phorphiex | d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40

Analysis

max time kernel
30s
max time network
31s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCCooker_x64.exe
Size

22.4MB
MD5

317c5fe16b5314d1921930e300d9ea39
SHA1

65eb02c735bbbf1faf212662539fbf88a00a271f
SHA256

d850d741582546a3d0ea2ad5d25e0766781f315cd37e6c58f7262df571cd0c40
SHA512

31751379ad7f6c55d87e9a5c1f56e6211d515b7d9ae055af962ed6f9205f5abad302c2e47dd56325abff85327ec3b7f9a6cf76ed34b8cbe1da06549c622c7031
SSDEEP

49152:yIT4lj7Rl9HFoDi+3JK5CS2bV5IRtyrp63FDysl28Wvp/pUOmrscrdXuMIgqJ95+:yI6

Score

10^/10

phorphiex ragnarlocker xworm bootkit credential_access defense_evasion discovery evasion execution impact loader persistence ransomware rat stealer trojan worm

Malware Config

Extracted

Family

xworm

Version

5.0

outside-sand.gl.at.ply.gg:31300

Mutex

uGoUQjcjqoZsiRJZ

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Path

C:\Users\Public\Documents\RGNR_A0710810.txt

Ransom Note

Hello VGCARGO ! ***************************************************************************************************************** If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER ! ***************************************************************************************************************** *********What happens with your system ?************ Your network was penetrated, all your files and backups was locked! So from now there is NO ONE CAN HELP YOU to get your files back, EXCEPT US. You can google it, there is no CHANCES to decrypt data without our SECRET KEY. But don't worry ! Your files are NOT DAMAGED or LOST, they are just MODIFIED. You can get it BACK as soon as you PAY. We are looking only for MONEY, so there is no interest for us to steel or delete your information, it's just a BUSINESS $-) HOWEVER you can damage your DATA by yourself if you try to DECRYPT by any other software, without OUR SPECIFIC ENCRYPTION KEY !!! Also, all of your sensitive and private information were gathered and if you decide NOT to pay, we will upload it for public view ! **** ***********How to get back your files ?****** To decrypt all your files and data you have to pay for the encryption KEY : BTC wallet for payment: 1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4 Amount to pay (in Bitcoin): 25 **** ***********How much time you have to pay?********** * You should get in contact with us within 2 days after you noticed the encryption to get a better price. * The price would be increased by 100% (double price) after 14 Days if there is no contact made. * The key would be completely erased in 21 day if there is no contact made or no deal made. Some sensetive information stolen from the file servers would be uploaded in public or to re-seller. **** ***********What if files can't be restored ?****** To prove that we really can decrypt your data, we will decrypt one of your locked files ! Just send it to us and you will get it back FOR FREE. The price for the decryptor is based on the network size, number of employees, annual revenue. Please feel free to contact us for amount of BTC that should be paid. **** ! IF you don't know how to get bitcoins, we will give you advise how to exchange the money. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! HERE IS THE SIMPLE MANUAL HOW TO GET CONTCAT WITH US ! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1) Go to the official website of TOX messenger ( https://tox.chat/download.html ) 2) Download and install qTOX on your PC, choose the platform ( Windows, OS X, Linux, etc. ) 3) Open messenger, click "New Profile" and create profile. 4) Click "Add friends" button and search our contact 7D509C5BB14B1B8CB0A3338EEA9707AD31075868CB9515B17C4C0EC6A0CCCA750CA81606900D 5) For identification, send to our support data from ---RAGNAR SECRET--- IMPORTANT ! IF for some reasons you CAN'T CONTACT us in qTOX, here is our reserve mailbox ( [email protected] ) send a message with a data from ---RAGNAR SECRET--- WARNING! -Do not try to decrypt files with any third-party software (it will be damaged permanently) -Do not reinstall your OS, this can lead to complete data loss and files cannot be decrypted. NEVER! -Your SECRET KEY for decryption is on our server, but it will not be stored forever. DO NOT WASTE TIME ! *********************************************************************************** ---RAGNAR SECRET--- QWZjY0QxRTk2MWU4RTIwYkVCRUNhRWMzRjhCQTdlZDJkNUJCN2JkNDdDMzREMTYyNjNGNTdiZGFDYmI3ZEVhNw== ---RAGNAR SECRET--- ***********************************************************************************

Emails

[email protected]

Wallets

1BKK8bsFfG3YxTd3N15GxaYfHopoThXoY4

URLs

https://tox.chat/download.html

Signatures

Detect Xworm Payload 50 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\25.exe	family_xworm
behavioral1/memory/2408-114-0x0000000000890000-0x00000000008A0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\24.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\23.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\21.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\22.exe	family_xworm
behavioral1/memory/1724-141-0x0000000001060000-0x0000000001070000-memory.dmp	family_xworm
behavioral1/memory/2072-169-0x0000000000AC0000-0x0000000000AD0000-memory.dmp	family_xworm
behavioral1/memory/1632-151-0x0000000000970000-0x0000000000980000-memory.dmp	family_xworm
behavioral1/memory/944-176-0x0000000000E40000-0x0000000000E50000-memory.dmp	family_xworm
behavioral1/memory/2372-207-0x0000000000990000-0x00000000009A0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\20.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\19.exe	family_xworm
behavioral1/memory/2700-256-0x0000000000DF0000-0x0000000000E00000-memory.dmp	family_xworm
behavioral1/memory/2724-262-0x0000000000BE0000-0x0000000000BF0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\16.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\18.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\17.exe	family_xworm
behavioral1/memory/2044-220-0x0000000000290000-0x00000000002A0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\15.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\9.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\12.exe	family_xworm
behavioral1/memory/1396-390-0x0000000000090000-0x00000000000A0000-memory.dmp	family_xworm
behavioral1/memory/2320-389-0x0000000000090000-0x00000000000A0000-memory.dmp	family_xworm
behavioral1/memory/848-385-0x0000000000C40000-0x0000000000C50000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\14.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\11.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\6.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\1.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\2.exe	family_xworm
behavioral1/memory/2484-435-0x0000000000EF0000-0x0000000000F00000-memory.dmp	family_xworm
behavioral1/memory/2828-414-0x00000000013A0000-0x00000000013B0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\7.exe	family_xworm
behavioral1/memory/1020-428-0x0000000000F30000-0x0000000000F40000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\4.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\3.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\8.exe	family_xworm
behavioral1/memory/1352-396-0x0000000000C80000-0x0000000000C90000-memory.dmp	family_xworm
behavioral1/memory/1720-394-0x0000000000B40000-0x0000000000B50000-memory.dmp	family_xworm
behavioral1/memory/2300-393-0x0000000000B10000-0x0000000000B20000-memory.dmp	family_xworm
behavioral1/memory/2540-381-0x00000000000B0000-0x00000000000C0000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\5.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\10.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\13.exe	family_xworm
behavioral1/memory/2360-476-0x0000000000A10000-0x0000000000A20000-memory.dmp	family_xworm
behavioral1/memory/2868-475-0x0000000000AA0000-0x0000000000AB0000-memory.dmp	family_xworm
behavioral1/memory/2308-472-0x0000000000050000-0x0000000000060000-memory.dmp	family_xworm
behavioral1/memory/2576-469-0x0000000000960000-0x0000000000970000-memory.dmp	family_xworm
behavioral1/memory/2312-468-0x0000000000C60000-0x0000000000C70000-memory.dmp	family_xworm
behavioral1/memory/1864-463-0x0000000000F90000-0x0000000000FA0000-memory.dmp	family_xworm

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

sysblvrvcr.exesysklnorbcv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysklnorbcv.exe

Phorphiex payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\Files\t1.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
ransomware ragnarlocker

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysblvrvcr.exesysklnorbcv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (7765) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

5000 powershell.exe
1592 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

pid	process
5000	powershell.exe
1592	powershell.exe

Drops startup file 2 IoCs

Processes:

explorer.exeasena.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9bf0c776.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_A0710810.txt	asena.exe

Executes dropped EXE 47 IoCs

Processes:

4363463463464363463463463.exea76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exeasena.exeBomb.exeCryptoWall.exe25.exe24.exe23.exe22.exe21.exe19.exe20.exe18.exe17.exe16.exe15.exe13.exe11.exe14.exe12.exe9.exe7.exe10.exe5.exe3.exe8.exe6.exe4.exe1.exe2.exe66b9e7f54cf7b_pro.exenewtpp.exe66b9e7f54cf7b_pro.exe66b9e7f54cf7b_pro.exe66b9e7f54cf7b_pro.exe66b9e7f54cf7b_pro.exe66b9e7f54cf7b_pro.exe66e42cf42e212_otr_raccoon.exetpeinf.exesysblvrvcr.exepp.exeLummaC22222.exesunset1.exet1.exesysblvrvcr.exe10.exesysklnorbcv.exe

pid	process
2436	4363463463464363463463463.exe
2764	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
2900	asena.exe
2676	Bomb.exe
2448	CryptoWall.exe
2408	25.exe
1632	24.exe
1724	23.exe
944	22.exe
2072	21.exe
2372	19.exe
2044	20.exe
2700	18.exe
2724	17.exe
2320	16.exe
2540	15.exe
848	13.exe
1396	11.exe
2300	14.exe
1352	12.exe
1720	9.exe
2828	7.exe
2484	10.exe
1020	5.exe
1864	3.exe
2360	8.exe
2308	6.exe
2868	4.exe
2312	1.exe
2576	2.exe
3108	66b9e7f54cf7b_pro.exe
3836	newtpp.exe
4760	66b9e7f54cf7b_pro.exe
4720	66b9e7f54cf7b_pro.exe
4776	66b9e7f54cf7b_pro.exe
4832	66b9e7f54cf7b_pro.exe
4840	66b9e7f54cf7b_pro.exe
3716	66e42cf42e212_otr_raccoon.exe
4632	tpeinf.exe
4712	sysblvrvcr.exe
4788	pp.exe
4832	LummaC22222.exe
4740	sunset1.exe
4640	t1.exe
4904	sysblvrvcr.exe
4916	10.exe
5020	sysklnorbcv.exe

Loads dropped DLL 31 IoCs

Processes:

PCCooker_x64.exe4363463463464363463463463.exe66b9e7f54cf7b_pro.exesunset1.exetpeinf.exe

pid	process
3028	PCCooker_x64.exe
3028	PCCooker_x64.exe
3028	PCCooker_x64.exe
3028	PCCooker_x64.exe
3028	PCCooker_x64.exe
3028	PCCooker_x64.exe
3028	PCCooker_x64.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe
4740	sunset1.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe
4632	tpeinf.exe
4632	tpeinf.exe
2436	4363463463464363463463463.exe
2436	4363463463464363463463463.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysblvrvcr.exesysklnorbcv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysblvrvcr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exenewtpp.exetpeinf.exet1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*bf0c77 = "C:\\9bf0c776\\9bf0c776.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9bf0c776 = "C:\\Users\\Admin\\AppData\\Roaming\\9bf0c776.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*bf0c776 = "C:\\Users\\Admin\\AppData\\Roaming\\9bf0c776.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysblvrvcr.exe"	newtpp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysblvrvcr.exe"	tpeinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysklnorbcv.exe"	t1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9bf0c77 = "C:\\9bf0c776\\9bf0c776.exe"	explorer.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

asena.exe

description ioc process

File opened (read-only) \??\E: asena.exe
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
18 ip-api.com
19 ip-api.com
9 ip-addr.es
14 ip-api.com
15 ip-api.com
13 ip-api.com
16 ip-api.com
45 myexternalip.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

asena.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 asena.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

66e42cf42e212_otr_raccoon.exe

description pid process target process

PID 3716 set thread context of 3864 3716 66e42cf42e212_otr_raccoon.exe MSBuild.exe

description	ioc	process
File opened (read-only)	\??\E:	asena.exe

flow	ioc
17	ip-api.com
18	ip-api.com
19	ip-api.com
9	ip-addr.es
14	ip-api.com
15	ip-api.com
13	ip-api.com
16	ip-api.com
45	myexternalip.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	asena.exe

description	pid	process	target process
PID 3716 set thread context of 3864	3716	66e42cf42e212_otr_raccoon.exe	MSBuild.exe

Drops file in Program Files directory 64 IoCs

Processes:

asena.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar	asena.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\RGNR_A0710810.txt	asena.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\RGNR_A0710810.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\VelvetRose.css	asena.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\RGNR_A0710810.txt	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml	asena.exe
File created	C:\Program Files\Java\jre7\lib\amd64\RGNR_A0710810.txt	asena.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\RGNR_A0710810.txt	asena.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\RGNR_A0710810.txt	asena.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar	asena.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RGNR_A0710810.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174315.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Solstice.eftx	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21422_.GIF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49F.GIF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR6B.GIF	asena.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ShapeCollector.exe.mui	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSWORD.OLB	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest	asena.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.bmp	asena.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\timeZones.js	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02218_.GIF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif	asena.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_performance_Thumbnail.bmp	asena.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02252_.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR8B.GIF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RESENDL.ICO	asena.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\RGNR_A0710810.txt	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok	asena.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Technic.eftx	asena.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Araguaina	asena.exe
File created	C:\Program Files (x86)\Common Files\System\en-US\RGNR_A0710810.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157831.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt	asena.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\DumontDUrville	asena.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME24.CSS	asena.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\RGNR_A0710810.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg	asena.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\RGNR_A0710810.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SecStoreFile.ico	asena.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html	asena.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\RGNR_A0710810.txt	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183574.WMF	asena.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif	asena.exe

Drops file in Windows directory 5 IoCs

Processes:

t1.exenewtpp.exetpeinf.exe

description	ioc	process
File created	C:\Windows\sysklnorbcv.exe	t1.exe
File opened for modification	C:\Windows\sysklnorbcv.exe	t1.exe
File created	C:\Windows\sysblvrvcr.exe	newtpp.exe
File opened for modification	C:\Windows\sysblvrvcr.exe	newtpp.exe
File created	C:\Windows\sysblvrvcr.exe	tpeinf.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5080 sc.exe
3124 sc.exe
3572 sc.exe
5064 sc.exe
5052 sc.exe
5108 sc.exe
2512 sc.exe
3480 sc.exe
3824 sc.exe
5032 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5080	sc.exe
3124	sc.exe
3572	sc.exe
5064	sc.exe
5052	sc.exe
5108	sc.exe
2512	sc.exe
3480	sc.exe
3824	sc.exe
5032	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4363463463464363463463463.exeCryptoWall.exesc.exesc.exesc.exenotepad.exesc.exesc.exesysklnorbcv.execmd.exepowershell.exePCCooker_x64.exesvchost.exenewtpp.exeLummaC22222.exe10.exeexplorer.exevssadmin.exeMSBuild.exeasena.execmd.exesc.exe66b9e7f54cf7b_pro.exesc.exesc.exea76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe66e42cf42e212_otr_raccoon.exesysblvrvcr.exepowershell.exesc.exesunset1.exetpeinf.exet1.execmd.execmd.exesc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysklnorbcv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PCCooker_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newtpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC22222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66b9e7f54cf7b_pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e42cf42e212_otr_raccoon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysblvrvcr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sunset1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tpeinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

2632 vssadmin.exe
1804 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2568 notepad.exe

pid	process
2632	vssadmin.exe
1804	vssadmin.exe

pid	process
2568	notepad.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

66b9e7f54cf7b_pro.exepowershell.exepowershell.exe

pid	process
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
3108	66b9e7f54cf7b_pro.exe
5000	powershell.exe
1592	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CryptoWall.exeexplorer.exe

pid process

2448 CryptoWall.exe
2572 explorer.exe

pid	process
2448	CryptoWall.exe
2572	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exevssvc.exe4363463463464363463463463.exe25.exe23.exe24.exe21.exe22.exe19.exe20.exe18.exe17.exe16.exe14.exe12.exe15.exe13.exe9.exe11.exe7.exe5.exe10.exe6.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2616	wmic.exe
Token: SeSecurityPrivilege	2616	wmic.exe
Token: SeTakeOwnershipPrivilege	2616	wmic.exe
Token: SeLoadDriverPrivilege	2616	wmic.exe
Token: SeSystemProfilePrivilege	2616	wmic.exe
Token: SeSystemtimePrivilege	2616	wmic.exe
Token: SeProfSingleProcessPrivilege	2616	wmic.exe
Token: SeIncBasePriorityPrivilege	2616	wmic.exe
Token: SeCreatePagefilePrivilege	2616	wmic.exe
Token: SeBackupPrivilege	2616	wmic.exe
Token: SeRestorePrivilege	2616	wmic.exe
Token: SeShutdownPrivilege	2616	wmic.exe
Token: SeDebugPrivilege	2616	wmic.exe
Token: SeSystemEnvironmentPrivilege	2616	wmic.exe
Token: SeRemoteShutdownPrivilege	2616	wmic.exe
Token: SeUndockPrivilege	2616	wmic.exe
Token: SeManageVolumePrivilege	2616	wmic.exe
Token: 33	2616	wmic.exe
Token: 34	2616	wmic.exe
Token: 35	2616	wmic.exe
Token: SeIncreaseQuotaPrivilege	2616	wmic.exe
Token: SeSecurityPrivilege	2616	wmic.exe
Token: SeTakeOwnershipPrivilege	2616	wmic.exe
Token: SeLoadDriverPrivilege	2616	wmic.exe
Token: SeSystemProfilePrivilege	2616	wmic.exe
Token: SeSystemtimePrivilege	2616	wmic.exe
Token: SeProfSingleProcessPrivilege	2616	wmic.exe
Token: SeIncBasePriorityPrivilege	2616	wmic.exe
Token: SeCreatePagefilePrivilege	2616	wmic.exe
Token: SeBackupPrivilege	2616	wmic.exe
Token: SeRestorePrivilege	2616	wmic.exe
Token: SeShutdownPrivilege	2616	wmic.exe
Token: SeDebugPrivilege	2616	wmic.exe
Token: SeSystemEnvironmentPrivilege	2616	wmic.exe
Token: SeRemoteShutdownPrivilege	2616	wmic.exe
Token: SeUndockPrivilege	2616	wmic.exe
Token: SeManageVolumePrivilege	2616	wmic.exe
Token: 33	2616	wmic.exe
Token: 34	2616	wmic.exe
Token: 35	2616	wmic.exe
Token: SeBackupPrivilege	1868	vssvc.exe
Token: SeRestorePrivilege	1868	vssvc.exe
Token: SeAuditPrivilege	1868	vssvc.exe
Token: SeDebugPrivilege	2436	4363463463464363463463463.exe
Token: SeDebugPrivilege	2408	25.exe
Token: SeDebugPrivilege	1724	23.exe
Token: SeDebugPrivilege	1632	24.exe
Token: SeDebugPrivilege	2072	21.exe
Token: SeDebugPrivilege	944	22.exe
Token: SeDebugPrivilege	2372	19.exe
Token: SeDebugPrivilege	2044	20.exe
Token: SeDebugPrivilege	2700	18.exe
Token: SeDebugPrivilege	2724	17.exe
Token: SeDebugPrivilege	2320	16.exe
Token: SeDebugPrivilege	2300	14.exe
Token: SeDebugPrivilege	1352	12.exe
Token: SeDebugPrivilege	2540	15.exe
Token: SeDebugPrivilege	848	13.exe
Token: SeDebugPrivilege	1720	9.exe
Token: SeDebugPrivilege	1396	11.exe
Token: SeDebugPrivilege	2828	7.exe
Token: SeDebugPrivilege	1020	5.exe
Token: SeDebugPrivilege	2484	10.exe
Token: SeDebugPrivilege	2308	6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PCCooker_x64.exeasena.exeCryptoWall.exeexplorer.exeBomb.exe

description	pid	process	target process
PID 3028 wrote to memory of 2436	3028	PCCooker_x64.exe	4363463463464363463463463.exe
PID 3028 wrote to memory of 2436	3028	PCCooker_x64.exe	4363463463464363463463463.exe
PID 3028 wrote to memory of 2436	3028	PCCooker_x64.exe	4363463463464363463463463.exe
PID 3028 wrote to memory of 2436	3028	PCCooker_x64.exe	4363463463464363463463463.exe
PID 3028 wrote to memory of 2764	3028	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 3028 wrote to memory of 2764	3028	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 3028 wrote to memory of 2764	3028	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 3028 wrote to memory of 2764	3028	PCCooker_x64.exe	a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
PID 3028 wrote to memory of 2900	3028	PCCooker_x64.exe	asena.exe
PID 3028 wrote to memory of 2900	3028	PCCooker_x64.exe	asena.exe
PID 3028 wrote to memory of 2900	3028	PCCooker_x64.exe	asena.exe
PID 3028 wrote to memory of 2900	3028	PCCooker_x64.exe	asena.exe
PID 3028 wrote to memory of 2676	3028	PCCooker_x64.exe	Bomb.exe
PID 3028 wrote to memory of 2676	3028	PCCooker_x64.exe	Bomb.exe
PID 3028 wrote to memory of 2676	3028	PCCooker_x64.exe	Bomb.exe
PID 3028 wrote to memory of 2676	3028	PCCooker_x64.exe	Bomb.exe
PID 3028 wrote to memory of 2448	3028	PCCooker_x64.exe	CryptoWall.exe
PID 3028 wrote to memory of 2448	3028	PCCooker_x64.exe	CryptoWall.exe
PID 3028 wrote to memory of 2448	3028	PCCooker_x64.exe	CryptoWall.exe
PID 3028 wrote to memory of 2448	3028	PCCooker_x64.exe	CryptoWall.exe
PID 2900 wrote to memory of 2616	2900	asena.exe	wmic.exe
PID 2900 wrote to memory of 2616	2900	asena.exe	wmic.exe
PID 2900 wrote to memory of 2616	2900	asena.exe	wmic.exe
PID 2900 wrote to memory of 2616	2900	asena.exe	wmic.exe
PID 2448 wrote to memory of 2572	2448	CryptoWall.exe	explorer.exe
PID 2448 wrote to memory of 2572	2448	CryptoWall.exe	explorer.exe
PID 2448 wrote to memory of 2572	2448	CryptoWall.exe	explorer.exe
PID 2448 wrote to memory of 2572	2448	CryptoWall.exe	explorer.exe
PID 2900 wrote to memory of 2632	2900	asena.exe	vssadmin.exe
PID 2900 wrote to memory of 2632	2900	asena.exe	vssadmin.exe
PID 2900 wrote to memory of 2632	2900	asena.exe	vssadmin.exe
PID 2900 wrote to memory of 2632	2900	asena.exe	vssadmin.exe
PID 2572 wrote to memory of 2852	2572	explorer.exe	svchost.exe
PID 2572 wrote to memory of 2852	2572	explorer.exe	svchost.exe
PID 2572 wrote to memory of 2852	2572	explorer.exe	svchost.exe
PID 2572 wrote to memory of 2852	2572	explorer.exe	svchost.exe
PID 2572 wrote to memory of 1804	2572	explorer.exe	vssadmin.exe
PID 2572 wrote to memory of 1804	2572	explorer.exe	vssadmin.exe
PID 2572 wrote to memory of 1804	2572	explorer.exe	vssadmin.exe
PID 2572 wrote to memory of 1804	2572	explorer.exe	vssadmin.exe
PID 2676 wrote to memory of 2408	2676	Bomb.exe	25.exe
PID 2676 wrote to memory of 2408	2676	Bomb.exe	25.exe
PID 2676 wrote to memory of 2408	2676	Bomb.exe	25.exe
PID 2676 wrote to memory of 1632	2676	Bomb.exe	24.exe
PID 2676 wrote to memory of 1632	2676	Bomb.exe	24.exe
PID 2676 wrote to memory of 1632	2676	Bomb.exe	24.exe
PID 2676 wrote to memory of 1724	2676	Bomb.exe	23.exe
PID 2676 wrote to memory of 1724	2676	Bomb.exe	23.exe
PID 2676 wrote to memory of 1724	2676	Bomb.exe	23.exe
PID 2676 wrote to memory of 944	2676	Bomb.exe	22.exe
PID 2676 wrote to memory of 944	2676	Bomb.exe	22.exe
PID 2676 wrote to memory of 944	2676	Bomb.exe	22.exe
PID 2676 wrote to memory of 2072	2676	Bomb.exe	21.exe
PID 2676 wrote to memory of 2072	2676	Bomb.exe	21.exe
PID 2676 wrote to memory of 2072	2676	Bomb.exe	21.exe
PID 2676 wrote to memory of 2044	2676	Bomb.exe	20.exe
PID 2676 wrote to memory of 2044	2676	Bomb.exe	20.exe
PID 2676 wrote to memory of 2044	2676	Bomb.exe	20.exe
PID 2676 wrote to memory of 2372	2676	Bomb.exe	19.exe
PID 2676 wrote to memory of 2372	2676	Bomb.exe	19.exe
PID 2676 wrote to memory of 2372	2676	Bomb.exe	19.exe
PID 2676 wrote to memory of 2700	2676	Bomb.exe	18.exe
PID 2676 wrote to memory of 2700	2676	Bomb.exe	18.exe
PID 2676 wrote to memory of 2700	2676	Bomb.exe	18.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe
"C:\Users\Admin\AppData\Local\Temp\PCCooker_x64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe
"C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3108

C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe
"C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe"
4⤵
- Executes dropped EXE
PID:4720

C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe
"C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe"
4⤵
- Executes dropped EXE
PID:4760

C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe
"C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe"
4⤵
- Executes dropped EXE
PID:4776

C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe
"C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe"
4⤵
- Executes dropped EXE
PID:4832

C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe
"C:\Users\Admin\AppData\Local\Temp\Files\66b9e7f54cf7b_pro.exe"
4⤵
- Executes dropped EXE
PID:4840

C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3836

C:\Windows\sysblvrvcr.exe
C:\Windows\sysblvrvcr.exe
4⤵
- Executes dropped EXE
PID:4712

C:\Users\Admin\AppData\Local\Temp\Files\66e42cf42e212_otr_raccoon.exe
"C:\Users\Admin\AppData\Local\Temp\Files\66e42cf42e212_otr_raccoon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
- System Location Discovery: System Language Discovery
PID:3864

C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4632

C:\Users\Admin\sysblvrvcr.exe
C:\Users\Admin\sysblvrvcr.exe
4⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
PID:4904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
5⤵
- System Location Discovery: System Language Discovery
PID:4896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
5⤵
- System Location Discovery: System Language Discovery
PID:4952

C:\Windows\SysWOW64\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5032

C:\Windows\SysWOW64\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5052

C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5064

C:\Windows\SysWOW64\sc.exe
sc stop DoSvc
6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5080

C:\Windows\SysWOW64\sc.exe
sc stop BITS /wait
6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:5108

C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
3⤵
- Executes dropped EXE
PID:4788

C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe
"C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4832

C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4740

C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4640

C:\Windows\sysklnorbcv.exe
C:\Windows\sysklnorbcv.exe
4⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
PID:5020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
5⤵
- System Location Discovery: System Language Discovery
PID:2616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
5⤵
- System Location Discovery: System Language Discovery
PID:3504

C:\Windows\SysWOW64\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2512

C:\Windows\SysWOW64\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3124

C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3480

C:\Windows\SysWOW64\sc.exe
sc stop DoSvc
6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3824

C:\Windows\SysWOW64\sc.exe
sc stop BITS
6⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:3572

C:\Users\Admin\AppData\Local\Temp\Files\10.exe
"C:\Users\Admin\AppData\Local\Temp\Files\10.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4916

C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
"C:\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764

C:\Users\Admin\AppData\Local\Temp\asena.exe
"C:\Users\Admin\AppData\Local\Temp\asena.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2632

C:\Windows\SysWOW64\notepad.exe
C:\Users\Public\Documents\RGNR_A0710810.txt
3⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2568

C:\Users\Admin\AppData\Local\Temp\Bomb.exe
"C:\Users\Admin\AppData\Local\Temp\Bomb.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\25.exe
"C:\Users\Admin\AppData\Local\Temp\25.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Users\Admin\AppData\Local\Temp\24.exe
"C:\Users\Admin\AppData\Local\Temp\24.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Users\Admin\AppData\Local\Temp\23.exe
"C:\Users\Admin\AppData\Local\Temp\23.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Users\Admin\AppData\Local\Temp\22.exe
"C:\Users\Admin\AppData\Local\Temp\22.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Users\Admin\AppData\Local\Temp\21.exe
"C:\Users\Admin\AppData\Local\Temp\21.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Users\Admin\AppData\Local\Temp\20.exe
"C:\Users\Admin\AppData\Local\Temp\20.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Users\Admin\AppData\Local\Temp\19.exe
"C:\Users\Admin\AppData\Local\Temp\19.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Users\Admin\AppData\Local\Temp\18.exe
"C:\Users\Admin\AppData\Local\Temp\18.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Users\Admin\AppData\Local\Temp\17.exe
"C:\Users\Admin\AppData\Local\Temp\17.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Users\Admin\AppData\Local\Temp\16.exe
"C:\Users\Admin\AppData\Local\Temp\16.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Users\Admin\AppData\Local\Temp\15.exe
"C:\Users\Admin\AppData\Local\Temp\15.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Users\Admin\AppData\Local\Temp\14.exe
"C:\Users\Admin\AppData\Local\Temp\14.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Users\Admin\AppData\Local\Temp\13.exe
"C:\Users\Admin\AppData\Local\Temp\13.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Users\Admin\AppData\Local\Temp\12.exe
"C:\Users\Admin\AppData\Local\Temp\12.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\AppData\Local\Temp\10.exe
"C:\Users\Admin\AppData\Local\Temp\10.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\AppData\Local\Temp\9.exe
"C:\Users\Admin\AppData\Local\Temp\9.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Users\Admin\AppData\Local\Temp\8.exe
"C:\Users\Admin\AppData\Local\Temp\8.exe"
3⤵
- Executes dropped EXE
PID:2360

C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
3⤵
- Executes dropped EXE
PID:2868

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
3⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
3⤵
- Executes dropped EXE
PID:2576

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
3⤵
- Executes dropped EXE
PID:2312

C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe
"C:\Users\Admin\AppData\Local\Temp\CryptoWall.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\syswow64\explorer.exe
"C:\Windows\syswow64\explorer.exe"
3⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\syswow64\svchost.exe
-k netsvcs
4⤵
- System Location Discovery: System Language Discovery
PID:2852

C:\Windows\syswow64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt
Filesize
27KB

MD5
c1f1ecd4e83e07cc580e9271a4f505a3

SHA1
a760a9af6e515626f6bacb0f7364f0fccfcc4b55

SHA256
02588d47064fa12d6fab5674b6b162940273e649734cbd2cac3af65f4fa841ca

SHA512
c7ee907fd401f7843c874f7e95fe16a3011218e4fb54e6cc8f623e2b3e354d71064a7343cce555cae18fcc8cf8007e7a19f371ee2af3badf54d49a44a558a54e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK
Filesize
635B

MD5
4a9c82337a3d7ac090b138d45e3c8702

SHA1
533e8a0051a2b83b7abfc565bf5061222f9701bb

SHA256
a2d664b1a961f73c2c530752e8c7b7e43554fcaf42abe977d4c7b7da967522b1

SHA512
f6489cf38b0d93aa3e35a7aec96c9551d3cd0121c6cf375f1455ad761cd66163d227f70743e881df884752a5d235b939eba7922267e4ba30cb33322a2addab45

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK
Filesize
634B

MD5
5ba25aff6722a7fc322a266c265ebf3c

SHA1
f64580208d45be70689e81a30d2758259b5f0101

SHA256
951423f86d43238e3d3d99af1f99a186bf0cedd8d2ebab3d19208a72af456084

SHA512
e83cd4cdeb7d8cc23b99da16eccc9e11e859ed92f37ca132cc8060372936667d2cf38058e6a6fd807fccfc49b883b99b5ffba432b79e2696fb8b623b8e24654e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF
Filesize
862B

MD5
7602dd80c8ce6554bf353d660045c206

SHA1
95b4b193152e196a7f0f9a04724f34919c8975fa

SHA256
84826aff5ed6227bd065338554b470e4ae0fd24ff38367acfa846c35e20fd266

SHA512
0ec002e286aa7aec40ea7d96d6e8862a6d3a7877fd1965be9e24632947050eaa4e2b696b857001c6fadf463b6002976e9a6933d1bdb021ad2c6924891e8f2098

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF
Filesize
743B

MD5
449a0a268501767bc71644540069d5ed

SHA1
79ace3e3fb1132f38c70128700ecf75e44074a18

SHA256
0fef26c94af1cf48b5047613ffb4ab6a51ab2bb664d80f1dc2f5ea3e5bf8c6fc

SHA512
3fd1dc0f93704d8bc4cecda13a6927d3ac81d825f38bfa7b2c2e9be44a1f2ea2c9efaaf4d012b63d63d20da8cbcd58d78f17bc8d18499da99a57decef8541475

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL
Filesize
239KB

MD5
716ce90209e693b25b98db85221f7c6b

SHA1
6160cca31cb7139ec9ee384d7de8ae4c91ef0053

SHA256
5878e3e230dfc63323ab6f6bb18d34bc3cdc655a554e4d4b2c4216170a86b1ea

SHA512
d60430fcfbd64dfe3446da346450de145b9598d6072a9be34972a6455768969cadd608ca5b8e521c448c047d7750d81fb65995403d413a2d5f9e9a9a5da2087b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF
Filesize
24KB

MD5
f2fc30d208d15cc0424222dbcb51bb99

SHA1
e3e299011ff678492c74233e0b337cbb6fa8be4b

SHA256
a20fb94874c519fdc664865867a9a3add7cc25728fbad6de77ce5f51b59732fd

SHA512
a03d2f209507fa54337c982dac37d9167e66a53626f523c218f708329157c75dbc269a78143ff2ace45b11d234c697124c25af16c09cd66e96b22f21c4e73073

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF
Filesize
706B

MD5
a9e6fc476d1b7ea36281b033b820023d

SHA1
2661bb95838fab356193774a87612fd4c59f2b7d

SHA256
50a249f1c576698823711bfbe5fe3dc0afaefce3be940fa9ab00055290c8484d

SHA512
e5e730a6abd80c21766a79f1237c502a90ba8ec11baff75d5ad3dbdad49ebeb8a5bf97a8869ce0691e825a326ef90c1792fb885dd187b9ca2be0a86ff2ab85fc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF
Filesize
1017B

MD5
8dc580abfb0285722460d05018198b2e

SHA1
7aea42bbb2a83d65cd9325552bbfbc089a8c37f3

SHA256
bb875a835b5ba98c28a183c972274b412a326cb2d6185ca74e548f9004eed85a

SHA512
4f23a0feaa52e996bd2594199848040a0cf5f69c0ed7e3988cbbc52835a29d1cd4dce669c880bce3f7274a7fa2182c6e85ca1ccb9837b90a28bbb9cbc2ff1e29

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF
Filesize
1KB

MD5
00b572d24971884a045b28cf97b24ebf

SHA1
ae663004c9f9bef1bdbc30ffc7d45525676cf8d1

SHA256
ff8b2550160b54c93d7ddab4ba91f326552e8bf3b378b7813d0c01e09bb50795

SHA512
fbd890372a9243092c82fa61821732591f4d6cf0f2420797de7ba8bc4a27f19c4dba353d8854dc36a3baf11d4184c737f82337aa0fcc27abf418580a374ec275

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif
Filesize
6KB

MD5
cf0f2f84db81b3ddadc6bbd60b91da7c

SHA1
7a2fc939a35480f11900c2fca2c393fcfdc8249e

SHA256
f3b7af76a4fb478281930e0f4b01ddedb223eff5312574175f88611bd078de61

SHA512
2b9e256665c942dd472571612892e8c740346707a3ec85d198ce4cc89ad229f5f801ca38eba43c517e2eb839f6c0904f41be93fcce9ad7c39f6f1a70e72808eb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif
Filesize
31KB

MD5
73ea91ac3d9e5396bf1203f3e2655982

SHA1
9dfe36642634089889630ff9fd19671538f52a9f

SHA256
d9a8b803480b97ed5da2cc8e76e7815242987f9d125dbf1a0c31428495134e91

SHA512
c7288579cb704a3b43a791dd92630db3ce99e692ff644cb8f57c27ae46f22c8332e24dfec0f73999d395c591db6d1693bfd8a605e3e3a195fdbc991fccab1dc0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif
Filesize
5KB

MD5
d9a70ee6499e30fde56745b535739989

SHA1
35b3bddda873564cc5021aed1350bc8bd6059bb6

SHA256
4fd3306f52275eb157f91a142248eb8b025a8e28878e8cc4d06a91b9954e3ddb

SHA512
2dbc2f30ba63601c801b69806fd3c622e3d3ae1fd703a9abf566c9df382de97c51c1cab64b93d096e861e49b5806977b887bf57238cbf97104f56e57b5d35ff4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif
Filesize
22KB

MD5
0daecbaa82729dda5a5c3ce3de319fd0

SHA1
bd528e50f76c0a916e9936324f8fbcba9142a1ea

SHA256
964909d6276580c501cc61666ce773a710c4a910667a2a5cea3aa2c2bb64842d

SHA512
3f59ad54470f1592bdbbcdf1c931769568d3ad7db2447e76c1276a0b07d55ea96809f8f5ba390bf5e0e97cc36ceba0f7b159aadd17650f301e02e45c4275f1c0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif
Filesize
627B

MD5
f472e7ca4889fa01a5217d1745dafe13

SHA1
e76efe418e46ae51209a632c234e97ed70826e02

SHA256
5e631a1a0e91add3618877884188bfb5f90743fba81ceca4fc28b072b6a5d97f

SHA512
5aaa00a4d4259552500da7a8f75ed62bf0f925e54d75cda83ccaef1cd1759cd3be0db8d4410c9147e97bdaedc6a294513baf92e20e4ff0ed81461a6031fa227c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif
Filesize
8KB

MD5
52a0b0b22724f129a6e4fe3b292c7913

SHA1
8f48d3cbfa21df21b43c769d8e0b93ab0b3fa81b

SHA256
7026d5fd27af68ef86d4b81b6f4f057c1414f3f2284e1ec55051fd00f336831f

SHA512
a0513f4e5314534313c8d343388ab899fec7c2531478938031502da55d476ccd65df757eeef21facd18ad590cedc289f4dbb8bb77e620b983cc25b9d18d899fc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif
Filesize
15KB

MD5
42e5a0bcdfc9e5c1ef71ee9d7383e2d6

SHA1
d814eec874b0bd5d5431b35b49c150eb926cfafb

SHA256
95cdc8bfb5a1db2a4a6b8e8badefba4d520f72b876d846f8aa6bd976f31cb425

SHA512
211f6b13e418ba042709a14e83b35f9879e57702c7b143feefe694b1e63c3f5216fb1e4dea4b6bbbe943fef74e108896d0b99a0be6f355563724bbbc69341cb6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif
Filesize
6KB

MD5
33ed8eafb9bc930cb552c03e4ee51b1c

SHA1
a40ad80470f835f5d7256f8d4229d6353d862c48

SHA256
d825b8ec9554d88b7ef8934e2fa46a36fe7025f3c69ba9de062857415d91f50e

SHA512
75a6709bddfdd18eb1c1be7aba334586ae3ab40c5c053fa3c786024e89fe856b1b0e7f0f3c8ed658a2a7639989a3014e19d2b8d7cb975ff9b79e8a781cfd54e6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif
Filesize
20KB

MD5
9962ee4575119c87784ec6355dc8977f

SHA1
9ad655c034587464dd67b0e4989387db940126f0

SHA256
463cd738eee57a3b5291cc3b36b488b8465a84e1af014cd1e36d62a7112d93ba

SHA512
b2b50ed617f555b89840e5acd31453cbb54cc89816f6e3f8c538612f3e4414a7b9dbba9ea5f5fc8702b780cc8ba097d45892680cba7dfc82f511ae4c75872d89

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif
Filesize
6KB

MD5
d0abcdc14eb9a779388f8796a519d34d

SHA1
29d88097d25af34d1a03aa16a229c9f71e51f8ca

SHA256
a2a697d922beedcb8a347932fe48a47e1413c22a44bdba906a7bfdac054771aa

SHA512
825583c6700fdad38040978bef0f6129c69b005fa14b5bb5f7d59b5c30b583a844e2bafdf0bd21492a50b86379a265a3e148b626053d569dbdb5911c0b9ef237

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif
Filesize
15KB

MD5
80c72c1fa315d9c1be767c3e6e5374cc

SHA1
e5356eb603fac97a139634f35dcb7580ba1a5363

SHA256
030a1dbb623f4f4a80e7ee72a50e3abf8fd757e8fb5d30bf07bc3a4223f904cc

SHA512
34b4b4d70b606afd427bd0753977c2ff755135c69f600391d30c96ebf0c3bc9dfcdae5a6c257ee23ca701ada656b575e3e5f2e846e3495344f266d956df434e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg
Filesize
3KB

MD5
5a3fd97c457d09e0b9e4d9b0e12a3d19

SHA1
740e833f014172fa16a75a9a4dc11da91a4b5173

SHA256
77db34a93dcc020b998f6f1cba83262bafeb892b880a593bfb52ec4c35bf6b87

SHA512
c9f56e8e678c05da3d22777d61e0568c66594a0439ea854543711efe6eca245416f5ca8bb650c9b617ef4ddb5d2d5e77274db4a07c112410cdf4e76fe9f1a32d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp
Filesize
2KB

MD5
9ef1598e1a7cf2c2c421aa4986703297

SHA1
7d54ec90e662075b4eb6e9fa047bbfe89729c8e4

SHA256
56f147e85ac2714b5800a03e03e4c70f84037bb8685d6f990d0ca6da8eb7e4f2

SHA512
611461f5db5db20fa1007de3e46205480333e0bc496dacb761177803fd1721dbf05133f4b118ab267e860d19cf7c83c5e38ca9bc9e2a5c4ff546cadcd560deee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO
Filesize
839B

MD5
238cfe9c37413f63e74a07858f895e27

SHA1
cb5117b2ac878e72c83ea6074c90774bc631c311

SHA256
53cc590bf60a44d354ec35d0225d49ada4f96c19c3c1d84c172a898046e93bf7

SHA512
91d27f9cd0bc63e907d189610d1b58a4f280a121985b0dae5c8eff825048c3be873b541a65448afc754f7b2d3c5cd3451237d5943b21d03313dc4a83e8c2deaa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg
Filesize
7KB

MD5
84ea233279e787c58daafbe433cc6169

SHA1
d8d17e18a78a36fdf2cb3570dfa8fe3f75172d98

SHA256
3976175fab269f1927e48b8d9d490e44e4ba2ec5ee38c35438e723476e2fe4d3

SHA512
ba01cd4bd50da3348e9be3e5d9feed610a327c49065ed4b6eebc3d91bf6f7b0a4a92abd6c379ff0e1bedeca7098892f2f311646c5af1ebe78e9d3150d22e1bc6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF
Filesize
776B

MD5
d1cd049895df7c50ae234f2919cdcb0c

SHA1
a674bc001be86efa85e30f2ea3247501e07d5017

SHA256
7a9d281065e39d5123698c0828ce16f7d803ab5208439d32c0cf27e267ba4419

SHA512
d0f305e4ebc4db071928270bc198cfc9b4bb0470724e126def5dc29489d37aedd9146b8a6b4b3499ba9b2babe5bf4a50310adce3df710f24c59c1ac636ada795

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif
Filesize
844B

MD5
f29b2422e8d88cff7e5c0bf74275e028

SHA1
9d48126f63ee4fcfd5e16ba093b61e2d1dc8c618

SHA256
051140402463dbbf122daf532e5947c76414be7119a5993fc1ca535976208ca4

SHA512
3d660b64f7e73b2055576b1a2a450758db7576f93fb6a970c31dcd69222bba6b375e0dba26a7f320547e766852940a87fed4d4a7bb0424b494474d4480d5fe5f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF
Filesize
888B

MD5
d0f4097824a5768ccb37ff36a2561e68

SHA1
257b3baf375b549bf94c4811a7c6626e53f29ccc

SHA256
6c0a957ebe679d2c7f9119701ea739851664b4b5a3adc048f54f1f2554c8602b

SHA512
25e41f68e62fb2d3967fc0dd2481cec2494785808458cdbd02714205bc7c3ad630a609f14f3e63228aaa9da38a5d0c533334e712ddd073a6755a17a47665493f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF
Filesize
669B

MD5
9d32ec13eb57aa6f341a13ec4ab81f15

SHA1
929c0989188fa7affe7809e5c6ffc40397063a58

SHA256
995598f760a7c84a6217ae9e4b170bef4f244197ecb186fa2236669bc1337b69

SHA512
414bd6c9bb22c538e209d068317f848b4ab94159502cbfb5b73e5eb5e65c7e9c784ec7262438aa5b82fcf35cd09adecec624144f961d959b933bc01640800e09

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF
Filesize
961B

MD5
f124578b0c27d3c2ffc0cf45071c1e30

SHA1
343d0d6cd08460023ab85827c65171a237862bb0

SHA256
13dc3b6c761e6184b297b96805683d72343a94ce5af33ccc7156b2c88210deab

SHA512
2b918920614b941412756483ae29adbfd67e5196a6df5a5b0d4cd9fe137ba8558463b2cacb518d08c6fefab39d0a572c38e063c43940d6ee776ca81c5f170dff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF
Filesize
983B

MD5
932e37e632fda5d05d0c2f0775292e51

SHA1
a952fa9e8df6dc0c189adc81644a1dd6611479f9

SHA256
ae1c6bfbce43593346b8cd37225eab4140d20c733549a1794404a9b763762bb0

SHA512
9fe8326faae096d43f4298e5e45e4cfede7898aa47d4f3dbf90c2ae1720119e0dbc6d3bdfb769ce8e0c4b516163387ad5383bdf526334b78b4cb3192b567ab9d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF
Filesize
788B

MD5
253de2c1b85855a0b601cbeccb0de17e

SHA1
e989eeaf148391e2bad2e262af612644f91eab10

SHA256
c2dd75d1f303ec62f0864ec43aee04fc889334883dfe1e545a53ef2aa8264315

SHA512
475e4b94db6c72c4889f7e24dc4439b414856ae480058c01f5c5840d9c70acb034d1e32013ad1fe0854b779180ca678b43cc01b7228e0d338c25866f08f4eb53

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF
Filesize
2KB

MD5
314225c75929342c03211795c5027ee0

SHA1
8207f707b1334094eadfe857ad85a4e8c0762e05

SHA256
9a2f49261b02010e3a53038f8edfbf27fbf9e75ff2175f876ac8de0096096d57

SHA512
05ab61287248dd34ba73d847d516dec1aaab8fe79580a727c4780b9d04d27d720129d8dd7a7071f99cc976d3083b1af1b7083b4066e19772bca28635e3d2658e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF
Filesize
3KB

MD5
9995b85032c5e61980d7441730cc3496

SHA1
f40fbf62df059b498f92bb0ba04f0a384bde5b54

SHA256
f8198f947c2ca48e9449f03950c3605a0e0f071722551c9bf1f174027e11bc21

SHA512
99c6525ff47be78a4feb0e70ee4ccf884509a84bed1fce381bc2a30fa65ce05274e6ee5cde051e68b468e7a664e276561a46ae2addaa646b961d9dce9f0b8cee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF
Filesize
983B

MD5
3553b002484f8f1b93e8b76888618e58

SHA1
a407be938c161816c2993fedf0f452942dd021cf

SHA256
04478bda783bcb5d9412f5e6680b3d2b6239d29f63934f54c45ff439a50a3215

SHA512
88e0f946a16ff8437e75063969686d0d750da2f941f9eff2c69f1800abb952ab6445708dc821edc46607f8b434028ef8c91122f52f0fd213bb917bbe119cb7da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF
Filesize
785B

MD5
f90b9bbba4c6efced565675cb5b79f98

SHA1
174c9abd199d0b8b473b48219921ee9ab0c2a24f

SHA256
88caf2167c9f9f701d406d0dca809b7c0d4aa9d4bbad29553982ea5e31704b18

SHA512
da5c907bc285e55302ae6ffa6dca606af79dc130152d37c0c760d58f7daa1a802e82ca2fcc5d01e7cda82001b8afc1d58a289c9a3e86c7459e1a97a139022e75

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif
Filesize
754B

MD5
59f15c1f684fbeccaa5cefdd6af3837c

SHA1
418e916aba374f489bd4f8781bf442f1722c511f

SHA256
f017836ec188f4cb46a8ebccd2c7f6d88b9fc7b72a29b9aefad4490d9c479a8c

SHA512
cf5967d6428c801d1934aca18638a6be9de032cefb182640bc33142c747259310b8d3826e91b740c89db4d896e99f8121377b0ac33c175f2ad95ab311c6f1f42

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF
Filesize
885B

MD5
9d931d247a1caa7c830d6c8c078be967

SHA1
8ba2ad4b5ebf278ef0480146a14c81dde4e54565

SHA256
b773a80efffd761806101cf9d2b0c61cc9b661d772b62fbbcf2548ebd93645cf

SHA512
9ae1cd4d2e340be7fbfbc3eee9efb1bfbb997dfd477f85d9322ea2dad923e72ab97fbb8f6c1641271ceb258144a5e07399528b43fcfd139514c5f3142cf8db38

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF
Filesize
885B

MD5
05db54d5cb1ade1be3cf0890e02039d4

SHA1
a70398e70f232c343b2b857b2cf1f1243cb9c37b

SHA256
338feaf363231b9730a96db0c9b4d8e792c6ebe8dfcdb17a06d599dda696969f

SHA512
3e84fe7a2f4136fec66215ee76e295f617b6a9613bb309dd1f89c165e52129a3eba5e70560eda74cd0a55b5c9ba9cf7c26d8d73c4497b7c2afd6965a093707b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif
Filesize
7KB

MD5
3b3bdcb677e9eef059e46603d44ef10b

SHA1
67693e7248f75d59824485adfc4efe9f244b5646

SHA256
dd142b607f81d901840de998bb0447a9043bfe5bb97987bae21d33ef7142f2ff

SHA512
a85feef28b9a66ec44d81face0e55e0ab3b76cbab5c08b8ca0da079b0800819ad1c1c5228a518c840b0ed547374c9af1f6a67e99e9b857a5ab49484eee5dbcac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF
Filesize
949B

MD5
a38ded3bfb66674a021b568a1bc61dbc

SHA1
74303b8926d855f03d4b3b608c91177acea34c73

SHA256
1bed4612bff22b459ceafe7785ef6a3f586b04371c6f92d4965384f2345065a2

SHA512
f62d477980b481daf372a5ae45bb2a923341a6a264baf8d3f25d0bc50dd3c60e7d9663f54c144df3a0975426c71adb677f2260c0ae1517b3230edcc26d1b21d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF
Filesize
26KB

MD5
7677d4e10bd2b7f8c7169bcd535887fe

SHA1
0b0a26683ae73f01e3a805020259fcb8f822f4f9

SHA256
199624c59d289cd3673e17c464a68c4d788f6c9990273fa859bcfd3fcdaf3851

SHA512
41bb4802d65aa06d3a1ff7ec65fa82b804c0bf4c41254a46f389709975ad30a440cfdbe5f35e27b332d4ff135646e8b60ce1a2cc2b1cdd650122b4c051507d0b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif.ragnar_A0710810
Filesize
1KB

MD5
3b8e3c59c282ef4606cda6d0153f539b

SHA1
d402dc592edbc17ac2fcdc92b60a29056eac2987

SHA256
87f0b366985abb36460fe32d11b49f0178c653b75729f95c3df492a9fb2ad66e

SHA512
e32fa41924c98a494a9e3e583b653ff6bc170e7321a8073c9debe7895c86575328d73069148fba85638eb84cc39729b8d40917862f21e11d5faa9e6d813db288

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF
Filesize
1KB

MD5
c25df90afb4c015efbc3f4e181dea8ef

SHA1
e98adc7b4360d1e0f6347aa43d56ee42479efbd9

SHA256
dfc6b55b7989f2b516f66920f417f7e640ea4dda471bbddf970f9d87118b0a16

SHA512
d2b74d0e4a58aa06f2312584f89bfb1251a0e75e9d7ed54b7d07dbe206f3ba3f5b39f2ff43c7f79cbc373528465ef814dc99e489e05309f99147f865eb80eec2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO
Filesize
839B

MD5
d34b97fa17a95a90c208955807b57084

SHA1
b50949708a9d4557fbb86cd8b4598cfeaed0d70b

SHA256
386948834899b84ab61fae90827160becf348f6bcefa8c529371ac7e1b796dd8

SHA512
d7193a4729e3e323aeb64642b477f6e912b2b2f988a1641bd65c12b0ad196f13f2e342e2e269d7084e178ed505bfb80ad4c3de837ab61573554ca17f1cfa5b6b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg
Filesize
3KB

MD5
793ce01c07e84891205ca92e0b469fc9

SHA1
6cde4683112edd0fdddc4447c2d9623000d8a2ee

SHA256
5d880d111f2fc0ac88ea1cf80dc1f70858397a348fd78fee4f9d817adecd8345

SHA512
3ae8426fe1b33f9ad46f592a36fc3c7ff35134ba519bed1877c26f47aae95c89cb4bb795875088773285d248ce1960e4e84ab0cc4aadee4e9ca2b61a7be6f0f3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif
Filesize
3KB

MD5
f95e121af06765c5cb93bbaa11b6feaa

SHA1
d3143b8b6106d4f8d4acb5ca5fb745f3fe0ecff8

SHA256
73624e04659e3a17c20ed20b1b570d208a9cfeeda65b050b59ef12eab5f9a34d

SHA512
aa0a55a73f5eead10e8810099a3ebcd59b250d6918c1a0e460242f85875e36bc66d7fefb2a9898dfed6ef0e504416c76971cb89eb860077df034c09a6d245c99

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif
Filesize
20KB

MD5
4c467ecc75f9a89b8824873f41e87dbf

SHA1
aa5ffe0cf4aba2b00f96e9861732d8aec7973d88

SHA256
284c9c56485f8cd6743e02fcbd5ffccc8d2ec172bb0327ce4563c0c8bcb2be3e

SHA512
e77e517074a4ae382e5e58068ae26d8ac65eb5e8568ad09e4f8733e3181360eb0e34655a6e66ca6a7fc913fcaa6abbbcf06d794683b15e17a4061d659f5a0081

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif
Filesize
1KB

MD5
b44575a2e191f91c3e04b3cf778e7903

SHA1
7393bc066bad363aec0112e72d70bcc7af6367fc

SHA256
7ebf5cfb95a33eeb78a06176e1347d574dea0d52182f82eb16f83a2610d4e1fc

SHA512
bedc22c35f15e5c4ed74f7e8b9143bdd0bf93d04537f0229b8f449f8561d919ecd40ca1955f57835c521b02ee69c692a2427361b2ef441c5a2bd4c9e0ebc1f67

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif
Filesize
1KB

MD5
7bad47a4d9cc491dbaea6ecf84225a27

SHA1
8b2ffc202c4bb374a1c62d466ab730b41881956c

SHA256
225ec56f21ffdeae9575925e4f18d37012edf4e90449638f57aa37a5ffe51c1e

SHA512
15c0c0f855aea01df7329bc5e4c737178ea666a6b0c095eed309dbfe5ad95364584a9d0135f3384761c5f37d533b5a0bd3469d95a9f0a6b87ac9ae0e161681a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif
Filesize
1KB

MD5
554bf9d93f77986a1ced2c1714dbff14

SHA1
42f118b4c1aecf40483a4a3c32678f1802c5dff1

SHA256
e6b2499361e28f4e5cc491b1172959f75cece4c67015e8d295e045926fd1cede

SHA512
f48fd2aa7cd35dcd497bae051450b29768cd84cb590de6abfae566d38e2d3818016c814846208b3926822f2db7108b4e89973c6139926475eaa676fb2bff0b31

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF
Filesize
1KB

MD5
0b401ccad4dfe0f02c24aaece6e30d5e

SHA1
42910337a270cce7f8b1f54a7d38e188e1e18fbe

SHA256
cc5e4cee9ff08229e901a441255a756c39e98182914f97759099b1f1cbaf9f0e

SHA512
0cedc7192988143279feb19debb2cac708b13b3d65b8dc6d3e488abe6df5bc48645649d7f2a4c982efef3359dcc16769d08dcc502b0bac82f5600cd3ea56106a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF
Filesize
1KB

MD5
c491e0e7d63716375c7f5e78f15b9eda

SHA1
a3af9383d6ae5ee59d366dc601ae0ffacee16ae0

SHA256
95960280977d61ed9423c00150f4ad9365b9d4282fe2d237579872f50a420be3

SHA512
80252ae22c7192add1f9430fcdbe2ffadf3f86254ecf6ed1ff3b08fe450e8627b87d40d659d2a3a0b8bce86c2b609b8259d2959432936d39f0887a0cfb72377f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF
Filesize
1KB

MD5
34b30b5b57755acb5e9173cd57b6374f

SHA1
1ee6bd5d4f61820e1d194ae828aa485a52a53e7d

SHA256
09ff28157951b6bb472b6c3d1169678bc62ac8180dcd4f6ba7a1a6d265c8fd8e

SHA512
8ada95c3a7e9ade3b6b30dfdc23739682ea28a96606375b8f94adf2985828760cce6799ab911711a9766520ee6a4146bcd5ffc0b437cf52ddfad1885ed9993a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF
Filesize
1KB

MD5
c24c8d75c30d60226a1307bec923037e

SHA1
9c789f896769aa5b3ac334a5dffece6d68d24a03

SHA256
c855a1dba4ea3adef8b536e0aafce53430348499e09e7100ec2a5e1f2c8c1b45

SHA512
146eb983dbb89731c64046825793f8df4912fe0f0fe8f35df79e670bc71cef90970690220c37a5ff8a45e905a6708f383103db4c4b376b5d0f314b9647eb0c67

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg
Filesize
5KB

MD5
564e6a92bf308d5685423966fe187538

SHA1
dcf6c1229e4af100978c34e81f16442db6b4f2f8

SHA256
d74c452fefb197caceed240b5a89fbf87f959e211a2bf2f855f055baf504f7e9

SHA512
c7fd80b64d566d5735dde3ff1e52a432ff6b8d19d8bf77cfc23000657b5cfc099df771c11efcbbba018e9c4d3db09c43879ea97cfe10853c926316a8f1390cf1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp
Filesize
2KB

MD5
9daede004f6e7a18f4c7dc42a57dc1ef

SHA1
94ac6167260d98655fa2c55558ca0f44f12c3f4e

SHA256
84095b377a6d5f56c7a93723a7849208f8c3ee25d3d08546aa83e13f44d88d1b

SHA512
575ac57c935ef0b2d3414fad66cb5297d1bb82a3533b60cfef45c1d8ba1b22f6c98fa2b08a05cd763d05fd4ea55d5ecfe335799e0a782ec2db1a1fd3b4dde311

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF
Filesize
1KB

MD5
0b2507fc784d1e82bfd6231c01de7435

SHA1
709f4425dc2b896adced37ed64e900699fabb001

SHA256
d1384874108cc306c339c9a65c01f1fb5c3ee43965b2e9ce3b53aaea5fb40f6f

SHA512
ee6776917d69dd88750d9f9d7c25b4822763d9dda0faed94b7dac572cc3754ed09623c9f8c5820a5186b20b53a4dbafe4494e6f0f2ec2888b3c3a66686b8a283

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif
Filesize
1KB

MD5
4f563de2fb52d24081ccbfcc9d040981

SHA1
69425977360b53cbf12ad57ffb7c0ff4304dee6f

SHA256
f701495206d243890dcc613049cfb8ef92ec2c0830b6651f5af5813e90b62cc6

SHA512
74a30e009a5868519e133acff3be3b4924141b77f0890cb19a8da8469c9cdb12208a4d16d4761fc46dcbe082fc181168d4b0b340e3b91c1950d18748c6019d65

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif
Filesize
1KB

MD5
a01fce62fd5ac32dbc5809c62e641197

SHA1
8a69b77ad42530dd8d4a2aef1ef8e8d15b64bc5d

SHA256
990017aecba410503129bc72671491fb9f88d68f950550e5d16bfd753fdee453

SHA512
31fe029d312b4d4bdfc2a11226c83fde02542d65410764ef0136b1bceb4c0764fae4cce6975711c06fabe0976a3519b5c6ca8753997a3082a15cb2acc87a9cde

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif
Filesize
1KB

MD5
0b9ab4756d57430f8854d756664b9f71

SHA1
85e1779108fe119dd5f112a06a6122673d464f43

SHA256
708bc52693651b8dd67645c7d462408715bc503bdcc49482539fdb737500d2e8

SHA512
3bd1212564eb9bffd245dc55db58b26c1dffc84ebb0b7d2a1a715b607da844eccf419dcf9746bca1eb6514e8046cdddb31e55555afde3d57d4b7f56730f1ec83

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif
Filesize
1KB

MD5
0888ec0a2250db139fae0f34df424b43

SHA1
76520d228cb7281320ff17ef134d49061700cd77

SHA256
b94c178b9df2eb374e68a1152c7bf2bab260d5454a8970d693afb94dc5b63e7b

SHA512
40ce94a5f976bff027280e3953a2ad8d0db010b55df73fb1dc91d43069c66569c8b5675cd3f81bf0e0e2c7163bbe03b586078d65b1bb1b7b419b647ec2047155

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif
Filesize
1KB

MD5
5ee09e1e0e83ba118329664de2fc8b84

SHA1
eb5dc39a87a0c8befd4b29b4f77f9057c0827d02

SHA256
b79c8290116c23830e677859d16400a9c6690f53322a16d0a3ca6a513c213eac

SHA512
dc5fa46c28baec30e81ffd4732e79a7c0cbd38f6cea68f5e9a18968d0a28d1fec0514ee4dab1c1cec536be1a3397ccb07cdfc4cbca9e1affbefd4bc78d99e30e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif
Filesize
1KB

MD5
f2a608f07fbac70a24e3aeae538b4384

SHA1
a0126dac22a62e8f0585b3afa9c81caa9e3cbf5c

SHA256
7eaff211c3d6be31bcca0b3d075822e300d5d24294adc202b222b53eeee09764

SHA512
5e1782045f0aaf339be87ab24e78c4a54b26eacf97f665cf0c8ee68511a37ad25c8ae7121fd840d5eabddc76135193ba362c31d1066029ad112e6fac4d1a02f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif
Filesize
1KB

MD5
641cb2dd2f7b45ad55c10afa55af960d

SHA1
895847dbde2dc5debc96d56401eb8b2a95c3b504

SHA256
cde3250f44f5d3b54bcc5c286dfaf763714a51aeeffc0f0c35e0b69af8e8efaa

SHA512
12c353815900221fafc0d882d577166b198ec51e8a62da00bc0f91462832587d9587a1e98f62d55d27d917695d564110ad942a727ccb4ff1a38b5f9bd0adf864

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif
Filesize
1KB

MD5
bd973645446d96fc1e077ff125258ebc

SHA1
2e65d48af30d5042ed7873b5683e31963f23d1b5

SHA256
c91336d0e54cb308d7d91934b540bee46d570361cdf80cedcb851e2bb8bd8a81

SHA512
ac8145be49b42a3ce81611a14fad906f4c357aed6e9f5d3e8692a9d1b62758d9a18afcd674c39925d05239811dc9038c034e9895cb4fd1e27e0857e88528b5cc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml
Filesize
247KB

MD5
aa07e9e619f80fa54b60c02b9f119cd6

SHA1
26ba57c14786bd5e2f3d1567bab04e7c3c21f6c8

SHA256
9911f32cb710240858983b1884fe7642a53f1de92da1907ada9347f39da9d0c2

SHA512
27c98ca899d16418183dee4c3c345862ff47596093d67509f0173eceff9b0c298d4c79590a769aec3d49ed6dcc0fd5188adc139a0bd9614afa5208f59147bd43

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML
Filesize
1KB

MD5
2e8392a73b4cc85f65592faad27a5918

SHA1
b4235fc4c2df8fac49605491f342da95269841af

SHA256
7fd40bc4b7966c24b49d4a151973b441c92e382bbbb54b2989c463a5f82bb89a

SHA512
86fb710edacaa8a6ec5453111c3a628f4ce0e9905875f552890a824eab3d7c71e83c184d8cddf78eb12c4977ad15ea697441bf68fdbd255cebaad8a6ec0fba0c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML
Filesize
1KB

MD5
7b797c6fc3306a0e14a5ecf293dc0f24

SHA1
513a434658a37b9370e0b7922df68bfc5484909a

SHA256
c8ae29c945a6eea4b6ac5ac20b197305fdfd5edf009e22bcb63f476b504a2587

SHA512
6a1a8c08a14e039fdf26ae453d4a69b5673a446d2f68b69cb7a6b6f1c69a1f1f419e017be98b5dfadfe728d7871c628bde7f03ba1bddad273193f8162773204d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl
Filesize
6KB

MD5
a3a6b8d5c120b8a406e4739b52945455

SHA1
0a37b3fec73998cca26096cf8bcffca9671e0808

SHA256
a56d36f7290da59145066bbaf2d5db407b752059bba27972adf77b85f58fa192

SHA512
9ce55c041032d95d9f03534da036ef28d3d7545be0cc8ccc5bc66eca5015df1b5653421169f24391fadeca43037da83c4b227222b225fbc02b6bd5316086b6f0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
Filesize
674B

MD5
a226bd9fb7203f0ee78c0121d7aa1287

SHA1
7235039a534f760b4331b69f605f6a6fcb6885eb

SHA256
0290e97198f9f9c8d34765b26b16ea741b7e7f3ca4dea7f81642df356949ded9

SHA512
a69e2b403db6eb935dece2e55f6c7c8fbeef7259fd77e4db1c2802c19d682d0319255f6b52f07dd542bbcf6d92bbb2faa9de7707332107c78a6bf20a579ce537

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST
Filesize
548B

MD5
8427da6520feb07583121b86f6a5c139

SHA1
3a0be486a2ec757c39f24ce664bfaff4c47e152c

SHA256
77b46bc644d0d842fe8d21ac3dd35cdbe9fb8f5eb9cfc5128a02c9a9b62584f9

SHA512
a62dfe03355ae42bf7e4eff8160f8c73911d147d93a60a4893f15ddb7aba0d2a1691ebfe38ec8be64b7e658b225f84ef6159829f127526bfc5bf7d74b94b6512

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC
Filesize
548B

MD5
e61d6232a0f4ef16ded030104ab81799

SHA1
40aeeb151e971393f1ee8c82a938b09cdb34800b

SHA256
18a4718d3d475c2ceacfafe21553e90f4ec926e36f76e34373e49bbf58f4849f

SHA512
4e98b0b6d53cb7667037b8fdc44fa1ecea1e4ac96e5ecdf17612311dff4429d27c213e53fcdd640b605e8c71b082ae14e0e6f4d88e810beb9c5db22d8b676dfd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST
Filesize
548B

MD5
a537af57b73b732665c2995f88312af8

SHA1
22ef619eb6de36f91ed93ee522512d0b282cccfb

SHA256
3c6f44c4a5964861749af5eb241948dfb2b9574de06dd62ed0fde9ca85654200

SHA512
b082536c4672323fd376ad4ec412ef834fc92544bc95ded1a328dc7fa4a68abcb05df0d32506d09b30e143f367362890e0acf810c3531f53bfab1771f84ff767

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST
Filesize
548B

MD5
c5fa826b9ef3fc30cfdee32e09b8480c

SHA1
92819d58360dbf9a5202f5927cf5ef6723621e51

SHA256
4067759f314df51ea794ffd089deac46abeb5cc1df0ddb10a31fa0bea48809b8

SHA512
024296d147840009c2c0de1e13b916fd09f73a2bbea1e079d2068d60517635cc2c039f4f58b2c0ee3021e8b9e62cce2f8e3004a2ab98cb1b35a7255a20844d6d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
12KB

MD5
2960ef3727ae1a26eb14ba208735ef5a

SHA1
f80098a97bd0f64fce7f469b0e88130146ff9b23

SHA256
679d04f1c0c1663af4557ea7da85f67dbb94b94ee879d69bc6a069d370046c6c

SHA512
2730bfad89f7f6a978a8d24483babc747652801cd8c9f772c104f6524f5a962ec3a783fc26c5947ef1caf3636275024dfac907f0d63684acd6c4fd05e8d50ade

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
9KB

MD5
f87ee363426e286943501f70abaeeddd

SHA1
b4cfec304fac40fcb77e14ffca4ab670f6821318

SHA256
a821d89c3155b3548d0c27b2fe5e97df004aca62d0d8f1c1fc49b2f5ef30af72

SHA512
e52ddc849145c742d25281eff028f46c2437f5f5b7488238e80827da4f982421517c9b62d3c092b74d3b4a8efba09377065c7f28a0fe4cda37b68b51704b8b37

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf
Filesize
578B

MD5
84462d32444ad50b146da39a6140412a

SHA1
7fdfc8ff1f0fe260f8f21ebb34f455471294bccd

SHA256
5b9ae6126a7bbd8e32541c07d3c0eb1f7d60f7f39362dbf0705143627b8748bb

SHA512
1053eb3b52bdf932df83b7d41e621f77d6cd5a59eb12d1fc9b514d93baeca68fa35d0213e2d6e4268adb1e860d86aa3a9b26952dc1acb1745d79d82c12a1961e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt
Filesize
11KB

MD5
349339ac6936f8d862b82b160b21c7ca

SHA1
8a37f2338564f4bcbdf99114623db71b58d83f4e

SHA256
37ae90173ef43bbe962a86d5c4fce8d4249f21c02daa93d7f49eebe82ff5ed2e

SHA512
00c1c5708384077750017e0d648c4f0ecaab44448c1542bf68c8cff0d7a6de1b1f1e744ec8422a01f5d55ad06e7203b8fe1e05082b946704639bcdc42ec3d109

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA
Filesize
8KB

MD5
c4bccaa20ff80bc11b73201e6e16dd17

SHA1
1382ef4c4b040715f44efb87ddabab07f17bc291

SHA256
93f2bbf3f3cf2a131448f6f5e83c02d2ed72b652ef746d414f8537a854206ab9

SHA512
950f2f2c53a52058cd2d82bfeaf75dbcc621aab213ed77cce6b70f88cb4083c6acee98cda321e19c5a76bbe876075a41a3c3099e01f08cd4e2c51f69c6d6a1ea

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA
Filesize
8KB

MD5
c5538eca63f8399804dc1f833a6d19e0

SHA1
caf0b39793d7f606e21f6dfbc4f2be6468223b13

SHA256
3d266b911fc8c7dcba891e3e71b4aad2b38cd8681cb02266addccfdc2215bb3e

SHA512
b597ed0f01fa6ad0af5c855342e3d763eee7c48fb13f833d455b6d4691f2fb9390e59a7a4f9056c0dba1f940a5af30caccc6c2ac768505564c72207bba708b6b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.ragnar_A0710810
Filesize
654B

MD5
946abef3e83c3c38784bfd1617409ca6

SHA1
deed96424c499ea5f90f4515355c045c2081593f

SHA256
70b10b724ae39c58e1c29442889f8b6ef845f9a3e8cb4170c4d4366fa2ac5da9

SHA512
7e5e7d038aba6192de096bde8de34b89931b116e790b7736a7a4d97dc0d511886a7a2340ee9192394f7366c0d56e40df25908d4e63115a310904b7b6b677a159

Download Submit
C:\Program Files\Java\jre7\COPYRIGHT
Filesize
3KB

MD5
244d058acb0c24e7a947207baa2e06c4

SHA1
e4ed00806d43ffb195695364b0d6008c06345b05

SHA256
c007a13172aeba75ead6789b4b6b0feecbed155a6ce442476e66c7d39ebe272a

SHA512
cb6f2e87a9ba55a254ec097ebec0552875bda5723006c0f1fbaf6c3ee61e33ee9556f90f3152c7d4bc18bb18e7b4a2caca5602c5f50167135b451d9188399b03

Download Submit
C:\Program Files\Java\jre7\LICENSE
Filesize
562B

MD5
7b52f6d9acdab513a02cfa9c0459b4a3

SHA1
868f061ae66b3101cba8fd273346b98cb31fdd1b

SHA256
90ba72ec9858cac64bf6067561371d568802f7ded8a71406817bca40512ef5b3

SHA512
bdd9f10c3d2f831b933052a4bcea0bf4ecbe55d9afdf652ad7f60c4b06591d75fdb8a765ef19087ccac393a0451ab0bec8391750806557e1f70e3dd5031c6392

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
Filesize
109KB

MD5
8b34a99c2d2dc80b245f052faa373f91

SHA1
ea2936ed07dd38deb4aed2cae32f3d153d81bd73

SHA256
f566ad6e023977beae8e66ef3fa00be26153eea2378ff8b3915e43a157984591

SHA512
5e8aa1b0e49cd5d8ffa6973ec3d724168e01bd5c1bbd53ce8dbc8ac5ce73ba6b162b71279cc44df97525aa5aca7d1773da6b515a502a0141312f4f6f21122446

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
Filesize
173KB

MD5
f55cf7e4322d7aff89a6ebf5c1d1319d

SHA1
7183d27dc7b2896139046ee7b7a51b979676198d

SHA256
98642608fb14dea7a92e6df411a718eb56fb660f7051180a3fea975e18382e18

SHA512
490458dbb37411adef09339fcd86defee29fd7228f94aa386304d3f506b4448f1aa9d68acc32394366333951e64f849324e812cc4d9b452dea67c56bab6e6c33

Download Submit
C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties
Filesize
4KB

MD5
502942af8af3cf911956aed6a12ae63c

SHA1
ce2cf42efe9276d0796c7f20258eb59c5114e7b8

SHA256
faa7c63a99c51fa34687e70a8985f03bf970b1663b27e58c71cb8b80710755e8

SHA512
cb86eb08be8090db34a65b9e8dd22ba715d4e775cdb683a2dd1112dc420b1b07e99764a277aba0cefeb805e7fa76ea33e028c847cd01f5982a22b04e8c1f5b23

Download Submit
C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia
Filesize
548B

MD5
8f6efa8357842c262abce274771a342f

SHA1
3152fb5da4e36b58502ac0a10eb994dae662414f

SHA256
4c31c6d90608e2f04fa42451f16e8370d698b816f4f9ccb5724a0db9a31aeac7

SHA512
4444d2703066b42d7b1a8e7387b370364ce1a1aae17917dcaa9a44f79f8d48a162070e9937cc36eedfc3b5fc4421c6512ca43866ab2546a670c0c8a8e7e7663e

Download Submit
C:\Program Files\Java\jre7\lib\zi\CET
Filesize
1KB

MD5
523e192a63a8d0d45f2013b6842367e7

SHA1
96df3bedb6847adedfc56f6fc813ead5b1931c08

SHA256
98d0f76baf29c4156062b213bb4a0261a9c00a2a6edb303beff7102e61d965b4

SHA512
e2d1d77a734d7d8e0e9802433748fe497b474669a06152a704ffe02f9c1f3f1e525abb1a045038569389bc88894977b5947655e62f7a489c9e83ef70a7fabc00

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4
Filesize
548B

MD5
4440647133b7b2c26469817a63df54a9

SHA1
3ef79caa12f66587f36a76c934ee0c0b7a741e90

SHA256
c2435cc818beb065aef45e1f774d2ae52a5703aeeab2962808c56d68ee545e6c

SHA512
e63b1f7c4c01268996f739ca9cba0edf15605121cf8d23ee94a962c45b1e911827fe23f1218f99d12cd3930ab0bb6b54963f9c39dd59b757fa279af446401aeb

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6
Filesize
548B

MD5
031241c3b8953bb265ace4b3119c47d2

SHA1
84a2ec0689942ba9a7f2ef6837b8a2e3346ca96b

SHA256
6175e1d1ae8ec8c9d1abba15a4168bba351a2f1e7df9a520c131e7a0a4347639

SHA512
7aa2fcb9a74090418726dba7164e95a9002b0d8a12a11359b6eb9d961e72824c5075e27c3bb96bd21bd7857adb5e9e99da7248f6e486a1a91d697308febe9ba1

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8
Filesize
548B

MD5
5dd9acd73728f8d0bc0f0dec4512aa23

SHA1
48ce521d73bacb1f52a822e3d305d393741d6bad

SHA256
b88e0d0dcf559356decb8bb97d015ef920a9f5474fc777db078e9ca04224ee93

SHA512
260b6412464b4f54d0e272c963cb7a3629fc13522db1d88915cc76c93066229e299b47ae67a9d355510b4e02633caab252f04badfb6860ed3051a7ea52281e85

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9
Filesize
548B

MD5
d438f96cae844bad46db2ac31c55728e

SHA1
80dc627b872192620a2cf88d85fd527aeffcf6e0

SHA256
b767e38ba96c537f082c4a1af123d3af3d70f69e52d1be4343df1375c2e7bc18

SHA512
5239d05784b183db91297dfece6b4b291b75faf96203ca5846e6fc470187a96b838e84b437ddfb7109e5aa40d81d67b53d1c3bff8733581a37d82e72c7f4ca4f

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10
Filesize
548B

MD5
c6a2fc0f2132902e13fdc60b2521ef14

SHA1
0b599c9790ed369ade90cced1cd494f460c104bf

SHA256
380ec7283dd0d8f22f6dc1a53dd2054baef57f3ab5e4b07f6fff610ea6ef43e7

SHA512
b164a96eaf33972ab17158e7aacd9fd203ac73896c19ec0060c347a3a335a97e57538232137b11360a60e810bed190405cc9e031fc8fb353459d099726bfe8c0

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7
Filesize
548B

MD5
3d5e710a232589802005e91c77ed6bea

SHA1
73c2971b81e91e6030069f96bfad2cee478716e9

SHA256
da069b6f74dcc5102f31c93983bd56b618f25b0f7210571b9630a26b05fb4d69

SHA512
b6ca0b5459cd3f30f67030514bdb7d9d3e744f7bcf8db884ed3d2f20cf249e2fa4e43440e9d1c9642a9632d27037f76d7ab2d31e5e38335e9c6924473f4bcbf6

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo
Filesize
584KB

MD5
3e303dda9d55bae74100a16bf95c71ab

SHA1
28bff84ac560a242383a8660a5ff9082b2d5e1e7

SHA256
2aa829441d740ff93a81089db8e11dade56fd17fb9ab2aa55ae2663939c1626a

SHA512
7074282701c7b97d644265585ffffce16056d02fc2806cb0f26e4dcca4a95606f2262dcb9df814a1d30fd4dca58be8a70fb6feb0cb097ebcbb2910e963555d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms
Filesize
28KB

MD5
13b8acc4d24b69e795553989384668ab

SHA1
19869e2eb35a605ec13e80b21ad2eb62351d789d

SHA256
3df5be0edd70f39b3748d74a44a60a91f2e07cbb9e20f5335bbea5eb626a53f4

SHA512
b1ac04ad37545c7a87cc76f1ae2094040fc97160c96c5e405fd99a19cfc3d8a3d3c9f155b7fb448e201ee7674a205b2575b19b973c640d86a06a0d8435144f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
37KB

MD5
8ec649431556fe44554f17d09ad20dd6

SHA1
b058fbcd4166a90dc0d0333010cca666883dbfb1

SHA256
d1faee8dabc281e66514f9ceb757ba39a6747c83a1cf137f4b284a9b324f3dc4

SHA512
78f0d0f87b4e217f12a0d66c4dfa7ad7cf4991d46fdddfaeae47474a10ce15506d79a2145a3432a149386083c067432f42f441c88922731d30cd7ebfe8748460

Download Submit
C:\Users\Admin\AppData\Local\Temp\10.exe
Filesize
37KB

MD5
d6f9ccfaad9a2fb0089b43509b82786b

SHA1
3b4539ea537150e088811a22e0e186d06c5a743d

SHA256
9af50adf3be17dc18ab4efafcf6c6fb6110336be4ea362a7b56b117e3fb54c73

SHA512
8af1d5f67dad016e245bdda43cc53a5b7746372f90750cfcca0d31d634f2b706b632413c815334c0acfded4dd77862d368d4a69fe60c8c332bc54cece7a4c3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe
Filesize
37KB

MD5
6c734f672db60259149add7cc51d2ef0

SHA1
2e50c8c44b336677812b518c93faab76c572669b

SHA256
24945bb9c3dcd8a9b5290e073b70534da9c22d5cd7fda455e5816483a27d9a7d

SHA512
1b4f5b4d4549ed37e504e62fbcb788226cfb24db4bfb931bc52c12d2bb8ba24b19c46f2ced297ef7c054344ef50b997357e2156f206e4d5b91fdbf8878649330

Download Submit
C:\Users\Admin\AppData\Local\Temp\12.exe
Filesize
37KB

MD5
7ac9f8d002a8e0d840c376f6df687c65

SHA1
a364c6827fe70bb819b8c1332de40bcfa2fa376b

SHA256
66123f7c09e970be594abe74073f7708d42a54b1644722a30887b904d823e232

SHA512
0dd36611821d8e9ad53deb5ff4ee16944301c3b6bb5474f6f7683086cde46d5041974ec9b1d3fb9a6c82d9940a5b8aec75d51162999e7096154ad519876051fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\13.exe
Filesize
37KB

MD5
c76ee61d62a3e5698ffccb8ff0fda04c

SHA1
371b35900d1c9bfaff75bbe782280b251da92d0e

SHA256
fbf7d12dd702540cbaeeecf7bddf64158432ef4011bace2a84f5b5112aefe740

SHA512
a76fee1eb0d3585fa16d9618b8e76b8e144787448a2b8ff5fbd72a816cbd89b26d64db590a2a475805b14a9484fc00dbc3642d0014954ec7850795dcf2aa1ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\14.exe
Filesize
37KB

MD5
e6c863379822593726ad5e4ade69862a

SHA1
4fe1522c827f8509b0cd7b16b4d8dfb09eee9572

SHA256
ae43886fee752fb4a20bb66793cdd40d6f8b26b2bf8f5fbd4371e553ef6d6433

SHA512
31d1ae492e78ed3746e907c72296346920f5f19783254a1d2cb8c1e3bff766de0d3db4b7b710ed72991d0f98d9f0271caefc7a90e8ec0fe406107e3415f0107e

Download Submit
C:\Users\Admin\AppData\Local\Temp\15.exe
Filesize
37KB

MD5
c936e231c240fbf47e013423471d0b27

SHA1
36fabff4b2b4dfe7e092727e953795416b4cd98f

SHA256
629bf48c1295616cbbb7f9f406324e0d4fcd79310f16d487dd4c849e408a4202

SHA512
065793554be2c86c03351adc5a1027202b8c6faf8e460f61cc5e87bcd2fe776ee0c086877e75ad677835929711bea182c03e20e872389dfb7d641e17a1f89570

Download Submit
C:\Users\Admin\AppData\Local\Temp\16.exe
Filesize
37KB

MD5
0ab873a131ea28633cb7656fb2d5f964

SHA1
e0494f57aa8193b98e514f2bc5e9dc80b9b5eff0

SHA256
a83e219dd110898dfe516f44fb51106b0ae0aca9cc19181a950cd2688bbeeed2

SHA512
4859758f04fe662d58dc32c9d290b1fa95f66e58aef7e27bc4b6609cc9b511aa688f6922dbf9d609bf9854b619e1645b974e366c75431c3737c3feed60426994

Download Submit
C:\Users\Admin\AppData\Local\Temp\17.exe
Filesize
37KB

MD5
c252459c93b6240bb2b115a652426d80

SHA1
d0dffc518bbd20ce56b68513b6eae9b14435ed27

SHA256
b31ea30a8d68c68608554a7cb610f4af28f8c48730945e3e352b84eddef39402

SHA512
0dcfcddd9f77c7d1314f56db213bd40f47a03f6df1cf9b6f3fb8ac4ff6234ca321d5e7229cf9c7cb6be62e5aa5f3aa3f2f85a1a62267db36c6eab9e154165997

Download Submit
C:\Users\Admin\AppData\Local\Temp\18.exe
Filesize
37KB

MD5
d32bf2f67849ffb91b4c03f1fa06d205

SHA1
31af5fdb852089cde1a95a156bb981d359b5cd58

SHA256
1123f4aea34d40911ad174f7dda51717511d4fa2ce00d2ca7f7f8e3051c1a968

SHA512
1e08549dfcbcfbe2b9c98cd2b18e4ee35682e6323d6334dc2a075abb73083c30229ccd720d240bcda197709f0b90a0109fa60af9f14765da5f457a8c5fce670a

Download Submit
C:\Users\Admin\AppData\Local\Temp\19.exe
Filesize
37KB

MD5
4c1e3672aafbfd61dc7a8129dc8b36b5

SHA1
15af5797e541c7e609ddf3aba1aaf33717e61464

SHA256
6dac4351c20e77b7a2095ece90416792b7e89578f509b15768c9775cf4fd9e81

SHA512
eab1eabca0c270c78b8f80989df8b9503bdff4b6368a74ad247c67f9c2f74fa0376761e40f86d28c99b1175db64c4c0d609bedfd0d60204d71cd411c71de7c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
37KB

MD5
012a1710767af3ee07f61bfdcd47ca08

SHA1
7895a89ccae55a20322c04a0121a9ae612de24f4

SHA256
12d159181d496492a057629a49fb90f3d8be194a34872d8d039d53fb44ea4c3c

SHA512
e023cac97cba4426609aeaa37191b426ff1d5856638146feab837e59e3343434a2bb8890b538fdf9391e492cbefcf4afde8e29620710d6bd06b8c1ad226b5ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\20.exe
Filesize
37KB

MD5
f18f47c259d94dcf15f3f53fc1e4473a

SHA1
e4602677b694a5dd36c69b2f434bedb2a9e3206c

SHA256
34546f0ecf4cd9805c0b023142f309cbb95cfcc080ed27ff43fb6483165218c1

SHA512
181a5aa4eed47f21268e73d0f9d544e1ceb9717d3abf79b6086584ba7bdb7387052d7958c25ebe687bfdcd0b6cca9d8cf12630234676394f997b80c745edaa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\21.exe
Filesize
37KB

MD5
a8e9ea9debdbdf5d9cf6a0a0964c727b

SHA1
aee004b0b6534e84383e847e4dd44a4ee6843751

SHA256
b388a205f12a6301a358449471381761555edf1bf208c91ab02461822190cbcf

SHA512
7037ffe416710c69a01ffd93772044cfb354fbf5b8fd7c5f24a3eabb4d9ddb91f4a9c386af4c2be74c7ffdbb0c93a32ff3752b6ab413261833b0ece7b7b1cb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe
Filesize
37KB

MD5
296bcd1669b77f8e70f9e13299de957e

SHA1
8458af00c5e9341ad8c7f2d0e914e8b924981e7e

SHA256
6f05cae614ca0e4751b2aaceea95716fd37a6bf3fae81ff1c565313b30b1aba2

SHA512
4e58a0f063407aed64c1cb59e4f46c20ff5b9391a02ceff9561456fef1252c1cdd0055417a57d6e946ec7b5821963c1e96eaf1dd750a95ca9136764443df93d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\23.exe
Filesize
37KB

MD5
7e87c49d0b787d073bf9d687b5ec5c6f

SHA1
6606359f4d88213f36c35b3ec9a05df2e2e82b4e

SHA256
d811283c4e4c76cb1ce3f23528e542cff4747af033318f42b9f2deb23180c4af

SHA512
926d676186ec0b58b852ee0b41f171729b908a5be9ce5a791199d6d41f01569bcdc1fddd067f41bddf5cdde72b8291c4b4f65983ba318088a4d2d5d5f5cd53af

Download Submit
C:\Users\Admin\AppData\Local\Temp\24.exe
Filesize
37KB

MD5
042dfd075ab75654c3cf54fb2d422641

SHA1
d7f6ac6dc57e0ec7193beb74639fe92d8cd1ecb9

SHA256
b91fb228051f1720427709ff849048bfd01388d98335e4766cd1c4808edc5136

SHA512
fada24d6b3992f39119fe8e51b8da1f6a6ca42148a0c21e61255643e976fde52076093403ccbc4c7cd2f62ccb3cdedd9860f2ac253bb5082fb9fe8f31d88200d

Download Submit
C:\Users\Admin\AppData\Local\Temp\25.exe
Filesize
37KB

MD5
476d959b461d1098259293cfa99406df

SHA1
ad5091a232b53057968f059d18b7cfe22ce24aab

SHA256
47f2a0b4b54b053563ba60d206f1e5bd839ab60737f535c9b5c01d64af119f90

SHA512
9c5284895072d032114429482ccc9b62b073447de35de2d391f6acad53e3d133810b940efb1ed17d8bd54d24fce0af6446be850c86766406e996019fcc3a4e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
Filesize
37KB

MD5
a83dde1e2ace236b202a306d9270c156

SHA1
a57fb5ce8d2fe6bf7bbb134c3fb7541920f6624f

SHA256
20ab2e99b18b5c2aedc92d5fd2df3857ee6a1f643df04203ac6a6ded7073d5e8

SHA512
f733fdad3459d290ef39a3b907083c51b71060367b778485d265123ab9ce00e3170d2246a4a2f0360434d26376292803ccd44b0a5d61c45f2efaa28d5d0994df

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe
Filesize
37KB

MD5
c24de797dd930dea6b66cfc9e9bb10ce

SHA1
37c8c251e2551fd52d9f24b44386cfa0db49185a

SHA256
db99f9a2d6b25dd83e0d00d657eb326f11cc8055266e4e91c3aec119eaf8af01

SHA512
0e29b6ce2bdc14bf8fb6f8324ff3e39b143ce0f3fa05d65231b4c07e241814fb335ede061b525fe25486329d335adc06f71b804dbf4bf43e17db0b7cd620a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe
Filesize
37KB

MD5
84c958e242afd53e8c9dae148a969563

SHA1
e876df73f435cdfc4015905bed7699c1a1b1a38d

SHA256
079d320d3c32227ba4b9acddf60bfcdf660374cb7e55dba5ccf7beeaedd2cdef

SHA512
9e6cb07909d0d77ebb5b52164b1fa40ede30f820c9773ea3a1e62fb92513d05356dfef0e7ef49bf2ad177d3141720dc1c5edceb616cef77baec9acdd4bbc5bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe
Filesize
37KB

MD5
27422233e558f5f11ee07103ed9b72e3

SHA1
feb7232d1b317b925e6f74748dd67574bc74cd4d

SHA256
1fa6a4dc1e7d64c574cb54ae8fd71102f8c6c41f2bd9a93739d13ff6b77d41ac

SHA512
2d3f424a24e720f83533ace28270b59a254f08d4193df485d1b7d3b9e6ae53db39ef43d5fc7de599355469ad934d8bcb30f68d1aaa376df11b9e3dec848a5589

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe
Filesize
37KB

MD5
c84f50869b8ee58ca3f1e3b531c4415d

SHA1
d04c660864bc2556c4a59778736b140c193a6ab2

SHA256
fa54653d9b43eb40539044faf2bdcac010fed82b223351f6dfe7b061287b07d3

SHA512
bb8c98e2dadb884912ea53e97a2ea32ac212e5271f571d7aa0da601368feabee87e1be17d1a1b7738c56167f01b1788f3636aac1f7436c5b135fa9d31b229e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe
Filesize
37KB

MD5
7cfe29b01fae3c9eadab91bcd2dc9868

SHA1
d83496267dc0f29ce33422ef1bf3040f5fc7f957

SHA256
2c3bfb9cc6c71387ba5c4c03e04af7f64bf568bdbe4331e9f094b73b06bddcff

SHA512
f6111d6f8b609c1fc3b066075641dace8c34efb011176b5c79a6470cc6941a9727df4ceb2b96d1309f841432fa745348fc2fdaf587422eebd484d278efe3aeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe
Filesize
37KB

MD5
28c50ddf0d8457605d55a27d81938636

SHA1
59c4081e8408a25726c5b2e659ff9d2333dcc693

SHA256
ebda356629ac21d9a8e704edc86c815770423ae9181ebbf8ca621c8ae341cbd5

SHA512
4153a095aa626b5531c21e33e2c4c14556892035a4a524a9b96354443e2909dcb41683646e6c1f70f1981ceb5e77f17f6e312436c687912784fcb960f9b050fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8BED.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\10.exe
Filesize
123KB

MD5
4101b75d5e5fa4b011b571d090ed0501

SHA1
85c097a2d3c82e2e644562287c3eec7035c004f8

SHA256
0edbf3d32b22b572f8763c00d13ab0c62f7cc654a729fb8a73de31b031a5169b

SHA512
0a94a284e420a59c68847ddf5a96c07dee4726f045eefb1e37f6dfc23cd99eac68d51823427cb58f6dc9ea8740ecb1a18ffa343bbe2e4cf2b71d036d89ae87ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe
Filesize
258KB

MD5
40e9f5e6b35423ed5af9a791fc6b8740

SHA1
75d24d3d05a855bb347f4e3a94eae4c38981aca9

SHA256
7fdd7da7975da141ab5a48b856d24fba2ff35f52ad071119f6a83548494ba816

SHA512
c2150dfb166653a2627aba466a6d98c0f426232542afc6a3c6fb5ebb04b114901233f51d57ea59dbef988d038d4103a637d9a51015104213b0be0fe09c96aea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newtpp.exe
Filesize
107KB

MD5
f437204b3e1627d8b03eefdf360281ad

SHA1
c824e787a9786d5fdd19effdec54abef217e5b39

SHA256
d4bbc125a9e94de44f4deea9d6b10adc87a1ec1aedd753b39d26bb15817fdadb

SHA512
bdb6fc7d1e7f61df6a7ff3036fd56793e1096937fb07fbe033692f20de1bc81ca0215c5eff5a21627607c1ca514296d9598490c244bba5ec60c74653e1978910

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe
Filesize
80KB

MD5
d4304bf0e2d870d9165b7a84f2b75870

SHA1
faba7be164ea0dbd4f51605dd4f22090df8a2fb4

SHA256
6fc5c0b09ee18143f0e7d17231f904a5b04a7bd2f5d3c2c7bfe1ef311f41a4d3

SHA512
2b81bcab92b949d800559df746958a04f45ae34c480747d20bd3d7c083ce6069076efe073db4618c107e8072a41f684ea5559f1d92052fd6e4c523137e59e8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C1E.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\asena.exe
Filesize
39KB

MD5
7529e3c83618f5e3a4cc6dbf3a8534a6

SHA1
0f944504eebfca5466b6113853b0d83e38cf885a

SHA256
ec35c76ad2c8192f09c02eca1f263b406163470ca8438d054db7adcf5bfc0597

SHA512
7eef97937cc1e3afd3fca0618328a5b6ecb72123a199739f6b1b972dd90e01e07492eb26352ee00421d026c63af48973c014bdd76d95ea841eb2fefd613631cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WWZ6AIO8IZWJJUQM3X1A.temp
Filesize
7KB

MD5
7af00469028e8b37194ef9fd05398ede

SHA1
25b81ad51d1c17051165d3953760329d8fd8e1f2

SHA256
e61c484c04282e369152710cf843714f10e0d8564fd93d092af75d61483ec53e

SHA512
a0ae2c03fb493fd8c737bc30a5f16d668d9897204ad71f09943fcfdd1d9fce982d3f15a3b1899b3d139b7c554f6d70197a4c1ef9c1ae9c7b3e8fa85095573b7e

Download Submit
C:\Users\Public\Documents\RGNR_A0710810.txt
Filesize
3KB

MD5
0880547340d1b849a7d4faaf04b6f905

SHA1
37fa5848977fd39df901be01c75b8f8320b46322

SHA256
84449f1e874b763619271a57bfb43bd06e9c728c6c6f51317c56e9e94e619b25

SHA512
9048a3d5ab7472c1daa1efe4a35d559fc069051a5eb4b8439c2ef25318b4de6a6c648a7db595e7ae76f215614333e3f06184eb18b2904aace0c723f8b9c35a91

Download Submit
C:\vcredist2010_x86.log.html
Filesize
81KB

MD5
98f7f23d0c1d737c2a83977f58cb43d9

SHA1
4de5b97a4aa6677746210dd64a09831d1c6d93af

SHA256
c1f3874ef102ed242b3d7cd5df450cec866d894a676ad3c68ce85d6b604f21e8

SHA512
c29d6092713d905b755880805a2ed6933faa65b0e12040abc7e697667859862ea618dbf863398d47664a527234142aab6ec72abf0635244d591e206a697e8268

Download Submit
\Users\Admin\AppData\Local\Temp\Bomb.exe
Filesize
457KB

MD5
31f03a8fe7561da18d5a93fc3eb83b7d

SHA1
31b31af35e6eed00e98252e953e623324bd64dde

SHA256
2027197f05dac506b971b3bd2708996292e6ffad661affe9a0138f52368cc84d

SHA512
3ea7c13a0aa67c302943c6527856004f8d871fe146150096bc60855314f23eae6f507f8c941fd7e8c039980810929d4930fcf9c597857d195f8c93e3cc94c41d

Download Submit
\Users\Admin\AppData\Local\Temp\CryptoWall.exe
Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
\Users\Admin\AppData\Local\Temp\a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5.exe
Filesize
159KB

MD5
6f8e78dd0f22b61244bb69827e0dbdc3

SHA1
1884d9fd265659b6bd66d980ca8b776b40365b87

SHA256
a76e49df84ba2a7b33e8ea959995b5e6faecb90d551ef169d8272ce9042c35a5

SHA512
5611a83616380f55e7b42bb0eef35d65bd43ca5f96bf77f343fc9700e7dfaa7dcf4f6ecbb2349ac9df6ab77edd1051b9b0f7a532859422302549f5b81004632d

Download Submit
memory/848-385-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/944-176-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/1020-428-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/1352-396-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/1396-390-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/1632-151-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/1720-394-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/1724-141-0x0000000001060000-0x0000000001070000-memory.dmp

Filesize
64KB

Download
memory/1864-463-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/2044-220-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/2072-169-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/2300-393-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/2308-472-0x0000000000050000-0x0000000000060000-memory.dmp

Filesize
64KB

Download
memory/2312-468-0x0000000000C60000-0x0000000000C70000-memory.dmp

Filesize
64KB

Download
memory/2320-389-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/2360-476-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/2372-207-0x0000000000990000-0x00000000009A0000-memory.dmp

Filesize
64KB

Download
memory/2408-114-0x0000000000890000-0x00000000008A0000-memory.dmp

Filesize
64KB

Download
memory/2436-46-0x0000000001090000-0x0000000001098000-memory.dmp

Filesize
32KB

Download
memory/2484-435-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2540-381-0x00000000000B0000-0x00000000000C0000-memory.dmp

Filesize
64KB

Download
memory/2572-45-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2572-4454-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2576-469-0x0000000000960000-0x0000000000970000-memory.dmp

Filesize
64KB

Download
memory/2676-49-0x0000000000950000-0x00000000009C8000-memory.dmp

Filesize
480KB

Download
memory/2700-256-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/2724-262-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/2764-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2828-414-0x00000000013A0000-0x00000000013B0000-memory.dmp

Filesize
64KB

Download
memory/2852-61-0x00000000000D0000-0x00000000000F5000-memory.dmp

Filesize
148KB

Download
memory/2868-475-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/3028-2-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/3028-21-0x0000000000760000-0x000000000079D000-memory.dmp

Filesize
244KB

Download
memory/3028-0-0x0000000074B81000-0x0000000074B82000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/3028-2738-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/3028-20-0x0000000000760000-0x000000000079D000-memory.dmp

Filesize
244KB

Download
memory/3108-18872-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18854-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18890-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18888-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18887-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18884-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18882-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18880-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18878-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18876-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18874-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18834-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18870-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18868-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18866-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18864-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18860-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18858-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18856-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18862-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18852-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18850-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18846-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18844-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18842-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18840-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18838-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18836-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18461-0x0000000000290000-0x0000000000970000-memory.dmp

Filesize
6.9MB

Download
memory/3108-18673-0x0000000005720000-0x0000000005896000-memory.dmp

Filesize
1.5MB

Download
memory/3108-18799-0x0000000000B10000-0x0000000000B2C000-memory.dmp

Filesize
112KB

Download
memory/3108-18831-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18848-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3108-18832-0x0000000000B10000-0x0000000000B25000-memory.dmp

Filesize
84KB

Download
memory/3716-19559-0x0000000000EA0000-0x0000000000F82000-memory.dmp

Filesize
904KB

Download
memory/3716-19564-0x00000000009B0000-0x00000000009D2000-memory.dmp

Filesize
136KB

Download
memory/3716-19513-0x0000000001160000-0x0000000001302000-memory.dmp

Filesize
1.6MB

Download
memory/3864-19790-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download