xorist | f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9

Analysis

max time kernel
118s
max time network
131s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30-07-2023 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
Size

5.1MB
MD5

b41e4136edba950ee7d0a2a338d18d20
SHA1

637b5649d08e92bf809a707b0f4ec2c40d074126
SHA256

f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9
SHA512

2145c236f5b47d20ebc9ad34c6e97ebd1857bbc33b3bc3de65c1556883f3c18ff129cfe5244fa15d2733f72243edee8e4c50da60496eb930e0d80605789c8700
SSDEEP

98304:m37k/NEnIyzZiW8DI/Pzw744D0QOIk+6JuI3l0Rdb0ms:wM+nIyz0Izw7P/OeI3Oq

Score

10^/10

xorist ransomware spyware stealer

Malware Config

Signatures

Detected Xorist Ransomware 6 IoCs

resource	yara_rule
behavioral1/memory/3016-53-0x0000000000400000-0x0000000000C5A000-memory.dmp	family_xorist
behavioral1/memory/3016-56-0x0000000000400000-0x0000000000C5A000-memory.dmp	family_xorist
behavioral1/memory/3016-96-0x0000000000400000-0x0000000000C5A000-memory.dmp	family_xorist
behavioral1/memory/3016-1281-0x0000000000400000-0x0000000000C5A000-memory.dmp	family_xorist
behavioral1/memory/3016-2105-0x0000000000400000-0x0000000000C5A000-memory.dmp	family_xorist
behavioral1/memory/3016-4244-0x0000000000400000-0x0000000000C5A000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2153) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMail.bmp	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_do.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Language_Keywords.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_methods.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Command_Syntax.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Assignment_Operators.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_environment_variables.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsOutlookExpress.bmp	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Comment_Based_Help.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Automatic_Variables.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_troubleshooting.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Signing.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\erofflps.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Continue.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Signing.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_regular_expressions.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_FAQ.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_output.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_locations.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_jobs.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Arithmetic_Operators.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_FAQ.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_pssessions.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_profiles.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_trap.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\erofflps.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_format.ps1xml.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_profiles.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_properties.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_transactions.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_join.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_preference_variables.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_split.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_type_operators.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_format.ps1xml.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Special_Characters.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Comparison_Operators.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_join.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Language_Keywords.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_output.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Ref.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Signing.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Assignment_Operators.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_trap.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_pssession_details.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_properties.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Line_Editing.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_FAQ.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_environment_variables.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_debuggers.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_pipelines.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_do.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_While.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_objects.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Quoting_Rules.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Automatic_Variables.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_preference_variables.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_job_details.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_types.ps1xml.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_methods.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_providers.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3016	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\button.gif	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2B.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\HEADER.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-horizontal.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14982_.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_ButtonGraphic.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6B.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR15F.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR42F.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR13F.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00175_.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10289_.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\spacer_highlights.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\verisign.bmp	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143750.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_ON.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\EXPLODE.WAV	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\THMBNAIL.PNG	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\back.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01743_.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15132_.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\PREVIEW.GIF	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\cpu.html	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\search_background.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-12.htm	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_remote_output.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_black_foggy.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\Media\Quirky\Windows Information Bar.wav	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-babygirl_31bf3856ad364e35_6.1.7600.16385_none_b2bd01695c9021fd\flower_trans_MATTE_PAL.wmv	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Special_Characters.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Windows Feed Discovered.wav	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\img9.jpg	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Windows Hardware Insert.wav	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\(120DPI)greenStateIcon.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_eventlogs.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\image1.gif	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Windows Pop-up Blocked.wav	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Windows_PowerShell_2.0.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\Media\Garden\Windows Battery Critical.wav	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-13.htm	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_remote.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\Tulips.jpg	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\Media\Afternoon\Windows Print complete.wav	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-full_31bf3856ad364e35_6.1.7600.16385_none_ce3a164d3f0fa152\NavigationUp_SelectionSubpicture.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Windows_PowerShell_2.0.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_6.1.7601.17514_none_6fb51b358e21d75f\split.avi	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c1ab456ba37238a2\settings.html	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-7.htm	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_command_precedence.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_moon-waning-crescent.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_locations.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_4b7bf556f6fe4db9\back_lrg.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-4.htm	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_remote_output.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_parameters.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_815d27dbb889ba17\pause_down.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\401-3.htm	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..yle-specialoccasion_31bf3856ad364e35_6.1.7600.16385_none_01242a21ddccaf3b\specialoccasion.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Quoting_Rules.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7601.17514_none_a54b31331066c8e2\background.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-15.htm	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_11b913172f0cb26f\Windows Navigation Start.wav	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_PSSnapins.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\glass.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\42.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_eventlogs.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Automatic_Variables.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\Performance\WinSAT\Clip_480i_5sec_6mbps_new.mpg	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_format.ps1xml.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_environment_variables.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\Heart_ButtonGraphic.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\cronometer.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_hash_tables.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\selectedTab_1x1.gif	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_properties.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-9.htm	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Logoff Sound.wav	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-17.htm	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Arithmetic_Operators.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_requires.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile32.bmp	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Signing.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Perf_Scenes_Mask1.png	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_command_precedence.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_type_operators.help.txt	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6d48bdce24e57241\slideShow.html	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.BADRABBIT	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.BADRABBIT\ = "ZALCJXNIKQSJGXB"	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZALCJXNIKQSJGXB	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZALCJXNIKQSJGXB\ = "CRYPTED!"	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZALCJXNIKQSJGXB\shell\open\command	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZALCJXNIKQSJGXB\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6xqQNF6ae4TUq5Y.exe"	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZALCJXNIKQSJGXB\DefaultIcon	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZALCJXNIKQSJGXB\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6xqQNF6ae4TUq5Y.exe,0"	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZALCJXNIKQSJGXB\shell	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZALCJXNIKQSJGXB\shell\open	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3016	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
3016	f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe

C:\Users\Admin\AppData\Local\Temp\f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe
"C:\Users\Admin\AppData\Local\Temp\f61daa71ae495f7233d2329cdf5264060e77e436f15bb7906c16882bc539b6c9.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
b39f0d7be7c219c025c6080fa6233fa6

SHA1
e89304912d855d7206b250809e247c6b4c5bb2fb

SHA256
8768026ef9d02df0d7f9411edb46bbb38bf7bddb801d100ab4095ba12899f56c

SHA512
a2b50442764e3a2e6f7ac1efad79dc48e16929da27de1ebe4ccca8c4e11c8c96203fcb690868a7e8cb1515b051853666dc0903b8c8682eca26e6caeb305f447a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
1f4d7ff71c6f176f4182c7a8bddce457

SHA1
bee6834a99d9dd242fa90c23ff46752f2c3744a3

SHA256
17339a857bd13bc9bca75c301bd176a8a1b8229c4ddc9ef213b608991cf978b8

SHA512
c087a53fd5984825ca683591cb81c5432a3ba84457b40567f428c15ba44c99a2362ab566129311d352613c20296e1f883122c9d3673e20e20f23f22fa10c6fc6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
742ee298866e739d5e932f05164b5314

SHA1
8d87678eec4e27921a15a922066e8dd0aca59aa5

SHA256
52d1de143a1c771ad3becf8df39253791c6532d1e46c6e863a834ef5ac880508

SHA512
a8ae28edf867178e597fe6913726b8a7abe2be08a557609735c79f8b3ac401250db205408a986a1842763a3a31b1cb641b7a451dcb78a13fbb8aae131f70f0cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
a64bc4f65570e96968962252fdc794e2

SHA1
84eb9a4431997bfb0bc1cebbf6fa502ad4a73d3a

SHA256
98b21bce0885755cc810a72068f3c91064c274ba4b5fe7a71f82040ce0357ec8

SHA512
88db968b1e87ff7731c108f019dc044a3326e83256e2bc3b94b7234cd229f0cd3d4f965f1d5c1cbac8bd587ef31d0fc81c2aa7334576f6fdf9d7d4328574673e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
220b4b2e6d02a691b432d2e8614d300d

SHA1
afb41bff7b25826c3a1dd1451745302e19cdc9cf

SHA256
8c5cd1da82c6c71994810d4219b103a441ff960612e542ad2bb4ebaced4a7b0b

SHA512
de3cdabc4033915c4cda27720c560c7b2357364ad521eca6adde0ec5f36f8d3ee2b74ff87eabdff729d63fff01dd1c0d2bc5d6232769acce1e9f604c06665efe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
0914bfc1f5655191868573ab347ead29

SHA1
802839c98a70b323d4d878f22fbb6606890bbecc

SHA256
bae4358cd5af00b1dbf1dd788a824f91a6d255cbb29e163da86f121da62e6512

SHA512
e2492b277a8b09385349cbd9d3da58a75877557cdb15f0f1d2e0fa47d40c8b27576925f970afa663ce5d38d994200c888b6dc9b992ac6e50d9f9b86436403687

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
42a2324088d2afa425f255c91c2f572a

SHA1
bb45663d922d17610b058178179f037257174824

SHA256
f3048c56d91f5cadc730baca5db9d54260d2a2139c5951cd231511027de89e3f

SHA512
7c3cdf7cb7cbb6e745958ec257fd4d4f4fa0e86dc82d86724a7ac7f2d85d4f7f85a3a1827f97f41642ac612b8d779424ba19883ee0571cbe30933befd7fd433a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
d1fac59738a60c680abbb7557e7bc60c

SHA1
faac6cb0e3cbf3d09a0df968108bdd009dc3c491

SHA256
beb94afd9630bf9c9a6ae059693cf26c84024772a98edb44c11be6dae9a17dc9

SHA512
8e81897c2fee2e9250857eb4d5f584aa233914fc2601eb3d392fcad9b015addb71d3397fb72283e9673f876f462ba195cd992fb8cc65807738215aaadcc2ada3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
9472d0d3ca5419199b1c3da8dfc1ecd1

SHA1
beec1b171a47443150af1ffbefb05208f07a6986

SHA256
9bb431a1030c3e05a9702c203759eb0475bcba434790270fe386f9d795c430cd

SHA512
5ccd774643a47c5a072ee297dec697f3183d31e543d69b14db067162de2fb6378d9e4be8d041b80f50ff29862686459dc7507d33aafc1aa1d68c25156f22f183

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
7e8aaf346590e0b84a21ceb2ed08c2fe

SHA1
3b60d7676253ad2bfbc591940c6deeb8b7c31176

SHA256
b163613a0ec39ac7963b156e8ce44fe2b7bb4bf71999c1aa743ee7691c98f4cc

SHA512
03d8ccb8bee3e42b093e78931bc4a1c1351bed64e2a9eba49e32562aa73806713e1c43cda2f14f2cfd50896e64993d98f125e5d8b38cc67d5bc5aee4d68eac1a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
57c7e7afc576fa3992b9ecc2eea4b6af

SHA1
2c2ef9d33f4b4cbd5413e674e0d7db3e124bcb75

SHA256
fdbeb78c85fef70ba3552fd527a4085d7a89b22f5d8bfa18f47ca1930a5d6c8d

SHA512
bac22fc7082d12c23cd77fc5051db805de625aa17daabc6aa24f5b10c9f69f8b484ccd9271f8e3fb921de6755c5a9bb9757e548d25e34939efa57da954071bf1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
efc7f4a55f3284cdd8fa8e152b393f95

SHA1
9548d0bfcfdfac86c1e1fdf3187c15ea8b86139c

SHA256
7df0b68fca99b1602b835212903cc440216ee5005f100f45a50d0dd02a89c524

SHA512
f55650f5cb3c758e6a78e80ca3ca2d050993f6f124b33873f8ce71ee000d54a974df6c9bb0000247f93f4efd3a01db1a126709b8f4d31e1d496ed68953506bd5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
fb3e6f728c1bbdf14367de4ce9d2aa41

SHA1
46caf62340365eff25c70151597e76ab3c6328ad

SHA256
8fcd9ea3aa979e6d204928d7e862dac9602f3cfd6e84b70b6e06759e4a8690a2

SHA512
629b62345ffdf5b4f53e7731a198a5e05e2274a5ca876880a61ffe60d6c821275a8cd77bf354053ad5163b731751073b08e23624f77c430954b18683bccbd580

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
1cdd8628f33f52c7e1c44eb67a4689a5

SHA1
b8d8edf08648c8e802d7f9dcb470a2fb298ddc18

SHA256
65cbad3bf34e8793b6e2232a85b9b8a86bb6872f4953b6d758d0517a165d415c

SHA512
3878d88fdb5cc072482e4b91b8014a66e1373b1220eeaef905f5e3fdeaec95d8ddf71f50211bc62e002d736f5056dbeb54e540bcdc56fab5d6347116eba99f4a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
5cf64336251ebb36c3ba33471e24f0bd

SHA1
8d9ee98486bd363eb554f7b1dade3aaee1268a61

SHA256
0800dc373c75dbaa131f5c48497a0990609b81a5507ba73143f1df2576c6289b

SHA512
ebbd6054efef547eabb08f3762a9107e2b2b2835a60853100cf92a0429c4c630d146cfdb8496208a2e2364bd98fa95aef5b17f327dd650fe7d45ea51d640ebd8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
700cef108a0c75e28f691a56a8a29f5c

SHA1
c63c83885b05eb8684ad4d22028321ec9a8fcfac

SHA256
d2a603bac3794ba0823106b915ef5615150a3b3e94e10028ad94bbae17daac60

SHA512
afec68d336dffe72d443f36e2a9e92bd9b4cc8e4a4e9a98093a3eb411b6aafe4c2168c14155aece73bac0ab19b5e18f221e5b3d0c4523580cf722bd163b6671e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
567848b36cc607e8efe75dc76411b3dc

SHA1
6a8265ae606ced469b13e06983a199adc7624624

SHA256
e5de5ca71ef5acd139a85c0005b564b4589ccdb61ebd7a80ff9ab11dcc6efd46

SHA512
557d28e11e827de7e23ad233a11128ff2f6512f9be29303c397ea40194530fc05a7da77c98ca3845f2b124489253de8cb2c054f970b1c23fb54805b9efc03d58

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
a9b3ab63aa18e4abb38b50959cc2df81

SHA1
5c5d002120d762482449be6b60bd1d9cbd801881

SHA256
94502002ee4690f8b64c3efe7fcd856e5e6207ca485f9ca844a79cb8af095d29

SHA512
911129e6e8af61b0538ba032c38ea88759f34ec7f0afbead9847bdfcbd114cfa60224fc485a70ea7e951a3513043ea67453a2fed68703663bc542a11870a9d5d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
9fec5ba5ff116f20a690b273de0ba63a

SHA1
dac9507f1fec708fb422432532d6422bf5c8c98d

SHA256
84f30f41571938a8a1ee69952c707e80fe6bacbf0f8d078ae36fb2051a0571f1

SHA512
a6f70a5c87d7622d662db7077b6d2a332d3f3601f9167fd2f8f31f395827b0a2d3a50bb2f06f13309a9c91b8d80fae5798061ca8660b84afa339644d3cf2ba09

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
d21e508ce8d449bbacad2c532ee18588

SHA1
3a1a63cf8ce6d23b7c7df2bc978bc0a87aa334ba

SHA256
073d49ead4e92c5e93b02e2f5cadc35ad02090501aa359e88439bf52d6a7e1f1

SHA512
4c349b80a15cd8890c1e4705c5d53890ebf69fdedeafbe460b0ff92674ca4cad93c6464d873ca28f721417240f0bb57a5bc712930a74df6f19a69d6b24fb2a06

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
fd253a8a09d9f2dc4e99726b78fe5522

SHA1
a5ce137c912d832fa796943ba9a98bfbfc9a2a34

SHA256
03d643f6c478a46d5f3637a4e3075e3e3b467efc47c3b0bebd87608fac88df2a

SHA512
a6cd3b1cafb98bca41b0f6c6d0dd8bea2d54f7facf255be1ece03150a16bb35cacaed8670f573c4548edcaa422d25a889c05470c2a98d93bc5abafa8d1af27a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
bdbccd5c9ba72f65eb3b4d41cd0a4cd2

SHA1
bde821f5a3391a1d0b69ac49561506c494deae38

SHA256
5b4e0fc5b8c0ac237f51fe3d34482d25cb844b01005110f467af4fde04d0d401

SHA512
26d70ee689baa32a3f93e4708d5ca463d01a20ea9858a38369e4a35bed52f967536ef78fb4d1381b7b5432b17588213eb717ca1aba0fe9ec535807d7e2bfaad2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
7c1c7439189078eb5c8f0b4091610011

SHA1
5506fcc7cd98681968a3ec21c2a49983d00540cd

SHA256
dd1c8bc20be7666b6012a7bebec9b3da69aa19b085d726c7c0b48b2501c8135b

SHA512
d6bdcfff6b6abd020ea5493c2e15bede72100f1502243023527c8ee7bbb7844d909f6147093a9a2ea2469ed81ae93f134ed68778eac336cb2331f1693fa4227b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
d73abde7c28d4a300b360f61892599d7

SHA1
5bc78eea4dc6f73871477b622108a3345b778da1

SHA256
71535552dc65c6a3cb8f61ebba2ff66c3e0c1a80476ca10e44bcef5335cd78c5

SHA512
837ef8d13cc8bf926dfcf447821c81a06bab2fa76ba300b5aedf0e69543ca42c3f9209b11665450bfd1632d1758bf311afb8bf5ab2db094df099c688a018d062

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
6e572e2658e5c1e08c1c51ef67d560b9

SHA1
b9e38fba3fa5bc5313da7729d0db89ace29e7aae

SHA256
29d49e6d8176692190381d24ca59ef4c7a1426500935d84651289907ac3bbefc

SHA512
7b1093e57b27495125fad31912ecebb43ef4071341adbaab2335d89e533d14ab566c1212b98ebef759d50a2d3f83a6be39fa9903bc6eb25f9cef434c3c508d83

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
791063d3af3ee448881059f0d414328a

SHA1
8794e0a42b6866bf6888be3779fbc44964d5e042

SHA256
8c37640821c4efe49f0b0ef183afb17e9a88e451666fb886f73717d72a2fcf30

SHA512
489e19030d064110eec3cf509038de02bfdebc37fbbcbdac348e87473b6fb696461964ebf789da2656ae0bc967bb8e4f82361f383c460c30768819fc3deee2fe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
6e12396f977facdcbb162cd58d54ed9a

SHA1
790845fb5b24997735a187ecce801b16285a6005

SHA256
3502df1d724158ebe258b983d7775e17ac12438ec3a0190089d08002fb11a16c

SHA512
0ae68bd038e88fe1b45a1f3cda1486c480b16b4a00963e807f3eb50fb0992dbffd36633ae23e5f4ce17fa8ceeda8c9b61f75848eaa087c37e2e1359cf36cb16b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
7a115212202cb3fab739b8635f5791cc

SHA1
0f683cbe61cd996ef8e7fee0d44c1dc135dc4b57

SHA256
b3b37e60836cfdc6ff5a0e5fe77f169d32969e5ab5c750da3458dbd5662f6a96

SHA512
2b9b49e8056917bfa518770b8bea4a22a92bf4b99a128da26585f2bde5499ad49be67ea92e8686d3931295f93c815ba2d4055a6a85e8bc888e6334e759ff523e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
462B

MD5
45022e2f735e52fcb1056d2294a6d39e

SHA1
a6698ad6d3616b12fcaaacb2d5b7fb583ba5289a

SHA256
a815360625744fb279acc5fa37c045a8f15fb50d36a833907b5bc1cc1517aa7c

SHA512
955c109b8cfa1bda959e6180e894a859f6f055e8bc0b1c02d1f7ba101935a6055a53aeff06e3591bc1f2bab7f9aa1fe2f4c546d7a645321fe3650564a5682b57

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
264B

MD5
29de19232fe4097ddbeec2e3271b0791

SHA1
ebae0d6f69fbe626c045fa58f94c18b6af893563

SHA256
ff9818355bb6564648dce97394df28b8791a81d49d1a0865f34b53c0d90c19e0

SHA512
9d39a3eca8dbff8e81d6deb52862d2d99044e4008d4dc88a09a3021cfbfc6b6dceb1ef921ef38b4ac13096b86948434831d22f58705a9aacf36d580bde1de7f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
0266ae78510695dddb3c20dabf3a94e3

SHA1
e2dacd654e1e066ee0635d46ba62e324c648c675

SHA256
5969532e14340b39ac4d9ae6bce115b9e8b79eee818e053acffbfc7f0ee46233

SHA512
30e2a6a3e6462427b19536799b89313989e7e65993835a32353e59f6a5a4f0a904ae4777e149c2dff5f39ae9e9aeb1ee2f42f637002121b36d98d5e016eddfa0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
f2fe5c13ce0d993d5b97d09017fc4590

SHA1
8d21546c9c116b13c822fab8be95251aadea205a

SHA256
bae6997b44384b5f3fc123c35044c14d59a05e6927cf741d7619510a042f4cf8

SHA512
379d13c9987722631b80d8e8bdb4c95748715990e0772e45b5d89689bf32683b73e1deaeed915373df07e307b4f6c9598b6155171062de42c515e223287372d0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
9b9de50f650182133675338e587c8e01

SHA1
993ceff77fb154f0a2ff52696e25f4bb34d90604

SHA256
45158a1426f8a1cb05580ad2b89835f09db26ad6de975577254123a304d55494

SHA512
a0a0f4dce6e9af2432fae9accca3a04aa031d889ee6ce337b60753749f2f336c0ba99963148a7b8f67e15184013f3eec5eee0a45511229dc32015bbeeb480179

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
9a55477eeafe0c71ba19a6dd38e73ee5

SHA1
297a2b859d8ba9801b9caf7e1d03372c273cec60

SHA256
35f9439fd046ed28b0ac1f60d23963890029fe09ba3ed7847b7d5f48663979bd

SHA512
98226ca90b6942e3e79d06586a6177d415ee7898f8ed664c05adca98ef43ab8d375e66ff1e660f9d3b927bec2bfb1534d68660969a8f7b0d565c89145fb9edd8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
5c58984f59d0ce504c4fcbc80a7ee401

SHA1
15bbc528dbb58ecfdf28d57ce0f5ed09a8c1b937

SHA256
219ba4ab8586ea4799065219e35ae93c21cbf04a4224ef50d683753d88bef552

SHA512
d7de57972428e529f293f914abdf762fed850a8ecee8dfeb8ffdeadc40660dec614785cc56f3686a1fd6afde64be4594ccbe4099ae566fb493d87b3351678b20

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
f363a91360e2ff566d3854d8fd9f7b83

SHA1
18bb1814a46d6d18a87c93465cda3e7376afdc7b

SHA256
ddce79af4fc8082792c7f9c2b24466adf805167c803d77ab11c9be838b2cc2e5

SHA512
76e93db33b63879ea73287899e5e1ff2926ab33c9925b58889d504b8e297f190e5fcc48fa9d01d96e4c6bdfdddc0925b6778eb1572967f877c6f9a0b23e06a65

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
ddc573d31f18a762e844996887e2f581

SHA1
4d01d579cfed419a7879d080ebc24b3f2d8e72f4

SHA256
cb0fadd056cdb12b3354ccc10f025c6014c1c89dcbc5f6b59a8a7584fc7236b4

SHA512
314c909bd64511aeec3c7ab2c06b0f1a98177d34ad8ed150aa2226c1e155cad10040096a4e584a3ab09da400de00c15f3a2a4cc48b701454aeaf099519e7a86d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
6c441b087844f28bea13936ff58c52b7

SHA1
0c264526dfb03aba59acfd96f54201c9105c1606

SHA256
9ed09b5cedc29889b17e0040406e52128a65364feaea993a9f309da494030736

SHA512
8fdb07b8da90c5572ef28c0d9a1dd66bdb3aee4173f01f3964772f0dbb094dbd9ef92b4bbb041afb55a9ab2975b3c08ab348e651325921283cdb49bf5a74339d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
9272777b788b145ab53948aa3b12569a

SHA1
f9556b87cd64dd37dce83abe11362917f378663d

SHA256
abe829b4d09353c1e99d94df0ef331e31254bb238103ce819435c41705d0cebf

SHA512
48bd101fd691b2ad17471493972ae2e2c997a4e98e26d4dddeebe17de6ccfd2cb8ddd483815e04a6d8e896a14636a73b9e80c4195ee2deae2fb6da5d8bcdd85a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
56723d0b7a37a97283ca26f229f4c3ba

SHA1
c3d7b4980bca8baf1797d022cd4f5793d44b3765

SHA256
63589efd263d78ca0cc260d4610ca744e47106abc1c0b541987fbfe561be097d

SHA512
27fb11e097b901f2f3d0b9473bcc5b6b3e500bab1fa481e2bd3526fa1da3e5cf75c7ddb3f4dd42174e623218c2008f8db855727ff0be8c9f6276239c900890e9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
8cac96e2178eb6469f95836e0a8854d7

SHA1
0a837d6d71b59bb9979f11082b3ee2ae1f36a73f

SHA256
1923741a6801b3381734938da76b0c3159b7cba0a3e917dbe9fb717abb2160da

SHA512
5be496b5c979c2bd8ed2915420e6d8caaf0bf3f6fc5dc89be6c3f7f3d9bc9e995b4203d46b0d35fbe212bf992f7ef389b29c038cfbdaafa8a6f1edcb606b89a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
50f7e598c5fc5ac9869c429fa5b67be1

SHA1
8d48fef6737be0177cac458f995603f73ed97199

SHA256
75909c9f163674fca0896e1792de67992f9f9a27e24ad26e52c6c6e505e5014f

SHA512
311df9e4a4f5603bcd163121646c17b4e4e4f50e476a3f9c7e2d3fa178ef293f62b2981101c22da19f0f8a06af1ed949fa357d550f72c673b04ddd7e79dff298

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
0219acd03e74a95d99174f34e23bd411

SHA1
654b7bb03aba0d99195da0e91185d0e6ad395c9b

SHA256
7e49b6a3a0237517e72bc0187ae1e4b2bec77c676da1288f4a5815872a30f269

SHA512
852774f25505e62af94151caf2fef47a50032d9bf3ade6c20d1c22cd98cb509085bf56ed5e0435fb89833148ec16301849aaabeb79bc665a120e1718b617e6ed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
abc3cac652c59943c6be9522a6110185

SHA1
6d8b4cba11270d579f66c417aa29f45fbe14554d

SHA256
92cc88681c2a35fb7b3bde36a7e46049f85a14cd472d56e88f49db3f746062de

SHA512
091f35e852fc09091a0751a3f445250cc225761c71c37c93c4bb87f2eb50a1721a3cff948bf7fc966ac41cbd0653554b740cd06d7bda4df75b8ecb404181dbcb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
c8784a374780e6810f1910928854a563

SHA1
9c06a8cfcc40fc862046c918e459a546aa6ed57d

SHA256
d5a3ad4dc6e28936a0eab9b1f4fab3c7b0ac03a1ce6018d704be1943ad77fb55

SHA512
cc2f7d226c755a6a2bd9549958cd9783e010d93f468c97b2ae4b356687c0ee3a97911c91ce8a7aac1bdee10b55105082e6f7c47f0161b3673438fa8558539724

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
8833842db26bfb9eb68c6bea5e68a9cf

SHA1
2d0a10132d2922bc75b14731eea4bb058c225d72

SHA256
c82e8bfa5be5dcd1851c4ecc656dfc7963ef67db41be803066aa23959dbb4e17

SHA512
40c9c71d746ff5d883cff9eec815434089614928110591045f613e604bd604a0dfb62aa86805397c3f2f3328e582cfe362d9ca0db4c352caf3df758ca0232535

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
6dd7ffe3f0508a7d6a05e8399fe297a4

SHA1
168478ee2c1f540fdb2b4fd7bd7f6dde2f4ad8fe

SHA256
43778f140fa9199ea900294688a819b16cf1960afbbd33ec8536f8744f56d83a

SHA512
a47f0f8e29f0c55bbaaa823c55eccbb6a547979aa3ca12a4e68d1473b7d60721913c2a2d990fd0b55ccd2df84fa513b7f49116ecdb58ba56d361124013e5f7b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
0c3ae8e0dd9d40931ee45b91116fc949

SHA1
6aac47261a4d78d8214375c979f6895b43612b4d

SHA256
748e017955936dd28c43f772d3bd16257f517c0e1263c90d696d9611efd824be

SHA512
63b176951d8beb8621ca3ab65fefcc3ecfafe118f1c13f562d345b72c5d3549ca959b717bbd124ef582384d4d7a48ed4b90168865c10195d6f4a211238bc53f4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
dd54243a1599be75d5722469bee81cd0

SHA1
c5582ab6a714b772851cf2a3e90999795162e7da

SHA256
b7c4b3ecd9a84a6089e33bbac3b8bff0cbeac6755eb5c6bb106a87cf45c7628b

SHA512
54808ac647a20e9e8bf8b1bafe344e4298520f90d0d251a4286fb06548594bd6073f0967ed52fe2f4c3ca668af7e896e3d0211ecffd8cc6fdff870fee0be9e73

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
4bacf5bfec91b586fbd98cabe4558af5

SHA1
866e404f1af91cdc9a15eec8b890a45a75da90f2

SHA256
ac3dd4abd717aa2cdab8f0b44f110e814be3a997c312b7aa567e655bce59f632

SHA512
baac98bac43b0caba11b1efdf64c3757c060b5e307404525ad9f095ff1af23e8c946c8b48fadc8836bd124c5b40b5d12e991fd109036def9e1791affd293681b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF.BADRABBIT

Filesize
615B

MD5
aaebc4b10e9602ec10601e05d899edc5

SHA1
eac8c4ffd1ce5954b8500b8c7dd3e870abd34c3e

SHA256
a194747aa129714f8cbcc7c10eaec9e88e52c0aee232b1067d089841fd61322c

SHA512
3e1c9a52e52201ac6ee032a32dd4b57613d489119b2009b53c0edb69ba0a57c00db068b995180e75558a4cdc05a57e5d8644be03ae81b5d35114b752f7d88c1a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
1433494b664d492c4c97916d6eec5c94

SHA1
bb0538b2f65b3b565de94d99dd4a6d40a095ad98

SHA256
361950c175295d4ef2ec167a62f64827ead1208a2d72b272b534097af9f57749

SHA512
05aa8518d79765f898ab409f54c3ecfe95bdcacf4940367fd62bc555d2c6d4124f3afe682732ff3761852d420ae23d626c86f1d450ae9c5ad674ea3c186e3cee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
5f3729fa6433728c6055e9c03086eb6e

SHA1
bd12dd4366f130cea8f91be98503a40b64e771aa

SHA256
b69015a11af6aed16f8a033c946d78bf5f33b5c9ebd5092c37abd69821c9bf80

SHA512
5555df74751aa6c1e246d2d36d6b68d9d46857a94bd93083a0d55bd03434d510307fb553d540055f342d7021e77a85b1ba8b68b31fc5582050157e65b80943b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
335a6c8692c586c8529fd747848f3c48

SHA1
e7908d33dfd035239fb7ff3a87cbfbe008778e78

SHA256
5ef06d13b74a07134bdbee0c8bd82e8c2c9634b19f3be4485d16e9c919530b7f

SHA512
2219f1720bb28c52366ea8e4983303a942746990e01f10460f559304581af445045d19d23d571c47207c2aeb3d788dfe9878050808ad38f0a6a5fa051e61e61c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
99edeae3759900d3b026634c21514506

SHA1
861b24f044d34823a2ed71d87586a4fb866d805e

SHA256
323c0d952346698b2c999ace0489ebe872d472d0bf0f811eba55089f84ba229d

SHA512
e9063b53bdaa01f52e42d3855d90692a712db7309808ff48069c0e800204e6fc31e40cddff03cebfc989f5d3e15db7715670d8ff5bb4bc2ff374f6acbde2edab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
171801b3d029d1546aabe6893565541a

SHA1
85d0846d7a0c9a9b69dccb660c9ccbc4d2550963

SHA256
891675ae93b3f69e308ef5c543b469a72afcfb32fd5bd55d84c4084bdc529d78

SHA512
677a3e7ea5adf4ecbd9ece3c2956b305471ef168976ea503dee158b58af4c323f059870f32f9b6d328d1beea56ca1b0ab58a2ba6cfaafc67a4ca4d6861ca9f64

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
c1971aa259cd65fa8af3737e612d9de6

SHA1
c4fea1a6837662dd26518ab2314dad2a29c09aeb

SHA256
f9a49874e54c913b597a879e64687c9b187df0a2a0e592eb03fcbf2861029274

SHA512
75cded4fe1071e846e0035b6ce24c808d5352828429f0f15254d6a82f888dc6f4acd6973c4f1c1b42155c48e3f8d9fc932649414ebca35956e1767e5bfc32a6e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
350358010f6af938d8bc91fcf7be57da

SHA1
41ee7407ace61756690413048cbfa1b6469e5108

SHA256
03d1634597f7f0850a593a76417213d0dcb70c7a7c190db7575285d3c1e9c903

SHA512
05697809c0c96ac31eba854eb53ce4151ba175266c28abc8082539b2873f1406942e2793ab04b03f8f48997d0ffd8371ce12f030122e70c0776761893365e70a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
c2912f919b53387224d4d360097d8710

SHA1
d5e570d2353e60c2e58fcdc511e61786521364d0

SHA256
1f2b36df66149ade1ab25f6ebf16ecde6ba2114201d26ab9c185c57b073328f7

SHA512
56c7b485b2a4f7cebe42bd61aebce9c5dedd2828328fb80118bee33c6a92366e39af2c6299f83a8fa2381fce217633e3a807dc39f22cea28dbb984f67a3658f5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
909f75af44671a6368b8c478223112f0

SHA1
feff39c33e9f8b941df1f213178c57e51e567021

SHA256
6a1f124f34b68baf24865ffb02b5cacb07ba5acf2df0e15edd42dd5de06a04eb

SHA512
5fefc54d7330ebcdd65e05202e98a6a715e975501bcc908dc5b89ef531d607043eb36aa6d630db2b7f140d8984d7aeebbb724129d659ce2e07cd5392c8df0942

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
52648124a5c1df3df250058f5e013fe6

SHA1
692a99bdbf0bb9573568b4e5677182a2a3265b26

SHA256
bd9ab76d8414e8782d57463ad7485e8943824e4ff568919eeec8be0b4183fcff

SHA512
7423432fc4b0c9f6dd3cb19c2fde09bda234d57f5460beed7f3a21b1cece66202ca27209a5b3911b1b03cb9fff2c7d28d26a63acf770c8695f94269e9350c8b9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
a8238dbd35e817a421d6e6db52b21163

SHA1
65351fc01902237a182deed6b98e0f55860aac42

SHA256
b5fdcf0cca4891fa6f1aee3466fd170becf2fd736f8ea6b5263396af8e814d0d

SHA512
23dfd7c9f3f9c81bc7df9ba04e1b3198548fdf1a15539bd499264caa6f3e4b93d4555c45aa05ad00bbac05a13b10dfad723270c09c2b5777b252a5143ca3308a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
00cf1c37ee0778e14ee511268ccb35b5

SHA1
5d1da9863c7c3030cd8d19adac4b6efe8b0e5cc7

SHA256
3ffdee2460fe9f94d52b29926885c380420eb088e3aadf71e3abb223395cf6cf

SHA512
160207028ad96cb8ea7b96a9ff7c7d97a58782843063864e949010afa3ced0b3b3311262fa4f15166569a40c1ee50db1eb61d5749950a655ff8760c398ef45c5

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
1e1dff9d7f35b15f8a85078b16a4ac6a

SHA1
2dbe954f810a3bd63fb474ad80822af2cb95317a

SHA256
e2ac46d49f3cd6edae4c794e259fe4eeaa25b12a3c6163bac5b7eff68506db98

SHA512
3e42dd46f58588ca541ca8d1a8be1205771ce5d236c8ebf30fb171cb656542397f5258013fede5ba331add17e59eb3498ec769edb77ef6c3ce9193775015488f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
63af09154e2597757e135a3d5754cfc3

SHA1
2106137aa2a6d1897ccfe50ee9918875f6d32ddb

SHA256
3583abb7a36753c64fccc70b1c49869c029ac02e27da3b8b4890e4c2979fbff9

SHA512
caf232e730d7a799392859e2d8bc8254e92dd63989d48542137922210d3322f21a5f6a9e159fd3bd9ea03b405c5bd53226ed1e1c7a7d5a44e4039934e1dabfac

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
0980fe882c53cdf46f34301f210eb2d8

SHA1
73f9639ff5643a4d83719d577fbb7e3df17cbb85

SHA256
2d143f5717abbc876fca8f8acb0ff7c37671e831eea1d2226aa74404024d29be

SHA512
5a6c7cb753217c95046eaba06b5971091cd944166946a99d214e5772805dcf79adc9b45d4d5ec1a4cb66d4fa054245aa6b46bf23cf5d4ad5a916723522dd64f0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
8b40b30e5a0598ae0a7a1e05da638f8a

SHA1
3faa38b15472e0ecab52d641f83ec9f17c53f0f5

SHA256
f19e6872de8a63821d294d57dc2a6440d9e6374d65f89603b9beb5a228a578a8

SHA512
b39546c8e19b612fc336be2197f5c461149493caead1bc7a4865cec51571cfa81315b7c9f33f72f6136b15cbf50681dde0d57c82470eba85cea743fc524371a6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
8dd37ee19b13bfb268e480d97f984f4b

SHA1
73af16c464b4ec59b179662a2ee98b0643e2e615

SHA256
29b9d8d036f1e867d2fcc859286828b4d756fa8266c4b1fa5b5015ea1ce10268

SHA512
f0e69d1c3e89019f6e00f1206c5990b949acb4688828f02462ece1b3dae2c7a8f149495fec4fe0685ee7bb7d63899e319ca3d9bd47fd932d4abd2bed20947e3d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
64037334c949111cb50053dba7709d26

SHA1
5658be9d00de2a031b6e2591bbe72b931bcc5dfc

SHA256
db7615a163bd223625abb6e933a167face98a317f972dc705e1b9d9bdc6f5f7e

SHA512
d691309c4fddb3f02407e6f1bb2bba8195700158ceff9a6a7323be45235078d15984d0b8039fe38af35da72df814117406c333f643fbbbce2f776de85e602fca

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
d4d4b4c75e92b79f0b53e8a6ee49d7bc

SHA1
12b4dea17d2ec2b9f975b1e999be3cc81e5b5fc1

SHA256
afedc522e0f0394ad18f96d595a37fe5c03a7e50f588575c96da9212285001b9

SHA512
328a814b216f87ce10f09618b6f71f064a8bfa5e0d36b0224248ccfb7fcb3386e64b7c593f94b43dced23748d1e4077173b929dae2e56395798a5a436fe7fd3a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
3486572f277c8ef2270e7f1e6c59fdb4

SHA1
b61de0f75d4892e770424736883466bf19c2f34b

SHA256
3a9c7390165b91cbf0bd982ffbb7063b38252e29eb64bb57a0c60cf80411ffe4

SHA512
b48e564de5ba26a7db97b008626911f581b945b1a9894851dee005d888448523ed3cd1f5623487cba35d14c94a74622e8bd12028638a2f059d26d65f4cac4a51

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
cfe1e150ff62833a5c948288c294d230

SHA1
b8252032e2a8df5b779b4466faadfc9f25eb8a65

SHA256
8f0cb6f218bbd27ad190e49105ae0e47e08038462d6fbf92740c29b830c49574

SHA512
8666d1bf2a24818d3fedfae79834f0b5bbd750bd1ad27ee2a242b7d25e53f847f0237c240e8e08d7c1e78119e42fbba40df23185b62b0bfc67a588047784d872

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
d389abcbe3c95cb4902d27b388326980

SHA1
2220333c0684792f4ec54659206ccd5952b6f025

SHA256
342fa9bdfc0d95fddbd7cc1ba29a626f5bc2a6fc0540ee61553bed75c4e3ef0d

SHA512
9e7c51bb1e8a1fb7039739065bd0bd45c3f797e09e78a9892503b4d6d246db91c4c5506bcb2a1cdf9c80f62194b0184a178766cfaddf9716164e8636f205fa66

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
13506a5207bb142a78a4568cd4eac700

SHA1
5d16b879c9b97295f1a5945fe9c18af1c91d8a2e

SHA256
0fb742b8c12f3e2831c1c4651bc4f861b9f7a5eb0a54a11ff56963898da12af0

SHA512
d202d43ef39d008c91a3ce7d2b55d298eff1cb7612b9fae77cab290eb617659c2d0e3cd618d92abb959f042bb37f733b51dbb25c504e20c7057f31dcae5cab07

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
f2b06fcc30d18a9560e3d23741d682e8

SHA1
f7af0965fce32822e9acd8f53087edc8ae4dbca3

SHA256
822c3b54d1eafff36f9c435aad5f55afe7b172b018b5db81e5da0d98530f0644

SHA512
fc2ea5942dcfb8cfd2353db5a22e41b60764b21c8b66d1a0709200f245a2c05bc3b5cc4a67d4a6e417674fe371dea1a5747efc87cae690b3377b7ac74618330f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
e66533417a6e6d50d2a487ac891482de

SHA1
937f7a1103cc554d08ed954724ffd8b6cdf05865

SHA256
5f2f56241de8b02267a1f7a73c8ed15e4695daebe2841681c45b920a7c5e2851

SHA512
4f9351bc7822024d9644de22e74dae03b796c6dadc66ae7717d65ac0be78c6ca327c7501236b111e2481ce7b6764635d8bb06ee00d922a8a3d7f738195b920cb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
0756140bd47685225a399bd42055f220

SHA1
b3cb5f9978968225562b301c56d976457790cc46

SHA256
c66ea1da450fd764ff60ef9348c6f2029e8f5f1ac7e5246c59d6980ce0edfb3c

SHA512
e76cdb48dd688e5671984bd432a7525f51482878dce74bafd2e389ce71fe04c584cf9cb0b12132d6dc1bcf369f9c0250463261a703e7975b9fb28bf68b34cad7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
22f8e27a9728f4ff495cff610d4699d8

SHA1
0c00302f1e63b302dbdd8b353573efad5e92534e

SHA256
8de57f9f2098c498373c2c4779a9169ef68b48592dcdf97fac860aabc7b81911

SHA512
b38f13f2d580e790970486381ea7d16cedb25db5cac25607e4174d3cd81fc7f37e0ba40791c0a231dd92c1276b3ba2c85094a04b6599fae5775c2467e090f99b

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
a2ff0331a94f78a07eeabb775fa6b1bf

SHA1
4507e222b07d1ad1fb9a525cda28728bc4682545

SHA256
bca300d07c4f96da2007ce53f4758effebfbdae3f8925831b6259dc18804b79f

SHA512
a9d5abc19840d4a60b26a4d9aa1e65442ab7112f2aeeb9a0827fbeec3caa13e9969762f1dfa42c285e46e40ed3bc805b5c726fab9ac807445eb18984209c4680

Download Submit
memory/3016-87-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3016-53-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download
memory/3016-54-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3016-56-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download
memory/3016-57-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3016-59-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3016-62-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3016-60-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3016-64-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3016-67-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3016-69-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3016-72-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-74-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3016-77-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3016-79-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3016-82-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/3016-84-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/3016-85-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3016-2105-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download
memory/3016-91-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3016-90-0x0000000077670000-0x0000000077671000-memory.dmp

Filesize
4KB

Download
memory/3016-89-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3016-93-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3016-95-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3016-96-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download
memory/3016-1281-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download
memory/3016-4244-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download