xorist | 96542c8ee4501ee802f5af3f8788eee478d0a069f34995f811170504552a1f91

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe
Size

291KB
MD5

22d65c37adb2e4ed39f280d086b7654e
SHA1

d977960eb14db1f97c77b9f8ee8d72df45180b89
SHA256

96542c8ee4501ee802f5af3f8788eee478d0a069f34995f811170504552a1f91
SHA512

d0ab00479999b363286390c8488f7d98ccbe70c782a92e577f95eddacac0693eaaedc9175d3cd632f946ee14632fe9ec0b8eb83bc922aac7bf130ebfc76a39bd
SSDEEP

6144:LVVISiDXfu0UpETghQjYnmpuYHULalgsN5qOY9nZGP83S3DauIc:3I5DvgpETKgYnmpF0Low9v2DDIc

Score

10^/10

xorist discovery persistence ransomware spyware stealer

Malware Config

Signatures

Detected Xorist Ransomware 1 IoCs

resource	yara_rule
behavioral1/files/0x0004000000004ed7-3.dat	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2214) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	virus encoder.exe

Executes dropped EXE 2 IoCs

pid	Process
3020	virus encoder.exe
2164	JF_CF_ANTIGHOST3.exe

Loads dropped DLL 3 IoCs

pid	Process
2316	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe
2316	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe
2316	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nPde7iS1iFO7aSy.exe"	virus encoder.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_If.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_troubleshooting.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Switch.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Throw.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_methods.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Foreach.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_History.help.txt	virus encoder.exe
File opened for modification	C:\Windows\System32\catroot2\dberr.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_type_operators.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_properties.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_transactions.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Path_Syntax.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssessions.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_prompts.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_CommonParameters.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_format.ps1xml.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssessions.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_transactions.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_CommonParameters.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_script_internationalization.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_advanced.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Reserved_Words.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WMI_Cmdlets.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_jobs.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Session_Configurations.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\erofflps.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_logical_operators.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Break.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Core_Commands.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_escape_characters.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_aliases.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_jobs.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_locations.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_preference_variables.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\Programs.gif	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_For.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Comment_Based_Help.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_script_internationalization.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_While.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_output.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_parameters.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_escape_characters.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_output.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_jobs.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\about_BITS_Cmdlets.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_modules.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Arithmetic_Operators.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_transactions.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Session_Configurations.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_profiles.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Assignment_Operators.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_CommonParameters.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssession_details.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Redirection.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_objects.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_command_precedence.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Continue.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_logical_operators.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pssession_details.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Special_Characters.help.txt	virus encoder.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions.help.txt	virus encoder.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	virus encoder.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png	virus encoder.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mouseout.png	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099194.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15276_.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21305_.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR24F.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\ARROW.WAV	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\PREVIEW.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\header.gif	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	virus encoder.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\THMBNAIL.PNG	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\drag.png	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF	virus encoder.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR11F.GIF	virus encoder.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	virus encoder.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02082_.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\HEADER.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR5B.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\logo.png	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_hail.png	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15184_.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\BUTTON.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF	virus encoder.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30F.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43B.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\SUCTION.WAV	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png	virus encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10300_.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21295_.GIF	virus encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF	virus encoder.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Media\Garden\Windows Navigation Start.wav	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\activity16v.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Assignment_Operators.help.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Green Bubbles.htm	virus encoder.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Ding.wav	virus encoder.exe
File opened for modification	C:\Windows\Media\Landscape\Windows Ding.wav	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b661d7abc4d159c8\epgtos.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-16.htm	virus encoder.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_hash_tables.help.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_windy.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-full_31bf3856ad364e35_6.1.7600.16385_none_ce3a164d3f0fa152\1047x576black.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_arrays.help.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Menu Command.wav	virus encoder.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Line_Editing.help.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_725857cf41f74c3f\3.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\bg-today.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-8.htm	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\ClickDownExpanded.gif	virus encoder.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_en-us_95d36ad13a0d3d1e\playready_eula.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-babygirl_31bf3856ad364e35_6.1.7600.16385_none_b2bd01695c9021fd\btn-next-static.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..ional-chinese-array_31bf3856ad364e35_6.1.7600.16385_none_c0cebfe77b9f6973\TableTextServiceArray.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_eventlogs.help.txt	virus encoder.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\US-wp2.jpg	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\default_thumb.jpg	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Roses.jpg	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Windows Hardware Remove.wav	virus encoder.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_functions_cmdletbindingattribute.help.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\47.png	virus encoder.exe
File opened for modification	C:\Windows\ehome\fr-FR\epgtos.txt	virus encoder.exe
File opened for modification	C:\Windows\Media\Delta\Windows Battery Critical.wav	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\rectangle_performance_Thumbnail.bmp	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_transactions.help.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_profiles.help.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e0e7b1171f7308f0\about_BITS_Cmdlets.help.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\shadowonlyframe_videoinset.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-huecycle_31bf3856ad364e35_6.1.7600.16385_none_810df6f57d9f2a73\NavigationRight_ButtonGraphic.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Windows Ding.wav	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-6.htm	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\TravelIntroToMainMask_PAL.wmv	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_prompts.help.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Windows Exclamation.wav	virus encoder.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_job_details.help.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\btn_search_over_BIDI.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\WindowsOutlookExpress.bmp	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\16_9-frame-image-inset.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Core_Commands.help.txt	virus encoder.exe
File opened for modification	C:\Windows\Media\Festival\Windows Hardware Fail.wav	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\7.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_btn-previous-over-select.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_functions_advanced.help.txt	virus encoder.exe
File opened for modification	C:\Windows\ehome\CreateDisc\SonicResources\ClickMe.htm	virus encoder.exe
File opened for modification	C:\Windows\ShellNew\EXCEL12.XLSX	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\42.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-11.htm	virus encoder.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_operators.help.txt	virus encoder.exe
File opened for modification	C:\Windows\ehome\de-DE\playReady_eula_oem.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..tyle-resizingpanels_31bf3856ad364e35_6.1.7600.16385_none_bc51073aee3391ed\bandwidth.png	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_remote_FAQ.help.txt	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-17.htm	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_preference_variables.help.txt	virus encoder.exe
File opened for modification	C:\Windows\Performance\WinSAT\Clip_1080_5sec_MPEG2_HD_15mbps.mpg	virus encoder.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\3.png	virus encoder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JF_CF_ANTIGHOST3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0347581c719db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB2D78F1-85BA-11EF-80CF-C28ADB222BBA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000d4169c57b616600b9c2bf25a6b1f932d328a658b1b60dc516a4bf0034cc35ea5000000000e8000000002000020000000eeeb852bb388b48783badd06bc94fd45b407de94b6efca6f7a081f065344a6d9900000005fd5eec0194376b90f893e978ad2af1a24116c8f787ccfdb066bd8407a1532774367e0f57f48fd024807910292396f52a0e91b4449a396c1e5af4e83ab216dcdc228a064f332282dec897da858ddcde72b6e6cfc465a5726ca15e23d09f023bba9e85ffc67604fd2e554bacc38598dc7d69558e0d43b4bda1feb8d30b409aa373e0dca552087aeae0b8d563a3dfb305d4000000037c8b96db5a3804965b8903f0a8115998f610caddea8b55b8f9b55ff31fb221855f3c9919f8630f4c44d4c68bc013a829affde80405d9e077d9865a9092bfaa3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434584093"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000fe7ac597df2f317924d76a47fa068e30511f572a0ff14cca5a894285729b6283000000000e80000000020000200000000dc40565d8dcadb61b81eab066d917fa4624b3be283c73a531b6b2a09ffbbf14200000003815de0bfc428012a3fbb5405c39904fb6e9b0be98e4a0da62801fb78d5186134000000055a18d3d6ab6796f050ae7e8e2ec67b254256a3b2a034be4008d149033296000d4dd8184243f2fba3dcbcc5b2e38693b64c1f551910884edeb4169ca3722f438	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\ = "CRYPTED!"	virus encoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\DefaultIcon	virus encoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nPde7iS1iFO7aSy.exe,0"	virus encoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell\open\command	virus encoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "TBFZLTGLROVAHFH"	virus encoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH	virus encoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell	virus encoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell\open	virus encoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBFZLTGLROVAHFH\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nPde7iS1iFO7aSy.exe"	virus encoder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	virus encoder.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe
2164	JF_CF_ANTIGHOST3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	JF_CF_ANTIGHOST3.exe
Token: SeDebugPrivilege	2164	JF_CF_ANTIGHOST3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2940	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2940	iexplore.exe
2940	iexplore.exe
908	IEXPLORE.EXE
908	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 3020	2316	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe	31
PID 2316 wrote to memory of 3020	2316	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe	31
PID 2316 wrote to memory of 3020	2316	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe	31
PID 2316 wrote to memory of 3020	2316	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe	31
PID 2316 wrote to memory of 2164	2316	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2164	2316	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2164	2316	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2164	2316	22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe	32
PID 2164 wrote to memory of 2940	2164	JF_CF_ANTIGHOST3.exe	33
PID 2164 wrote to memory of 2940	2164	JF_CF_ANTIGHOST3.exe	33
PID 2164 wrote to memory of 2940	2164	JF_CF_ANTIGHOST3.exe	33
PID 2164 wrote to memory of 2940	2164	JF_CF_ANTIGHOST3.exe	33
PID 2940 wrote to memory of 908	2940	iexplore.exe	34
PID 2940 wrote to memory of 908	2940	iexplore.exe	34
PID 2940 wrote to memory of 908	2940	iexplore.exe	34
PID 2940 wrote to memory of 908	2940	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\22d65c37adb2e4ed39f280d086b7654e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\virus encoder.exe
  "C:\Users\Admin\AppData\Local\Temp\virus encoder.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe
  "C:\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.crazyfrost.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2940 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
a88d2aa6dbb3e2c73e7b1b6ab4d6b11a

SHA1
255282528af78b6f62a8627b48d25de0b8828c28

SHA256
52c1659da674c4b74218f3b3e375fe79404d08d52656f9fa1393db3233007dd8

SHA512
63a844a2e1fb213382e704288cbd398bcae53f1ed413f5d33a409b98dbca5fd23736ae60bbc02ea3d8f7a043b59924e8f579676958c82244340b356ecfea27f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
43b6d1a581e0d77e38cf3765361ff3a3

SHA1
eeed2ca2df8060df2efef6da72384bc408e17be3

SHA256
bb07c18028d169443c79f3d6b4da74fb75412c359efb68c44e9fd15e0dc91157

SHA512
150b563ad32f1a42406df896ab12d9506e25a0f6ddc7a25e88a4e247c46a5a75a1c1fa9b3de25c1f6f477e05079a60cf928f4405be343774bed7ee185146f28a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
4a26f4c98d293d9e93fcbc48bb4bc7c5

SHA1
099b57db24726173c49a56629dab2e52ff2780ea

SHA256
c4958eb9188a2112c0e6e1d2d55cd1bde9b935332933d791b2a94e52bfacf832

SHA512
47343f1f7cc00e34a9e8df8b219220364690c6d5bb86d4b93fca447ceaf88d989233382ef0712dbb2e2bc6b1f89082827a64689dcffab68fa5fba2ffddb334c9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
cf94f8a9278d39cbd83d6820ac932caa

SHA1
081278da4200d8fcbcde065de71e00b95f1b86c6

SHA256
090ae8daccad31686d3231a6afc6dd06d2fdd1cb625730e2c15ca761a976023c

SHA512
36b7bd3e35e7db8c87630a83525de85191432f19e37f7a5835a8c3214ccdf4c2ccfadcdebf3e3cd5dd13e043e8d0f036c65f7b92b2c25cb915132a9c43f40d71

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
9cfff6cb0b3006425ecb4b9abc6f8abe

SHA1
fea9b9ab9362ec020b261c07a2c86f0563cb47d3

SHA256
b83a7c7b00cc15ebb15b661af06a9a131413624424675840936b7db0d588a5ef

SHA512
b6365599144242dd18056b3f5e2b304c76ea86642906228489d1baaeac05c2fd0106712bca258488a8417d82cf9c7ae018629a10242cee9c451a8063f05fef3b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
80fac7b70d8efc9ce122cc18a370aa1f

SHA1
59c61a23ad4922751316d9d303a1b3d0531595e4

SHA256
62662f383b5c43c863ca8551cb4fd58c192557b60ce9dd18ebc91e883b7275ec

SHA512
17284f35a89b69fba66b837bf65ab34078c74ff480609a60df447d516a0f191e2f2ae785c8ffbfec2f0b7625552abcbd2b5c4d085006a1c1281f2a800fd4edf0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
e05b3e937c832476e6744def317f266f

SHA1
a4eede4cc99886c61ee544413662b40e8216dc50

SHA256
daa54a661b10acdc1f7e59562ac9f7d25db5fec12ed4c501f24b024304acdeea

SHA512
c0b9a3efbf26e8e63957dde5583833acf4dd1a9817c770884b3e095fa9dd395b0af6a145341f2980ed9eaad4560ef2f9ba1eda14b8b97dd3018e01379437596c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
4be71cbd52acffd511eb807ff26bdc03

SHA1
200c683ebe211199e4c92911653ed35042600f1c

SHA256
039db77b1619fab242a39202aec8a531db61179999af4906c12021679a708e9d

SHA512
2bd4b068a56494ab12d06c7f33a89b057b4354529f15427599f5ae0e5f3064670748d5e634ba33089b67adb0ae4be818a81d8ac4a6b37edf802295ec95e2c10a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
338da3989217f19ba4fd759b0cddc944

SHA1
35b2f2e5f61b4184d833723b0930a2cf941e16fd

SHA256
81b094eaf1469a435ba7dcb98bff47154bec836973ebcc4efdac9abd94d65327

SHA512
0b77fe5ad291b8a4c0b21bd304d319ac4a0ad53d57313dc00784ad1aeb663792ff9fdd1ad19633dd597c278070ae61af8486ae78ba290b69519e6679063e3b77

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
c9dc598752c2951697eaf2e0bb5e817a

SHA1
1e605dcc8fbad52ccffd0447375f24d86fa36ab8

SHA256
5cdc6dfc2c3c54996feee3d7e1c3cc8fe811bcd8a933da7d77060e9086fb7d5c

SHA512
49b70592b9db7859f0dd733a1cb28cdc7dd7666270eb8489efa795a343e9914cbf7018ed792c5c8879bea708f7290b785f4e091cc6141d1bfdc1bd04ffc29cea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
6fbf57b1490ae97ddbed6c85ae814b4b

SHA1
96b3fd36bbef13599fe78db9338c1cfa1239c5c3

SHA256
1bc9de48e5bf004fd43de1908d9a88c8348066f52fb1dbbab4801ea8cc8e029d

SHA512
e043fdc82f7bbc1c92a6923cff0b3bf08d07e493947c7b47bc9d743e87a71e329f036e1f6f69cc1ac02741b835c1f9373a5c18147ecf832c9302f5b65b7c0df2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
e8a08c9a0bc973881e7fc53e57fd4aec

SHA1
4705bce16b7e6ec2ce43aada279281370835e188

SHA256
c850fd14c5bae57217c7e0290b612ca923b247053f7761ed23b9db66939a4a8d

SHA512
4b102e49bbef236e7facefdbfee40570b6834fd08488d727706b62b42bc01dda3c7a4f0f639110430e7aadee403114e77f463688d2659426d5c3966aca094180

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
3194f514da4c06164083e8ce20fddcf7

SHA1
f1a135319ca46aae0b6aab4a9edb3374c006d73b

SHA256
28f8ab582a3e1f6cb17cdda0522924196bc58d0a10be7ff6c350aafaa063d9d3

SHA512
4e059b121e1028f63e62d0a56c08873c995800648a701788b0b68fde6bd8b40d97ba71b4ed7775036dd2f54ea82b9d0a9a6be646ef842fdc79ada3faec541056

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
0fc758b8eff9750da1c03c89f76a6d9e

SHA1
4bbb162df4a58ef50065a86defa60c0cfe0d74b4

SHA256
2bd8492d0754c8f2928133fcfb6aee670e3429fbb54b5cfd9f2626383a6fc926

SHA512
24ba500c5bb3684792d961b776b39f6a33653c391606527e9a87012b27a0aeabb90bbfc3239eb0a7b9a64f45cf01adf5dd58e5851ae0c5a4c776adce8753d88e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
29be77f3f16b1341ce7fa22ef272b63d

SHA1
443729efaff96e05fbb0763963719082e09a6194

SHA256
40d5bbbf5a746802e9d6b806b486857ff5bab15b659300716bef8b5f281fe095

SHA512
46582bc6aa99b4d0a516cb73530dbd8b8b2ac0e2547cfdd5aa2a468cecc418adea9516925cc9160cc2ad7bcdbcea43283eb73c668bd16a698f85ca658bc492eb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
fd4627cdeac9978636e5deada6bbe777

SHA1
b1b9d618dc147addb668bc5a1f8168f30a0c8a1d

SHA256
536fb77e9b0774dff3bfd5906c4e48cb1255507c4b24f625b3d7d01ae5e5a54c

SHA512
49f3ae8b7fed04d53809f37e8e80d8ef5b5a423e655f612e4bd8fe0b5a6735c54ad1539443bf3369cb98dc1cb51415b0805d2560dd18d33f991ea6042cef1dcd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
673048ed0ac2f98da4d4f149d6a194c1

SHA1
f32d8e385ddd4b75ee6aea17e844fa7d47058fe7

SHA256
7a2a9f13d4e66c3170ca3e2297882dcae71bda19ee320e3e76e13f5c61ec01f7

SHA512
609bec85de07efdd82b6bbfd7dba5b6c622ffdb2d29dc155370c7dc2dcd02c5bdda75e02169f5dd71241f85dd9bc90e51319c7f4be73083e6e423a9ed5e525e7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
67da30c6131d598126057973854c8257

SHA1
853df0fba612c4fed2778a75930d5a4660754e9b

SHA256
6153276be8148175c482f006c76bb1a52891b20998ad2795a96ddf9eb36dccc0

SHA512
c8cd47f0bd2249bab689a699912d8885f2e7d7f6f1b9830974b604663a8742c8ddb69a0633079b0e8596d5904bb462c93efa341bf8bb38453e73c66852832447

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
bd4f6f96d184364e2c97a15e0dbe22a9

SHA1
1bb64348b1ce8f98ad9897c4326c514cb33991db

SHA256
0f2223b93dc7b16792de286d8f13f7bc62594dc3ab34e019e3df06c711643a56

SHA512
f02f6737cd0e70c0768dfad2563b246e3e9117d00f26ac7d82e4dd3c23e5360fcf63109289fdfb9db1187aa41e71861e0f5f5041491c3a6e55239ffcafd56cec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
ed860822c1f6a04b1e8a6ccbf76a2b9e

SHA1
700a85b977bbd08ecb03a032f27ea9cccd27f12e

SHA256
c7db1cb31d79a6b4ab6ba624bb47296afa848252764facec9a2dbce830315303

SHA512
4124baff19c01b8194e3e30a8d2bd41a3d41dd591e09fb3ea5ea394a9bc8448f3d04dd99570865ebc17d42d007c42e0cd4e2150116d0cb24c4bff2573d7b9aa9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
23204f7590ddfb3296cc383151a2fae8

SHA1
a25eb3d647db67b4ef458ed9fd028043b05578e2

SHA256
23aceb8f6981bab9e44554ceee939b3b488d614a4430c7cf6e068b5ba3e95057

SHA512
9e4fc61cd2dcfeea46dc1b7cf5253bca13df1afa91aec69cd52a6b9f3ddb813655d6d5ac698d05fa42a25d584f08ec80c9fc0e47ccdb79726925f70d24b2d268

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
52b8c007c9e0ee44910a86851e50bcc4

SHA1
d74cd5abd2423cfc5e6dda4afd6a54b062b186bb

SHA256
a381054d80284fff53ff560f9008bdd841d14adc21005c1908ba1e630a563c08

SHA512
176f686e4ed5388a3cd64fcc4e2e7745d53233ba5ae0f680cce858805ea62c16aeea02b3ac761a6bfa58c5d694788b23f5f760e0b5a8365b5e0996854aa68f58

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF.EnCiPhErEd

Filesize
255B

MD5
93ba6031dcfeef69a41a1aa439091dfd

SHA1
848ad6844f6ab3f9820f2a2edf6658ab2c111a06

SHA256
4d6c0560051af224c4ec2e3ce007813387a3bffbe40ee223829304630c61cd6e

SHA512
842463950f777c9df460c8e3ace098a9d8b75d8a9a4fc3f2997f3b49702ae5e708f5767c160cde63a5c5feb8821669400d9dc4839a1f11c14a39ec9f0b9f1c35

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
af9d37d310b911e1b96a59727dfacc76

SHA1
a9cc1870739ed98a57b1143ea38ada66e1b93cb9

SHA256
da55bb07289ebf361583b4b1fe37ae1ee940007f6661f173ff517f966c24377c

SHA512
952c9ef48bb23c9a25847fd3475ddc045895e4395eea39bc22dae939966fa922ca39f281c42da8e02c91e9115bbab5e15be4491a2fe64316ba528008bc79b50b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
56c9fa7a92cc59e3f0271645de1b46e3

SHA1
aeb635d414f2e3b1237a4f838bae7e2181a68771

SHA256
b0fcf4c9fe79de913f24449fabd435b8953551e3cc248792b102de6592ac0370

SHA512
099f116748a312f9616a38ace4e21951d428e913b8a675ffe8ae619fa28690efa6cda8931340a31973456e6c4710add0065175627fa18ed8f00d80bf79b0b1ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
f87f37021b8ca2f3b231df101ce0ccf7

SHA1
88894a5601ad0a73a170819ecafdbea13a1bdc45

SHA256
424d312ba300437909ca9b73e5318d8ba76c3b08b7e256e695fad5d198fd3037

SHA512
e832c176aef7f48fe367401e7158274a2f802b51049831d1a1726fa5f44366d98faacf0ee3a34f4ffeed45f45c08bdfec01a763a683185087b1896560d486f1a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
19de7be5299f2572d4f7924f7d6e77d8

SHA1
93e3f637398fbf3320857fdeb5fc0f80f661879f

SHA256
5191ba4703f2ccc8ededfbdfa8ecbbdc5faa2ffea9be56a0c7ebe6fb1fce533b

SHA512
55598a772743601e9315cebb3caabdc7714c33b6e7a008838a5f78915f3bb544e34ba46e38d233d719cd80448d1ad2dcece0864e6d22944ae2c8b03d0d220b34

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
066d165c3942022d5e933a3ff153bd3f

SHA1
0b1a1d1688ff1efc1dcb9669da8bb54bf254089f

SHA256
3def90248cb057e34c216931c438a5386ba781d9a564f443a460698dd7398425

SHA512
e768c9ab8c112dfbad05275bc2fa162a2905e5600b40d1275b5f18613269befdb81cca7cb3861c74bf0beabb220fce99c93e3a8651e9cd75e9040747afce1692

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
3b0703669e558fe4963996b2d6a8c549

SHA1
59ec59e60a41c08c4c3c30fc21362d12c1068dd0

SHA256
b8a7004d63451469e047c41f6c58d00c7281688832c25da73b05285977a38080

SHA512
dcae9511824d8849a43d0acdf41f48a3aae238b3a62d2d5d7ab32ef2229a1abf3f838cbd01d57e1eb1a291d4e8646ee8535655881588ab78b0a335c5b2757319

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
fe2ba3a925c0ac3c47196386042ff10f

SHA1
5ac61369bc977458ac6e748b0cdad67582243671

SHA256
14855a8fcf48809060baf542af2e98919195d3e2f68ca24e96c05a4e419beab6

SHA512
d4237545b854eac85bd06b9c6fadc3a79a8f9a95009b935a9889e18d16433f82a892ba1bcb142de93883a354346cc4fe96928423990e2edc7c70043810e932b0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif.EnCiPhErEd

Filesize
233B

MD5
a876552830e7d4660cde813f4881647c

SHA1
6ad0e279e64114ca225868b7f68f86e9a05ead52

SHA256
eb59f2f6c96c22089b9dff1c006d54e0a194eccace92a3ed7e72d7954aec526a

SHA512
fef4496451dcbec55ce00532ea4399d3ba5544063a1c2e4a03df8ec70115f80895ed118a59df320f1414bb097e4a54d9336fa147bfce58682ba5a1cc36bf3dee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
a7732ed41e4d7dc3ce97b7feecb4ad97

SHA1
ac708081f3bb15c6d4480bcff5f7d1de8ffd9176

SHA256
2a3877e73a04f18a06466fb845e83c18ce54fc04fe1dfdcd32ebce82a82e6818

SHA512
2463bf565b02c2bf4a6e66b97b4ac524e9a8414bdd7f15f04c7b3c35837028a4c111b1e3b6f1e7ade60d29394989ce3f6dd8b01b82cda902683dc8eac3b067c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
eb0b54eb83860911073002b71b3a6f38

SHA1
5893fc647795015068d60b1dd5d9ff18de936290

SHA256
0aa3de4735bbd9b2d634857398dd1a2b7e73f051cbdbd610fb10c705d7ea2ee2

SHA512
338e3b3ac1a249b3e67395f6bdafc33584dc514591871ab028d42d434edde8877fa8d4da7d31a7bbe5db876013239eee7a891a44d0fa9d8bd85e1341d72bf3d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
e7ef91bf41c57a725a7a5df7b4119090

SHA1
9ac75e6c550890d422caa1c9b6789cd48c8291f5

SHA256
bd7bbf474ae974fa6c62165aa9a375e52399cdbf97e9ec5d76bc853c7e7ce317

SHA512
b263cfe9c29fd4a3694792f39cdf86f6cd2712f276c46a4f48cf1706676a0ca363642454ef9a139ffb205436ac407eed15334faa793516176f552987890c82ce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
44c7ba4e28aad55885c8f23d3279ed0b

SHA1
6da6cd105ee8282dcf10139b4d2a9a7d19a2f636

SHA256
3d624d81eb171fabd5b1ef8bbae0afd29b8046eb5f8d9df7262ec7cd0ad17e52

SHA512
cf55ba219c50c3e54aa0acfb6deedd52e9c78f6ceffdd91b44187dc1b2a96f689e7c92224e00aca54c009f3c46bbc7ad3e5aa38e5edc3281c02da31f713a1b98

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
a738712c0bed358aefe2728d48f54852

SHA1
c4ca704450de6253fca19f0b0f6f6fac99b563eb

SHA256
866d84b61365b76c5c9785248576ff216063aeb4a64388adb3f5ee928c69a3f3

SHA512
0aa4e9b328891c26d30393e5dd2d23cfad0d2ab6f5c53fd155a61711f8af4314c282b6ae84711f3b4d0dac4fe9e0847e08d764ea2726c507347dfb942a21a2b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
99a478beec48e4f4370e0d7e91f40c9b

SHA1
078ece9691de2eb1e0af199e7eca4fa839e982b3

SHA256
e49fa6e75b6036c8a73b105ea614dc76ff63d37f67639965f10e601ba26be086

SHA512
313548d37eca82b147f7b91ec62498741d91276df041878c11334d05d5739d99ea91105acb2186e1f54fb61046fbfab0cc6bc2d752da2bd23e8593ec03f2b8e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
ae81619d09af3db1e8f5aafc149d1ada

SHA1
48342cc04722eb05422dad49df4b18e2ddb21416

SHA256
451a6b4059302cb5086eb04d24f19db43ab0f8890553f2b386d03b4dc2b65b09

SHA512
81055a3aad6923157d7c33e6d5cd046ad20253e22c787e649489c4ff1d917ba8a186d06e17499d4baad74860409952df2ec48ffcf15e4c6b96b17835d7ced4d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
00704a55c4bda9e3d2a892bb2172c923

SHA1
26fcc2865e7fcfab2d6e23c1f35d6bd0a208c3be

SHA256
4fa9714e84ced35706f34ee872ac1853460a411c2fa79c7e1dd0e6c2db25d849

SHA512
663dbf93dc6e902f89dc99d432094be1fd0b35d5215402b4e56fa46e1d728c36df736da910b022dfa9c774cbd671e959a43df6a056e0b82ce1c5b5733e0876a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
4ae98c9b625c62165826e5079dee5c6f

SHA1
2ee117b2bcf99765ee1717852cf2d1e8dbd50031

SHA256
1e3ffa6b3fba8a4b39ab088ca3ea8b5c9beb1a471a66b081497e255985d572f0

SHA512
53d8fc1e5dcb17d476f4e748a7365d2f7d5e47a0b22d277d658873fc3bec4ddb8b1c682fe6d6618bddad00f836349bcd095a438238a96f4acd8c20b3e6fcdb9d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
00c6bbc56064cac80539a3fba1bbc9fb

SHA1
29008c60ea13842668034c951d0b50029ba332da

SHA256
38a195f3884a84e3c8fe870618b7a445576552bab2a4a7add736cc7ceeb294ed

SHA512
61eae13583394031ee10e8e5c3acdf724ba824d7f33ebfd7bad3679ebb289a041ef0e8e78d2419bebf2ff9cbdd847f5269a7e17f3eb40bdba7c05328c4abd854

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
dcb48c3d05de6f1688f42dd7c203470a

SHA1
cb67fbed8add33480733f2dd71ae095f9741f2b7

SHA256
bf5a44f8950334fb0eade07d991f98006313c0c167a5d589644145e2a12ae001

SHA512
099583be03f5f7d6e1095383aa27d3dc9193ddcd6f88cc3fdc7ffc4b71a7cab7f321dbdd5c48a446df9f6f609eaadee50ed15af11d59fdf0decc0626affc8446

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
11f866456a19ba4ba85687b56c797b66

SHA1
04e3838e21f411e22e2b5c8c66cea677a28d9215

SHA256
3d51e8c2046442d156f5ddaf86816eea289108f6b2420696a63070e0e0ab0e06

SHA512
b59185a880433bebda6b224efc12c9364f79a913f7260aa6e1358a0d623727af2f4b47d5ed5d0338fcaab76e16877f4c56d1a55e5166def939969bf75ed5734d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
9a4a2913ce0214c11b01e9deba8ccea7

SHA1
42d4b2e0f161299d9e83bce73283128b8b3bd491

SHA256
4712ba39dc9b7b4f8904d9597421116ffaf4490892a9f216a5fa1d1db19389f7

SHA512
2f2d6fc67c944a13077aab4196ee18a7313681147e644a056bfda69beb24928c5ca5acad119f0e971455c486c0c6b305e464110c56ae59dcb2d1938a9a0cac99

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
149be76fcd1e36d7835cb0e7baf3daf8

SHA1
434ad6c320fb4a5f371a3933a58fd1e39ba1814d

SHA256
0c71c2d378e427d97ef0671fa3fe9bd7701a6b36d352ade6d531142cbae26e2c

SHA512
9a4d4023abadb16efb6250242a98b7a38eca2ae4629fa618769eb62a26c3d427f5645c1b2b781bec6222917b1c3b9d8bc0cd15f203cd98417c1cf6765f4d8c4e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
3ce3142e319f1c90f59f671b039d0e31

SHA1
2628345eb46430c403695db968394f6684418616

SHA256
ce48be520362b7262b7f77ffa7caf0dbfda40e71715b745485e8b78628c0f291

SHA512
47048a8ca8e24fa65bc1581dde92f0f11f0a021ca8231118c3006f9870d76e284cdb9c27e2591e4c5984556a0e50590f1f13a20ecb01830a280f282d7ae935ea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
03a9e2f5145a559c759384bc3273e6f6

SHA1
b3310f92442f5ffe3e61af00ec99748d604611d8

SHA256
9ca98d2df032576456a14ce54b5e3101e83275fb9d5b54f9b2b0ee493b9f3841

SHA512
2773e89a492a301ae85ed344b0175680e3daf5b9be4d41309e9750fb23de479465a8785295ffc0fb7e3eceb8e6602eb12625131a0e0254d69b90044e237e70e9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
c4641179f007fd5768743be3a944fd1a

SHA1
4303ffa654cfed796f02af37800541007ca03ba5

SHA256
1301ea64b08957813f00925499a97b87d23243a9f6b4425e684bdd3eaa7b7561

SHA512
bcaedfb93fad63815e905e90bda820460bb442a75774ec5ac1b276605bb664e5407e4499cd8c56a8a145961ba89c2aa642990fb52efb2dc54f589d7dffac22a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
8b259de478a0940b1a748dc91e230b4e

SHA1
f87b7aea0e784d013ca6f10a3d855431ca2ce65c

SHA256
3435f937e173c7ab63106032ca846b33e7a5af77b6de94eb9c9e3660e595eab6

SHA512
755c7a7b7b05492c8598b70d466908818de42b3837e3ffc2cae1d6df8840c7d33e1ec4346900ad508015784560bdda05823ec7f72a339538145d7a49c842fe85

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
3c91a72746b7f7389389b9eb50a5c429

SHA1
0668668c3395b14c717ec3b185ee299e031ecb43

SHA256
4425b8c859b8807bd7e3f73776faabf826d2de9a99b870697ae958235a84c24c

SHA512
768fb372a3483f3ce6d04831aeac5aaa52d14cce5c7258e09b5fe30f8452fd95d76ecb78aa8871c79ce85223b7edb04d668743070580e4902e0e34179d328794

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
4f56c5e6e04724f31d555b380598610a

SHA1
79cfe818ec04afd8d46b3dcea50b267070669f8f

SHA256
eba4cef19563977f08db316b23c4147f8a23edc8964d9f29a7a10ef0e11bee6a

SHA512
949f571930c3d504b6142cc44fd8e9cda58e7be65df022284f8bd946722b048ada8f33c660284d52d8ab36a81768c8bfc429195ddc304d5a305bfe6fcc701649

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
9b8d3ad2bb27aabb682779295766868b

SHA1
18246bfc11f2356f29cc327fc166cf27938455f8

SHA256
f0392d716649d7d7eaaf1b34057e4ac7f8901e40f6d69a018cb668b8f70d4328

SHA512
e05f15835c684b3da86c87ae64d48b8a65e7f2081dc4e1d207a82dbe0b6d60db79ba2e2804505e7c8857ac3333d1b9d9f1e03d01de00fca555023aeb6cb56e0c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
f4e88d9f4684c40d92c105eb0df4ebe2

SHA1
bf27ac025930408658b55042fcd989d7891ee9c5

SHA256
a30239ed9e98f03d260989af1f1adc12004cf20e2de217207196bb06c020b46c

SHA512
632f5d9977972826b8bef064314815c8e7065e042be3c6c1e653f3d6a3d3416a4a681bda6c774d5274233248c3edc43d2f33064cde8f4a2cd6c93fb5555bc996

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
3cc4de6df8d41a3690020600da934843

SHA1
8a3e30671c87ff1376d7c443e9b6d780f9db3118

SHA256
f34ed70cdecbbbe92325057624f07b03cae8352c76f1f248834037155600c135

SHA512
758e65129dacd3ca10cb2cfc97bc42af827673bad1b6954a6665d24f2b9c686fbf7f38dffd404a2cd978eddc4c4b1bea831c8db4bf4b3220e1d46164e22798b0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
be6ad15b668807972d2ad74bc28c0dd2

SHA1
5029fb67f18638e86a9ea9c343381273ba168480

SHA256
4eb9a43abcf7100278dcb1f42ec83440329ea8d4a7ab939ea00237891d6cf04d

SHA512
3a752247a6294d9ae625b05d60fd5582fb023560159a9f087d869db3b859c7192b7208f2d8860fbc9a8543c3f3bf59eb59bd45dad161fc13a71c82328a290394

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
1e8c76e98e080dcaf486046768595a6a

SHA1
3e51b52231cc29879c89cbdd0b755feb79120608

SHA256
1c86b1d5311f4042e902fef3eb637941f5d3545908597c6330a1c988177a6905

SHA512
c75dc7f958fd0e0bd71d7dc52d02dfb48bb80a77a12e7497a06a848c7d23421865c0c30dba57aeb4e11b003cd7760c93c2942e234bc999f2538d7f77ba575285

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
9764db16783a653e3040c75b65096d9d

SHA1
611c30efc129e4808a1ae00eb855d2b2b832cade

SHA256
b43619dd43692635aa16ac8905f0f2bd81cf58baadc2bbbfc14c5f8fff128878

SHA512
598db879f3edc14b73a04924b9272adff4bfc4841ebeeb42bef5e58c5290b596cc9337ca84afb44fc086e100cab809041f266db61e69d186ffdb76a6c75d0a5c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
df37fce9d63d2614fd2f7b428282e983

SHA1
92db0aac07ad951b88061206716655696c1646b5

SHA256
13207641bdb532a64f2b1f0b23431d6f87d81f67d64d9a21b03cc2e3541de181

SHA512
870c621240d2493ac67d503cc88ea0bba0aa82c1057693991b0d785bee74c11be5d621fd15a546cc4e0c5d8ce68816718012655dd22a2c044e079122a1973dcc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
4846e06f8c4e12a788aecad18f1cb3d0

SHA1
71d4055dbee8cf298bf438312619ce1adaf0f20c

SHA256
fded5ad3099491c3314a3c41c8d5a69d27bc4e77ab195edb1b8db8e44a8b9df4

SHA512
bc6bc5e775cc54e00a3588fecc35366c2104ab55cdd4decaeedd6e3716108973beaa2eb7e474a4ce5db470ed9ba717aee2d1d198afc4516d926343730f125e6c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
d7bd2ab23ad2dcaa879a773a455e4edb

SHA1
1fe314039d05df4048d4b368b84df0d9efb0e14c

SHA256
671b09870ccc14bbef6ddffd327a7b3e03a1f1b905e31599a4cee5a45ca7dcbb

SHA512
f65aa307bbd5003d04a15aa55e3eeb568b8bc4db3ca071fb7056c755bc193d78f58ba700957880526dcc1d8e852cbd2e1ef04bbe54ab0bc5721b7d36eb083595

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
d31b75b7649eb6fedbcad2b74b5f2232

SHA1
b429f1a512082e969a7354e29c18444cbd502c34

SHA256
861a6bee23f2ef4cf92c145c220244b362eb14cc81df9ac1970807d14036c479

SHA512
43c13d1de8ea04db3a82883a99bd1f40e1285c7e748183770f252e62a4b91a4fcd60697a84af6ef395f07893181ab9f65f0391a0fd5a181057410d8d99bb4faa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
bdfa643dbd542c6907730680756f3a16

SHA1
c79bff37e072a6236733342d8176012ba02ecfa8

SHA256
67b136d710780b79162821680eb2f65b685dd062788da0fa6733f64725e32fc3

SHA512
c5ad8fee2bc7272400b99f41027911ec49cdba22c186039f1420240adea2938f4242edf4a4c842f052c88511959bad92e612183e0bbfba3f727a8292b04066ee

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9f4795f5306bc18e6dc1e976cade5c3e

SHA1
cde94814d9f859c1a756cdfd8c4286c6fda00437

SHA256
f2fe82fa51ce58e1fdf498b377641af759a0a5837f70d1df8d3f6902f86b11dd

SHA512
fc85999810dd6417b2ea570b73390b86e4b655436b6f0d8943efacec533340f26fb23ced769b461b518c2bb254dcd952f9840001ad543473f8a48a00a29d853b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
009f8b570d00e9b31d1ecf4c22059ed4

SHA1
860484304402e861b6af771de1861def962367c1

SHA256
f18d718ac2dd2bc2317a83dde21cdbc82e567e2cf57cfdbeedec6f970a95dc54

SHA512
8f096eec56c11d7b4e81e822fa7a7d6a0e5593836556b1919bd77a21348a4185f87c7ef889d54c1d2eba189baec0333d4b86c194eed5cfa17258982f59baa30f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6153c5356848b8848fd368c700244351

SHA1
4bfa562e1906f5d26d12c65b233da009d1b2f28b

SHA256
891f73665803fe8a411b88f1425b59297767cb83b76f6a8b9881847542ead9bb

SHA512
e39feecd384528a5d41566ec6ade5300e63633db185d91f5c2fd5d7ac44d0cfe0e29f45e32cfcc404487a1cb1becdc5b2154a7c7cae7fd574b904568a6590be8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
688698ed11e9f50d4a961dd2c5eeb7f3

SHA1
4f1243ad395d268351e7f9e1b4c1f7d28ed28451

SHA256
4a2e741a4a239e89a97072cd6175f7020722b3591a1a44928cb2c76a7de64004

SHA512
ce05a8d2a2969226ce1be5b4d237eb5acd1b39d99b95184f2e51ca798e99489df8ef3344ac065e525bc2394ff74fc0efbfc49efdc91235e275779b7d238ac4a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4005905703f49c51b42cf0f9a412078

SHA1
9efeb66ea5bd3b8a05dc0aa1641cdbb64b0e5fb4

SHA256
d81b2a4bb2d91e28e007bb47452dcd5463fd7af0f2c1a14970ded0ffcebdc3ae

SHA512
01c944b7abd9d1e0c37973641bb53e4f6632208d9514ff98ab6145efe84b8ff6732c3156035bf8d56e5899d41efb9d2c392a5567f9ad22617c4118c16661f9a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef96af10ea6ef30df7b2127942290583

SHA1
798da422c088e9eb672b7d795d046f10450ff6e6

SHA256
2224b9add5f5e5520f92ad2aea48b76f53c5edc82298c0e3e5672bc1f17e3fd8

SHA512
adcd86a8107c499a2d954a46e223601f7b3323db7baa0c5407e792327745521ec4ee5e6fc8b14fd5ab2dc55862806c9e18ad174d6905d1d24bc8f30f454f3b4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
514ce4196efc0468d98bac1d3c42ec99

SHA1
e17a7f75bc95a37b0bc624ba6306547754030aef

SHA256
a2d4a3618c2936ad2a3522c330c002e93760d634adb5da823b4c7bc8ca80fadd

SHA512
3a8ea4b2125bbb4d4396224052a54ca9383bf355d579e26952fa70b3d1725efb2854fba40a0ac8b02fb6149c9e20ed9157b85c33bf80f4b67ba38ce464b118a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c53520bca533f12988ce69c39781a28

SHA1
8b4064128fb5c39a3849940ba93d35e1c8b0758a

SHA256
059009afbdc833c91e6c6e896272978b081b01e99655be7b8d5fb2f193d49fd2

SHA512
1bc97b578296c3c72d5e0755a564ba7d0f381a8272f2d04ad7382184ce2aa305ceaed853c0ef45abc088a81652da1e8054fde07975daa16267b0d552bb7fe23d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a07604d9ea0287147f2825d7a9b257e

SHA1
5d4ac553d54698793fecce66c87f72aa37b9a338

SHA256
6c3c08efb8a945823e7ee67d9081dc8264d6d717b0fb99c7f97c8d7ba65e16ac

SHA512
9cf5a0db619c3a3faafe873537cfbca788e64cfc651805d15bb87121fc63fd22ea3eb38edae65bfa1bae8a12c9851f2f695a10f7462d95a8dea211b34016d88d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e075626ed2d3bc8d9ce3488bf59385fd

SHA1
eff94c6a24e6051cddf19bf473e90260563b2d3a

SHA256
aff18023ae5c87bef68294a9b1190db04ae966428863b5415c38bb1bb1009515

SHA512
9ebca4c0d3eeef38e9598fda310da4a8bc38924521fcdfe69f58adbed9781bb82bc668e1ebbf63cd49ba78478149f8cc8c516d87b9d96fc0746ac420625300ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6296e06b55dbc2dbe605eb34d0aded6b

SHA1
e10e32510ac6bef69f7aabff35a4f79825ab50d2

SHA256
0f4ba9459ce63039742bb97a96d319a35785ee7f3faf445e7fb40a8d98c5381b

SHA512
c0c52b8f52fe878e0a6fb8c78457a86c70af68d12f2f83382971c607d43dd2001d36c852de691167f149c258489b68ffedecc26c6ebdf362245c4710b99af800

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc1d2014d2ce3079e48ebc8a9ded6b9d

SHA1
62088072e7ac33344788a80b52c1b40d616f5fb0

SHA256
3dd35a83d78abd0990e9feae3b3d11c376a05404f8c84c41b4a98160413e1544

SHA512
7b5af9e24f9157d96604250a18b890b24341b2f16c6717cc6f7763d5d2e409103c4416ac0a1c2d72963ed2eaf3876f17fb7f1bcc364e757d1c13e1ea76d6621e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1323adb760627b19a8a0fdb09fe473d

SHA1
3459b274bbcdc8a75e4846f3004a769d2a4254e1

SHA256
e4cef9c16d27ecb1da81d61f13ed836fd108e6c2b1bf31ee3a727a2be17f9c61

SHA512
cad43ea8316f1a569a6859ad8ec010f993d739e654702a9135c3a99225634b89f3784098599b9dce4842bad666712f996a544c259e8c0f30ae1f42e536435a38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91b48aa4f8d6390e5b2b9c70499b95e5

SHA1
d25c4d0ce0eb9623d9bc5bfd4eff26402758d54d

SHA256
e47c2863d6f595f8d5b880b513e2d249302afa8718ead69511a4df31910de6f1

SHA512
58006757647afa38b4945205d302eef8ad681fed121b8c9732d1845fe0edfd7c501fd15775769f09c7cbebd1bd4e84e0adb30eccc8ce9b7b297610596420d9c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cac34474f895ebab967336d8ac9e472

SHA1
a7859b0f3fdf1d46ec43a8d9c555146566fdfe1e

SHA256
f0f5185deaeddb32c61a7aa8ee1479c1be9e2e4bf2120b387c838c7f86d08da6

SHA512
e07897c3580ecf079da9d0338fe09bf6a71cb471fc3da2ac665f349a6434329541ffd662d5069f81998dcb5de40de1f8287d26c6da04942fc51b6752ed9b72c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70fde372b4555d218424cc925dc76645

SHA1
e95270ca642120956eb13adb0101232ee1460e80

SHA256
f9787ab58c8f8edcaf9c9d97b7ef80c01db706f445ebefe9025d6941490a0061

SHA512
5f311575b7c2aad5c28b1b1fee643425d9a93b79c56ccd5339fec78af5e95287a9b3fd94710b4aff0cea226814e6292d2bd5a8ae74198af14a212cf4803e5946

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2038db63922957224ea79a428654e090

SHA1
f5d552e62b50623b95ce30a28c798d0b07e41558

SHA256
4d2f6c92ea9ca06db7c9694052adaca1b79b8f8ceea6466a2ca76a184b72a6b1

SHA512
6aeb458384d1c360e09fef6c5e23d9fc255567c68691cb0cabf50a89d6a8c9d20523fe3a895eff7a081643c148a0d09e805d29aa6a1824b1527375a41f400b50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5ab1e30b92e9fa43b742a62e0f49a76

SHA1
2999b84022f37c8cdc4de50c4fbe76deff501ecb

SHA256
a650cdc5fad85fb4195a338eb5870591b187ec51ef7ee8eba366710caf884816

SHA512
f8ff2e29d2ee7c0b8764f776b27bf56964779483392ac0aed09687ba876b1da3fc7fa2067975c7e3d42a1819738b849fe9774907203b3b55336d6b3f838f2a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff7b60b11636461b656742d029f21f23

SHA1
1766bfd5bb5e6ee69cb8887b796c317c3eadb7d5

SHA256
15b4570b213fff83d0fa4751b0a3ccb3b9864387892ef5bc0f36b43aaba77ae0

SHA512
3efd271fc479c798391bafef9fbe262644fcf3076498a56c1c27ee501743710e9c7e1f52d2f67423c08c2b741b7cdc2815ec1ea3aa2cf2edd7896efed6face0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a50ce27fb7f3a92806c54222388cfa8d

SHA1
98e859996c46401189cab23d1cda5199f2c5b720

SHA256
1d13d72b926d71343b30295edaa7fa9821b4167fa2d9935871650d771f9bbf22

SHA512
3b34de4c675cef8133a777dc0e8675705eefbda60c42e41be8be58ab935149de052ec80c29bc42f0700f64927433a79e244854dd4dc606955c819afe64013cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20BD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar216C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
36fc4f4c5fb0c16f79018ba36abc103b

SHA1
a72a3e1c9a16a22a8d3490b3857323a8d7f26967

SHA256
72189fc7d9b5b40246dd60aeb71b8ceb903f7d2020f7e8b963f9202df26109a2

SHA512
8497d61c61357cc3e7f84361f24fcbbe080ac979567afe02e635d5688502243ec035e0df7e00342e98d3dc7127cb64de015a771d777e9ebc11060694255cdde1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg

Filesize
49B

MD5
3223456ef16cfcb0a110c5b2dc087484

SHA1
bcd57bc34f16314f55b2709d2ddd36f693d8dca6

SHA256
a89a178908b46e50f03772da2544e28dd6e81c264f80aea2eb989dd0bfe31982

SHA512
b87f762706f50273153a4f6820130129fae3bec00aadcaf96b84f964446a871847d14427482141c4db71b2d8547c543325d1bb93b75e503af460b041df14cc86

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
bf04dda9eafeca1ff7460356a0b0d2e3

SHA1
2cc1dd2f5095850930d0f52395d2e9ce103827fd

SHA256
3d4afbcc6e1fc187c51081cb0991b0e2d0599b5b5612eacd0b0426cb8315fd2b

SHA512
38b7d295537d1793a7c9014376f763ccc3e11c3beea2a3e6d04ea5433599a0cfb66599c0ea4b733ce7d61cd2e21a678c37b356ae233f609e139a3c17e5dc57ad

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
058a42dcd5ea0da05b4978e759ed91be

SHA1
8bc48dee9bca0ea921f3c364210269005f41929f

SHA256
05361a6898a7a529e931fd750ff8cda48cb87a5c59afd155f7b5372e1f1cb626

SHA512
f3e6c0619975c01b83e6fc74149b8ba7a9ac43f969d862c9dbe235be0c95ea407142aa88127fcd83e0b3740bf90b30a00e5b0660aeab7cea2462dc4c3e581bde

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
712c270596192cc191a891f222c6de32

SHA1
d2622900405f2faa7993610a19369dcf921573a0

SHA256
703c224ea50f854b58784f75c928ec5d9496d56e57d15653a76bc7201e1f3b10

SHA512
5532cd1df504b39ce5724fee8bc1e510254c2610e020c95ef20158f706d1cd63551e83896261e531cd78fe308c2e1bab20373ce92198308031175fd0b8f81001

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
9329ee8a81ea6cd13942fa1eb6b771a3

SHA1
fd8ca48ff7095675928506e45fe72ab47e1ea473

SHA256
ac33ed626dcff31c5dd7399e8c29a391261e77ad0c7c92e285d8d41300b63b94

SHA512
17f3723c2a19363522b01539584a8bac50d0270a0105a090cb958935f48efecf8db10b50b085814e68db66757d11b45b44aac65c2f96658a711c08ba0a4b6b68

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
3654a9ff4dce6d01d5c64927c708aafd

SHA1
22a0b4956f8ee9c4c67280c28333f1840c6ac430

SHA256
e8b6e42d2f8b3015806859681e6347da2ebb7d23cf0962d01f3cfc4f33391ed9

SHA512
94082e4938ab501c6e44847315784f4d8c06a5129db78811e43412e1c1b03d4f85cd85c078a871638c9c8b08b335f9b5ff6169f72f2d06b850f4ff3d1a100b3a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
f4fb6d351b3b0165bcd49367eb4ffee6

SHA1
0b91cd8acbd331eeb7516a28f46cba263d3caa59

SHA256
063baed3d5e33361eade9a32df9be2d4da7ac00640109ed76301ad25696a2f91

SHA512
86b2c18290305780d0c37470d050d9b36cf7d630eaf2d1db1dd7979bb62eb9fedc57a9c55a5d01800e3af2847aa91d9669b3d01ff91946e00ea3d4f4d4a68cb6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
3dd3a9d6d0897ec02d63f4bfc44f2729

SHA1
7ca87c2fb8231500093531b13f0a59d3c96ef481

SHA256
47e0a48454ef73a425423ed2768e58018eac35e9e90c528eeff9655a6810e3f4

SHA512
33547847f4affe36f4944fbd6deae29dcac4acbe1a76cbf941c5c6d31644a6aa456cbdc90a544a8556969e67528f66856a19abe76eece6ec25b0bf8c482aae4b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
d5915a7450d365d4b98bbb2a23d35568

SHA1
082eed7453c062e03e62c3ffe07d16121d78ce16

SHA256
d502f46f0b0f36d1ea0b48eaa59f98c1586065364e2a48e1099119ac1f22edca

SHA512
7c2958738f6ea99f552fbd1adec23ec2a4aa19af4cdfeeb99e0dddae0a3fe8499194d2d237c763e193278a7fc23dc4c6768f34d2b4e841cd13f610511be08bc3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
e698ccbde1772e46e60b5dc5653bf9f8

SHA1
12e5fc8b0dd0ce2a723232ffa4111b5d52b764e1

SHA256
540d847750f72eab316e99703a6c3250dd0fdbfadb1487bf9a8fcc926b35198e

SHA512
b8d998e497d92559f299f7cdc0022310e9afeafa2b8d59c4114884fa599cdf7cb3e56099b9a94899216bc27ac6661dc4db9efa06b4947a796ce489bd7ebc5fd8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
c56e24536ba6c3819fa32ab29c1af148

SHA1
231cce2277a6b300224f7a989b21687e1ff55988

SHA256
2ba83a2963d53bb663747cbcdab16ffe14ad955a945bfadf6a98ddbe1f9c8a81

SHA512
5f45df71aeb22c9d9a2a5d7f56f2bfe7455a9f542ebf2e88419066d21e8afdf73cc53f3c165a417e2fa98e99612bdf6aa360fe4f32d9acd4311d7099ccfdd0d5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
88541ea12723a5ab50a255b7bf61e792

SHA1
6cbdfd969a73c2cf50c6eecec94c16610ad55b18

SHA256
207907024900891cfa97b635c47ee8b52e1a953765a567cd588a199269cc60d7

SHA512
d4a10f5e3389c15747f1b9f3a2fb9d6b11b429c086b7a3e24dc62a2db83fcb099447e8bf3c4fd5b6d46aeda756fb68eee504f1da1a02614219664ece37be7c62

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
6d82f17fb8435ce1501753f94159209d

SHA1
7f831f88bd3892ab4251492a1e2b6419f6a8d2a0

SHA256
bed08cfcc23494f3408668e494c7462195f471c6c33263ad9e17d0ea0914ed54

SHA512
40cd2dafe00cdddbdbf8eab5848dd6d013af597da983dd196b0e1c580644ced1774cb670dcfd3753daebfd35409d9ef78d83e6a645c2f3cde6f82ea922af722e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
0e12bb23ae932054b2a896dc9cb279aa

SHA1
84dda25e3e6f93f3e75139ffeca22146cc3a0a72

SHA256
66d394255390be8386193902a6a7017cef999aafd70fb2d23d8713fc9c565f77

SHA512
db4d1a0dbb0f93d963d10e739ee70f7af16f7dfb7a89422b5c7a2df7f3b40cb8c07f6f326a1a7e91bf71cca277b6e30dd06017919a38516b59a15e0829d55685

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
35bc541ef2081aa9fe8c3d401c447c5a

SHA1
3f6066b7c61f7f8a1e4392cf20296f38556a9aa9

SHA256
c3a09246ef916012aeaab6de8b3170c90495eb1af4f2f70b27cc88a5e06744dd

SHA512
b7431c830abc7a9628b3d20d4e78f506575f416acda1991689e99861c3c9f2a81469c9dae92714661ca21aec0115cdda010700f55004b41568e7367526091403

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
cd9399f9d13099e5e76d17507a2524c9

SHA1
307c429900cecb2626d03f053b3192fca50969aa

SHA256
d5f2c702de271f9117976246a454a068319c9252d0a953c9813d54e3ab23b699

SHA512
1006424a76750beae5ab2314137eec88896b88413c48a330b9ad4e704c30190e87443726994b698912977b805c3fff228fb7d726e1674a1407c0e5ebc6db263b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
8a0f6446250b6edfedbe9513dd2e4e4d

SHA1
8e3b4448eb354a2fd0450bb2696947035df9e084

SHA256
46555cc7cc7713c4ffbd276a124e93da1eacd5c8eb55a48475468ba9fbc9877d

SHA512
680e831ccd8d2b22339b569d618e1475767a1d95ca2843692336ddf45f930bc760b9ae2985a9fb4209070e64fc0d0716a5814819ac5b5fc2945e7a4f1f549ca4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
7ce7ef132c4034838543becb88009c07

SHA1
e0d4ce9cc8a9d63a7b75e2582a84f5a0319c2b73

SHA256
3691a7a6e5a811d6968103f971fe82a6e37e8d030cee522241ed9ba534f65a02

SHA512
3825b464d62b7653108535131663710e67991a54f2b346711c9d7c29d62b9351d7c0053959042e8696f6a2e456b2ed658876d0d352f66a5b4904a5505220f831

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
6dd1f9458f8228b139c22dfafa9772d3

SHA1
e3ede18c4861a14642391a4c3d73215a67552446

SHA256
c334bd270afc1f789edff34cb0d7026d527a580eedcc0ef5f14d23681b4fa2f0

SHA512
5c27bf2420c11d5680bb8de8e5a2f91c3c724944f246a37d378dc3f89be9fedf4da6d08883770c376cd44701459761b1d7edf5f82fadd4be3e24b0957d5238b4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

Filesize
65B

MD5
c0770e4ed01b239995d60aaa83764edc

SHA1
97e7ad58881cf3a0f181b173280c40478c9a2a30

SHA256
5211aebceaa46deb0223de6b43dfb49563adac97a56249df7fb05032361223cf

SHA512
e25278a9dc1d8f999d69640de0c7f6df7fb35931a4e203afc7cd9421a867c8ec1ad6cd52e342227c049551f99f91d2b529305c995eef73fae4c20fbe762bb156

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

Filesize
65B

MD5
a68c26bdc1c7ede5b72da2ee48ec4aae

SHA1
ae19030d9383a9b1186bff44929a42f3ab707990

SHA256
e755f3e461bb5419c9b1e6c450428f884f5c8f3388b2351c59cee61e15084c3d

SHA512
d22fa487d9f3cb97d0e3c679e72335780defc83ff5f0ad724e50ac031a51c0250b588870a39c934fa6e4da33ea1708bcf2d4f3136e64335e6ac0dedb31824c8c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
8c90010720422fc3bcb76594f97b743d

SHA1
33479b2b525673acec785a05f21f62f84a858bc7

SHA256
663d08f7a2fa652625afd1d6cacd7057ce0ecce9963475aa4b06ad7aa7ed82ee

SHA512
8eb92ec485fdfc607bb7c2c3912d8c9c6f33926981d155577f3faaf72e0fa9e3b46b17cd99df668a264efb407ce362d92e0e7d9bf4cef0d4ad854adf97103c4d

Download Submit
\Users\Admin\AppData\Local\Temp\JF_CF_ANTIGHOST3.exe

Filesize
258KB

MD5
3ffc01adf1bdd98bc7675450ef673882

SHA1
7c8226cbc5dbd32fe8553fd17edaf7f4b946a039

SHA256
75920af382027dfc7baba45e56b6e007ff6d5a5dd7b1506bbb98e08ddcd6742d

SHA512
875b7d94482c3ee7a20fff9b49f56a502f7858edb9a47c61c7a4918bd9ec6bf67ef72b4decd5a68775237ea592c27b75fb3126019b4ef7743aa0ce6a9e3dda04

Download Submit
\Users\Admin\AppData\Local\Temp\virus encoder.exe

Filesize
12KB

MD5
63101d9664ce362eba241e2bddc54a74

SHA1
3fa8190d6a1fea2b54efc6804dedffc6d29c4221

SHA256
20c262be3ce3269b1c2d0f6af38c189c69e22ccbdf0942a23c89073563445326

SHA512
118d99caaf939ffbf3b213a1c51f3933cc7badd737ecc13b9ae1c85163d352d8b10e7ec65158070860b0b78b50a50b3e2d416a9f1910aad0629ee6560a4435cf

Download Submit
memory/2164-280-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-246-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-295-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-286-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-283-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-4498-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2164-241-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-4260-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2164-277-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-275-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-297-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-273-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-269-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-267-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-263-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-259-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-257-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-253-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-249-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-287-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-289-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-255-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-248-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-239-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-237-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-235-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-293-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-231-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-271-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-230-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-262-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-252-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-233-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2164-104-0x00000000754C0000-0x00000000755D0000-memory.dmp

Filesize
1.1MB

Download
memory/2164-103-0x00000000754C0000-0x00000000755D0000-memory.dmp

Filesize
1.1MB

Download
memory/2164-59-0x00000000754D4000-0x00000000754D5000-memory.dmp

Filesize
4KB

Download
memory/2164-34-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2164-27-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2164-243-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/2316-18-0x0000000003390000-0x000000000342A000-memory.dmp

Filesize
616KB

Download