xorist | c9718b8354f67e040917ac8519dc2f286d53889e6ed7f513cc71e468a3bb3492

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

300.exe
Size

21KB
MD5

0dcdb939e8524ce89fdfb91a2e675e93
SHA1

a68934aed2b0a430dab8f7ef3a960218faebe583
SHA256

b7aefaf5b83cb8ad0dcb2a5b88d727e1375f54239c009a921a40145952d35573
SHA512

92626161d11c09c8b1fd97fd0ac5185ba981f75ea09b5f205fefbb00e3127ec14d47d28ec3da5f471005ce676cb78ce263e1ad16fc994749a8fb02587665daf1
SSDEEP

384:R4oZDeeumrKCZ1swbbVC2aJ2mO1yq314ZBfprXo0uLpRgMcBi8e/tmBciGN:R9Qe1sIbwOIq3GprXoTLpMeFIctN

Score

10^/10

xorist discovery persistence ransomware spyware stealer

Malware Config

Signatures

Detected Xorist Ransomware 8 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2768-4-0x0000000000400000-0x0000000000409000-memory.dmp	family_xorist
behavioral3/memory/2768-3-0x0000000000400000-0x0000000000409000-memory.dmp	family_xorist
behavioral3/memory/2768-7-0x0000000000400000-0x0000000000409000-memory.dmp	family_xorist
behavioral3/memory/2768-10-0x0000000000400000-0x0000000000409000-memory.dmp	family_xorist
behavioral3/memory/2768-7479-0x0000000000400000-0x0000000000409000-memory.dmp	family_xorist
behavioral3/memory/2768-9151-0x0000000000400000-0x0000000000409000-memory.dmp	family_xorist
behavioral3/memory/2768-9152-0x0000000000400000-0x0000000000409000-memory.dmp	family_xorist
behavioral3/memory/2768-9153-0x0000000000400000-0x0000000000409000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2211) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

300.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	300.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe

Drops startup file 1 IoCs

Processes:

300.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

300.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XF990lmKs5g9Qn0.exe"	300.exe

Drops file in System32 directory 64 IoCs

Processes:

300.exe

description	ioc	process
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Line_Editing.help.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ricoh.inf_amd64_neutral_66b4504d1fb1c857\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_advanced.help.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpenr.inf_amd64_neutral_34624840c3163a38\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky306.inf_amd64_ja-jp_97f0de39317f6837\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-DirectoryServices-ADAM-DL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_hash_tables.help.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnttd2.inf_amd64_neutral_9dcd97ab7a913b7a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Line_Editing.help.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote.help.txt	300.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_neutral_c86d6d5c3810fc04\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_providers.help.txt	300.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rawsilo.inf_amd64_neutral_8eb7e6403ddbb7a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hcw85b64.inf_amd64_neutral_22b436d5d06ab017\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_scopes.help.txt	300.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\000a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_environment_variables.help.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote.help.txt	300.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_locations.help.txt	300.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\pl-PL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Parsing.help.txt	300.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\adpu320.inf_amd64_neutral_4ea3d42a9839982a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_parameters.help.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_2.0.help.txt	300.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\sppui\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_output.help.txt	300.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_cmdletbindingattribute.help.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_arrays.help.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Automatic_Variables.help.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_format.ps1xml.help.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl002.inf_amd64_neutral_e204d4267d752eb7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1qx64.inf_amd64_neutral_85d10fa4c777b7be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_If.help.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_neutral_c763887719bed95d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\eaphost.inf_amd64_neutral_4506dea11740c089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_neutral_7f08406e40c6ede2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_output.help.txt	300.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_modules.help.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmot64.inf_amd64_neutral_1abbad2f29c8fa08\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmti.inf_amd64_neutral_4443b423d18c3ffc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Break.help.txt	300.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc002.inf_amd64_neutral_fdb6f2e252435905\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

300.exe

description pid process target process

PID 2696 set thread context of 2768 2696 300.exe 300.exe

description	pid	process	target process
PID 2696 set thread context of 2768	2696	300.exe	300.exe

Drops file in Program Files directory 64 IoCs

Processes:

300.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png	300.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	300.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	300.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip	300.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_GreenTea.gif	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif	300.exe
File created	C:\Program Files\Common Files\System\ado\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png	300.exe
File created	C:\Program Files\Windows Mail\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02218_.GIF	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp	300.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\THMBNAIL.PNG	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4F.GIF	300.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png	300.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	300.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png	300.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_ON.GIF	300.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm	300.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\THMBNAIL.PNG	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP	300.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	300.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG	300.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_ButtonGraphic.png	300.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG	300.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_VelvetRose.gif	300.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG	300.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_right.png	300.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html	300.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	300.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png	300.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png	300.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html	300.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png	300.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html	300.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	300.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VS_ComponentSigningIntermediate.cer	300.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png	300.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png	300.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png	300.exe

Drops file in Windows directory 64 IoCs

Processes:

300.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c94ff0f7345728e3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shpafact_31bf3856ad364e35_6.1.7600.16385_none_2d6af71c0ff9cce3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ipnat_31bf3856ad364e35_6.1.7600.16385_none_b70d093f950ce2cf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_prnca00e.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_48cc8279974611b1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ro-ro_a958e61749c0d36e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\security\ApplicationId\PolicyManagement\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-v..ice-dynamicprovider_31bf3856ad364e35_6.1.7600.16385_none_b9ee1de1ca498be1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\msil_microsoft.visualbas..atibility.resources_b03f5f7f11d50a3a_6.1.7600.16385_it-it_3f448933231a51cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..onents-mdac-odbcbcp_31bf3856ad364e35_6.1.7600.16385_none_0cefe59a67d4417f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-ieetwcollector_31bf3856ad364e35_11.2.9600.16428_none_a56da9e617d4f97e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..framework.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_464954d4cafb345c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shunimpl_31bf3856ad364e35_6.1.7601.17514_none_b3bc7baa4af52181\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnss_bw32.jpg	300.exe
File created	C:\Windows\winsxs\amd64_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5b2b421bb4cadafa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..akerstemmer-neutral_31bf3856ad364e35_7.0.7600.16385_none_8918bd7febbe3998\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\assembly\GAC_MSIL\MiguiControls.Resources\1.0.0.0_it_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_53a5cec4855ca29e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_prnrc003.inf_31bf3856ad364e35_6.1.7600.16385_none_215e6e687572d186\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..etcapture.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a688215b057365a4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_6.1.7601.17514_none_12d42225a9a7aef7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_ds-ui-ext.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1dd7c4f15bba462e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-a..istant-ui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3569ec57357011d4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-choice_31bf3856ad364e35_6.1.7600.16385_none_c33d412fed16819c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mmdeviceapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1ec9ae8077682b07\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\assembly\GAC_MSIL\UIAutomationClientsideProviders\3.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmpnssui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c7ae34ca97276b98\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_usbprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_17d0f6c5cb1091d4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\wow64_bth-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6f86e5aeb9f86129\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_d5642974be118415\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..emsupport.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ff8ab258b10b46c6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-taskmgr.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d67dc559c08dab90\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_crcdisk.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_53849892d8c76640\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73db80f37a680574\currency.html	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.1.7601.17514_none_0939edb934199a4a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..qlxml-rll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f237f1370eac5324\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_7b2a0898d09e3888\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Windows Pop-up Blocked.wav	300.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-onex-mof_31bf3856ad364e35_6.1.7601.17514_none_c6f691d4b7641c87\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.1.7601.17514_de-de_4d80c42f0e5ba716\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-devinst-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_03bba2d449d639e5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..istant-ui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e8cc54fdfec885a0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_prnep004.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_991b6dbcb3872570\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..nputpanel.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fceb4f86fe34a68e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4d72883065f27711\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_image.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5e9f38101207409a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-fax-service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_36e0de390f55ac1d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Windows Hardware Fail.wav	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shimgvw.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1196a2cb22cf2834\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_6.1.7600.16385_none_44263d819f0aa19e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\assembly\GAC_MSIL\microsoft.build.utilities.resources\2.0.0.0_fr_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-auxdisp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_22a8d3c4623b892d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shell-homegroup_31bf3856ad364e35_6.1.7601.17514_none_d9a9e2f0cbbf1804\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1240127174e32372\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..ventextservice-core_31bf3856ad364e35_6.1.7600.16385_none_242b2adec9a10287\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dsquery_31bf3856ad364e35_6.1.7600.16385_none_89ba21a517fd03e8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_requires.help.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ty-protectedstorage_31bf3856ad364e35_6.1.7600.16385_none_a43e06414a0fcb4b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-mof.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2030d91eeabe5103\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\msil_datasvcutil.resources_b77a5c561934e089_6.1.7601.17514_de-de_2d11f7b0be7b688b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design.resources\3.5.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tapi2xclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_45036df50f2fc8ff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-flippage_31bf3856ad364e35_6.1.7600.16385_none_0f19716417635239\203x8subpicture.png	300.exe
File created	C:\Windows\winsxs\msil_mscorlib.resources_b77a5c561934e089_6.1.7600.16385_es-es_66b4f1d2756f92ed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	300.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

300.exe300.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	300.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	300.exe

Modifies registry class 10 IoCs

Processes:

300.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IYOIMLDLAUEQYQT\shell\open\command	300.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IYOIMLDLAUEQYQT\shell	300.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IYOIMLDLAUEQYQT\shell\open	300.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IYOIMLDLAUEQYQT\ = "CRYPTED!"	300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IYOIMLDLAUEQYQT\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XF990lmKs5g9Qn0.exe,0"	300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IYOIMLDLAUEQYQT\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XF990lmKs5g9Qn0.exe"	300.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "IYOIMLDLAUEQYQT"	300.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IYOIMLDLAUEQYQT	300.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IYOIMLDLAUEQYQT\DefaultIcon	300.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

300.exe

description	pid	process	target process
PID 2696 wrote to memory of 2768	2696	300.exe	300.exe
PID 2696 wrote to memory of 2768	2696	300.exe	300.exe
PID 2696 wrote to memory of 2768	2696	300.exe	300.exe
PID 2696 wrote to memory of 2768	2696	300.exe	300.exe
PID 2696 wrote to memory of 2768	2696	300.exe	300.exe
PID 2696 wrote to memory of 2768	2696	300.exe	300.exe
PID 2696 wrote to memory of 2768	2696	300.exe	300.exe
PID 2696 wrote to memory of 2768	2696	300.exe	300.exe
PID 2696 wrote to memory of 2768	2696	300.exe	300.exe
PID 2696 wrote to memory of 2768	2696	300.exe	300.exe

C:\Users\Admin\AppData\Local\Temp\300.exe
"C:\Users\Admin\AppData\Local\Temp\300.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\300.exe
  "C:\Users\Admin\AppData\Local\Temp\300.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
600B

MD5
48a90de7d6ce6c321aec8789dd7e1401

SHA1
f717edb78f38797ed8e000c0004465508cadc699

SHA256
c802e0c2c158a9742466965c115a6d270ee4c42c95998c037a349905d14c10c9

SHA512
c0af0ea9c5f772e5074d197639f352681f49da7225e8530c2072080fe7e760274c668cd427c075f2a6bb36167fafbb2b53ea36403e199566bff0e1856d1a91a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
7bea1a188e8c7efb8098c192279a1656

SHA1
a161a2df4aba628ae3fbac8346de7c4487cabebc

SHA256
3ac742f30c879776c2dead5d502bd8b84f985c0da9d67f1fa219937d87dec8b1

SHA512
f4b218775027fcfde1e1ef9efba12d471e1842f8509a0e2c9677c0b61532e7ada398e916ab45d48f8758cfeb100f7e132a3190d83b545e560712543e90b03205

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
c582c623f81e631887762c5e1628b130

SHA1
f1cdbd37a86f426d0228aed7e5d0eb445d287d61

SHA256
40bf14e9ee1a681f8191651829cf3494d1381214d20e75f21194235aed811ddd

SHA512
5773b1304578524eb739ef2b418c2e5616d439e7a03cfde9aa8546e61d2353fb83ef4eb535bab53afe55580da1b833ca547e1784db42651b610334a5c412b142

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
18eebb3dcbca8060f569754bc07b5b35

SHA1
ed018d0c3e9cba025b5e1e8a58a8bc2ed8345667

SHA256
66d9c76703eee62afdb8c6bef247ceab8a9fb3f6f3c81f1b7985293ecb63cad4

SHA512
71b886a5b4017c05e570636a3fc6e233dbfb6e792b1f93d761f8e920b12022c7ea13936dd63691448c596196eed6f137dd185de3c61f6c1d122d825eef127cf3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
e063f565b675cdba0e85cb51a2413406

SHA1
85ed36b62976dc431a5bd9c0912ac3257449a92a

SHA256
a0ed2bc1d0ca8b6e18f407cbe7799240153ea88d1c947effcba728e5b921c4b2

SHA512
b444431d3dbceb65d75a85af1e346d8ac14cd50a316031f9ea8f0c920b26472b3483e0cb2c9110adb8c2270f59c94b4341ef74f1a943f1c739bac0f8c8f7a15d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
e07d0445fa38925595d8f259870a3345

SHA1
0a40f9074896f9d72e2e0874833306c67a291177

SHA256
2f6957eb7ba882911f40433211d1a393e352dc0247c63763d9925f2ef156a572

SHA512
3143ddc1d85e30829e036649f844fd9e36fc962d55a043553ce29ac607068c4fd75eb150b8435da3208164f1cf130263d582cd26cdcfbae950bbc9bd825e6e58

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
b2bc7929f2d0d4ca9fb256f82dcd623c

SHA1
a8bdc079681f0bb65c3855dc014a3c15b4d3f63a

SHA256
f9e9f09593fb3e4c542b072603507151ab661f6ff1db9363ba6efbf253843272

SHA512
d4f0b500409e93f145e05bbbaa7b3feaa12c62b0f91b447ef4f1af99664325eceec7f3129fb701295f802a0124f6afa501f0ed96e2e5f4265ac051341abbaa40

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
04636482e7360282392e4364e353316e

SHA1
6960cadf444fd38b9f4a1fd1b04e230ee1533b95

SHA256
7e6935596de574134018075f1a49f1a099fdc9fdc603e6214c1caa6bdc43c5bd

SHA512
e6be91100d81f0391382e52cf6a19b645a2be6e9949f9455b4cb159ef4bae35bc8116dc0d3eecd0cf4a36f4996c2091cb45760163d14cc6d452dbf9bbb435c42

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
db517d80b3f4920e6cd94dbc547e33c6

SHA1
2f44cda97376bc8bb9e7b12ae0dc7d6b9c08355e

SHA256
d6e1da0301645ee00f86824228b5f27890f1a43c13102254ce62635d96a32c1e

SHA512
96c020b4f0dc4df243882fae916fc09667243a64b4f1d5957060bc2d8b5ce0138a26ebb4d51b74998a2d05934058322157207c3beb3ae4ac46117c7289762654

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
798213c02e94a4eb942acf758b5db265

SHA1
bda7a50b5aca73217771ba29014c7aebbe963d0b

SHA256
d04a6b031463c8e9ae9eba9cbec361fe34b39d240a29b7e5aecf6d683f39ff2a

SHA512
d2f65eb6f0244c0b6bf7388d6b739a9d5235a47ac8d74485b8f1dd3da1b92df3b27341d5977e96106d4bc12b930ce9415a0490a3010f2d406249755a0ca56002

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
f8b17b8fc336de1ba9a69c31d8c3b25e

SHA1
00f79758ba9a89dc9e9fe2e31cbe4052d0076ff5

SHA256
8c1eb887e2c703d4c43d552730c6fc962e48a63a457918d7cd6b442b43f08572

SHA512
43ae71b3cfa9646bf8b5d9b0e073ecaec05475aa9b87c0194247bbf4daf313b79da95851af25f48314b70ecf6548a61a9c7ffbcce321d4f6e01f47cd08b8be0b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
9f5c40f7745b1195e01fcfc3a48b3c0a

SHA1
05967f64cfb983ec194509c9289bfb0dcceddc37

SHA256
be5d68283472cbf258e6a2fdc0bd407e3f1072f3b4876ad869fbb0bf15a3b082

SHA512
d78eb4d1d19187ce03f00e7e3fd6fbcc418b70288e7bdcf1877e856bd3d9f90bd720ee7f6924bdf6833f3bfedf4b68491e7bf6bf1378db682ccd836fe55b7ef1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
04f463e80ad80c591e87e022bf79a30a

SHA1
32410c7603f5cd4cacad8f955d195ecd77beafdf

SHA256
e62a3bf7b587619f43067babf8e36bb13855fe759500e3ee9631b6987cbad05b

SHA512
25307c09f873962a5d24e113d4b43481439eed418a61f34b5263eed542cb266a4e46836c1bf975b27507a8331f6dcd8c4e01114c584283f498ae5b6cd09c9ea9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
f12d421ca81bc49e9bb11e82ef23f02f

SHA1
d16aaead42dfcdbb03b1ffba73cac5df12e4814b

SHA256
30736f3e5820f1953252ab4adeb4534833697c24d6ee4993f4ed440cf3fa0142

SHA512
7a9fe09143477ce4f6de8d7e1924fa190546d0f3587ccc4d0da1ec67c254b700e190724c9eb795487c85b2bf8085a58725c8defb7ba87162dbc5fc2727f48a9a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
9e3c33906c97a958745dbc4890f64554

SHA1
304a7f1f40d658dbc4fe45cc2eb3eb15f9330a88

SHA256
bd19a3829f4e991a66ff05a5da2b1717408651c2df62e03a9fad68c7fc653744

SHA512
86af5e7a8ac7af1023eba3f8c701d2f2b16741a4244af4eea91f228af46dbde7eaca198bef65a3fbff06dcbcbf728fa38490c71a18600880e4c5d4b3d4b2a3a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
bdede5cf0e469c9a24e8cee3503ec603

SHA1
14a21ebc30e04cfa557947bc16d96c12165da282

SHA256
6a1a9facf05251dfa533cf245bd52dac62195d59352f5e73c0679273ec7eee54

SHA512
4791dd800c14a8faa31f55be118fe4fb7566d0988e1931b14215e2029743609dc9f3ec5fcb55679e2735d52156b3b410464495b50f68a7b94ee4e739859df1e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
2c984b3b809622e663fd329b01b4145f

SHA1
0f9577224b18203c4063e4e2ac83b9f863eeaea4

SHA256
e0eeca03343585dc1f3111edab5ac45ed2e0c912c3f50927363da567b236cd65

SHA512
1f07dcef7a2645834235dbd13722b0afe85d7ba08d5c2069f32e270f194da88731454396d3aef795ed9119f7a1327b2b940b9ff317358307c931ef7bcdf4665f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
31b503850911bed3b1909929b66323ab

SHA1
a99311a2d41d4f629ba6886abea235b41173b3af

SHA256
385686f70c8646d2bd307b855375d6d991402d43426cdf88d1021020dfc322e7

SHA512
c085ac8f84824dd0a1aeb9d5220f3cb6b797cf17b58e9cc0b2f5eb97bb0b60d75604dc7821e985b4ecaca81dbba3dd656bd722a12f955d14b25f157baab3757e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
70946a529351550687c97ec331cf7707

SHA1
6df9e7833ca4d5d434febbb383d5f28f9c75cf25

SHA256
710ad1e762b18bebd7dbdf8152693f9f26c4783f2bb657b919247aee96e06746

SHA512
f7a7104c550bc94bae7ebaf533d91c5198726974c99b9ffab6ed5ecf0d193f8f207c96c27fb14b7d50e3b148809d80465a0c2d89f14aa17f863740288d05b787

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
8e0e956bd107f49a3841c7b9b484d045

SHA1
71f42ccb2d4f61b3949644c9534a14f938637783

SHA256
6cfc572d243fc8eb0fd26127624ffa516908410aa9820137a81a4f3959d8b262

SHA512
ff333b32875ff281081f10f335b0875b554d52901bfdaadf2d16890f10a827f6e5e458e7fc3e61e638cee646d95dba517c3fa4f5f5f640c5da9649cf35c854de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
b13dd386978f1f5c623f3308b9122fd1

SHA1
953d4860a1a73e1aec7cbcb1f0fd2c6fbfa4a546

SHA256
020cdcb06c3514dfa0f030e349cf656a89d88e0711545c71d1028382178a067c

SHA512
e96c7a51cf824d0d6e76bf5304e3245779f360db0d3b7592fc574bd109338b23e307ee2705cbe99c8ebd120f7b7290c173e24a123b9d2fd817ed1bc5270ef4f8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
ccd6763bb5b357a7439f22e2b55cb00b

SHA1
e4e0d96a0229970565736288acc82d3477118129

SHA256
86b6980a71279d8c675a1dfc385eaef22e3ab3213205b9b90567f6e7cf2ac782

SHA512
08fb3f557fae318f087f5118719d851b6fb3464fce8afe0d21ef1bcecd69974b4adb15c10bf310310739838a5b672710910cd90679e9b03638428c243ba193be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
10933fb3243e2c14e9ddc7a237204955

SHA1
137ca5efd37ef2e760c7a3bb883a9ed883b1d760

SHA256
ab0e90ceae023596621e1739e421d4cdb5d8929248d86b8cc8ed687801e0a952

SHA512
7f19ccc4cd5069cce857ca41276d91bb4bcb74d562d1eea291d29db5c7cd4c586eb46d5f95bc6a0b121b7c4585be52c3ac14bc618351f9b94935d31427c8422c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
acbbc07baf2c106aa6dc095cd66b9b18

SHA1
a1b6d78793179d9e55837a339a8a187d40c5e524

SHA256
63201e2b62d8758b7e3f95d2dda6bcc23fd2b98aec1fccb2cde2cc14656922eb

SHA512
b3d9a46e95007ab5eb71d665bc8cdd69ce541adc4ca5a6ad3fabd632d33e983bacf363b75fff3d4d9439d49b419b72512f8bc418d8b494680c7b21751ed27494

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
04c13548eef80e5791ee9f609d7542ae

SHA1
4bf2e9b8fc8c31386800fc1a57184b3f6c7b1cb7

SHA256
f0fd5bcbf1c916dc1fe232b11373d1320452f31e6c5d2b0652037fce117aa1e4

SHA512
883724be8533dc94689c1146a4a404c7c594710841e88a24e4dc723c04fe73f3d583b19d5b0c63a2c58d5f5a269bf0b82ebab430f3308365546c33c3abc01a47

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
c76ececef1ce87cb2644293580e1a738

SHA1
1b0f1c6f9330db4af96b0d5ed7313e7cc0515da1

SHA256
54ff8c8ee2f1e967b14bda02313f6241105a92736c916db3cd8375d71b9d2d97

SHA512
e204cb4aecdcd184b1f26f8a81bbc177ed6eff330aa17848163d656dafe1790230d115fa5f291376ed716672bf96276dad596c736eeeff3847bc9aa380a0ae49

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
2f146e4792c6eb4c4c4afc9c3fa88858

SHA1
fd51b0eaf266901dc12fc08107512dce73982edc

SHA256
d00340618f7455fdaae5f351a78672384547974c11d0097bfb9a128820dbd54f

SHA512
84c9c6c45b137696f0daedb3331eaa87a60c7d1b0826555bdb8fdb328b8983e6726c7dd88fd7f49de7248226ee6845d49797836e6f623db8bb9c02871321a38d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
a1d813e88bac318f1789ae9a107ff3fc

SHA1
1011e967f05266634f65609b112eff338308acaf

SHA256
b00cbf9bd05ace27ae411144ab9bfca73a063cb29f94df741e39582cb35e326f

SHA512
b91d2544b80999bbdc7595e7f098107cc80a848aa16d82e950f62f1064a71afb2b3d48b8722dea8811242864828c501acbb2b73293969c1f426fb5fd0e1f4318

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
dc1d69076fa86db62aaff3ccb8d255ba

SHA1
e2ff608a1060c0e9ad7c6178a4ee4e5f3a96384c

SHA256
21a9a4ef86004dea28de3df3e60b2518da069b330c885176e6b722d886fbddaf

SHA512
b3dc6ca21ec6f118eeca49551010ac305a56066fd6367fdfdf9f178402c02b213f75e337debd6240955cb10ff276575c854d4ac22b4cae0e5c84a05ae054e0a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
3350a429bbcccb13c75be9306f58bfe9

SHA1
3a45966fb6429e30e1d900125e96679e70112edf

SHA256
363901e294f67095eea0f84e3915aa9a29f68fbb294ded638fcd5417dd8d71ec

SHA512
d3f24869e2ad2b7a8135e596031f56efdb34787a5edae99932c6ec6288ddbf575693d654e50bc5497a5d529016d0b469324b895bd7ee5b14dd25ca7fce8e3f96

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
c6b4cb6275d3555bde339ef04399fd70

SHA1
bd1875b88ee997d58b90b3a463b206ee7ea03523

SHA256
93704f4d9e91e7e8e311032cb40bf175a07180643a26dfdc18480175b0ce0aaa

SHA512
b0fcf75db4f34127b1d2999e1222cabc5866e8101c9b1d87fe839fd249df793bdccafcd3aa8ba1ad76b5b85096537c0583cebc5c8aa4914df21a6926cf4f0663

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
ebaf9e02485a5f79909ce17d14848b3e

SHA1
71c6386d474ce90e47aadf2772778cd1189401aa

SHA256
1f0279169cbbac4e0ebcc1258a104ec7a0932012496b21eb801e5cf90df59e85

SHA512
37c2959eeaccf0a29ced9cf9bf3e2394a6a8e9b454de1e5d063a5628dabf1fcdcea17572c0f84e75edeba0a75c99379e475a9c377072d16b2ec2d13164db4dd2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
658ef92618f71e8fd10353e514212196

SHA1
4786857d8d105ab4167edabb8bd362cfd1b65583

SHA256
5ceac73a9f5d25db7c8a054ce0c80614da9ebe7ab8dc44205c3e52b1ae3b4ed5

SHA512
833665c1eb84c5a7d8d2aa402dcecd82f3b5cf9e5d56df9ec11e61fa7cb0faacead15ef2c83f175c4cbb3a68847f60b65fad1f55c118b1785fb06f7e4973927a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
cca6ded7eba88d52986284eb629b6e4c

SHA1
141f1d56a0c806fc1fe116f0bcb2aa0aae3c46e9

SHA256
5ac5c200bc9e3faeee469e72f3db4a166bd43ddfbf1bdb4c904ebf3348015bcb

SHA512
06162707cbb578a3e94968f9471b60f40ff3a0c2e3c4d0fef4b2896fe99bd76211eb9579ce2ce19226b3a7821b066650bb6a6fd2f28bff0c998743c8fdf2006e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
16dce8a14aca4779e25dd01992b15c01

SHA1
a0539afabea040c6d26833798c989f76d9e2fa9f

SHA256
ca524959e8d9dbc2f7d90d66e23144f65ac2975eb39ed8eca205e82592df5dd3

SHA512
f2340ba6795d540dab792bd767a3df34a908cd4642d5343e20676140e140b7f2a7d4db07d751d27f29c008ac481e9db9dcc1a5767ecfcdecaae54cd2e0d68cdd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
77342c3b35c587cd4b79b3ab148cc85e

SHA1
07c527f69fd1b9bbe220917c3218ef54458b340c

SHA256
f66c0ebc8a712f06e2859c80b5c5a7a139c41e3fd0eaaa766e247c32ec7e846f

SHA512
9531182c109beb8e9786051f2ba1ed048aedba8ba7e2eac0a5ab46c35ee8b0a6010213fa9de6e3ac0ee89ce4fe4631a3f311638b35fb06afba88449296a5bed7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
41326a80f67ba75da5fd279ca21a5d98

SHA1
46a7c21cd582e6ec5e27e59eaa3389aa9d226733

SHA256
0fd5660ed7d5530214dcaefa13e5db9addcb07cb055b8d1d0f9bace096b30d82

SHA512
15a292e1c18de9db741383e7bb3e690501dbc863f9f2cd8c09b9bf14a60077a24dd7944569ac55243c24c2dd500f7e8d8e5d28df4890aee0be81552801063ff1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
3508085506aaaf48a621c6d28f53c8ec

SHA1
161f523748d9d1cc370f57791966c9a6b536bdde

SHA256
e6ca29247c775c0af9448c476adcf3c4e63379c01a4e7672aff76760a668555b

SHA512
11708110d2764515a9acee9dffcefcb300ab8b10cc24278fc1d2824c7eb91ade0860eaa0d75add0f392daa4d423b194ba0cf33694ddb8da95e229ed7b12aca0f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
926b65eff89277a7bbb2d5f5cbae7ec2

SHA1
d32261f9c9fde5d897a3c11e735b8809b916e7db

SHA256
72b8e5f0486576d772e08cf1936bb6b8a9779229c6fb8ff6f0e72dbb4c0c8167

SHA512
208bfd684ef4d63d9759b07855a39d4a4c353af45d5caebad32227c11e2a608883bc5d8df45575cb3033a4f13f6bdcd027697da1e085277a8d08f5155cd178ef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
a04e3e681e1fa59d081990d2724e53a8

SHA1
9927a29eb93a09b022f4dc66b592ddf46a829661

SHA256
d240728dc18ae4d80e436faaaa7428d0fd565cc7ee5d6b6593b6460708163e9d

SHA512
935f42f2c3a5006e6b628c1e9417ce48d23cc7ea4a938d06b341d76fe535a8f2a55271841efee0ad16bba2434803e8fec7aa1a0150d3e02a036ed3ff0674b2c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
2aa67da944f3259c6f7f48a52ffef52e

SHA1
db61ca6e7f39e648f79ca398cfb889393fe02e00

SHA256
327dbc572cc29becc90113dc2ed4606369302c8b5dd44faa35b25d8a1f59e027

SHA512
8c7d5ab5b97bfb060051167c7047bf611104ee0b01ec98b0a32f27a35b871a780e379b1f62eb6562b56fc963c0d3c686e373dbb2215390aafdea394ec97833bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
541fa089b05d570b7ca867ca7e9d8aca

SHA1
fac17018c3af2a67dc4912cb3743acc6e672e1e4

SHA256
2f3629852afb222afddea9273e2eeb433b1783a9326523797339757423323840

SHA512
3676aa70569ec1a8c2d37c5b178b5d9a4637ce098ad74073910095a05b49dad283a81734467bb2aae5fcf1a06e08900526623a05524c876936e7c5658d03f162

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
20e35642251be20f517798e59be0fc9b

SHA1
8de03110ed8710548cfc0674a2d08e1529508ba7

SHA256
af20218907f671d39a57d26ecf97c14599f02ed29b23a789762b2ade2bb6ab3e

SHA512
047bc230e74353573fe9cc52c1f861ad83ca827df737fa87dea43a2c2cfb5e2823e38404f41a6229000236da83cdcb730c08b02e8f67b9ea03a73fecc6bd9a8a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
493eaf90314b125cd5c0fef0bfe6adb6

SHA1
7e17d6e40779d826675a01fac8aa5e994475d7e5

SHA256
ff791e373c3ac73d872de7db258167a3c450b2fed2635c08eea4e4c7a7532360

SHA512
5c958e72de7f5a0a3456373e90a3c82ff75e36529407d6ba37a84e2f9354c9bae68a2f98e79d69e9f2b153b35738ab1e089015ce01ebeb15a5623cdb5d7d017d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
7a3e39266e211fb546c7a2bbc4808c63

SHA1
d595ee84bee34741a69a0039faa2f1a81113dae7

SHA256
48b024546e2dd89469070eee862c81e9f277afec6b77c7b114b3c4b1fe399f81

SHA512
797960554440a5912f595279b99cf133aaae133f349f5d58d055e5461ad8575817c9d9839fe1849fb4685049f647fd90656eb63a55ad12f214683bf29bbebb3c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
6c75a8f9ca81799dfdd127b634d9d99e

SHA1
385f5f614bae78775a58759f591b76996b41a6c9

SHA256
05e773dcb3fb862df889f2d22c382f00159852d8a298aa8811432dad2f6394f0

SHA512
1ebf3a6845e66bcfccf66f5d8090f97f1eca863817796bd7048922ab27f8f8803eb41e0c2967d8602fa4ea680da0b94ccc9555bc5d66b1a00ab4702b310f03dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
f6dc6cf45d4478c077c5a368f9af4713

SHA1
c726b2378d72c96364ad12ec168fe684b9ded331

SHA256
f606e2ba902a0fb9df23c6d3d085ff7d8803713a97e537a35c3808d67d99dc1b

SHA512
6be90746acfdf2553c54db3fab6b408f9dad99eccbfdbb5648849febcf197c4b3e378c87279ac8296373c3ec5347cfd660344e8ff7d9136a3255b305ffe61bf0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
b32d0a17ff0ff59166b819fac9c958fb

SHA1
8b29036c9c18c9df28783c64ed91e55dfe2a60e9

SHA256
4fd5b66ee77b64b61f54e5fb53e800d98581a5dab19948ee193a178bea0d1cb2

SHA512
065f039e85069f4a3a86bdb21c5f6c5de282192ce361241ace86ea0de38879e9f82edfee97f01f5f0d465c40ca9fb750141f9fd93818a4d9e96ecb2c12464f5e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
86078bc0a2a455f5603cc158957a670f

SHA1
5e695a946abc46b65da076fe55cab0039e610ffa

SHA256
79a25548a7bb5a7e8a1324b3a4b3c18e33a25747bc40ee036884117f369cc066

SHA512
7308884e1723a7a10f56bf8856f3fb621dafaf668ff03b89de6513c2ab06b45d9f432daab045913c5e6f692b70c9f753961cd0e0d0482597a303dd2c3822f7dc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
cbd93ea1e1216e3002b42db994d27c66

SHA1
48146b28d406078c436b413b062873ee24d7f285

SHA256
4bb8f8e7fdbf377b624c6a8b7a7042bfd518f34b1699c6077c0577d997ac3e68

SHA512
acbe6bae3a53477b051253cfe0980efcb9e5b39740efaa2357b856c842298274a80da03c3034a47a13419a8223e32d8087c7138cda95e209fc08c76ca2974da6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
3d28997a4a80f54980a7838106319d78

SHA1
0d7add1a30f14d4b48bd3425e8ef14829b69331d

SHA256
434bceea1137644618dae869ff290be1c09269c521d48224a202dd76afe17193

SHA512
6369c7699396ea9c14378ba7358b7110194562ada0dde97f8fe9cfa1304451cdd9d7566ebbcb661671dc79943e7ed3fb5aab3143f15a3788684d179f5d2798fc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
47ce16793150b406c4ab51b3a2493b68

SHA1
28bd8ea23cbeb0ca6391e17748e5278ef043b522

SHA256
c4a5f6a879c029adafa4b39462821823436b2ce2d4b15b2bf55a73f8f8d02b41

SHA512
4c9462f3e1da5d3a9bdc6e927661bec0de1bc724ca073d269344ffcc1f33252d541cad88e0c4289e17dfdec29d48edd76b86017cdb529f7eac3d7c940a2286a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
186026fc2dd052ea7fa92b62228c7bc2

SHA1
a5df8ff68ec0747096aaf858936fb3eab1308426

SHA256
cf2b3d595bb515d26cb838833ac597217d61ffe2346a69254da3d02b59c248ea

SHA512
42956971f03b8e9ca3275bbc09d197aca8a3991bf0e897a7964160d63bdb8ed864e9c8bf74ffe356d1a1e771c4f088aa0f785d08cc1f7598abd35d0da08cc600

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
fbc0cccd67abb94104b92c98b5bdca11

SHA1
3c4b2b6e0f2d70980dd0bb30c1bb1af566351b37

SHA256
ece5770c4be896da1936b6f8522148b9276d5d2991b060e6c3c05fbdd33203ea

SHA512
4684bf6e8e915b3a2755bda3747f039dfb61935ae3e3062d14303a1b75e06d05657ef5b3f7c938ac7c6bdec123554c424b041ab6f85f0187a321d57fd2305135

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
7be103470f13ea9b474e43aba53bd639

SHA1
6b89a2ddc51bec4a659a25308d6d03df312c36d2

SHA256
680756dcf23826469202dc47241205452ffed301256749a67a12fbb3612d0618

SHA512
c890e55420238426ccfbecc024a2b210fff060192c43affc97e409a502ea546443f4470836b350336b1d5065b771a8d1c0bead2af95bb3c8b979e17de54c6c87

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
19ea85710e2a4cd33a859e0fc5ef1b75

SHA1
1288fe136be2ea2238c9287111baa61242a01699

SHA256
61a22f826aea4c8e9112ec6eeb891f95492f46256a5eec5bf7fd1057201d246c

SHA512
0027732422b3402e981d267bfca29d6cc32a42674d7d3fee711025ed2bc741c31bcbfc9efcdde1d3acb2ace51c508ebfd6dc8ff000e172988513da3af804b2fa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
4d723fc7b1bd1425c487bbd7a2ed42bd

SHA1
0a8a3d93a641eb8c7eac88914a120f4db2e8b01c

SHA256
914a679c3a5ad914f986f09ab1f902edb22bc082fe65233a9e614f19596fad8c

SHA512
f17023b81ee549264828be6a559375575397bd1a5f10ce5734df168647baa2b6cf314b9fd6d997d421efe6aaa7c10a63da3d0f5341282fd4a043457e0367be52

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
a0fbd38b0b76dd76a168bb39affa04dd

SHA1
3df8e1f3d3949d24456fbca11c3ed267b763eed8

SHA256
338dbc31718b19e406bf6e622c448321f1c24075585c0c4eed4aa3317fe1af69

SHA512
39f785e4a5e64b353768de059a43d9d8da99a9b51c916926f5238c40836570a881b57036928e33304125de5b743829c8c7314584dccff5f2354f266473a748ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
2411f971101e225aee5a132172a1d63d

SHA1
e315345d7142d5318d7a1e612cf2971921fdc318

SHA256
6a267735a3093bab60643a47586452fe7ecf740b473fa549b856cecec6f97971

SHA512
06b06c0c7bc8d8690456caece51b19a6f5f96b6023d151da73cc372c1d4edb999e6be9b645dee2a2b732469c4d428a6b7b1b321af089163930fb29cbbb130bf0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
08f2cfe34cebe148078c3a7acf94bb31

SHA1
315b3938f07790fb2157888361784391aa0d61a6

SHA256
bccf7efdee3b264eaa9ef2aeb0ac8a1d08f25a734dc5d3363d5e93d3ac018f45

SHA512
9957b419e1bdc3307ebfb91ea1f328e2c78f892978efd9b396ddd670d846d8f55f10654f1e2206f480e086f7188bb00c5a633a8bb6a33fea20ba4fa058e1a447

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
6297811b284d83774309ccf1306b1566

SHA1
6ad2ec7f6cc8c2dece7958eff50b3c23934c6a93

SHA256
e932d518609310afab1a530642ed89644dd232b4213d8ffa802c962ea6d4f8e0

SHA512
5d1f3159d907837d2683fbbf58dcb17e0068c087fd9a005716594d4cff211b8631d2d5477e94943cb5ca8088781af4d548859de4b5004e31032ff02456672f1f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
39905e9e95aa0c068847b09fec132287

SHA1
21e7a9a43f86dd6170dbc0275775eecb8e9ac213

SHA256
2885e05a4df381b389a49386de1560649623d5d01e14ca5f8c74a4f9e1737b72

SHA512
79f90b71c1b5c4b492f66de860a5373a00fa6192183437f95256915bf0b8d7b79b0d40c837c6fa5f04eea79bd9d7b18b54a9e0280354758153ff392a60403d5f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
f47cac60cff79f71231675c678ed7ba5

SHA1
e6d590897783278e83036844d71afe3a5ffeb7c4

SHA256
efd12c4c365fd5e40c70c634237e3b26e0c1f143890f9d1faff05f7656a05fd7

SHA512
9284a60a198c6ff8067114fdeac9fc6385f7e982d022dc1dece500ed16772881305ccab85fe605d7568d2955dac2bf0fb93dce4cc509a450bb39a31b91e6b566

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
04febe01252981e90b62b3f53e54db85

SHA1
18dc4f5a6a5293b3a7eeff656e730dff5ea7284c

SHA256
7dd62234fe819fae78fb26a3a9f1041d7bcddb6074fecf0aa6c0f3ee79a07022

SHA512
f86300a683811aa132e7ba53ff85c80d5604feeb1850be23c8061213315b822c7b959d2122756edcca81bcac9d1144f5c82087cbc492d94613339dc29e2b4ac8

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
0d9d1ab0fa19db45cf0b285322e75708

SHA1
602d9a93a4607bb8b292f65745e4efdcc9630520

SHA256
18a9cdeee46170ad0ff155e538eeaff97d4e9f7280c3e67275ed05f3293969d4

SHA512
8b2289f07dd0a9bbf7df30969627e8810f964ca274f7a474df18b6cb73dc72bff166e6391624bf9247c3b91eee4b37519effa82829e6ecc7e806a0818728edcd

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
76c268934b8c9b8a95c0637e601b8999

SHA1
491544e014b4983f82029119c10e30a589f92fa2

SHA256
f8d3c2016e92b652871e263a21a5bf3e4213644afbd3a0369a596388fdfaa0dd

SHA512
d74ae623c9405d5a6ea2c47f0dca50b509ec11640b3b79a0614f758dbcf070c366a5935c18c168e6b9943ca5f248be4ee98ea7d397cfd7de2d5fcb58ae7c5133

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
cd43f10f293437ed98b69feed71d30ef

SHA1
16c84001f49586daab1eb7042bf2c74755c77183

SHA256
9c41c70255e2eb65dd4f0f1d7452da3b621b856bd49aa56f6fe0b0a4ea80fe91

SHA512
fef0c266717c493c5132e97976d276b3b101000cc0e1a241045e833c5db1ae99fe4b03c3336873d28e18d378efe3c047c27b0d8ddbb9b536bf9725be4343d1e7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
0bb6bc70fefb5d6ef27e28664b39b1dd

SHA1
511f31e41e564f6220b8a332654010bc96c4d5eb

SHA256
d244035662ba0c12d001fbf619bdf30ec4569c264b99e9804e02339942a13ebf

SHA512
25362f4a6a0fd36aaaa4e779c8fee68b2c114c96e593f2cf2657531de39362d63730c43678582be05cf3d41b0e6901fe6bb23fce52735f66655f0b1c84ce02df

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
3415999555a454a84c4df6c71d8b4478

SHA1
2b9bae38d0c0a09dd020f085658fd3acda89d21e

SHA256
37ed87b67d0671012d526990dbb0db5218e9a12f5c6440adb19cefb4801dd76f

SHA512
8150f13c009b1369beb1506f0e11a1512f4ec568bc8124a2ea9d5e3f3df7f029053e99478100a6f5a312d39e62646cdd8c7adb3ae416e3f34070bb4d7fb3a108

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
f788e769962fdf5b7401fa5f612ead99

SHA1
9dd2ff65788900b99406ec1a0c179bfe58eb93b7

SHA256
effe354150f3de056e5e8baa436e82b3246a980eb9c5304125761adf144a9019

SHA512
aa14f80794c0da7b9c2db2c5f7a2414d3cbc36ee03cba68838ec3d4603673f47dfe298920fe5da2547be346bdac69155890db7c12a9c1bef93e280689dc44c67

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
8fe6b564061790b55b40da0986b34b17

SHA1
92c3ba477c6bf8ad1d0716c5532e0bbb28fc4cdd

SHA256
589aeb27b53cef581781ce57d810b4a87afdc7f3a3cb564be4e90cabe430f485

SHA512
b31b58f352e5f4042bc9c96795c00ac81235b54c4a4bb30eb9da5f8d67e9d9a30d0f2dab158e579c782427da6ad1fd7f9e0ad4582e50f95344ec1ff441fb5bff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
cb69952f532d80e150b1a4374972a33e

SHA1
aa9fd84d2d0c0c789260c2015e27c84ac9ada283

SHA256
0550b93896284e53c64c38b64a4ed7c49bef24ea218ac125d80d407efb600ac7

SHA512
2739cbb6583e7409c028dd670bfbcfa3c6b85fee0a756f39e3e0513ab99f63dee2d2d3bf10a38bfa104f1b51e67aee1527c8f94542eae08bee5dce41a39fc6bb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
4b55384ad143b7b5d26f0450ad58812e

SHA1
cb86199826f0e80a83ede9d56add571289ad1d17

SHA256
657d1f8be59009b0ca070e1b354b033d638af8ebd8c366b93601fc9389f8f3d9

SHA512
8188ff9713e3cd332341517ddea21ae0d4bed2ed5343718c36736d1282943596620fcc168ba53d50abfc1bb07d6a858860f5d2625118643419d8dee9843df1fe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
1f529927fdc085cebc5142660181ce57

SHA1
dd943c069f2bd4692ecc6a1133462371fe923dcd

SHA256
2f58e4679693cf3e3a03874e1735eb435114c984bd15eab9ea9647852ebb64b9

SHA512
ddf50f5e0bb0b33166bc5c10da6a93e8e6dd2c5bff47cb1b108202354e315978fa1f5ced9db6d840b3f70ffe37bd40ec4b63a776ca13e4328a8f0d3e2b6b58cb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
e6ee79b625f4796d8fa71f33417dfbbb

SHA1
27ae23a79ecd542fe5e896ed81cb7246353e9a55

SHA256
6e91bd27a30b52ae1fdcfb3437783d8674679c1d43758f6c4978736238d6ba35

SHA512
38fb1e3af1ecb5b1c5e737be303ba841a1248f32745a0129706e5decbe078ffbfea70c10f50a56a98627e65837d1be87a673d11343dd99e0ee3e23689968edd3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
fd276608c917d7362d920fda637e00f6

SHA1
3f1e570a444d1d6e80cee4db73b7fa2bdfd2abb1

SHA256
1e987b5ec1eb345d6c7b05f86dfeffece0e3f654b1e4104b63acbe1c014df2b4

SHA512
60fa5493fd38f3417e15fe40020c9b52bf7a8c83176c67c19489e879e10e04455e27b7b49b0d17a46e962827884cd3c7f0ae4d37c5bf5265ed1c510b3b2eb5b2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
190c8fba6feb67b0ddafbce5d10e93bf

SHA1
cf4b04cf92d3791b3e8946be32d87cea8a398deb

SHA256
b844b91f4902a6278d260bf6f018ba9ed4be16841855cabfb50620da7c7a8ebb

SHA512
10c4d6cfd520e8eeb8f1f8343ce3cbe92c46eceffe75a2d8836a89a95f362c1591b7c8bb68b5327c7cdd42ab0d4cdea98d76c8168f8fd4be92455a932f408fcc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
3c7ac6f3888b0721e7651f7f555d5f15

SHA1
8a589a12a93363806a5bebc114372aba06228a33

SHA256
df2c5dcf2ba4e54c97cb9005ad357774600f91abd3d93aba181137ec20ace282

SHA512
bed661317e125848d34aa319dae25c6b8badcec3abfddd10f7a21990bd35c6d2483548ef23ffcbec6fff904adcd8d4705d6f4bd8bb55bb544f555776668a20f6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
842511335c505a6c78b0c9e2f64b1e88

SHA1
1993c79644d93cf303ea1658af7acf4868af45fd

SHA256
5f5c43b24b4c4f8f601fee1467494a0ddf487cfc9a0dc2147fbf4731d1dd2128

SHA512
f72d44f900d3de9087f0a058f1a6cf87eee188b1a6a4aa82620341888ab7c123bb683d1d09a69820ae1efe7a2bc2c197217a37f0aa44fb782581aba2bae22cc8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
3acc32c348572764f29d57f36571da64

SHA1
40d46266ce58dbd747c1509993ddb82f8512fe6b

SHA256
de79893d41254e5457ac9a005f67e1b8863f0fd56bcaec28b6d642a2efc3ce1d

SHA512
3a88bbcedf29633184189339b5be9c288bd8bec74fb93a2a076e9531d950a8c51a6cc950d46e1641dda2a6e05e8b9a259d38e4fbe9b6818d8325db41cf7c1edc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
64bb6fbe1796224b372bcc2f810529c7

SHA1
b0f19e6f61bc3467a427fe3f26975e061c1c7f67

SHA256
b4873dba017286d134abe13335987d20b51de7cf814d3d06eb89d970563be710

SHA512
a55f8e0f94a0401fa882119877608bd23c29e4f179fa413f1f32db02d7cd7cea1f08e117fc4c4f7227bce1bb4137b0145422670667e81b002f5b3f81a7cec907

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
660cb04130784a0381c56bb3a3b28187

SHA1
06ba083030f52df062e38e1139f08bb418e5851f

SHA256
28800ea587d3fa55ec498d47c15a7907db09f4fc9821e931a13f4140db372896

SHA512
35d05e6e5216d0ffbb7605bd84c6ac02b96b1cce9e32f1865806ece5f6b27c4234fd44a91e800b2afc0677494cd885bd49b725c1cd7bf35d6c318d6affc6f68e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
11b2c256a38f7c40474dc99e3cd7225f

SHA1
95b35c186189a2a379c361c0a9a73fc99611285c

SHA256
b5a6fc5be725ecb7bf03f937832686c35468508668fecca770e7df6e022ec62f

SHA512
befe201854675eef10128fb742d517dd1305e412603b079c61fcb3d263ba0d772a43a8d7b2804dbda4f3f3ccfc095a316de23c198ba3719f35bc819a52d3b9bb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
4ae36f977a335fd4f60a598bfe1bae2a

SHA1
f58f334fcf94ebe13eb5356d856b64258c81f531

SHA256
f2ef205d0db66bbad7d828cdbac4b51d1f21014ea7b4595224a023094a9b2446

SHA512
dfd7706c0a1a2effbd0cfe59bdb62bd06f2122454beee348a5a98ad6efe12d78e3ac02a2daf7670140df721198ae2f1e4d563e183bd5905b6b5dceba2d72518e

Download Submit
memory/2696-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2696-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-10-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-7479-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-9151-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-9152-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-9153-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download