180043167a8d2fb9f0b81fd5bfd4e451fe9dbc7e159ea4
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.tsham
binary
MD5: 1ac12bc9836fc4022bba924e3d8375b9
SHA256: 5c94283d2cd9904364698de49c87fa35694c167a1c5f656632c11e5154829ff8
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.tsham
binary
MD5: d0639c8e295e0adcca6ec6ce9e276749
SHA256: a028029cfb6833a5d57b016e57b62fd6c889cc2820a8604aab99bf9a32ded6ad
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.tsham
binary
MD5: 128628df082a5d87e501ae8fe8e1bcf9
SHA256: c9fba3ad9539e4503c7f8110157a69cdf5f9e154b237eea421452eef76d800a4
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.tsham
binary
MD5: 09bb6a9c78cac8c972cfa4d935641de0
SHA256: 8f5b61ae70ca3239a22549fe8ccd38120838ca38f6759b530cebe17673bdb30c
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.tsham
binary
MD5: 63504aa40de27e8b30bb62594c1ae673
SHA256: 11f0cb332b13876a878df650adb53e135d9aa6a567dca976f92dad7cd45db0e2
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\Sample Pictures\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.tsham
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.tsham
binary
MD5: 34a049f758c6c07690ddb6c052394ae8
SHA256: 5d53a62b2c2448eab92588e97c921a613e197e67fb4f8a6401b31ab5b5700a64
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3.tsham
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Music\Sample Music\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Libraries\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Favorites\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Libraries\RecordedTV.library-ms.tsham
binary
MD5: 30f9beeb0e1bbe238eb363a01b39a4c4
SHA256: b8100a87129074d8fc281dc26beb05a881eb75c6928f7699e3d69212fcaa944b
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Libraries\RecordedTV.library-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Music\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Documents\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Desktop\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Downloads\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Pictures\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Public\Videos\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.tsham
binary
MD5: 6b735efb522efdefc748f4b8fcecd9f8
SHA256: a861cb2612a7fede58b71d876ed60795c262bc1fe9422ce1f666c137a5dfad9a
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\Saved Games\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.tsham
binary
MD5: 8651e76bb74298c09b4c3ae35c5de18a
SHA256: 510d4cfb8c609cc7752d0c5dbfdb5cc55b2f308571020cbe1ef4d1dab3085baf
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.tsham
binary
MD5: 934e1aaf36a1689ef7e168e6eeb9d23b
SHA256: 2f18ad6c96e3d7c89415718d99e77b50cd94821a42b3a9f10a54a997d51855c1
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\NTUSER.DAT.LOG1.tsham
binary
MD5: 1bf37100da31ee8751905b1f0ae1af29
SHA256: dbf7a8cbdfbfb83c540832cd445a92424e0e43d910389760ea18dfa76e8b2ac5
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\NTUSER.DAT.LOG1
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\Videos\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\Documents\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\Pictures\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\Desktop\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\Links\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\Downloads\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\Favorites\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\Music\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Local\Temp\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\Media Center Programs\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Roaming\Microsoft\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Local\Microsoft\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Searches\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Local\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Default\AppData\Local\Microsoft\Windows\History\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\ntuser.ini.tsham
binary
MD5: 6d6a34cc76dea2cdeb1e3f9ca23da922
SHA256: d53f7e7183822b7ce38001f8dc1723d84281b4255455a8a83575b128a5356141
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.tsham
binary
MD5: d0c3c6111e40e334be367c70130fa7f4
SHA256: fb38d7478abb2ab1ae207eacb3ee27f178cbc4950606a0f9cc2c92ac02825bdf
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Saved Games\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\ntuser.ini
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.tsham
binary
MD5: 9657b2c1ef0d777d48da125dc6806c32
SHA256: 3dcd47530f88f1debc8302d1a5d5ef560e021fc12d39a8e4ce4c15fd4c466405
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.tsham
binary
MD5: 4aa81b2cb24093b8a4dc0f7f8fd3d43c
SHA256: f8fe690ec7d0537f0398a5b4752c05a49953da868d23f41dc3b6db90848712a5
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\ntuser.dat.LOG1.tsham
binary
MD5: 6f6dcf6a141754cff34b7af5d44f36cd
SHA256: 69c7e8417cfc607bf44e861913b6730c44e4544b6449249b3894b1096ff3387c
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\ntuser.dat.LOG1
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Spaces.url.tsham
binary
MD5: 3630e33c4120ac9ebe26d5c8d95e0bca
SHA256: 9e6086a032e0506b6aacc800916134da6f22bb74a035851a4b26842a66cdba2a
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Links\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Mail.url.tsham
binary
MD5: 3e54a2b884761da17745bc2acc772289
SHA256: 552e49f2e8e2b3fb3795452bb9e8bd654f5b46ba6da8178c46e86ff658e7904b
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Spaces.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Gallery.url.tsham
binary
MD5: 5fe48135726e8cd5e2dfd0709414fcc4
SHA256: 8373bac3aa912e689a4a4f592b2dad9cadbf4882a3d3e336e5eeb5d9bd5c1734
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Gallery.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Mail.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSNBC News.url.tsham
binary
MD5: de3b16c1cddd39c334b7ab33fd5ab468
SHA256: 69e71748c891003a9be21b7a0b7bc55625e37888a536432b7154452a1701f1f0
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Windows Live\Get Windows Live.url.tsham
binary
MD5: bbf9f0de46cb38d07f88e511a427aac0
SHA256: 519351615088f7c2fa502ab7277497b79085f78e4f999f0289f0233d9dba2fbe
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Windows Live\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN.url.tsham
binary
MD5: 875763efc3b77719ef582e4fbd4d8208
SHA256: 5d30ad23fba768a58b201aca5e5f502d0ac9304b820c97e7e49daafff3d52e47
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSNBC News.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Sports.url.tsham
binary
MD5: 98cedd1adf1acbb01d340a651dc42f35
SHA256: 79e5d7cb75c986c5bb0389c1cb1b32821afedf6762ddf16c93c6080c1292f05c
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Money.url.tsham
binary
MD5: 9efa23133d9c7423517c113579571254
SHA256: 55e7ad65692565fad3bfe169acaaa693c9c6085920379d0f0d4e6ea366558cfd
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Sports.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Autos.url.tsham
binary
MD5: aaf78ef71b77a617d678f75f248ebc5f
SHA256: 0bd5db0ca17f80bb0220d61437fb4aa049ba666b5b99f0884e7b16bd8b65752b
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Entertainment.url.tsham
binary
MD5: 49e9883bc9cf056e1669077d5b95a024
SHA256: 9e55f85490f66f5b7cb09e11828a494f14b7b4b3d2d5fa842bc1271de7142757
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Entertainment.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\MSN Websites\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft Store.url.tsham
binary
MD5: 06b207840beb270da9644dcd156be95e
SHA256: 593ab3f20c317ffa8b1c2ddf026aea48d02c589838f13e3536ce9a108aff907f
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft Store.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Work.url.tsham
binary
MD5: 75b5688129e32c8510248ba7e664c9ef
SHA256: 362238fab5490c11f241e96ad935c9ddee746a08eded8a9874c7496e514a5c82
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Work.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Home.url.tsham
binary
MD5: 0e5f40f4fa7581da4297441915466cbc
SHA256: 6d07dc670f4e8cbe5cc5ea3017c674db8f8f18df94ed9f4b8caf5ae6ab0d559e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE site on Microsoft.com.url.tsham
binary
MD5: daf3cc351cac0da638dabbdbfc5f9ca4
SHA256: 97f7dc57d213082190802b378b88c3915d089ad9564ba0b77ceb6b0485885509
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Home.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE site on Microsoft.com.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE Add-on site.url.tsham
binary
MD5: cee330fa29f49cb92d2b506339c0fc2d
SHA256: c185ef8450d8af5055b6fce6f04a1e0364d3ba18fb6285652684e07f136c00fc
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE Add-on site.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Microsoft Websites\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Links for United States\USA.gov.url.tsham
binary
MD5: cb1540b7bd72cff48acfc1d727e4fbc0
SHA256: bc149530e3720c8571616cd7a88da97c91d941ae2bca2af1eadb2f087bc43d90
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Links for United States\GobiernoUSA.gov.url.tsham
binary
MD5: bf7575fcd0e851fba80b766fdb29ff82
SHA256: 60779f6add339f4214a8878139e9eb4d5aafedd9fa58d7c94312daa9fa056b55
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Links for United States\USA.gov.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Links for United States\GobiernoUSA.gov.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Links\Web Slice Gallery.url.tsham
binary
MD5: 9ee65953cfad2b270e17f3b240ac649f
SHA256: a1160a480cda2c9c92f7b1ebb28fe6fea4b8476b88c4fc3d43b488fcd573caad
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Links for United States\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Links\Web Slice Gallery.url
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Pictures\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Videos\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\Links\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Favorites\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Downloads\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Desktop\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Music\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Contacts\Administrator.contact.tsham
binary
MD5: ce1b7d573a446cc1b5318346efc25b6c
SHA256: fafc4c9f68acf85190be5b09413cd8e7706b0f12754815d3e6d7e651124e0dae
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Contacts\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Documents\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\Contacts\Administrator.contact
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\e772058d-056e-4021-b783-db194666b156.tsham
binary
MD5: 30314a7da79bae513fe8b5f56a838b86
SHA256: 101b41f2098b5bc3b166d79b90c95cec1e6909b77557d82aaed159a2eabce5e3
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\Preferred.tsham
binary
MD5: 9312a64d68ccb577ae684656ab39212e
SHA256: 14b61ae50431df013088589e0f208f3585004f12d13251408abd55edfd3eb3bd
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\Preferred
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\e772058d-056e-4021-b783-db194666b156
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST.tsham
binary
MD5: 2a69c9e9ca5580114bbc44f156c9133e
SHA256: f8acea8aa759ac844513d2f7d5f5f81129468d9ba331550e0e20645ead39edf9
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Credentials\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Media Center Programs\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Identities\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\Identities\{BA2162A3-2F32-4850-8D8C-B3C9A2AA9D43}\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Roaming\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\LocalLow\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Temp\wmsetup.log.tsham
binary
MD5: ec81ad4793089381940b9eaa3f9f880f
SHA256: b5e7057e7b773a2b7f59fda24f502f701f6bbff99c73c9fef47cbbedf059eaf8
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Temp\WPDNSE\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Temp\wmsetup.log
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp.tsham
binary
MD5: 92fcc649d5f6c02a19f6136f0402e18e
SHA256: 91ba9aa41fc70ab36fffcb2a3da13cb057188c7b57632f732be408daf44b551f
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Temp\Low\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Settings.ini.tsham
binary
MD5: d805fae86a506e516590565e65063c30
SHA256: 99b9b6dce0f6a08aa15a39268754825c054d3a25863838929514e2b7be3bf238
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Temp\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Gadgets\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.tsham
binary
MD5: 8e19c6de0f05e17ea71079cfbfc2c3f6
SHA256: 9bed5bd3194d93d37fb4c4acbc336d3a710608ccd4ac0c37cabb7923e18b5c10
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD.tsham
binary
MD5: 176a5aa9fa154c09376fcd2a2cf1c004
SHA256: c8c785b3678b5f0a9d51f2124fd6f2190a21f87a0cba1e366f0f4bd62e288b27
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat.tsham
binary
MD5: e0fdf969d99b16bb0309746685554f2a
SHA256: 6583038126ac313b49db58b881255d30f406057afe513a59ae10894f696128dd
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore.tsham
binary
MD5: bbbdd1f35540ec6048606ea5df65d2ac
SHA256: e1761be4a747f83b5f885b192bc2200773a2c351ed7f5161dd6dbe273bf74fe4
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.tsham
binary
MD5: 5a6e59e0b032286745c5a71140927b77
SHA256: d6b613f3667fe2663485dd2475edd2f684f822eee0c301ebdf152181d9c08b85
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.tsham
binary
MD5: c5747f317bcbf0e9d108d6231aeb3c0e
SHA256: dc898ba1ac25772f8b5840c17f77f5a0d7b2fb6f7df0a548e153f5f00a9b72e8
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\To_Do_List.emf.tsham
binary
MD5: 7062c45665deee36f138943c4800310f
SHA256: e0841cb56f35eea230cf5833f16f246f49ce9c0fd37065ff0abdcc6b6d78c879
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\To_Do_List.emf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.tsham
binary
MD5: 24b3fcc80b026250ab9f8b7759e6e03f
SHA256: ef6b5b9b6723e0219aca0a141880a8b3016301cbe43b96e7cd9444b433f73274
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.tsham
binary
MD5: 56988c15607204bf998a7d61e3ed7ec8
SHA256: 9617edf37dba7166bd4e70dc134ece0dfa7231914f18c062c149cd79ad194b53
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.tsham
binary
MD5: 1286d48c68065ebdf2712d2cd0c76d0c
SHA256: b106f33a8c6cdb4bd3fb68c1559aa1c9a2d390a4d384f787e15202832d3699ab
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.tsham
binary
MD5: c43f32109027993bcf3078b9b37d5da3
SHA256: 4f9e64a5014527a7b298b84096bc8d932b1f1713d711b7336d18020e5c84a932
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm.tsham
binary
MD5: 683b4d8cc91c3353c82e6fe25ba4348c
SHA256: dd993173d519eb69f14f5c6fbe89f2942459c93347d0aa844e2cd04dd56180d0
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.tsham
binary
MD5: a1345c5d1402f356cbe7160c5cd5bec8
SHA256: 0cb46fec957b63e21f67a4d1467718be0220862812c315521c3f0ab0a0e66409
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg
––
MD5:  ––
SHA256:  ––
3596
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Soft Blue.htm.tsham
binary
MD5: 90f983ed5bf4bd42d6c9d600535320eb
SHA256: 76a998e4b531ef9dd7f2f6165b401d54117f5958a9838ed5dd9904ec74728105
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Soft Blue.htm
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.tsham
binary
MD5: be8ccdd871f0f0464715555ffed2b7c9
SHA256: 89a245d61d93dc3f43b7171952f33cdc93050e3f869eefc16254f61de16d82da
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shorthand.emf.tsham
binary
MD5: 09bf7b6fbd40f9a84d256dcd276a1572
SHA256: 7aebfc8779b84d74c6a95a03e6fcd47b8d6f2bf7e312e629a91ec08d55e8f78d
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shorthand.emf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.tsham
binary
MD5: a6ba3b7327704619f31f4cea7b7b96c8
SHA256: a49fa4714cdbd90b8567b0a3a5abf6805039cdba4d1ce6bac6328022c8c8500b
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shades of Blue.htm.tsham
binary
MD5: 9302e8d2dcf8e698225d3ef5b5cca49c
SHA256: 93c47adf57a6f142a0ba8979aaa418fdb162de0fd3d79e3170b5728a0c5c8951
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shades of Blue.htm
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Seyes.emf.tsham
binary
MD5: ff860a3b725d6c1278b946e2714ebf27
SHA256: 026b741fb2d12f30b6e0f83f26ff805850f1ff777c5d36411de7614524b9fcb2
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Seyes.emf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.tsham
binary
MD5: 39986c71b6e061c59309eb700f569cf0
SHA256: 0b1b52c54cc4875b84b1a15f05449b2eb2adc68a465a17389e6318d8e95e61b4
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.tsham
binary
MD5: ba12beea0ba9b4e01f67359dbadc68db
SHA256: e0998fafdd9e3f87ad306aecc284fff8af51bf440e64a39ba11da9d4dc353b1f
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm.tsham
binary
MD5: 43cecd6f916cc4c24f5b93bb0b66bd0c
SHA256: 6195a3d8fd715a9e76225a459c36797bd244f63baba42829a669093b5676d2ae
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.tsham
binary
MD5: 34490f9c0589e2f0bf04b7d59c3bc13f
SHA256: fa01166f63f0dc82adaa32e57cf008771d1acf886c04df208de3b9cd4100a707
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg
––
MD5:  ––
SHA256:  ––
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\bullet[1]
image
MD5: 0c4c086dd852704e8eeb8ff83e3b73d1
SHA256: 1cb3b6ea56c5b5decf5e1d487ad51dbb2f62e6a6c78f23c1c81fda1b64f8db16
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.tsham
binary
MD5: d6b0a8bb456eb1881b9678548c8282a2
SHA256: c17d0a126d91cab2f198b6334510c20a35b1887c25dbdfcdd1c4584834320fe3
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg
––
MD5:  ––
SHA256:  ––
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\info_48[1]
image
MD5: 49e0ef03e74704089a60c437085db89e
SHA256: caa140523ba00994536b33618654e379216261babaae726164a0f74157bb11ff
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\errorPageStrings[1]
text
MD5: 1a0563f7fb85a678771450b131ed66fd
SHA256: eb5678de9d8f29ca6893d4e6ca79bd5ab4f312813820fe4997b009a2b1a1654c
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\httpErrorPagesScripts[1]
text
MD5: e7ca76a3c9ee0564471671d500e3f0f3
SHA256: 58268ca71a28973b756a48bbd7c9dc2f6b87b62ae343e582ce067c725275b63c
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.tsham
binary
MD5: 39cab54578efcb56a6760b23ed345f5b
SHA256: fa4360641922fa81a0a3cee0a09a870328cd01ce98397fba61db725975e9c1a6
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg
––
MD5:  ––
SHA256:  ––
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\navcancl[1]
html
MD5: 4bcfe9f8db04948cddb5e31fe6a7f984
SHA256: bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.tsham
binary
MD5: 12bf8222510219d48426ec600f26bf55
SHA256: c1ecbea73d9523bc25019073b8f533ebe28206fa623beaaee9f48fb8d743831b
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.htm.tsham
binary
MD5: b5454380548b60c2b829f997180b403b
SHA256: 9cb42c604683eedf38ed85c68825116245ca3de795bf90716051d833da8052b9
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.htm
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.tsham
binary
MD5: 9dc0619dd03e7e183689c0661318eac1
SHA256: a0f899701b47283aeac12f23453c9126c3d8ffd0f62399564a043ed06da4fe81
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Orange Circles.htm.tsham
binary
MD5: 5c999c743c43ab282cba856a768fc17c
SHA256: d2f515c5a7d83996cbcb290dd332ae9d8d0d763cea7479730c68463971ae1b7a
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Orange Circles.htm
––
MD5:  ––
SHA256:  ––
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.tsham
binary
MD5: 0e3658e2e80105da045c37f59f9fcf0a
SHA256: 82142652099699d43fa6a637a880894416e9cdcd76f06efa0c9d176568771997
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Music.emf.tsham
binary
MD5: 4134a714107318a26998db6d16aee8e7
SHA256: 5a7f23a69d10e9a58aa0066e9d10f8165474dca5e323effaf496617aed539169
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Music.emf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Month_Calendar.emf.tsham
binary
MD5: e35c527daa8f8ebc0a4fd9b579db3288
SHA256: a83ad2f336fed5973dab2d0e3f71a1d3bd3ccafe46268aef867bebdf9412e2a2
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Month_Calendar.emf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.tsham
binary
MD5: 9bc200e708aab827f6d8999676a52023
SHA256: 4f54413c0482be56b4580e9b6d89b7324b0e2f04795d240bfc08a3b334cdbdc0
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Memo.emf.tsham
binary
MD5: 080fae59c552c1e1d6d1f6edeea6cb16
SHA256: 91738e5ca94df8a3522540089e7fbeff5ae968a2dc9080cbca1d32779386b731
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Memo.emf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.tsham
binary
MD5: 45bda560320175871060f67855caf0ec
SHA256: 6d7bef862ba0915dfd87b0cf76f3ac726c86979e943431534ae740a705c526e1
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Hand Prints.htm.tsham
binary
MD5: b598c2fcdcbbe9ef452656a167c0c25f
SHA256: 6ff33e55a761e0fde647af4facfae9e2e18aab3f09455105a87e6464f1fe60af
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Hand Prints.htm
––
MD5:  ––
SHA256:  ––
3840
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\dnserrordiagoff_webOC[1]
html
MD5: 3948ef3d9f9fb9fd68bfbbcdbdcfc605
SHA256: 1d5e9dc7114347ef6c6e7a89ebe73cab3fa45cc9728943a5ffb3cb91adf6e8fe
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(inch).wmf.tsham
binary
MD5: 68260b4678ef218933c9b094ba6d05a9
SHA256: 6eba1a6ff2ecb59d0fa32c7102fbe8f0216d249e0924eead61a78872bf837aaa
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(inch).wmf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(cm).wmf.tsham
binary
MD5: 520e42c5ac760fa718f03fbff7f5f38b
SHA256: 963fd1f439d4ce527568f5dfbd29b7279346eff0d4766cceebfc59f846ad665f
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(cm).wmf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.tsham
binary
MD5: a4b053f0e5c9bc0823ef2d2dbc3905aa
SHA256: 178881d66d6372983bef53322ac2b9c132811c9fce65aee95299d170054e1e11
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Green Bubbles.htm.tsham
binary
MD5: 4bd80d34e39df4f10b79582e3948afac
SHA256: f2e1ff86530f39161868b218104c4ce1cc3fdde935416de7a3fec26b9cdd3fe2
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Green Bubbles.htm
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf.tsham
binary
MD5: 2737ae306e08dc1ddacf7eb6c9125da0
SHA256: 3d907561a4357be4a19b25daf16420b442cda1d42d0c720ec11c39c4760ab05a
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_2.emf.tsham
binary
MD5: f3d12de0c1e25192f5836db4449577fb
SHA256: 6f2a31fa237d320d840b4a92e612bab05888fc44dd2f7e44a17c136ad71e1f37
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_2.emf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_1.emf.tsham
binary
MD5: 468af10add4de84f5fbd589bcf6627e8
SHA256: 84b6fbe16d11b22f526ff289468aec05bd32a33080e866e0b6b0350928820187
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_1.emf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.tsham
binary
MD5: 9936105c69245f1d3afb425d550f45fb
SHA256: 683341119f8d7591aa9a354d5f24faa64b69460dab993a5d20affe6b795bae8a
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm.tsham
binary
MD5: 3d27c93c695c3f69c11e6ed6506f509c
SHA256: 817f7cbde41fcc42a9f27858c525c316bb0df08fd548518d4a877872d237de12
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf.tsham
binary
MD5: ca5b22fce29bfcc621bc7c4369c2c2a6
SHA256: 9fc2ff4d8e37ee629fd9dca6afd18281610f2febd4e8b7c6aca090dd63d99d73
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.tsham
binary
MD5: 5098e7fc83f617d9946fa284dbe91f4d
SHA256: 09361974a0bf9a9bd74e9c512ef4eda70e18718ed3a2424a85769715179a424c
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.tsham
binary
MD5: 8e1c190c743151165fe02996d82a04b8
SHA256: 2c1d54c8949dc95e3fb0981675db6e6f16815b7adf1154d182f6260f5a7a7095
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.tsham
binary
MD5: 3eab32163312d69df094732413762631
SHA256: c45f9e016d881688648db9aaca9aa7690aee840fc90542796efd9c7067dd1117
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.tsham
binary
MD5: 19bb4d0d96154700840b40475b441725
SHA256: 52e6582edd19fd9f71dd88dc09d35d51712c1fbbfeae88ee4139b7df5a6da070
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm.tsham
binary
MD5: f537d0852666ef2d669316d5335cec5a
SHA256: b94e7e5ca805f53f2b8d1302c4d77e9982b5f66f627476e3a1f454798992c634
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\oeold.xml.tsham
binary
MD5: 381ce2e1b4a0a2a00bc7e6c92328668a
SHA256: 9e595fb3325df6ec990f2646180343b62baed011707c57dc32f2330b6e395316
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\oeold.xml
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.tsham
binary
MD5: 4c4fc8f50bf7ae60f14482f2d5c10e1f
SHA256: 2be36ae51b7fc0f5a1dba5098963a75154b2323987f8479314368029f0ebc5a2
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.tsham
binary
MD5: 87f57fb70fad089b8f7fbbbfd4e91d42
SHA256: 1555c999ab408b08543ff9b4ef04ac79dd5479278cfadc1cbc31d2aff921522c
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb00001.log.tsham
binary
MD5: 33921e2ea8d58ca990b9fa07787fbf93
SHA256: 0eb15f7b26a64aa99b51bee300a92e3b9d76ca4b7461b86a99bc08de2ac858f1
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb00001.log
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.log.tsham
binary
MD5: b7b0b4e6dcb4eb811998948a12f0beb9
SHA256: 3a6262336214e6220d80d0cab183493079e29de74af5e23ba8005522908a86f2
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.log
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.chk.tsham
binary
MD5: c817d6203673a4edec426dc62bfd4170
SHA256: d7b13c94a31ccbfbbd8e5cf90bd351ea93e895028e8fbddb7ecbaef0355783a6
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.chk
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat.tsham
binary
MD5: 564655af8b99ad55fad4069761304a8b
SHA256: 30b0aa10f39390ed01d32dd69223e5924597bdc8d597d811e93135dfebb93a29
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore.tsham
binary
MD5: 28a53a6a525c6366caf4d2f93e00c419
SHA256: 2ef1c6d7ff1f85052659b24d8ddb3b82579f9d04568f8560e94385633837f7ce
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log.tsham
binary
MD5: 81d0cf360d755a28194a5d8038e53e67
SHA256: 44b7e1ef6c396973330b7054528a0f1354efb9219c3f33d0490b2d077f17477b
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{CBB626B1-8A75-4171-911F-13C42949168F}.oeaccount.tsham
binary
MD5: a672332bc3ae5d2d00b037da7e5b87b8
SHA256: 9aec7b9596e7b4d8914571d6c87663cbbd3fbeb594f57f32867f05276df42728
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{CBB626B1-8A75-4171-911F-13C42949168F}.oeaccount
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{C6756DF7-BE4A-458E-9C7E-535BEC29FB9E}.oeaccount.tsham
binary
MD5: 2e7ed54fe7a50943ab5a4473a7995822
SHA256: 78b7bc1178a6694b70e3a08a58ff2b3ccf670ff159bce36696d54e2655c00f9d
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{C6756DF7-BE4A-458E-9C7E-535BEC29FB9E}.oeaccount
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{A9BA3523-71CE-43CF-BD95-F75C31E87D1A}.oeaccount.tsham
binary
MD5: 566b585faf4204cb2f3958cfad0a2949
SHA256: e93da1ebac4f7c3b8efff0f004f789c23e7617db1a35eea15a5992f10d68f88f
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{A9BA3523-71CE-43CF-BD95-F75C31E87D1A}.oeaccount
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\12_All_Video.wpl.tsham
binary
MD5: ad80ad61211581000f0e0fd9842348cb
SHA256: 96d00cb71330a88f7bda7a3e1ddd0eebf5a6d6f7059eb60e05baa4ac051cf3b2
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\12_All_Video.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\11_All_Pictures.wpl.tsham
bs
MD5: 6ce229a93f2498299d20d978897cc639
SHA256: 13894fd908d969457b94240b94df9a236dea72068716d2532b4c432c530e1c3e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\11_All_Pictures.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\10_All_Music.wpl.tsham
binary
MD5: dcd452f56fe2718cf3bc4498a75832f7
SHA256: efddc47cf81833f53088ff36dd9bcdcd5c4628abe77e53caff98f9db06b47570
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\10_All_Music.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\09_Music_played_the_most.wpl.tsham
binary
MD5: becd84f5d3b19775de4e3830b298a577
SHA256: 5774cd7df36ae6740325e76f9467999697cf492d89de75be1bab1a93c981ace0
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\08_Video_rated_at_4_or_5_stars.wpl.tsham
binary
MD5: 4af5acf6914994b5f967555254c0d5e4
SHA256: 57a69898ac05191e8d9b9220cc344bfac12f8b2124c87dd17e5d362264077529
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\09_Music_played_the_most.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\08_Video_rated_at_4_or_5_stars.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\07_TV_recorded_in_the_last_week.wpl.tsham
binary
MD5: 6ecbf6a3a3266f6c9c70ebdbeed62200
SHA256: a502227d23f119698a5a721bf44066e14af3cb5240162a76939c2043235c7cb9
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\07_TV_recorded_in_the_last_week.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\06_Pictures_rated_4_or_5_stars.wpl.tsham
binary
MD5: ea40834941f34ded66716fdab60ce923
SHA256: 698cc95eb4280368e49d7d1006cac3f9d0507353a44324c6f88809fd85206c5b
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\05_Pictures_taken_in_the_last_month.wpl.tsham
binary
MD5: 3ea2c47e23ae7dce61e2c1a1182ffda7
SHA256: bf009e70e70677e0c5b567e53497225e2d9c6585a996fcb48b6c7309ebda1fd5
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\06_Pictures_rated_4_or_5_stars.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\05_Pictures_taken_in_the_last_month.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\04_Music_played_in_the_last_month.wpl.tsham
binary
MD5: 866c0fe0eb8296b83c1422e8b1662303
SHA256: 48e6fb4a2667b274d72b88c715befbd16292fdef4522b0e8b3a1d77f7bcf989a
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\03_Music_rated_at_4_or_5_stars.wpl.tsham
binary
MD5: 2bb15f461ebd6479895b2414b440d2a2
SHA256: 17c8f24c64e85fe20de34121e20fb5fcf8f7863f255c2c3a69e40c7260c87f53
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\03_Music_rated_at_4_or_5_stars.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\04_Music_played_in_the_last_month.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\02_Music_added_in_the_last_month.wpl.tsham
binary
MD5: 53933627f248aea4f6a52b1feb644bf2
SHA256: 0f100cf4080b73967f69a83440774e660ace256c4b183273bfbeb67341ee25ef
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\02_Music_added_in_the_last_month.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\01_Music_auto_rated_at_5_stars.wpl.tsham
binary
MD5: 0da98ae5e2a6ee0a47b788ed1214d023
SHA256: fc08ed592e934fefaaea76b93b07f3407db6c8adc1278684d3ac26ed59f1cfe7
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\01_Music_auto_rated_at_5_stars.wpl
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.tsham
binary
MD5: 4670fa8594104a0f5b65c9fc972d4946
SHA256: 34bc40e0c091b823794cf0e3244660d63a27ceee1883bc00a6fda8ce6e81dec5
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb.tsham
binary
MD5: 6e823ccb64e74e36e448a4a5e016707d
SHA256: 0c79d295839435463bea3a2a57bdc92de08fc86390dccedfd5e447b16cde1251
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.tsham
binary
MD5: df46cc89ec2107cdee5e8279d8d89c5b
SHA256: 2d3c68ce5ba4700da0654bd0583e449faa160daecdefb457a542bab4043cc6d7
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\index.dat.tsham
binary
MD5: 3215264e8e6e848fc9f77aa8820a3313
SHA256: 77e762afd5b2cbefc068d6476436a0d7aa73cd42d71e127fa521e13452cc0611
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\HPSK10OB\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\VM3JD5NM\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\index.dat
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\G4PHTCUR\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms.tsham
binary
MD5: 67b3454d1b08e8a4ad0fc17ce59829e5
SHA256: b9c3b3958abb0fe2e340a272b1459d06a5fa7aec6762d32c9d440f6f2d4c21f6
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\9RI45C46\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.tsham
binary
MD5: b55a2af0aa3e9a313f29df19a642795a
SHA256: 30994b82ef898c13840f6cb8381236dc7d66cc07e49962f73adb11b47c53a56f
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms.tsham
binary
MD5: 63821373889d9697ce492e680deb9a04
SHA256: 1dabc499cdc552b2b488d3c4db2f35f415e298fdfa61c0eaf622ac35a846a55b
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms.tsham
binary
MD5: 5f865265ddcd9c02cbf55da36b00c1ba
SHA256: 092cab5627fc9e89b4ff7ff4753b6c0306747c6aafdf22211db24d8622779774
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms.tsham
binary
MD5: 410e8f1dd6242685c43ade5048ea5a31
SHA256: 634c7a39f992665047c90bebe6fa4a5df1e65d8daa16572f4b4b9fe40f10d659
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.tsham
binary
MD5: 142d36612669a75f6696957ab7ce6f8a
SHA256: d661e58bac68ef19525f2e4c2345a283be81886b01f5fca8ffdd1793906eca9f
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from USA~dgov~.feed-ms.tsham
binary
MD5: 235f92db29abf740c15aa27cd9255387
SHA256: 4cf07a8773376e2f600214a2dd803cc66ec95011c55ebb0f7af53656f82c2565
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from USA~dgov~.feed-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\Local\Microsoft\Credentials\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.tsham
binary
MD5: c3004c1370c6bdec2c1a855d78782861
SHA256: 096c0caf6721380fdefe948650d37d67920eeea0126546d4cd5d1afe4b1719f2
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.tsham
binary
MD5: 7223ff016380519d74069c4babc5bf5a
SHA256: a2b743d87b002f2b9c9199b6d0fe768044b9075d4b43257765670fc943536367
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\Administrator\AppData\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Pictures\thisreport.jpg.tsham
binary
MD5: 2572eae29aee50b6cf6f2fbe21d8ab02
SHA256: 1e6cc591a7d066a27be2dc5ab07d3358674b9a129a9f148c8a85954952cd7be3
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Pictures\silverstatistics.jpg.tsham
binary
MD5: 5d51b31dac49578b5375e1ba862471d3
SHA256: 73d566aa5eedb8b4c6a53fbf3b77a30a5719f97d38f208d22d2360aa53b79b9a
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Saved Games\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Searches\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Pictures\thisreport.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Pictures\silverstatistics.jpg
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Pictures\ratedgame.png.tsham
binary
MD5: 4ea1f78b0943a5b74f05ccf895787eb6
SHA256: 82c53d3f4abc136a805a830ab99d61d9afd9b3eede27e80750a9d0527faa427d
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Pictures\ratedgame.png
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Pictures\multitaking.png.tsham
binary
MD5: 0ae41332eba215940b34ba6be61d2b89
SHA256: dad7d9cec2ab86dd2375271897218b5c4cf4dc6e2379a40f1df62abca612cbee
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Pictures\multitaking.png
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\ntuser.ini.tsham
binary
MD5: 0ffbd3e1a5e4a55e461a7ddbaaa4c8f7
SHA256: 1fd6f5d200eeec8f1a969aa7994f9b5dff1004a1cf60a8783202a9db4e065bc0
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Pictures\exampleprotein.png.tsham
binary
MD5: 3991551b3e87607857c57ceb6298a930
SHA256: b28acb9b3677352145af42fb33400dd2b797608658963dec7a554c2cbdba2779
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Pictures\exampleprotein.png
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\ntuser.ini
––
MD5:  ––
SHA256:  ––
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.tsham
binary
MD5: 9d70231b367f09dca3078d4c70a26ef3
SHA256: 73dd2189fb0f45c0068d440fbb66e66358732063bedf464d133b76eeb15258fd
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Links\TSHAM-DECRYPT.txt
text
MD5: 38df7a9719cb97e33eb8ef2e9310d98c
SHA256: 9c0714a313abd6c62321c595096b1178cdd98bb781526df1fd9c978d9845e35e
3688
454c7c90c090ff8a0c47c6059047fc0643d0aac055ef9ec460aa15565a8e1111.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.tsham
binary
MD5: f9d98a00d448262cbb646078bfa8bc72
SHA256: 9b0b95c07c40e75535d35cbcc3e39c5b2be74c16c4e3705def0d6a26b0e75887
3688
454