xorist | db6caf0d960158ddea58014c0f62e0ac5c7a5ffc147ff1b71af479324c1aacde

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe
Size

906KB
MD5

3ebcc0ec24f4f883df0e18c4e81a8b81
SHA1

490bf7e10ac597d603a66179c6e327bc6b183599
SHA256

db6caf0d960158ddea58014c0f62e0ac5c7a5ffc147ff1b71af479324c1aacde
SHA512

6f71207fbbf669519e13d873659a38a0484152ff9bbc1c7b7e17c0adf0e2bb1b53ecfb061b7ce6e1e0ef15ceb5510a6e2295b9625e77af928a1644075ffc6e52
SSDEEP

768:Yn/J8wMaNCE44lD1USubS3/fP9U5KWpuW+MqjojnVc9uV3:Yn/J8cQYpbnPepuBMqSQI3

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2228-7004-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2228-7002-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2228-9216-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2228-9217-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2228-9218-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2228-9219-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2218) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

abxd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe

Drops startup file 1 IoCs

Processes:

abxd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe

Executes dropped EXE 1 IoCs

Processes:

abxd.exe

pid process

2228 abxd.exe
Loads dropped DLL 2 IoCs

Processes:

3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe

pid process

2032 3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe
2032 3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2228	abxd.exe

pid	process
2032	3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe
2032	3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

abxd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QmdpTwe5Bw2jy77.exe"	abxd.exe

Drops file in System32 directory 64 IoCs

Processes:

abxd.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_neutral_8887242a56ee027e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hal.inf_amd64_neutral_232b95977cf6d84c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvfx64.inf_amd64_neutral_194cb6d2ea3a486e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc004.inf_amd64_neutral_bbd3435eeaf576ee\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcpq.inf_amd64_neutral_fbc4a14a6a13d0c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_script_blocks.help.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmar1.inf_amd64_neutral_b8ebf59556c3dbf0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_transactions.help.txt	abxd.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Automatic_Variables.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_properties.help.txt	abxd.exe
File created	C:\Windows\SysWOW64\Dism\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Session_Configurations.help.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr005.inf_amd64_neutral_d140721f97061bba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9b214cd9b78760aa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_hash_tables.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Session_Configurations.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_trap.help.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpenr.inf_amd64_neutral_34624840c3163a38\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdmtp.inf_amd64_neutral_28f06ca2e38e8979\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Language_Keywords.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_CommonParameters.help.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\unknown.inf_amd64_neutral_5eb6ac70dd1a3ad0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_FAQ.help.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\migration\WSMT\rras\dlmanifests\Microsoft-Windows-RasServer-MigPlugin\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Core_Commands.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Session_Configurations.help.txt	abxd.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdyna.inf_amd64_neutral_7e4d690d07ee94c1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtron.inf_amd64_neutral_1121c7f92e9e3001\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr00a.inf_amd64_neutral_6033065925bcc882\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\he-IL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Foreach.help.txt	abxd.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_neutral_4c78da9e48068043\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nettun.inf_amd64_neutral_bd24fb174fabec97\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netevbda.inf_amd64_neutral_bab421df9c31cc81\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-TerminalServices-LicenseServer\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\ro-RO\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Path_Syntax.help.txt	abxd.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0404\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaus.inf_amd64_neutral_5fa4270b9924b918\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhaeu.inf_amd64_neutral_6611a858035bf482\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0816\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\slmgr\0409\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\Dism\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcdp.inf_amd64_neutral_170c11f3a6d3f0a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_transactions.help.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ksfilter.inf_amd64_neutral_86311fdf78a07678\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_hash_tables.help.txt	abxd.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\abxd.exe	upx
behavioral1/memory/2228-12-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2228-7004-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2228-7002-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2228-9216-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2228-9217-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2228-9218-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2228-9219-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

abxd.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files\ReadSubmit.mpg	abxd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\main.html	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21495_.GIF	abxd.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_cloudy.png	abxd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png	abxd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\THMBNAIL.PNG	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG	abxd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png	abxd.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.JPG	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png	abxd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif	abxd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	abxd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00516L.GIF	abxd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png	abxd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif	abxd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2F.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\BG_ADOBE.GIF	abxd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_mainImage-mask.png	abxd.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous.png	abxd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous_partly-cloudy.png	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	abxd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14531_.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21326_.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png	abxd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	abxd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png	abxd.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG	abxd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.htm	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\43.png	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png	abxd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip	abxd.exe

Drops file in Windows directory 64 IoCs

Processes:

abxd.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_microsoft-windows-time-tool.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d57b51f142dd7423\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehentt_31bf3856ad364e35_6.1.7600.16385_none_8f626e368134068e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..httptracingbinaries_31bf3856ad364e35_6.1.7601.17514_none_8dacedf8319144f8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-licensing-srvlic_31bf3856ad364e35_6.1.7601.17514_none_9f04b3924a232af0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..input-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3c1b18d940d45d5d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_sffdisk.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_25582a9ff58430e3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_998776b7c69522d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..figwizard.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7c0c8fb2a1b286f0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_040b0688a7f1db42\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_providers.help.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..consumers.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bc0f773a38ccd97f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_netfx-xpthemes_manifest_b03f5f7f11d50a3a_6.1.7600.16385_none_ab5096c4554b074f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-netplwiz.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2f005af71cb5714a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-powercfg_31bf3856ad364e35_6.1.7601.17514_none_5faf24b6d52ba3de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..files-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_34db1cd98c89c628\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f1407637cb533c29\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-security-vault-cpl_31bf3856ad364e35_6.1.7601.17514_none_f97a44fb99cf439a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..engineres.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8284428e57f97b2d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_ja-jp_c8307df51ca42b75\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_wcf-infocardcpl_cpl_31bf3856ad364e35_6.1.7600.16385_none_995999a75e321914\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Design\e54657ea70d60e1ad13dc5f818f32e90\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_mdmfj2.inf_31bf3856ad364e35_6.1.7600.16385_none_b5c7033b92bd022e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..nal-nlsdownleveldll_31bf3856ad364e35_6.1.7600.16385_none_087f597fb956baeb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_lsi_sas.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0b2db5728648fbb1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-k..er-events-container_31bf3856ad364e35_6.1.7600.16385_none_27f8f387ab3ef424\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..p-cleanup.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5cbd5c8d449702df\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-deviceux.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_11d53c9a0172c986\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-shanghai.resources_31bf3856ad364e35_6.1.7600.16385_de-de_775e5acffd45d164\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..figwizard.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ee0334ef82de12a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\msil_system.xml.resources_b77a5c561934e089_6.1.7600.16385_es-es_4bd2e4b0dc5dce90\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\assembly\GAC_MSIL\policy.3.5.System.Data.SqlServerCe\3.5.0.0__89845dcd8080cc91\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..ibinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_52b12736cf5b53f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..s-package.resources_31bf3856ad364e35_6.1.7601.17514_it-it_86fa4eb7805982a0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_mpio.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_be006d4ed39bf5ae\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-taskkill.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2eef63283cd4a887\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-ra.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cfa6c4733c3919a9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_prngt004.inf_31bf3856ad364e35_6.1.7600.16385_none_a0b67189fe7a0ea1\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport\6.1.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Xml\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_infocard.resources_b77a5c561934e089_6.1.7600.16385_es-es_1c63e5913f091747\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_11b913172f0cb26f\Windows Feed Discovered.wav	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-v..c-usb-rpm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bcf8a48bc045e3c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_de-de_87cba9e8f27bba0e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Design.resources\2.0.0.0_fr_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-diskraid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c07d6b063fa38eb5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mmsys.resources_31bf3856ad364e35_6.1.7600.16385_en-us_06159aac83a1ccbf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mspaint.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bade742ca09c2c63\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-v..ice-dynamicprovider_31bf3856ad364e35_6.1.7600.16385_none_b9ee1de1ca498be1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_monitor.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d9adf67a3066dc98\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..elsupport.resources_31bf3856ad364e35_6.1.7600.16385_es-es_25f9d9431fe950b0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_adpahci.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_155a3270ff8e0e27\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasbase-rassstp_31bf3856ad364e35_6.1.7601.17514_none_f7f7b561fe8c0735\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_prnnr004.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f6c3c24af2d49226\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.nap.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cd913dc0445afc9d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-duser_31bf3856ad364e35_6.1.7600.16385_none_5a4b046c5dce176a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_29d825a7cbfe7e81\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.Bu#\fcf5142785d58bbd7833d24cf9461961\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msftedit_31bf3856ad364e35_6.1.7601.17514_none_33f6fe754dd11735\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_718373162933d652\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ado15-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5cb1f9d3eae4d4aa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rpc-netsh.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4ccaa83004c931fb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..spp-tools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_dbec3ce8a9af0e4b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\assembly\GAC_MSIL\WindowsBase.resources\3.0.0.0_it_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exeabxd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abxd.exe

Modifies registry class 10 IoCs

Processes:

abxd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	abxd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "IMNXWSJWGOEPHMV"	abxd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IMNXWSJWGOEPHMV\DefaultIcon	abxd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IMNXWSJWGOEPHMV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QmdpTwe5Bw2jy77.exe,0"	abxd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IMNXWSJWGOEPHMV\shell\open	abxd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IMNXWSJWGOEPHMV	abxd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IMNXWSJWGOEPHMV\ = "CRYPTED!"	abxd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IMNXWSJWGOEPHMV\shell\open\command	abxd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IMNXWSJWGOEPHMV\shell	abxd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IMNXWSJWGOEPHMV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QmdpTwe5Bw2jy77.exe"	abxd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe

description	pid	process	target process
PID 2032 wrote to memory of 2228	2032	3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe	abxd.exe
PID 2032 wrote to memory of 2228	2032	3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe	abxd.exe
PID 2032 wrote to memory of 2228	2032	3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe	abxd.exe
PID 2032 wrote to memory of 2228	2032	3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe	abxd.exe

C:\Users\Admin\AppData\Local\Temp\3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ebcc0ec24f4f883df0e18c4e81a8b81_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\abxd.exe
  "C:\Users\Admin\AppData\Local\Temp\abxd.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
374B

MD5
4fd7af8890656b6d8d33bdb64d1a7d86

SHA1
86904845f70fe0e06df05274220540219506877d

SHA256
4407816fd216281711386bf1d73247b7753800f7a3d87df82cc38a42121fca93

SHA512
cfd5e0bf9277f0865f59429e998fe1be9c1bbe6576e312625b03f4070df5a3eb810dc0c4eafc3802b4200058d950bbeef16c1996033d8b4ebba7d66ad416aa19

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
b15d489471ee7666ef38b74a35c06f7d

SHA1
dfff1cd2c8c28ef92463df55a39157b7c5c53cb0

SHA256
bb79b5b7bef841f15466a62d36fb164668ff7dfb8a0742a54a255b78a48ac96d

SHA512
5b6116c68223563768b79db2bb23f6ccd7459708d38ed4f892867564b82e79ab1288f0e9aedb0ff1ad4c6e14873f4be6fa5aa34f8bc490b656dccd3c9d6aa64f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
df161723990ee0e1f753cb76d002a9b1

SHA1
21bf779ed44881c5df6cf4b894f93260ba928380

SHA256
b70a085700cf8656e78116036144a7b3bb7b2bdf209bad92262d5ee287077de1

SHA512
e9ebc6d28f1b42bf94b5122f0daabdba5db9bc8341fdcaa66cd802ff8df3790c2598b46ece6a2f2e1e0de5ee55af9f2d5f34650d3e25eadd9451ce6329f5f808

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
7065aa996ea456d4aa201a3cbd64f914

SHA1
d46d93b93e4a5c621d8541052d31327b814c06cd

SHA256
265405060ea8f2fe076d3360ad7fda4039c6dd2ad3308f8dc6703b2f6cffe9b9

SHA512
b43e3adda87889c4c198b4afacb6c1312cd8a986ea45fdd76084a0bbd911efe259e0b3ae22d7a9e702f32ca22b499f984bf19347b06a96779afe46cf373d0d47

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
96332b79d3c0ace468d6ebd907834ec5

SHA1
aaf8779bb73cf426c9fa3443e2b1f2d52e1e98fe

SHA256
bec8297e3776e5f8d3944ef2e51ba91713a824e6d8d947b8400c27d3cae9eeda

SHA512
7128136a30de6cb7a2ac7d32c2eb0c331746cf0f0e246448eeaeeed9e529f50cea57943276dc67d6b5f074cf38906b93bb976d63443e0dc6fcdafe26f9049a08

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
f78bbfb96f25e7fec01b8a0b78197c4b

SHA1
734aee845808b9e22a2e02b43a1cf2dd0231a64d

SHA256
f38273024f409644d37b22333b94877e7856807865e03b642bbd4bfc4091d402

SHA512
194428480073d1dfbbe5564bf4a003c023b14c84ee5b6fa30a86cde11ce4df3a0ac1efcb8e29b27a80dcf228901a2bbb3b6afb4bca0c3ca2401939736d3867e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
98f583753e998f033594a69b18d9d99e

SHA1
7116986667a884330b91622bc440c04f65c300ec

SHA256
40da609d7051937cc9cee75f9fcac1b5908d57353cb33ba63d9f25ad08bb4428

SHA512
77965ed2011707cb46d23770d7fa76f906e280d6b58238fa0c7bb2bd2b9b2254865228605c7a722eb86ef1a0b24a7d4abd1e2713ed27042b9237e5c68c4c423b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
728aa5b2ab097ab3bc1f8771dabf9716

SHA1
95961657a6aa6114833bfad254bf16bf577280e6

SHA256
40706b65000dbb038fc40d6e208c7ef25ce77a097023246118faee58fabb31bb

SHA512
120be59e3c980d756ea6b87b8b0ca592710f50522c88b51d09c4b4addc9781d08c9b80da4015e1a62d1b7ceb54039b4f1c05388b80d7349cb3e9f2baa81a11d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
0aad8aae1f8394fe8e703f8be28baf3c

SHA1
30f8072b7a960251ba47a38305c737df306f3b9d

SHA256
c856006d6a2f80ef38be56dcc90cde44b033e729fd6600af5484516792a2125c

SHA512
2fcf7777d4e503d5d0f13d415293a909d90f9a12d7569a196fcc2116b0a74ba28afe8aff60409cac184e971dba5b52f3b1265d584c739709d6a78c9aa57e8751

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
26e411484bd47d5b7d45d0a1e766a328

SHA1
e9221b794cf16b072fcc5e67998094a3401d30b8

SHA256
d27fa3e6735df7993effd1b375512efe6e15e0b702f787ad2b34d1e0cc0b3d6e

SHA512
fa536903d5957ce9331de2a151a0eaf56770fd564cfcaeb1e02129d2e279efefdfd40aee421e671a1e8f9c7b27fa406d88cce2d4bdb625bd68e9e3deb2e76e9f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
2f184825c9820df27a689fa6fe616c0e

SHA1
2107f831ab489522937545bf937361ee40d40444

SHA256
c1184e196851eafcc1106ce0894227c45af0852c547ee32cbc73d4d98a3cf462

SHA512
8d2c4b7b2f72440c0708d1026e203ffbc6894f76ebbb04edca60b7fc23477678255c65a52e1130530483e3bac77796d6c5bb62e653640991d99b5b3d5a3bf948

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
c8b629207427ed7cab9ccc6be4e5e547

SHA1
44157cf0ab528e41055c42e173e135b643403496

SHA256
f8f00c628263ddb7eec8d0ed9680b0eab71af954d4c255e2ff723836dbd9e606

SHA512
fa35de2667dcee4697b3f15b455bc42f3cdb859e307a3eac971388d4ba8923548ca528f006345cc829e75612035409c65c7fe176c85c76ea99ec854e0901b1a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
0d0e3827f23dc37fcf000c4fdbbeb322

SHA1
d93d261ff660afdef9e822a469c879746d21ff0b

SHA256
1cc9610d38df1798c1cf6162209808454cd87124af9d39ef3dec9c720ef03883

SHA512
959c8b63467803a2670ea88dbeb605f9a0dc8a122e0d07999bef58885c3c07004dba3083e822710e8f4d8d7434473812e6db03af7f9197bd6b1fa362c1022bbe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
443d0a9b68906c2ac2132dd39f91a00e

SHA1
f18b1c6f48f8a9f0c876f8f93b6e5f885cfdebe3

SHA256
992dc9155437cd53dc1bd093dae132cdcb3771c06fcfd3016bb6fba0256c4eae

SHA512
01a5e61bcdbd48d5f6aa3a8ca45a3800d2d9f23e03200d1e3463bfd24060f0568386116c3f7f6a8cff9a3203fa49473c89fb2ee8d83fba6870ab2739fa4f41e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
3cf229e3ffbc8ccdb13a98ad63e6461b

SHA1
d2ed1780df7d9b7ff4896024f442b52160e760d5

SHA256
b64941adca6e3b6ff59f4afb0ea8508e166b093dae3e9948a40048555d34e067

SHA512
6e4f7e3ec62205b05ee4f8454145c695fae786814d20e406e7d49a8610d560af8a03e90bcf0dc5f31e472ffdee4c4f9641e5083e9b3c16580a73721b8a50d1ed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
b4446bec522d72288bf150f24442dd29

SHA1
b60a940f25288677df770dde305cee79f2a37e8b

SHA256
e96b3251c5efd3345395f1247319d8806706fc313d0e8ab6a667d9ab7c763e3e

SHA512
a124b41de20a2614b24639920afd24ff4eb1c96309aa40239b300ab595f670ece3a7ffe91c89e891ab4088c04b64078ba2fa4054e2b90a2b3d663667a094bf27

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
3df0ebca59f482cb0583fbd2c1109f6e

SHA1
b8d6def286d6f200b9c9f7c6147f04d81de0b96a

SHA256
c03a42799aca6cb13074b01fe03e8be9799a282b9e996f626d69c6dee57afbdd

SHA512
156beb3ea9263316a8c4c277b2ed2f95f9edb4c74d2f7ecef1539bf04dc2d4a72c019a1397e9f8effbb7378aad50348311a1db20155f2cfa51e8ab35bb270a96

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
7d6da6f1b6243b1011810a1edab2c9da

SHA1
d64e62bfdd15bf039705cd5fd37a30d48c440722

SHA256
aea5aacf04deb76be85816d79e5e15aadbdc1e459e3dc3bb87a6d48b873faeb2

SHA512
97cca723141c7213fadf5dff1c2d7914479b57abc6c6c003bb8499d42bd3a9fe6474603f271513559e3fa6d93a9c726bf5d31bd40b0f2c638d950982d84f46c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
7c9586c3a6fe96bad6a380fbf1b56d5d

SHA1
4b075216aa9fb9061c2ddc9ea8ce3edabe30edc2

SHA256
61f2156048ba397c659b635b19bcad7e58271e40b62f1f056ef8a144f0edb26d

SHA512
af06bea8875bd684e4dabe0fa581d6974c703f2dea58d52358d7b635ecfc0d4e40f5cfd196a6e5a5289a8924ae4dd096d3692fe2f09e1763733f0ebaa1b6ead0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
07e883a6617fad59f3159a614ee69909

SHA1
9edefdc8f2c299af87ecbbbbcd6253c6c5bfdb27

SHA256
696d68a2ebc057248604825dbcff616c0c83c8efe593cd20049c56355cb96dc0

SHA512
9d94500aede2b00bb6c0ec097620bbd0e3f27acb72cd5497f37ebf29c1e385faacfe347fbb7c909892a33dbf04a3d213ba8ed6ee72757ef57d00fe31cd1fc75d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
36b420fa958daf1569b5cee3990ea081

SHA1
f51c8bb36872f8375553333b1518c73ecec25226

SHA256
8bca4b92407ecf5b502c27d0e7623719ad357b7d144df68f2a2ad3a33c640a0f

SHA512
a56ad84be89b0bade993c4ab1dce8b77c66eb4c20d4bc3166e7aa8f6d024a43f828da96a06ede6857fde31fd5018c9bd60a7d4443a3fe15e7d9094f74856979e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
dc495abf98175504fee3bbda9a4ddafd

SHA1
f5dfb5e834480e81d3ba057e2c129b6a783bd2a8

SHA256
e3a9693967240f3b46db2a21f29508a3d4a0fce4531fcffa549d2e7ac3abfb16

SHA512
68973b4f63692def25bc3ec995d4cf52216cbb1ce47ac34822d8faf97376fc25f8e834151fb14ae79057cda08d188c6cae8f697d1d3669b31564b56db406d838

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
1fdec7114a4327d5251390b9f13d1ecb

SHA1
13a430d616cdb7428cb2c857ccf6371a589b3a1c

SHA256
85bcba9e5e9ab4bb0bf2b3277be96b3dded5dbf08c921dc45839da19c04843f0

SHA512
00221bc8aec44c771b4f3e446b3d3e4fcc3e98a3b6473549d4b68df584ecbf493bc2ab2bb8174755e982ebaa62e75708663ee8e6a7302859428869ec501ae2d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
3d5c3a40ebd99a83e719820c82c24501

SHA1
910f503987fc4cd85ab0402f42d928694b5e01ed

SHA256
e8967cb16cb1355896a601592c84d0d69edee8e8189b827f9e704bc33beed815

SHA512
3af75f9abe72cd4b9d62543eb287b9f6990728615bd771f818bae666ada76df57e9ad490ed419c8aee0c41a276cb84616833fa796873cf74a85e649f96142f6a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
9546f7743cf36a10c52ac7df7228ac9c

SHA1
dff926af5d86404d94490a0620f7eac2fe3cb290

SHA256
00b2d618405f1ab8ced51e0052f72e84ed5dee489beee01d2439fe8f172aa0c2

SHA512
33668d6f430a79ec9af95e98b31269620badfa44a686a78d78439eb827c96f0567e326f058e44d98137aa311750b86dd98d2c82c662abf4775753474a2447251

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
a19e33630442c5a545355a83ed82704e

SHA1
8579428c2cb25b60f69a0efdb99af3327dd713e3

SHA256
61a3c4088451e1a5b2ff6d6c5caa8bb8f149656a9e1b4ac8bffc3d208fbf0c54

SHA512
6141d5321d46e104518057cb593812f0fba902d5110bed11cd146ade82218304c17f15099bc7ff6af39a7eba87c8e9faaf3c54b1471bd0446a346666db95323d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
fde89ef2f18c3756dd50804b5287fc9a

SHA1
acf60897da2a01859ddd9ce3e551eb8481116ee9

SHA256
851b6e31d2cdbadec39296eab5b35af4f1ea84244f6cf7b3edfdd79942b811e3

SHA512
32000de977041e1994afa75c5525da03894f0830df88e1810552e538def7a17465a06ec98dcc896b1037dfd6e9bc2d3f7c21d90df78cb3772cdb21d2748c3924

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
04c384238551ca475a05688c57b0cb18

SHA1
e439537aa48887d2b6c4a9228937c3566c030e18

SHA256
358a8298d7e0c8cb64b34d978aa248f074033e56bfbaa964916f7efe365b0eb5

SHA512
6ab7ae3ca00772a72edca58ad66c08b3be3801e59849ee29bdf8d4500e1d7fa9a8f53cb20b665a01426253c424f8273be8e78dd54dac7bee778db0d21547eaf5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
d52aba1c9865ba7bea9484d9f5cc8acf

SHA1
331bc9b7bbd46f21263cec1980f87a737fee3feb

SHA256
25be25d5f528bf0d9fb378a62aa41ca06d6fd124137f6ec1f29787f52dec102e

SHA512
ee85f10a75010f22e1444167dac9195fd39749822a6bd9aa04bd0278ac8c4c92de5aa9f7cc37d2b6da6499cf51e604283f94fa855bec42a55877e7cc7f38f047

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
06e7e7055e5c4175d3d6eec354555e7f

SHA1
a81f31c8a11869140274aa21cc12a3fec1987823

SHA256
0aae81e3cb37f63f4c5d040e9abd557632c18d19fa391efe4130fd24ce0acbc5

SHA512
6602e59d60ca5601084719a80d5974aaacfd12ff6313316ee8558bb1434029570c2e9355b42d34508ed9b05a56e6e05a0eaa9b962db8af9a3bddd79c77a1dc8d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
e0d89880809971774a9c1ccb5549c3f2

SHA1
b10d14e22ca398c80393bcd312b28729798c5da8

SHA256
fd4e25e11c500fe022224f7f7be83ec3e76c461317424b18e41bb51675b43ff9

SHA512
2d9e72e9e025edfc8a301fe61cc4a526a5033d523b2e7ec51ccaf2cb8a62b2ed38c471a584ae46c4ccf2c48d80b036733fab34005f3c1f92c83488edddae2910

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
008c19a085936e7caa63b90dc4489555

SHA1
5885078949bcf66694937759f943553f7042da33

SHA256
6ce72735ca196ca0a427b696e29c3a45ed4d2cde84706388c4943ad2272c33cc

SHA512
146866c64317b7703ca8b132f7123073e8d139552c872e5407c78911428660cb9e4c85a94bea0e433729cdfc15b74d6f02a95305896dbda5b872f9013f2dfe4c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
044fc44264f9943d2fd507cf42000c58

SHA1
be56b005a12916583bb40dec69143a773a17f78b

SHA256
e3c62f46ec74e92b07e8b28dbc490b869a7a71127982e77cb73bc22669db060b

SHA512
285f730ec746c42740e437cbcf8e7870be06d8f883fbd46b977eefb8807d61e5362dfc53ac6fd1a4bf2b427aec10a448ef4e48a5b6f2f632ba162cae4fd01aaa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
144d58041cc6bc35daad50ec2b562e76

SHA1
1c40a657651462c79ec0a345cda6500baf64faf6

SHA256
49a3dbc4ec3c56f419d8e9f1ba6fd45ebaf2fceed9bbb1986dd8bb8e7366914f

SHA512
0a6ff8d6705ce5453eff827543981dfcab275cedee575b466ef3d8f3fc8b1a094b22709811745832e3d7a8257516238ea3d298354f910f4d6487b82eaf295e31

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
276f3a885d4db363093da4973d9132a6

SHA1
39d671f807f7504de457f476e539b72a7c57313d

SHA256
57683a2ac55ae769c8faf861c65f3e21e925053665216f23d2d69db2e5d31fc2

SHA512
615394ba4b6ac684af7f22b70d3f61219beb6f204492be9aef01024d3aa4cbd85d243bc779b241dec23d8ab8346aaefe44863eac24c60a4abc98047a915626d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
54c5a63c37c9f567717e05aa4d435628

SHA1
c3ccfe631d80daab2a51ba7ea37f4e0c4907d976

SHA256
d7e7e6864a5c7a48dac3400ad57d5e83b1f465666667f24603a62d21f7cd8470

SHA512
41be69536b7cdfc6c87ad060b831e6953093a91a39cdf36537c764d9089e74e3887d4b22de140b6198e406470a7b1945a5d0a46bdacbff04a9d1944b922b4da8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
d23004f096eb305208a2893429e155ee

SHA1
3b254000e7e927ee31edfab3568bb1df94f165a0

SHA256
ef7525cf3be92ca7ab2faba9fee83affb1c68315833c207522498aa16bb6ab72

SHA512
3983812e7f0607903ced8de9d7d4ea21a3e44dfcec4595b87e296201f1d5792722b93c57d8ed12e80013cc45acd3e517144c407bfdab679ba9a7aef9b1568200

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
fef892a647aafafcb101eb7ee3c6b961

SHA1
ae744add95fcc35afd446347663771f9b852a8b6

SHA256
8324ebf082841d9f01df26f776b17365039542926768acc95a4f98640af24eb9

SHA512
6dea2aa44fe0b7c18d1abc18fceb78393bf9bc95e66fb2d43cf84629cc7883d634c319436202c17699d3a1aad1ba0fef8dff9a25fc2326540bb79ba593706ef4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
ead2563ef9ef4e4fb8b83c587808fc76

SHA1
d859b34ac8056bada1a55579f514c3ee3e1e04e6

SHA256
fbd3a44c3988f89d677a3dfa796dd14829144a9318323fc5795f25a39d4037a6

SHA512
23e441ec03203db62689986155b982db0ad240757954e1578480ceb1af7bd377915ffd70a3e8d7df349d44fa5ddd7df7106f77e04c66e42e07d238b5b42bc047

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
c044a43ac714bc6708100eb0b28561ba

SHA1
8dce30743665f824cd569b50d91915ca6c6fe4a8

SHA256
05afc95da418a15ac5d5f07c52a2f57ebd5aacf4558495f599598a62d4c1f766

SHA512
1865ee6a55f39bfc1fc92430099f23e7b0d521d38785554353d769ccc479917eba9003b2c67a79fc455b3bdb9c1f6c192f9ce8db6a6edb433f55e7b4d658fe5a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
12c5d4c50d4cab13e7393b8a378ec3bb

SHA1
c843eada8ef6d793874ffda66f768ced54e633e8

SHA256
4f73f1e3f03ef8dad805cbf50b917e181c490a784eca7bbcd01f429383a230d2

SHA512
727b7ac8a6ad34f75577c86d3618c6efedc2deceef227aa9006700233707a90bf29c89caad8665f14a0089944c450ba4576b1fb2c33eda717f54ee11fdae7702

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
0cef1311c1ac67920b60ef50bc35ffb2

SHA1
cdfd987f69a17ae249c248354b757494d1dc03be

SHA256
a316b5c665cd33876ca933800932ca6e810996dee68ed16f6327b55f6e85f533

SHA512
6b808e41d365377a6a2e7c4a48ae8547e280365e8aea2d587e20843c3a3a594f50a36951d31a0c323994ef8fcca1c347ba07ac804fa61d06f5ba3bab320be23c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
abd86392fd45bd392b3a3bca063b4437

SHA1
b63c8430d753b987ecc93174af60f1b4f3058be1

SHA256
1dfac7d0784b2bbd023d4625600df0ecd9ae278d7ee1fd24097a2bc4462ced2e

SHA512
72b6ab8ffe18c39d128882b572fd1282729141675bc3ef898bb68b5873e014b2c5b9bf1aeb094a0554c4acad4ba40248d3d280f55a683b7c701034c35b069baa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
8c1eb6328a428752814af9bd066a8037

SHA1
fe03db78e8146f6fec5527b29e07beb6d178dac0

SHA256
a21cdd7927a6dc5c1b179d132543032cac82b157332b9594c966af59baacc6bd

SHA512
1d280fc19025411fb21763cecf5d861dd3b1724c2f77f0cead9907b0daf6aca08e6d62c04a3a2519c98268af8dc2faa6c2cef9ce338ae16f0820534bdc6ed347

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
6bd8f61dfb99adc59e3271755b2167a6

SHA1
08acb2fe6f84aab992e9d0290088b34b011b2404

SHA256
47f9feb7297b3891008d73238b0f1317c1f96adf952cc24f6504ca55ef926f77

SHA512
cbdc6cf51af69e14211e3743815a3e763857308635aa611b0bb0b0d97d8298324ed3bd6e403877a14ddf7d57551b39122aef77a651aea4625c46270c4dd6b2ba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
2eb86138c6bad336b818cd9d6066c546

SHA1
3067f654a5ef762ee4d911b53511bb828060ca95

SHA256
4f17cf364963d0ff5162e026b94fbb52c24bc9694449a7e7bda0d6f2944563e8

SHA512
6bc56c0269c71685df55a71e21beb5c0b8ef1689c453b3cdc3d382ab899eca4778d5e88a821a970ee4e383dab6aa30363ff41df8cf05b028098875029d174dd5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
e9182b02093e4d06b13bee10c0ca019a

SHA1
9667768e55b8eb590e830db21471753506255da8

SHA256
ecff16b0c075483f8e3adebfac6d19377ab92bce43e83473b41a3da3273032a6

SHA512
fb68f9ca9ac807e16f7fc033b67bc00e45c79f98b4fc7f8e91830c876fba185fcb619985dee11616b86e1f87aa9d5a44bb37c6084e80483490ece7bb69ede7ca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
852e4a150876631c05ef676791044e77

SHA1
2707b3802f45bb4a7e01332fe73ce595aa7abd1d

SHA256
fcdffaee80969c12579e931414e733bb70a8ddcc71f588a7b16a77fd9cac2c5c

SHA512
c3ed33d15612ac2c97b1ce67659654d2a725c8e80f9a9a3dc198a88270e29e439b402b8ec0f0ac6abdcf0036185b431fe98616cd78566321454bc1134d5787ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
d204b478d8608e362a4b0d97e318b45d

SHA1
7ec70ea082974963c7368d1b672cd97dcf28b07b

SHA256
ad393ae317e86275ac2db9cb31c9db3dc08fe67111c751374a15cdaf5eec3a1f

SHA512
7e478e0b411b185067e010b5f243c0ba896fb6c8ecd72ca225a4812208b32315c25f06d0f1e34610317f7d926b4931e7f220f5d245c4b6d37893e54c373d9bde

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
2e5a8e7f81d7d0116836559146a03d23

SHA1
9a50b6940db44b9df6a7d664fed296b151c17be6

SHA256
9cff8bb6d60d1df25bad981613d4d79631bbf49780cc2f72af67d17befc1c70a

SHA512
28e2e7cdf530db6018e118d11e9587cf2879044a0507025eafb5b9fe7e9cf86fe85fd97b2b79dc4210a9ef9af5dc8c6b4bbd8b1ad516b3c71590b670965c5562

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
7e8e20b6bdb66c7b318ae6e3ce0cf618

SHA1
e05af599deb90b21c131818cb6fea0038bbe8255

SHA256
1b83f28f4ed4981d56e5e38e0b628a2e8a6ce3d87aa93ae597926a2756e23f29

SHA512
16e8431efc501f3f5b79b05f2fad74e8c65e2d0626b2e2ba9f421a67e8ab07672cf881c74008b85acfc6a5f4cdc8fd8b85f4b0f899c3a78c066363fa705082ca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
1c206f28f770cbdb6e1696569f16cca4

SHA1
732ec56c05cc7d0ef2f280fd00d571b2f1d7653e

SHA256
5d122863d14dfa1083a88e8348da76ce3096a4ab9c671033da8043430bb516bd

SHA512
9ef022c1a591356c2bb4e8bc3f87f83f0a128247a65bfea541f7f0507beff3dbd557a0902026c73fa21966bf90f7468a7c3e4ba786f36fe079ef87883924103c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
262df9fb682f9c5279c9bbf4a97d86de

SHA1
d2ddb255846eb56b4b0e6c5dfeaaa4808e83e4b0

SHA256
9c911b81d918598f4abcaf99d94d021344bc2b32cffeb53200453ef1c052192c

SHA512
489a17bf3ac11683c50a117991c203ab9d85f886c2ac5188a2c74380fd2c6eff0df65ae63c33fcadd782f408c9ce854ed53794de1741312b53ad80c288a5f090

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
e4a223412e5fb63093e6d840e7a148d4

SHA1
bb4b3514e5b1732d082e013848362b485f03e902

SHA256
e130fcde61f1d3cbfcbfc504f8ba4d1a2f3344a86953e268e184809bd5436bd4

SHA512
21555edd626bcc5d5b01439486a509cc3ae0c4d89ae9e2a7faf81a2a438efd20c9edc65a8a7ba3423739e83dfe178e48864d81e6223bd7e5b5b00320757fcf3f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif.EnCiPhErEd

Filesize
847B

MD5
67b8219a255a701ece6d3191cadd67a2

SHA1
f82055fd1a97234b2fcd8a61999fa5e1388744d2

SHA256
6486961ebfcaae36d6f6dfe314365eda396bf99f329c69ec09312541aeff6b05

SHA512
1f4a4c7ae10dd28b97da1cb4a08921d181d211ff7e4a1eb933772c8da853d4ca7543da93ebe09fdec7e65a7cb63eaa169a82f375fcca0563c36b68ad6ec194a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
4fe1fef339b0f033881e267c4252331d

SHA1
7b91134a7baa1682318673b4f6d58b124c6e3253

SHA256
9c18e3aaed23c8d6fa195449a2f0dec794d5064b3d355edce9d9c2130f391074

SHA512
3d5be9b812d5a1ed39afe01a173195456d2ed8a345c1d7e7474518f9f8517d5e5396cd50bd0b777f69e34ca95d63fe2c5b8b5d28e85c49cd56d9a40071561bd9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
843e55afbab5ad68e23f0dd6fbf432ef

SHA1
30c18fb1e2c4d90a04d708799cc5f7128b93fada

SHA256
54ed85d60660fd6e7e3aba1c1e54a5068e585a603df2460f89c529d51e945f32

SHA512
76d4f447691b6ead015fae8d6d4e1ab7a5f6cb63f8cc4b00ee3aa0c4024d84c1e7b280bf2b1191a0e0d6f2bae4700befe57725a3ebe980feaa7d758cba1c0813

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
11613a22f6d025506fa2d6ae2b1f898c

SHA1
6307f2f3bd4abb5c18f5cf3a873229b86de45d5e

SHA256
0b509f2b48ba3fdc1ba3900e77beb93d0e5466e3137173944a67e6c899bbc7e3

SHA512
1cdca6c3771fba0334c99ed6ca145c47a70545824a16d1c48207045b6697ed3582c45a94dae19cdb89fa2f8fadbf91bc8ce917311ad6a6fbf21355f1ec5bf05f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
2510b66e2d1e52cd3781ecd44fea8080

SHA1
af62bf0ff347a8df04b818187273e4c84dc56dda

SHA256
ef41eec8209b067974233abfb070f7dd9d90878c8acc48e3bd26a06298407e0e

SHA512
7295119bbba98bd5eb0eb350d04b3650c0448e93b28c41714c9148a0e357d74dc78ba0d389c31a8f8e1183e9ef84dd78cc72aa04f97b01ebbd3f04d0d876319b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
099b66a06ff1d191d0d8a43818279416

SHA1
fc15834b826fc5a1ca8133d7de8fca9352b76a7a

SHA256
fe2910fabce298d1ca1b665ef2034ec5121c36ae561a655e0d0556363a4c83ee

SHA512
e2c5c2e42fd73e55f2a1f97badb01918b681833d615b3039ff25336b846b5fe4a83875b5aab668e05dbc1e3510a61c536cf113d20cdd4c44609bf2ec577229b7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
5ea75ed82b7f45f0eefc57f290394aec

SHA1
0c41170ad395179c432c1119397d6e1016642586

SHA256
359c0265a73012160e043d70d9a4c51fdd1006da754450f1c2c224617317f2df

SHA512
c82c3eaee35a550db6f1beea656af070e0b6941db635f6bf8b34a30d8e6b94b7a004ca106d3add0344e1dd42c888d83e0ae0f09ad4089219b56c5ccdae441ad3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
6c9f3b00fb414f7647d08bafd137522a

SHA1
e739c7a0c696d9a3620f3f6417fc5b6ccdf7f97f

SHA256
087067019863ce2627075bbd2a2fef4c4e48cc510b6f2442731b5e39637ec01d

SHA512
2de5f5eeed46ea34b1f8c8e505cd8e373fa1200e87f165bfe218fbee66c7b74d8382bc783e42d0b8696ad953b8d9ec6ca56717654bfe7d1864cdf991aee86cc2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3b770490fd2865c75aca48ac88f1b8a0

SHA1
e2afe0418745249a822c3e8807381edc974237d9

SHA256
2254872accaa193a9c63079f721dad9f0d6d8eb1bdafe9e42ba4899af22ff212

SHA512
e78e56ff19087d6c32371b2278d995d10e78e7ed44f80e23cebae4077d9f80011f8936150939b8e5f855a463907d27e69c43a6ab3f16e84b9014f31f13c2917c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
af37f712a622e5aac94cca11b0e552dc

SHA1
b99c32b47273e3ef4ce60158d15980e305aeb7cb

SHA256
a2a1340cd4caeb58b003df8eee4625b7ce78fba71250eafd9ab96a22a3900a6c

SHA512
eda3db2d0ccf66d0ad2b0ac57c97c419a11585b8223ee72c41ca21749c4e6d876b5cb6be55dcfed854c992b1bb1a1355c2ce8047309b692295bea27a592df6a2

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
5269d8df73c0c50ebb5fc71697dc9181

SHA1
acb7241487b2d3f8f3c8260bbbe0a86bb816de67

SHA256
c0db332b23813eb56abd9b2575347b7e7c51384a4de363860c04ea3f96e2c0f9

SHA512
e47ab07dc201dc7e538b9e75ceaec24597b52f4ebd331570d632789bc6f3845720c8117fa785fb2a3ca8d781bf051a511397fec67d5a4746095e9c9849c20eb8

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
00947809247561ebb525759a65e0111d

SHA1
eb25052ca098273a2bd3cf40a67dd1b36c407181

SHA256
cfd67fe0a3712ebf3bb48578a45aca9614dbfbf0cb59bfbcbaabfb1c0cbc9f7c

SHA512
bbaacea78843720d0c3bb0ba24738ff988476a1c489a85ade4ded46eb0ed0c8d72d72a18e1685dc2393f43ec0ffa9f2bdf3e30e13142138ed16a51079d31a848

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg

Filesize
49B

MD5
6537e77afa866b2b0a58eb904f9e47dc

SHA1
176926b9a20aed2441c0ae23bebb9b599559646a

SHA256
218fe92c9016d2063869ef9617853203158b3bb95a80a3ba52fec942c10def0d

SHA512
0622d39dd895fa099209f54382b584b602b3dd8ef17bd0c1cc5454875f225b3d19dd861d4ad30bd04a0c020503172ff21d93f51a6a175b79b6dda1ae6e530c7e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
c41fdf5bf71cbce5374f4eb6c16b8c84

SHA1
819268fe4f6d558ce8ae27515de5606e172c15e7

SHA256
36cafa3071d2437de08c4279ed5d17bd2aff088b9bc8fbceabfef0c5f91e850b

SHA512
b477998439731496caff97803af1059750f01e842d57e58de11b9ffee87405357cf0e497146171f03285e0700c66922aff13af4922b5d8dbb9e20897df44b6a2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
644fab5294f9d7f5e9e6fe7b0a22655d

SHA1
0cc4ddaddd3b82cb6e1290a43935119e6d338ccb

SHA256
e8405c04e03d72e1ece319a0fcd397421885c128aa08fc2a394e9d90038d3381

SHA512
0011c99ce881c70cd84231bd054a6b874b84e6099ef5b44a62a4e8816d45b910c4d14832c576ce058d4f2a61a86d9dbce1a51292591df294ce8e6d71876b0a7b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
46835b517e80ecd0d9e805d17dfd1f09

SHA1
4b7708995d4d152512f73c0c7da15b8bb793df54

SHA256
c21954bc50c73174037fc33e2099436c2efaec8ce702ef4302a45e6e429e858a

SHA512
f976360a7fdfddea9f47f455fcdd6632abfca803f6f167238ca2683d1bc94f399f72054d717321f35f47a7588499b30b6e71a6c1624cbe19af6295d7447acc23

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
64e321e96a8306bc4425031605cd07bb

SHA1
459c4e7484875bdc4eb885a922fe9e6ea77c14eb

SHA256
77a7ba1230f44e9d26bf7ec8ef2966aabb58f778666e972b53203b27e0f15627

SHA512
03dfc84b08222cbe5ae98402f3b8a6711c8a94cf890c01605875f6526846f57be90c48efc5ee4527c6ef96539f49e5beba79eb3b0e9d0fb9bc2106a190ed4d42

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
829c49494d82b40e73d69f6e5eb9258c

SHA1
2f894af5c5cc08559390212e93183f01e39d3f84

SHA256
5e50d7bc2f8bee52034641225eb51b75170cf150e5ff07bc38ffa1b4cc28b4fa

SHA512
af077fdbc1a78ee836870c13962ccc23c4873a29cb011094f0bc721186866389974befb18c8cd025db3be4258af47c0b250451d1aa01a7a2cf386090cca27325

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
bc753382200e0f04868e826e42e2ecf8

SHA1
2455946c22780e16ed0480f52ea8439db8af2ef8

SHA256
2677568d69a768ac292a8dc71ba5a34d3de7f22ba7d75cc1af700bd9cd4fcc38

SHA512
2a561738abbac41be211a8d16f9f9fe9645692510b431843d29fe320ba05d61a2c9fe69bafbbac2b3158f4578dc91c9ba4784d383faa9f8132eb9921779c8405

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
1d0d6cde77e02003f3b50990b8f26435

SHA1
d0986c81c2f286f5e92e7d08d3ec7eb9f14deff5

SHA256
dc76ba24331427f9534c42175c36161da0f44d59211ed551644dcc97915d07ce

SHA512
2144458d334677dac0c9baaad3863ee0f5ee9876067ae7e62c98341273bc312c7ecfb793ff761d7623dc31181747a8812650f460dafecf316f09959f6397bcf7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
a6d98c999d5add17802b2eb97a5801bb

SHA1
be7f7b25f5149afd25d0fe8337cf08803c84c120

SHA256
bfc4a1123b1a9ee79acab74de71e067b87d108b2856f4569dbf84aa997762008

SHA512
b9a36c27f198798bdf764135c3393b00a101b154e03f43bb35f259269d7adab0067ffaeed58f8f2bb4c2fea6913b7ee0d5a25b8c1667abe298cf8802ef031531

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
629e6db6e5dd4bccd3afa64d54767954

SHA1
8ffa8e8942de3bd592a8961e2c8e4e0de2507d11

SHA256
9f6c1aa24663b9aa01955c1f37b2e3315638ba681e6febb3db74f4661523bd32

SHA512
199030f1b009a541885cec712f36376575ff20053f4292c0787a3f50603c0d1a345c2695d900fac86e02f2e83b8d65ca04b0ca2e2431abf57c02656c84c333f9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
4f558e9e3f1c38fb97e79e86ec8a1c02

SHA1
51602ea1c569d4b35eab856e34563cdd787cbf83

SHA256
aac2e7b4840ec450f74d53694472064ba461dc27a7fdc6d5f4bdc211ab3f8bc8

SHA512
6d32d4f6b374d0b8eab9fe24eba6664a438457cb3dcd8822c3cded073c2873f68f8958e41bac9c4823cd3cce0343f0fa6a45b19093a5db92dd7b7229148afeae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
2677049269d8b8a500670c62d3b35bde

SHA1
d54a7f6c0218c21517babbda89245f7d7ebe113f

SHA256
311b756233f9430e5af9dfeb6beb57444994796334450bf61f5f9a5176ff3d32

SHA512
454580bac7856e3f07dd28e07747089c34e1e70c55515dad002ed9bd04a90b05a29de0d3799db0dc451fa5cddbee01675afa6de75dc60bc6185af9341b5d97f1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
33fcda908388eb4350863595715b7b76

SHA1
c5ab665d808fe8d7e2bc3c46fe12d03bdbc08128

SHA256
4eda2b78c5e6d3b138bf960b22ddb9cbf5b1db7cdaea4f9e02f79875fa4c6cfa

SHA512
b7d85ae7a096596bd0558ab739de14d7815d9e981205e968ae4395da81ee57619d4b9cdda1dbd63ae62b895b09c23895867c5aad6c69857da14437aac12cddc8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
5bd52af9cb3b203e19bdee273d3ab3bb

SHA1
2215d425daa402e6c5d6174d55b2c3ad67e388d5

SHA256
46accba73ea1c30aa708483756b9325f3d5d9c689ecf46d1f9d57e84a0cb979c

SHA512
2a8509d2c96a4cf0c5470aed26cbfb0d143b57d7fa26603592d351e248bbe449ee60fd0c55bb2fe9132aa02ab5f8df76b144c14115aba52771ceca454a2a03cb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
a4d9e81ef95b60ddc0b257f5102d6f9e

SHA1
448bd380f4099f65dece26336f3e92e3eceeaffc

SHA256
7eb89e635be73402fbf1d2cf04f465c176d109cc4bd42789c897af51f99e63dc

SHA512
4cb82a44702f6254196520ec46c39550d270e713f3f95ec1ea4991726fabe9f49af39ff978ad926752acb44c162ea3915b953bb406a1e12531924efa10115d5d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
1f39e2dc51557d985b24e1f9fecda134

SHA1
c78186faa931ce82112f2b5fc0dc6455d35760ed

SHA256
1d53efef128e163152319c9b1b572a0b8a4d7f8a422854c2ddd7318f9527ac02

SHA512
42c6f586411a7bd976cfe96ba5b37dc2be4c8dc2f09b134a2865d631625056f6ad5e63191a116f95fbf363a0c6f0f88024dd2fb3f5d15db4eef88b2c2f6ffd72

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
52a021c04e04876cfe6801e6e0438018

SHA1
c92a83daaa236e01ebe2be82d1164d524a42eb6a

SHA256
6875c9a601b708018b30ddc32913e2f73167f53ae383d116cb65bc52ef41f07e

SHA512
a1602648debf7b329e38e9b666d6471f6319440fd7c5396a42f9225dc9a2ba58cba624422b4fcaea451cd208985f8e0282100163c691e06dcfc754731902a308

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
07232397bd5144d6df309e79d87cc0a5

SHA1
9dc486ff623a717d5eff99896cf9fb97c7f3b0c2

SHA256
94e04608d55128f741789da0efbbc182cb9f25b9d52dc41bd12a1270d53a268c

SHA512
a2ae5e4718a1fd327c68fbc617bc741c49ff53ab3994ed2daaf23f092bb23c71bfcefed1866291036b0328392a3a1a65146eddffa019a1374878d605a59d8525

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
fe88f6ae3c5aeaae9902a156d70c43ce

SHA1
6bcaf554bc42ccb9d5f169ea3b91e6c4e637fa2e

SHA256
ebf52f305818e41442e49edc746df24d258b74fdfbdf41a30059108a3a1f4fe3

SHA512
47fe1ca9fa5dfdda472705d176d5afe352f9133f307befe9759a12d15a30bc4c08ed3cdc3931ded2ac961129fb74ca3c4ec21caf08babc0896d6d156b9842c0a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

Filesize
65B

MD5
ca5615de6968111e37fc17c7b18396bd

SHA1
e56532336584876ce6408720e6d6616bc4163830

SHA256
a9594a38f5f1b783955a30cbaba3c65356d99f8782180569b411dba9bddbd030

SHA512
e488528380af2326647cc07e24438942f30b1ee3c8c958ad170ed8e6c5978a662312f4f6c4e28a21f578dde81b5080c057429093a5d56abd34de324513e7c7f1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

Filesize
65B

MD5
798823ac9a481218737e17a5ce3e8e5f

SHA1
329741a10d6b82089912c2048e4af938839afeec

SHA256
fe46012e87aea5c97abd225855c583e803e6570f2224cd263c952800c12736a6

SHA512
650d09f21e67344020e5150417676e4eb45693eefd91191c0fe4ebfd8907b36a2cc61c768ca788f4853f24fb81e792230305e80f5f32d3dcd3a04f957d327e44

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
4f8db507e311e2dbfdcdba07769a6a5b

SHA1
02cb981b165c3f9a8c4f63dc92845d6d73d4ceb8

SHA256
333b5c75c451eb5d2231098d08e72074a7902a71928975fa4875a7985e8507d5

SHA512
bca9cc3b99003e132cea6b753ab1977a8c17038edbe39678884bf0370f2292c81418e23d70effd0ec7ee84a58fa33ac7bda4adbf5c00ae7caff7219c20a3d41d

Download Submit
\Users\Admin\AppData\Local\Temp\abxd.exe

Filesize
7KB

MD5
9fcc91636fd031148a85843248208e03

SHA1
1810fcdd967f80b71de48bde2ddc379cdd55caee

SHA256
028a6a1a53b8374a8dd8b6dbeab68c86b24e277312d6c62846a0404bc8edc78d

SHA512
52e75ef8f1de6ca7e02e11a3053109e9c8dcf514a83d75a826456a7cd33a65942baca27b8381855df72d8bcada1cd18f3fdbaf454fde53f1007f8fe10ca95278

Download Submit
memory/2032-3603-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2032-9-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/2032-10-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/2032-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2228-7004-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2228-7002-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2228-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2228-9216-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2228-9217-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2228-9218-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2228-9219-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download