asyncrat | c7bbae8717c7c7cc8bb665ae648f9043aa9dec077bea04859ebf6375b7786f40

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GTA IV Crackeado.scr
Size

92KB
MD5

45fd5ec423b9249dadeb514183ab92ef
SHA1

970d4eae78bc6c930af937293e30624837cb1be7
SHA256

1fd9737a9a043e1286868cbd211bae4bf8d39e719232268624308da77e491b3e
SHA512

30bc9dd43f30d50fd8301113b721cf147f5e5e4c3466cefb26aa36ed0529dccdb9473adac5bdfcba33fde4d6b8a762fec3fd67c64dfc858c13af96f588930941
SSDEEP

1536:jvsBtJyPA+ITEtnnA0GX416ZW2I51wr7bepjyDAF80xVY5pp:jvsrYHI6npCQeWFLq6BCg80Ux

Score

10^/10

asyncrat xorist cloud1 discovery persistence ransomware rat spyware stealer upx

Malware Config

Extracted

Family

asyncrat

Botnet

CLOUD1

mst555-h63x-l-windows.sbs:8888

Attributes

delay
3
install
true
install_file
OfficeClickToGo.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detected Xorist Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/1784-3860-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1784-5973-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1784-9125-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1784-9126-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1784-9127-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b00000001226a-2.dat	family_asyncrat

Renames multiple (2200) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	setup_.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe

Executes dropped EXE 3 IoCs

pid	Process
1792	setup..exe
1784	setup_.exe
304	OfficeClickToGo.exe

Loads dropped DLL 5 IoCs

pid	Process
1916	GTA IV Crackeado.scr
1916	GTA IV Crackeado.scr
1784	setup_.exe
1784	setup_.exe
1784	setup_.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0qlI3J02O0NJBh4.exe"	setup_.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\migration\WSMT\rras\replacementmanifests\Microsoft-Windows-RasApi-MigPlugin\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_command_precedence.help.txt	setup_.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdsm.inf_amd64_neutral_be2b348981b2ef17\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Bluetooth-Config\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_modules.help.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Signing.help.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdsata.inf_amd64_neutral_67db50590108ebd9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sdbus.inf_amd64_neutral_735aa3b5ee832f62\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr008.inf_amd64_neutral_27d1c9a28eac4eed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00f.inf_amd64_neutral_f7f7e179d99acc58\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0003\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnfx002.inf_amd64_neutral_b6dd354531184f64\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMail.bmp	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgcs.inf_amd64_neutral_aafcd45e4e890862\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhay2.inf_amd64_neutral_ff250f861d941dd8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_neutral_856142fd87f1c21a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_environment_variables.help.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_try_catch_finally.help.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pipelines.help.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaep002.inf_amd64_neutral_0a982dec66379cb0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions.help.txt	setup_.exe
File created	C:\Windows\SysWOW64\Dism\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_format.ps1xml.help.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_hash_tables.help.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_logical_operators.help.txt	setup_.exe
File created	C:\Windows\SysWOW64\slmgr\0410\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa3.inf_amd64_neutral_77e515342bd572cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdyna.inf_amd64_neutral_7e4d690d07ee94c1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9b214cd9b78760aa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NetworkBridge\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_2.0.help.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\synth3dvsc.inf_amd64_neutral_bccbc5fb46a05558\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_requirements.help.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_locations.help.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj6.inf_amd64_neutral_8087946c82068597\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Break.help.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr008.inf_amd64_neutral_2cedaac353c381da\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_neutral_4ab014d645098f5f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_execution_policies.help.txt	setup_.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_x64.inf_amd64_neutral_24a71cdaabc7f783\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000161f6-6.dat	upx
behavioral1/memory/1784-12-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1784-3860-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1784-5973-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1784-9125-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1784-9126-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1784-9127-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html	setup_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	setup_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif	setup_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv	setup_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\background.gif	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\picturePuzzle.html	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png	setup_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png	setup_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\THMBNAIL.PNG	setup_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PREVIEW.GIF	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG	setup_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	setup_.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	setup_.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00164_.GIF	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01268_.GIF	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF	setup_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png	setup_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00130_.GIF	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21311_.GIF	setup_.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png	setup_.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	setup_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png	setup_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\THMBNAIL.PNG	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_OFF.GIF	setup_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	setup_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Program Files\Microsoft Games\Hearts\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_on.gif	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png	setup_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_buttongraphic.png	setup_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png	setup_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html	setup_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_hov.png	setup_.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png	setup_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_right.png	setup_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	setup_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\PREVIEW.GIF	setup_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_OFF.GIF	setup_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	setup_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png	setup_.exe
File created	C:\Program Files\Microsoft Games\Purble Place\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..installer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c2eae583dc838dc0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-com-complus-setup_31bf3856ad364e35_6.1.7600.16385_none_e97e2f6c50a1c3c0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-photoacquire.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6eba811e32bf54a9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnss_color32.jpg	setup_.exe
File created	C:\Windows\winsxs\wow64_microsoft.windows.d..eshootingpackmodule_31bf3856ad364e35_6.1.7600.16385_none_876e3b6d44107d5a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-devicepairingdll_31bf3856ad364e35_6.1.7600.16385_none_c9f831f51cc159db\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-schedule.resources_31bf3856ad364e35_6.1.7600.16385_en-us_53c5b0bde0044667\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_prnca00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_78c7dfdba384826f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..atibility.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7308527527ee3b2e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e3acc72f1a1dc6bd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-oldage_31bf3856ad364e35_6.1.7600.16385_none_02ee3365ea53e1ad\NavigationUp_SelectionSubpicture.png	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msident.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05796afd8f9953d7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1c847f00c28d5581\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gameuxmig_31bf3856ad364e35_6.1.7600.16385_none_820d3d482c3bfc6f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-artui4.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_140409b2c46fe238\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iconcodecservice_31bf3856ad364e35_6.1.7600.16385_none_832d9574a3c54749\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\wow64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_dc6307873aefe815\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-a..apc-layer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c5984b52a377588d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\diner_dot.png	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0815c0b2b1324480\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..rectplay4.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1f6725588fa7ac8e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-e..host-peer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_29c2542781fc24dc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\OrangeCircles.jpg	setup_.exe
File created	C:\Windows\security\ApplicationId\PolicyManagement\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000485_31bf3856ad364e35_6.1.7600.16385_none_44fc7c6a7cc59f55\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\White_Chocolate.jpg	setup_.exe
File created	C:\Windows\winsxs\msil_ehiwmp_31bf3856ad364e35_6.1.7600.16385_none_51361f625837371b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-v..eocontrol.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b54c2fe3cb59c96e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wmpnss-api_31bf3856ad364e35_6.1.7600.16385_none_48332061386e6c89\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_atiilhag.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34f5ff99e1c5a370\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-shatter_31bf3856ad364e35_6.1.7600.16385_none_0cd72f8900478c68\NavigationLeft_SelectionSubpicture.png	setup_.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\Notes_btn-back-static.png	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_et-ee_51a7fb335c52ac1d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..zards-mui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5625cecf3bcd08aa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_de-de_1413722bc729bf88\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.Services\0765c6422b48cd504d2fba3765c78c79\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..gbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_be532d50172eb29c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0e75d0c5c59459cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_en-us_8a074a396aa9e5f1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..p-ui-libs.resources_31bf3856ad364e35_6.1.7600.16385_de-de_82ea0b7094a46617\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-e..ortingcompatibility_31bf3856ad364e35_6.1.7600.16385_none_fe75fb7856d846d5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Garden.htm	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..ktopology.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0be3b06c68e2b36\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-directshow-asf_31bf3856ad364e35_6.1.7601.17514_none_83382f97498abe19\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..e-utility.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ff337c5c22a2bdaf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..registrar.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1c196f3c0b26f790\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-core-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_88d481187a223509\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_wiaep002.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_527c5338200fc31e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_666db9f744c2fe32\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-r..comserver.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6f0d6b422ba18744\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-commonlogservicesapi_31bf3856ad364e35_6.1.7600.16385_none_6e8b7c84e12ac48e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bd67490bab84b358\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_netimm.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6bc7075e29d5c005\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..ndservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2dc97b99d5774267\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\Media\Quirky\Windows Notify.wav	setup_.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..andprompt.resources_31bf3856ad364e35_6.1.7601.17514_it-it_0e34114dba57399c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..se-bigramdictionary_31bf3856ad364e35_6.1.7600.16385_none_ea480597195d814b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\assembly\GAC_MSIL\UIAutomationClientsideProviders.resources\3.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0001\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-diskpart_31bf3856ad364e35_6.1.7601.17514_none_c6fe6ac9ac8c7105\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File created	C:\Windows\winsxs\msil_miguicontrols.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1c2cdf70d6ce7fd8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	setup_.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..howgadget-ondesktop_31bf3856ad364e35_6.1.7600.16385_none_ab71c7fb8acb77c3\slideshow_glass_frame.png	setup_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GTA IV Crackeado.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1732	timeout.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IWFMBHFBHLWXXEJ\DefaultIcon	setup_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IWFMBHFBHLWXXEJ\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0qlI3J02O0NJBh4.exe,0"	setup_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IWFMBHFBHLWXXEJ\shell\open\command	setup_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IWFMBHFBHLWXXEJ\shell	setup_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IWFMBHFBHLWXXEJ\shell\open	setup_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IWFMBHFBHLWXXEJ\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0qlI3J02O0NJBh4.exe"	setup_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	setup_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "IWFMBHFBHLWXXEJ"	setup_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IWFMBHFBHLWXXEJ	setup_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IWFMBHFBHLWXXEJ\ = "CRYPTED!"	setup_.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1792	setup..exe
1792	setup..exe
1792	setup..exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	setup..exe
Token: SeDebugPrivilege	304	OfficeClickToGo.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1792	1916	GTA IV Crackeado.scr	31
PID 1916 wrote to memory of 1792	1916	GTA IV Crackeado.scr	31
PID 1916 wrote to memory of 1792	1916	GTA IV Crackeado.scr	31
PID 1916 wrote to memory of 1792	1916	GTA IV Crackeado.scr	31
PID 1916 wrote to memory of 1784	1916	GTA IV Crackeado.scr	32
PID 1916 wrote to memory of 1784	1916	GTA IV Crackeado.scr	32
PID 1916 wrote to memory of 1784	1916	GTA IV Crackeado.scr	32
PID 1916 wrote to memory of 1784	1916	GTA IV Crackeado.scr	32
PID 1916 wrote to memory of 1784	1916	GTA IV Crackeado.scr	32
PID 1916 wrote to memory of 1784	1916	GTA IV Crackeado.scr	32
PID 1916 wrote to memory of 1784	1916	GTA IV Crackeado.scr	32
PID 1792 wrote to memory of 2996	1792	setup..exe	33
PID 1792 wrote to memory of 2996	1792	setup..exe	33
PID 1792 wrote to memory of 2996	1792	setup..exe	33
PID 1792 wrote to memory of 616	1792	setup..exe	35
PID 1792 wrote to memory of 616	1792	setup..exe	35
PID 1792 wrote to memory of 616	1792	setup..exe	35
PID 2996 wrote to memory of 1720	2996	cmd.exe	37
PID 2996 wrote to memory of 1720	2996	cmd.exe	37
PID 2996 wrote to memory of 1720	2996	cmd.exe	37
PID 616 wrote to memory of 1732	616	cmd.exe	38
PID 616 wrote to memory of 1732	616	cmd.exe	38
PID 616 wrote to memory of 1732	616	cmd.exe	38
PID 616 wrote to memory of 304	616	cmd.exe	39
PID 616 wrote to memory of 304	616	cmd.exe	39
PID 616 wrote to memory of 304	616	cmd.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\GTA IV Crackeado.scr
"C:\Users\Admin\AppData\Local\Temp\GTA IV Crackeado.scr" /S
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\setup..exe
  "C:\Users\Admin\AppData\Local\Temp\setup..exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "OfficeClickToGo" /tr '"C:\Users\Admin\AppData\Roaming\OfficeClickToGo.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "OfficeClickToGo" /tr '"C:\Users\Admin\AppData\Roaming\OfficeClickToGo.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1720
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF660.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1732
  - - C:\Users\Admin\AppData\Roaming\OfficeClickToGo.exe
      "C:\Users\Admin\AppData\Roaming\OfficeClickToGo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:304
- C:\Users\Admin\AppData\Local\Temp\setup_.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
256B

MD5
6c30082caf3e8e81e08653c5a2852138

SHA1
45947f4dcda2348b5909c282579214899167c221

SHA256
d2ccc750a7368abdbde1403192dcab667677a2505200d556b8ebce6d690c0a24

SHA512
bc7bcff4fd48d10bde47e44902882e0ece2e269bf6bf4d2196e0f9a12d50fda444063a919b072112188291226cff27bc8536662b41f1f85740a975607121fec3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
26f030008e66727f6a3131bac1be4b98

SHA1
69ef311101838526ff9973b98a477a3b7ab3b1ed

SHA256
4eaa1e9e3c887b719df65e325fb94e55a6f56f98b9c7431ea4f1a25aa15c8c9b

SHA512
33120b1dfb0aaa8c2c409669f7861f888f3b8a325dcf09d4d338236b4f8142edf44e431d992b43bcbd340d0ede59ac0b5ad9c2cc3baa91d2d0b4d61b4f5c206f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
c53240703fc667a04932d241affbe07c

SHA1
3a01db1cf11990b104c2253a29b466214e09fcbe

SHA256
4461307b23529889dd9a1acdf6a51586f9b75069b8882b97de0e103f660c0b73

SHA512
c5a748e5d0ae8d9c988c164bf28837e5469540289bd7759b6abe6fdb402d88d0c60656e02ef204465a2b0ae256b54ca1e1beca6ccdd1e9615f4c8743f92432b8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
46880434b2a43f9ccf35615d49fe1e25

SHA1
bb4161bf8e345851ba3c0a5ca15371d9b6a9b222

SHA256
1cffdf53d62e76e9eaa0bdec937f005f3bec984769e070e2fda7498c297ee43d

SHA512
56f29b48cb7570cad913ef10616296c7f318ff0e2600722a18e9004c45a0f9bec694b65c23a20786cfd269c79be6923f36426816dfb01da41b1bf1247c25f92a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
b462c9add96be71696b48046180da229

SHA1
321650e686299db90aed08ec26d98e927d4369f6

SHA256
2e39ec09c6f68328215d0d8944b9788cda80296dfe7a70d8a38938eacb8c1dc7

SHA512
17f53f583235cf87ccc6865f603bfa04ccfd8922c8ebc784e9032e52065a44aa81517f635c06761fd9bccad2060172dd68b6d5774a6149f2579b58510b5eefc3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
f9bad37dcf664de2a3869be771473db9

SHA1
62a12acd80bcbd879d73529f1dfc421417acefb3

SHA256
a07a4d4fefdafe975ebf961c716e7a6e50636fe4ec0f9be94c5677c00462a9f3

SHA512
95d94c3f2af6dfed221a674206f7207ade76103373ec574131e6d4ffb53913a1f88e18b875ab4cf0cccabb6927ca6bdc6a86b5389373dc0d330e4a7262744d35

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
0e36ecd18042dd821e101bc9ecfbc3f3

SHA1
89a7616ce85e34f19e8b131d755a6515c57aeddd

SHA256
32c75526a4b83eeb49e16bcd259ab9181a929c1726c14f7b951ebb0c37b9cf16

SHA512
103624fddf15984849b9d38c1e6da9576fcada78610d34eaa19b6fe5936ef4de0dc9b90d0adb1833c6f0f7ff4d843e09f4dbdc603eed502cf71ce7c1a2f9cca9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
11fa0fd90da6cc72d68640a3e4249688

SHA1
d2a0cf9ee05a38a2b93e290615b04a31e250270f

SHA256
871020409944af327baf71abf86354bcfa9a51a4494563b4feeb36c9ae860678

SHA512
161349362d4c4a1c8fb5bbf9e676edb2fea0628de5c4070283b1f70b477105373592a34e00c397e96334e83239633743f34b17ccb65d453fa36a008003de74ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
8b13a0c63b3f88e2587416b99b0fe96a

SHA1
014d26817f2715fa3e817e533437c4e71551c36d

SHA256
0ee2c1240ad7f3b22e7ffe58d1fac8150185d81091f7f471adc6c92f2354ce23

SHA512
2a0462cdf5c28686b9e9b08dd5f8ba9a46460b136ae9aec0c557e7146a5ed6ea912ab85d249cce040b1bc374b9c788ae85ff4b1e649353f4ce4f6a9263818b73

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
5249a423e52ed536cfb12c23b1a3e5ef

SHA1
ba12c8c4e39fbcae649cad9362cd8293f27ce414

SHA256
da86533e468476cd5f4b7505cd38e41f6bb66126e5427fb6670f0d0c5121d2ed

SHA512
1943e6e2bbcfaa7f3c6bd1cc79e3da1e5f2cead18ff30999cf0cd7f994b1c16b5f4f7141cd317935c54d7527fd1691ae19f19516949daf40fd21dfa97b44aafd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
ed4dddf24e5d9c70f6cc2f74f364fb92

SHA1
10b589521da22496edb1e24f3c75f8d8d4885d0c

SHA256
b4f88df3c0856b38b06f5dfffcee12632c6d8bffeb75ed1e692a8dafe65d4ad7

SHA512
996ee9fbc97e606d563dc7f548b3ea6e38afc82638dfbae8d4fa7a4643f68967b496f4a8c9d7d51c1237208d40608f003ac439425b365504c56491a3657d4ee3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
4f9a35805c4062e6d5a15cd86f0ce910

SHA1
7f371c25d498a6f46386bae5a9ed40eb05d699e9

SHA256
f4884c21818fe28554f4fccca2bbc377a423566e2122e08787c7347adc85cef0

SHA512
3d3b0ee2367f7e53d8ac0c77c196f440d791e46b65d8419f22f3cab8cc39c0dfda762caa9bccfd9b2cabfe064d33c865768ccaceb82f7ad5a31e40564fb87b19

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
4efdececf11f5721a2d387847c881246

SHA1
b8e6d802b1335aca77740b4d4ac02bf80c1dbc1c

SHA256
4a54ad584adb155c5f0632dca8221ae866962a19f72e29f2bc35c5c0a924304e

SHA512
f2b371bd8e96f595cdd8f87eb3e5314e3e740f8f6741ec19e3e4a14c9aebbe98f42dbfce9e1931aa915e3a4652d0d7ee064ec54af82fe16cbc8d9462aa8b53e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
8517c8ee4caa41ce553b8e9618bfc392

SHA1
04687183d1860048c610bdd9ee198e168abf8238

SHA256
283f2b64b628357a8fdb39d2d3be8528b1cef84cbf51151e77bb0a31f14eb96d

SHA512
aa673a7abfb5054e6c3c31c7214450a1a7bc36ac1b7e0591a5036573372cf8389bfc7e043bf631102e1ae2920a3bdfc9e6862ebe8c1b347a6bd3a8df60387eef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
70f14d62a5dc9a88e6841931e89870d6

SHA1
cd9474cc1280ba894be4caf8884c67f0f1d1bb2c

SHA256
e3c6af782f295805a4d714e94cc788f8a7aa6bd70273afbb4c1c97774bbc138e

SHA512
d819bc2178630402a57b0154b1e7c46480f999a3abee86246b166aa570a6093c38ab76a08dc26a8c110337d49a28b046d0c1ccff0caddfe008d1be3040e7cd26

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
47ea4ebf1b5a8d4cb0248c3315ef1985

SHA1
48d9c85f25eb613df674eed3965e3211c66c4aec

SHA256
254857a3201ab4e006d036f7ab7e053b6ff95b855122828ec1142344879b8fc6

SHA512
4159ff8624b74062868d3b4e88df5c99d51cb46da15e2debae207c202c727c96653df632f7fa481a69ad7469c9b567e81bf7a01a3a58d40aeff652140a2a6041

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
f981027544e8bea94935750a34ec69ae

SHA1
aa31fd35c13ac8929257c158731abc8361dad8ce

SHA256
32e4bbecd2e5b83cbbde8934cd371e7811eac5243cdda767c14fdec441e321e0

SHA512
72d0856ac8b542b9812b4dfb419c8b65df1dc5335f16aab6cb5bfb392853aedec3bdff6d1a4887a8c0880436c59b80e5f7b95bac543da19681021617d8999fd9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
efa9bce3d6393c0f5c2cc7703aa88c80

SHA1
fba806bc285877e4615ee01132db7a7f2bf327e4

SHA256
14a05089e80737dbc49bc3cd1cc1934e0cebd1eab2816d26a0d73c5f7749f093

SHA512
6e504a38ad5bf711a4d4edf539c7ccdf9e12ad8c403500c21d163d790d8bd191cc3303af6f3fa4ef585ab89d310ea2ad11369089abbc610338aaab8fda82d355

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
7a1ef9aaca69b2be881014e4e50d1ddb

SHA1
18febb84aa7c9713d8acfa8ed09de67d3503ff2d

SHA256
604132dbc24737f5b04108e5ecfdc8d872ae2b26fba2ce65f9c600e8200c1a5e

SHA512
6fb1f6432ef872077d6f90c238b1a6153a798ca8d5a110e6d2d8870299913bcf0ae87f687a627d43abf24d377f79e85718b4bbfdb622ac400516c3d33b5c0684

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
b3c24987b039ba34e981ad7a631973b7

SHA1
25f2ce510d8b8a78a6df0c82f6fa81ad1386968b

SHA256
a900874b2b1f362151420c050cbaa8f5f4189f2fbb08396fb62609af3d880374

SHA512
3d7fd89fc3b341f297eacb66aede72f41262fc2d0b838d4ee40946a4f8353194f3515f00f118561ee0712beaf570476d646dd77ec20eff93ec25be42add94576

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
4fa17b3fede07f4b24f7eca4339099d4

SHA1
d72e306e58d02e14fce45f7ead3bb3a5397a78dd

SHA256
ec43999e937d96175c75ef9180d1bbdb58d1955ffcd9bb00dc864cfc26f8e283

SHA512
bd46b7eb42fd51433a4b7f377f8a7e3c00ffd383ffe9e1d99295b6a68070171bafee7829521416c96aa6f5f516fe3cce65485f46c1d4771062750ef5cddb18aa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
ca8e4886602bf8ac37a7818c191defdb

SHA1
6a175f3ae8124fddbe7f3b160cc0242f789737ac

SHA256
48d8b20021c49812e19286db1010d08af759cda4256daa553e9f130e5958d44e

SHA512
9fc35d25ff2683db7864fcc1ec255397f7b1035f5f9a61456ec040ea1f77f8050f0dc693e431e4903007e43fed73abdd0837b55b982fcd25f200a0623d6bae5c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
9bdee179ac273bb419ac99577b262683

SHA1
0809d727f5a43a1279ab0b6dcbc4780bbb8902a3

SHA256
32e2ca66b366af74b9a035ce9ffb89ae225d4837aa3a90a389a62ac9de6d2400

SHA512
995a1f25a5c3bdb96d5dca3691d347b66e8d29f8942d0c6d0eadfe19e24306df63328d75220be583d169e19bd113c9940598f75e7171f93b4f154d1910fd568f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
8f42d7ef4ca4e38aeb900f5a47bafa13

SHA1
bec10e398fd6fbd6173c82cba345e392f93f0cec

SHA256
88b776b95efc7006652adcfb811949b368b8be17e323665c2dc0a4073111249f

SHA512
2d2b91984b5a2e542d08153f6db6ba1446501fd2e8a7e2c44c513e16f2db89573d5fe83b98edca825196fca7a56b5be23935880e08770d48aafb08648b21308f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
c97b18fa3db6ba7bf5e7e4c833d24bd4

SHA1
939b5bba819786e6c49449bd5753bf24d6046a47

SHA256
6f19a8f99a032b9ac59fb85688dd93bb2b52f0286a8a8884650ebf26b7e1492f

SHA512
c96b16133617b75e323a52e9a02040ebf092e1c30fbe3ac4ca7681770513fbeaa10a82a4b10cc2d49b52e4d4881203be92fe0ad9962fa811fa2c56734e64201a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
a6a5e1a90c6b7b92f66f656e5642b74a

SHA1
d2ff81635dff97dbf5f89a4347a9d95047d64226

SHA256
828231a2d38e4650b880eb4b4254f0eb8b1576d95fac749789f547537ff07411

SHA512
bd4984fdc5e8b78751e37df76a893c26af060bf56ca8f2224ffd2678005a47c977657aecb5e1f5ef1f2744ee5a3545c10a18f70653053fe3d615a493401f4062

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
0854333022c44fd81f64274796844538

SHA1
8d8ea0b0ae58c460b1d559fbc27649e2fe9e3b98

SHA256
216f16d6625fc0cf13104d7caa974f47467c0c47428cd509bfe0376d5c212d0b

SHA512
a7a66146086c70ac2561bbf85b6884f4da76757a86486162ab2efa68e61d2a670a6853569ac44f5d3cce3c709e6a9c7b9316753e893eb6caaed09dff49629deb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
32480e821182e157f356beb8211819b1

SHA1
e6e014a5f1c9c62d80883651a9f75b0a382fabcd

SHA256
eb94e38f0ac29368751a40365bec983927a83d27a97babeb99fe666a8f865142

SHA512
6c842255505c8deb97f03872f6f622134e0e3ff8e287f071ad08486abad765d977709d0443bf10ae043972d83922203724dd48e4b81d49bcb82c871d94cb64de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
bc22bd3f94ab7f25bceac898442d2bf8

SHA1
8852ab10c6f1bc75e0554a9762a4c5f8c65bede6

SHA256
9956ff924a964e87a888a76635d86a4bf8ab834ba68167ff0e55255e9b498158

SHA512
bea8a0d912227027218c2da75150d9f3aa082edb64d366d338f8e5fe2e85795dc4f5e4d238885e51e4f77ba52ff5874c653f321d327de1377009f9bfbecab1c5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
9573289cb008d2a4d60797ea561bef72

SHA1
d0fcacdab405c57f8dda9421c1f2b61cfcfc5fe7

SHA256
1547922593ec7f5c10f728ebd05ff15f9b6d44129e2206ceead073a27d774592

SHA512
ecf7fe8f03fc7d0df7414f2c924b5fcfb5504b265ea008e6d812088705b00ffe82356697007bd3c2198789970d7d31f4861d73ec2b58a91286069168d59aa108

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
462B

MD5
6d7c1b867cc3036e62cd97d243423507

SHA1
7fa3a26b202eb88ae71b8b52a96dd1cd50037d40

SHA256
911c62702f654c6a18ae70d75449b03d949da6b53260fd08456e4a4758fe44fc

SHA512
abfbb504cb6018b947a0d8518c276b09f80f217a739880cc3f1a6f0c03334313a804d9ab202afc294b65afeda83de1199ebf131cbd152aea6fd73c3eaeb40258

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
264B

MD5
7b1eac2dd84dfcdc4ace456afced5e8b

SHA1
68e0b0675cc5547d2c2e74b4b6b583348431097b

SHA256
fbfe1cbeeff9d0060f4bf0b2beb98d2b272c69a7d4fe3e6c339d9757e1e61713

SHA512
c10d83a1cbe6b258ecb32d033b2f5b1f1b591313e8a93e9e898c78b670415fa7c4ad1051af6b3df1cc0c555e9097193e28902119c36229aca7ea3b02236735d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
fcb6322b90822fb983d456b0a16f2074

SHA1
749605d4c98607b685712a73ea33bbc116c27f5e

SHA256
d4ef8d728ce77214c6f4a488b350089ad3b4378b87b5bd89d8e94a4079efd2a4

SHA512
8ed13be46880c9ad33511ceea1dcffa4f7e9be1c65aeadbdbbb43dfce9f4fdcb44ce523ba6bb9c8f4b28870026c1b16887942fdbc9a561ac97d9956e9592b337

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
aa3efd00a0387653e5a071bf833f9e11

SHA1
bf4f4829e4232c254cd565552870eca5070770d9

SHA256
327af67b8cd7da5f2bd5f72792073b3ffd58472e7e6fda61ff3b62c670de1fa1

SHA512
e1ab374f27a8b3bfe1aece1a79d9f14f46948c69dab96e7dd5b63b22e1d52c6d1d97192ccea3e206d53b085f436d612ab6da6cace2e2152a9948e5b155ef9bf7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
2d6ce246fb6527cce92cd4f7cafdbbf9

SHA1
9877bef38b058da2ddd0aaecc219bf02da2b20c9

SHA256
853bc9487ec1e6f3a53c37098842d21811aa1e6ac464589e44a886a272c60513

SHA512
35db03e4f554b1a0547cd7535f10cf6315cbc10a95c6e71ac82a3e2875c38bbaf92eae58948b21d48842254ee79f2c40bb8188737d5b331d40c831877fcc93d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
fcc4e88442cf36280f54aa865b1cdb28

SHA1
8fa7a46eb631d1c3f536afe56a93c63c3ae6c9d2

SHA256
f7a54b86ec2d5b03a7edb278bbf282be903bb0c7252c0194c323282b06ff626a

SHA512
4b05f97ca486790d22d4329692e4e152cc74fd54323be808d8d5bb88e00aac2e942be94583b190f4dc87e44526f46f939535f8553c8a25e6385a065900fcb27b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
da506b61f58405a17ddcff791785d71a

SHA1
2c373bc08f66fd05a6f09461cb9639ff651f1421

SHA256
52ea6d6d6e743c1bc9f4853c83afee667b5d70007f49da0a3ee04b896206138b

SHA512
1686934b8306c4418c1a30371c49d504f030aef93de27ebf938ec76d1ab2b4d3e7b4747dd3ae261817387faeaf3d393b9734d785424649793f2d21c004b394c8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
f21c1df01941cc2d1402b1c29ca380d2

SHA1
09df161ceb1bf793543661c9e529e837418ca68f

SHA256
d6a41ced9cb4accf0d37e66ae1b08c85a6dac74cc23602fcc9e9eb88ad3e2bce

SHA512
8fcba8901aa9f55f9e7ff97e03aeb6df4bd0f790f03e79f797723f865ab8ab6deec6a01eaeffc311a59ea4bafc387424a0e30044fe700aed25862f465823068c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
9dee06dd90d3076d33333370e97853a2

SHA1
e4f78102c47a2c92f1dd00bb92d386fea91f7b2a

SHA256
9d213d67f913ad800a8d042d80adf82aeebed3fe4ec22899ef150844d3cece92

SHA512
09e755d0174395c6a7b5a75683be43a6d7de64ec3d4c5b9082958cd2b9ea3fa4bc6b48d15baf833c0784178c795d619b94d2949f58bf080d7d1fc040335ee1c5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
eebecd09955ee7b622f102e2dbc8f82c

SHA1
2e283cdd12033b68c69405d9b409950e3c8f02b0

SHA256
47a11f8c140b6060fbf60912b8bdf688d0335e2842a38d7327a08bdb189caae6

SHA512
80db37c14d32b413410c92b2f73883531a81f9bf4bdaaedba9157d5c8d5945cc33105bdbe686e7fc74bae0859bdce5f10c5827a9d57535fc4a5607895ddc12bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
e631efa18c1c71c6b7f2e1cf87a17f86

SHA1
75bfd3930bfb8b3f814a6c6744671d4afaa880e7

SHA256
aeccbd2e90ee8113e028ccad4f7e783290365ddf34be7dc1b9f0659733c511f6

SHA512
7f9cce6e9d9431cbb88ef0cd1600d76e9632907e4eb475be18bcad9c41fc85fdceddd1074f00a17dbf9b050c313c08fce8c9dc166d06e22ddcb2c6095cf67746

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
d298fcc4cc93c01d23f7b3642dca0ea4

SHA1
34f6f7ad8b7375acf597376f3871382fb9232076

SHA256
d2fff44707f5cd12e4d1919d0b235a0d05bfb63d92a63277b82c13a23b16a248

SHA512
2d53fbac80bb41bfafd9ca9b618e56e923475564751d32349e5084df3a84f03b67db874469f156bd8ad47f53eeaaaea1249faf39c0af748c8892979ce993cc18

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
104185d84b942a25aac87ac79a7068fe

SHA1
42e8940a54eda0c25cc95d3a40541ca53c567bde

SHA256
7eac7fc363907fdcdfa75bec78494d05c90fff25f675e818872e20447f64db7e

SHA512
570314124e865e6f950526653d09747d06798f1473f6a314dff33b76d1aa9e8975e50faec8be15e1e787847ac68e65a35e7fff003912dc7efae2610c64a9d2e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
d96a5599d8dfe1510d6199aaf9bb2a92

SHA1
539fef0e0a838480c14555cd896979be82c0b6d6

SHA256
a3fb005f741e31a88fd337bce98dd5d5e9f9ace4d80f0465ca98c643ef483cc3

SHA512
93ee3085fc4e7988a47f9d7bf3fecd9db510331f7e4b339b60b956ccbc102ab887e4b68be75e06aaf0dbe5819ab5e3effd14b075fbeb0051ecd6c5f612fd8690

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
d6c3fbbb16fb822a6ea105c8826da21b

SHA1
1fa2059fffa98ad52a2549b4f9b3c2ebf53ad337

SHA256
534997a07c59acd0d8b0994ffe5600ce0b34c56b3ebdb9ba8b7f88adda28afa3

SHA512
2f9b5bdfc39512b3ab9f98927f11419701bd21df24cee16ac8da42586c151f4004db387312cfd4beb51fd0cfdd3c7a768f365376665034bbb7139bc5254c20e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
cca6a9f28333b6eb4d1bc8a7aaf316d3

SHA1
129b14586b357327285728484ec5db685e25fb26

SHA256
5f16b8b318c1216beccd588cb27f53736c2a107610bb4f65f66f21ce67341ff8

SHA512
87db9d3ad00084e0ff37c3a10715ac0e895492b05ac8600dfded49633f6edb536545e8e9f758d52f25f164c81d64ec67d3eef9e6c2c3471808dd18022d5544cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
84e3c4a665d1d5299253b713bc04e336

SHA1
6d24454db208856eae45f5883ff2e3c50101a61e

SHA256
b0209fe0e4ec55d05e294c28c56544fbfb3485ec2c0ede956bcf5aa2d07ed06a

SHA512
87ca51ff30e3a3dcd132c2490ca31a35518f835f0b38edcc2bfc7effdf44f90e99d4b0b6ac87c35819a91f8306bff40615fe03b74ba1b21bc855fac2006e68de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
fa03d2365a16bd047e4116bba6ba29e3

SHA1
e2aa8b14a1b658db17e3dce5ca3ee43b36eee2c7

SHA256
836a4922b7ea02492bc6371c3b3c4396cd590c02e61acdf2b386a58a48eeabf0

SHA512
59b4e58bf5891469233a5e2217c2030e44bae9e79ff4b497da55ac49c7a8f17e0fb648e5461ad25323739bbaed14bc69c14a6793d50c77bf1169a9afd09b7efb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
743fd492c0070ff1bdeb3e579edf07b6

SHA1
95d525d969b03e08b98cbfe32b58bd25e4b935f8

SHA256
2de3d05e0199624c091ae9f999b85964fd97b068c26f83a90637ae9d71706f2f

SHA512
9888e95b09a816956c49359e577e568cb68d51d0d2344315503977483cc689850ef92be19e0bd48d4d762eb8998ac9dab03b204e0796c4121e3d7d77475218ca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
7f9c0b03c0421ccbaeb509d1b6b5a703

SHA1
fdc28c61b91a0ee5474999230f58e421bfa5bb9d

SHA256
897d6418df222325c39597f7ccb31a0577d8d533e9c38427177e3d94d0dd4ee6

SHA512
8e19ecd6978b30050400bebc2ab195febe1f99b9121156cd4d4854fa1d0d790441dc34110bb9dda36a3e2c21313c36c4dd75ddfa648a3d2b6b74b7c07433f9a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
9b5abbb51c5055b8a0376b3ee66947b9

SHA1
83239e68b73f3fda96dcb83136e8a757000b9fb5

SHA256
f7e56cd598f4abaf661881e36100b518b83c977697208898b0e28fe345a533c6

SHA512
439f249132afe9c1ea533271ad9a7a2927e081390a77379aa4eb34bb08e7ea79e2b25f2c22620e8bfda79923657fc1af2908c133e45d3b6b77d247d77507a531

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
1bf4aec13a04501a2434de6eb336aad3

SHA1
b6530a4eb8987bbb96b790cdeabdcf2c1bdd97c9

SHA256
185c4afafd8fa2afff9245e2ccf331531ab13c7af1904144ab0b14d19c685cee

SHA512
8e75443481a3e66fd43ed788bb519d36528fbcf7aea4cd8255779f01af03818d0ad123cdf9671df10b351034078a458a90eaba10046a9cd793c591a6b7e41ca0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
187288bfee0d406603ef4214b8284bc1

SHA1
b9eb41cf60879ce10fcb9023570ace7c885523c7

SHA256
0525a1c59f27ccba27eded723f3b665792a1432ec33f24e46cdf4602ac359fa3

SHA512
679a9d873fc6e5b8e2008453dd65a52fedf806ddb011c98ec7af35dcb903e8b695195fd4ab9993231cabbec1fa264878c08b4030b3a2b6f04b0a14a7964e2ca7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
3ba80e623dc1720d3e15005d28fd549c

SHA1
4414e13913a78424bade45df67dbf0d382da4139

SHA256
c311fd5e592decc1045d7c4d95447c1bdb5936c3dabe8ae316d0acfc0cd23a91

SHA512
0aa53f47d8438307beef4c2336913550b21cb660d195972135c10154e1b004272469eff033d315160ebb48568e7effde6398369e72f3cebc331f86850fc6fc05

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
9f04fff90845eb1b33528b595f945e0c

SHA1
a9f54b7da542f2a400776a26ef9a87e4704f2a1d

SHA256
597396149c152927d088e50f9fa857512b93b2f9d1570fdae0694b70837022ae

SHA512
c0ad8721dd2ad1db42a41f16559e52c51366abb69947e515eccb870f47d047d9018ea434cf564dc519efed287975d38b869bc264bbe9434434ba091c9794c8da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
57166e8a3c590609c54ccc3d49942f71

SHA1
61edc7bbf97756c86ed52b4c09679cd852218b02

SHA256
5ddff0db4e673bdfcc2fcd09ae27f4d9f5b3787741c2e2c73c2b6241aec1c43a

SHA512
45ae36162f242abd644b444867f94185718cdbb8e3d9f94cd315405a91dd727b9b650646b869381a578a964b4c7695ea82443cbd85fdb5984b1e108fc7042ffb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
619e3d89ddd3405569e40c33ddf2570d

SHA1
af002c97b01388c65d7290bd6da017753de07a10

SHA256
110d81b62bdd9ad94a519def9bc1ce8fd42bbaf3ab052c1507a5cf85d82c69b0

SHA512
ba60c81e376219d0640db7a37bf03df85dd8fb7c5c82a2ea9b5d96db974474f0b38749ad8695b05b9081d4babd027f06cbf930b00ab30d383cc2a1d491dd407f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
2d29f995bcba10b7e3d30e9d56594c63

SHA1
eed28a5086241db779a2b3540004a778b497501c

SHA256
1f8a80da8175ddac9d187b74962a6ec5e01d77388b9fdeb79a2842e4af19b51e

SHA512
74095f10803d7a77d83ab6bf3ef473b3320897479abe8e7d839bc564193263971b2f428754b1d35f989eef3baeaa285917c6ea4ccc3923e3267bc1bace1d3c6d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
f6abcac6785ea4caa98730bf9ed6fb97

SHA1
0a4e9a3afb8f161fc78d4e1c86acabe916d27514

SHA256
a0f0d96343608a1dc1453853d9f8d52f795bbec6e40b7828731cffbd162a5cf6

SHA512
a99684b58f57cb2d4798afbfe327463c33265d4fb2bb77c33dc49511ccfc454827f57b4c06825e7d21891b7acd8405e55a45c086bb062915d84a0b8be13174a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
e16394f8ad85dc470d3d64b3c7cda2dd

SHA1
26a3e0d2134b7c621b1031cd94ce12faca109d99

SHA256
613271284551e66a7ed62529025e9132552950622a662685f6bc217ad87fa671

SHA512
b1dc2af8d2fe7345be357b1bc310a91ad6aae8c487bf26b7fb306d1b8f309eaac946538dd98791270b17c42645b9c35603274daa8d011ab98ec076dee0212cb3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
c0b8414afe6317184408b3fdbe602edb

SHA1
19c38090cee53d07a71ce43e23c761dc631db262

SHA256
a6df11f9ecbef3489145a358891bdd8b84c45c9d5f0750014ba3e1a87a8ecd0c

SHA512
a949f6ca2ae1e2a34aee07902b3ace3c43b19c14b3ebd039f0ae7e51f41bfc5837fba15a896920853e56f71b328ca290d01e006d0c8d529860d8df1ac8deeca0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
0ababce582412c539faf64eb8352d29a

SHA1
3e6723f54b78f845f3fde735abec283bf69e5c1d

SHA256
ca2c3c30e0a2b2c76b0f1857db31a7d85a20c9c8f3b75486fc9132a2987cc38a

SHA512
49271195157f7bf39960a3ab16a79b37875bde70d3ceb8dd57270e25c406fc9d082d7388ab04b81a4950184b0fdbf5e3445908bd039f911d0da4c04fd8269689

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
e3e19582f5f6066f11bc2bbacce538b6

SHA1
126ac762d18c3b531a75baf553a8092094033be1

SHA256
b8be61f23d1006a4b22ff263bc870249b2f6e84d4e6bc68dfd5863ab1c6d7ffa

SHA512
c9ecc6bd854669df232dbbd1f802c0f52bb535095ea02ff092a717ef6c8c67dbd4cacc44e736050908c86285d5926b3f4f7b96ce701cbd578a790c171d788b6a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
53253ce6c5991feaab38c7adb1da57eb

SHA1
951ed1bb98e19a49da358fbd1d449f55d1dd827c

SHA256
f65e797c748dba451248deed6805cf429b661f2bdfc1ee89ecc63c4092818721

SHA512
7cd5068bb39fc1a692cca6168b2ef3526263298fd7cb8d7bf7ddbd9c53b13a18988f2df90a6394ed677c9b2ddfe2345e9e49378549aca1ff94ffcd546f7d741f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e2cc34cb462ab671942fc67d627e849e

SHA1
6ca21acaf3e719e290ab8b97a1edad186670d4fd

SHA256
5500cf8df64181092d2a2d6191631f90429df1c7ffbfc6db822caa0824960477

SHA512
59bc571c07f5483bccc9eeebdc15a2392c5d9b19c2c7f17432e7f8ee29a164f480643d6284a98ba69c747c2d79573acfe647e7e8c96d86b9aca5da18c5bf50e3

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
f4d7fa5f80a010aa019e0b0075839696

SHA1
b3dcd613729ba1de3513cf3edf4faab2f878d0a3

SHA256
6e163440afe2dbc8717d869f0ed63d85964da5338a5c061e1da11a185aab8596

SHA512
c6b960d919bc4087497e80679485a823a367239dc36a379c22350f3f2b3c443222922b3f5d0374e0a79ca0f6e58c161bc91907cb7779cf306c844674db9dc683

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
62c609f08672b858a556dc649a670104

SHA1
c77514f9a6a94f8165dcb16965c8880e4fbb9077

SHA256
2dbb037a6adf5a41b078d3726c7b151dee6df3e446eb2668e6ac1f7e0eff82c8

SHA512
f73e9a227415a30c8e5e5c98290f19083c4cc9cc1d6fe8d2257f2b542cb2e04f89830070c0bf6f9f9742b9cc375928d04b996fe6846856fc2b799ce583dbc66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF660.tmp.bat

Filesize
159B

MD5
4bf8582c4f18c9b890a6b80c72a923ac

SHA1
f42e66fa75a59fb8bd2af8333c68efa80236dabb

SHA256
cf3356d7e85075ab85ec3a6f634bf31afcc92965d57801c7a08c593979840db0

SHA512
a00605c0c626344125c0dfcae85bcd864ed39c4be7acc72defd3fd53f080fffc9ec0d2f04547d92310cb394571b0e73f666d8d048a674f8ee4b279b2559864ef

Download Submit
C:\Users\Admin\Desktop\UnprotectEnable.xlsx

Filesize
12KB

MD5
29951d437e599e9b2f0c11dcacbcaa9c

SHA1
7a1315ab1d3ae29589f730f28201e3a06e54614d

SHA256
7fc144ed4f3231d097c804dcfffddda7df3d8fb572a38662bd0cd38678fdd3a0

SHA512
afe1a5ad259ed73056ae354dcb00528308293c87975751485612ca7632b8bb971f839413aaba021b8b1f5fbc7a32054bb4aed4a73081d82bbaa269f0502520d1

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
939863beaf36e2bef63b51b91bdcaade

SHA1
d8b3fa8d9106ed5110f19267083a9f669d6ef1f7

SHA256
8a1795c7e85e7d9ebc2d686c6a40ddce8845bfa72c433cc8a6137a7ec4ce2133

SHA512
44b6566399d41feaf510e6eb7e6fac7b212036c1139be7735515e1895ed61f119126e1c3e0ac288481983fdde593759315a6e0bd4b74a8c5466a9217c835c74e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
ef542d5671f90398bd2c50bcb50e0b81

SHA1
52798f8c5f4336ba26eb0cb2c0ff6a5926a7fea6

SHA256
8e337e050ff67b836f097270c21ca7d0190c9197f34244556854d9728f353342

SHA512
a32879f137c5d5c0870279d8b7862c4ee3d9271cd4709d708aa8fbd61f8ca5653a36371c05b04a89df2c9723f48127f311d05f4168ee620cb5f0f2ceaa3a6178

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
3fb342850a8740b7a541810faab211a7

SHA1
a1f895ff8444ae1d17d770a236683816412aea41

SHA256
8e871c921dad6b809f3a0ba0cada5a3900d2bfc7b9fd685d0f783a2aad086fb1

SHA512
c2da717b41856ddb464625f3d8d60979267736f51fb57e76bd98c0fdd6f4c8739d86351b6613d52db990d52e6f7cc34f4ebede2ba8ab44f5c9477d67c6aeb99f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
03575636a49614c04915049259f55361

SHA1
f30cf9ae0a23ad60a03f8327344c2b825a634232

SHA256
0972f94eced02c6759697c66200d25025b226b0e2e01c05df8f4001bb1f4d36a

SHA512
a6d10500d98e2225c4052756beaddfb3c78faf0b661efa3ba5128a0018456c46b8280e551ffe251a38b2c4f24646c4be1efc21ed9411ba4573f59299d6c8a0f2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
2269d8acba8ba36068567f02714064f5

SHA1
f546575dd93a89c1bef023846626c146b6aa0ea4

SHA256
407cc7f5d7ff65548ce0d9a1405d45bd94a0b8a59b066e0d45313e64a3d2bf8f

SHA512
e6f131d2210b9f84e406fe151aa04a036cdcfa8fe8ad57ceb1857bc8c066978729b5c0231009343894366d5a0a429b63b433cdedfc27099c5731ca812c025311

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
426bdec30b345a8a54ec9ce7216a877e

SHA1
98ce43b11751f1b4b2a2795a22786eee32305028

SHA256
23b7d772af470aeb3737fc07586254a53f8be069d6fcff2123a1501320b6fc83

SHA512
8f019affe06596db5bd4e883213e712891aff3c836bed56822bed2e913995a3c5134277807461e88b62aa52cd6a8b6279d31d4f7d6253dd59b535b2a0ca472e1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
a61cb5fd4ff509c8ff628bbf145bdbce

SHA1
f6deeffb7e714d7e488ecdbe493b0741005c8578

SHA256
5621c821ff0254a0eb868815c9882cd2df9ded372c404ebf379cdc7adc0b2e7f

SHA512
5b342cb0cfde8d694b4221b9eb741352848accf8b6f1c704287189f0e2a5c75848bded8ad4e63973d984d0d9ce34937be37d3c978bcaf198f7e57cfdf38b9558

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
821740c7f7aa36fe2eaa9e17f79c1f1a

SHA1
d66ede41cb6fe1f48f758ebed16ef5a6120dac63

SHA256
be08755206c85cdf6d9a192b867e184da07c1df339410ed482fdc82658d7b37a

SHA512
fb78b862b2c1e8a6a62bfc00a9c1dc21fb51066439a3d2e035b96ff826949cf3b29db8356d147115cb92ba38d384f1b0cc2d128291ee1788233cf288ddec6759

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
cd7db8bf26d7ac81a92528d74a7a34bc

SHA1
012b1c34cff64626f96fb57f9e11e370ded72040

SHA256
8b821064447f5264395336b0197e25e3fb976288c8ddb8cb88b2ee48b81ec252

SHA512
13f38dc0d1c363a69b09a763badf43f87868f74dc04e6e7dfe8a113d8f3b95cd67c449e4cc31317b54daa2575c73436a30d2511eb7699d3c5f82fd2ba2266784

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
848e05c302ab8f7eccf844791252babd

SHA1
32254685e69cebb011c78556f897f304ec6322ce

SHA256
52194c34e8694df53204a7bdd40c47f5da3f94f5c95685479e3ae594b28ee2e3

SHA512
e9f3244e3c242fab45c2184e5addd6576994c009778ee1c2ea086995fed4e023bf73a29f13479f8d1af1645fd0e378224ba518f7db45a3af0c462d4a24377dda

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
5e49c080a5dd341e478a39070ef89270

SHA1
6f552d6b3e47357aa43c5e80e9265c9cb8163d26

SHA256
0a32a7051e5316c0cbf075561632aa661032bd5b90b1a44961a401289f912ef1

SHA512
d9ad09f86512b5d5869ee73e5d3675b7b8bd1825d051712180364c62acb0adcf69c03fd864bc470ac7a2a3220d62549ca6deaab3292e4137cd7235b7606b1836

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
5d432b7dabd6d772842cef346472b4ed

SHA1
6b3a0d4d732336362c014fecf6d661248067e248

SHA256
b4f40ee69266e3c1c14ce72cf76ef4b7cbece64e0b9e8a7a333a28fee7e43966

SHA512
dcb24fab20b1046153da88c5fe8108439b28d70e6d33b347328e5b345f1c3717f1d0a48c5ca5f515c4a3b705959f4bdafa0b9ff5b454d11a3ad7943067db38cd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
9248c0180e2ba5688384db2762f3414d

SHA1
9850c63ae129f6c4a3366f3ab2055f0b6c686401

SHA256
06b4f0bf7f3bc455111e1e631f800a35bd145b5d580f87ac5918f208cff64496

SHA512
8811f06bf6613718c4abefba576a71a1a185d7d10065afd6517feb917a34513ab63ace24971eb914ab358c6c4861edfa0cdbe3eae4239042223d6561ab1c0b06

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
7e0ce88fb72714915330b899f700b736

SHA1
15c3056459a52b248e3a991803b8ae6f7c4a8be3

SHA256
0a59b8b575519772779acac4b154c54440fce6c9fc06d31d615cd7bea72ce664

SHA512
eb826c285ac3dd0f9d2fc13da976a93da1ef9945c45da9f2542189335470b3ab5d85c96d0315653614ec3745dc2067edbf257ad2499018ef0bc806cc18d8a0eb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
86ba53b4067762a5b7065879b8b31ee4

SHA1
ec0188191e7c4ee477f54d0fbc7ab0880ad93bf2

SHA256
3cdad78ce621a71abda05c2705fc7b5abd0c972e2a775a9cd553c5469a18887f

SHA512
52c141fa1fe5da0f90ff386d630b64951c0da3065b3c797ab3bf8b944825df0e72745703174ead8f18956f524e31429b7ee575bca93459301d9615d1ce90e6be

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
f5cfe35632028c6f7d53e157fe9fb9ee

SHA1
1e054759def5bd769acecfa59116f9a8c81ecc4a

SHA256
dcc81c6e030f6cb97037c94687c3b404d6d573fad78402ab07d3a6a710089ac1

SHA512
e9e345f02cc2542786ce4d5ed1aec6febe264f4fea3d9639e76b6e74fba2a90e488238beea19b7e3d9c73927477b82cb79a2bccc45cd0a5b4e57fb50dc2c59ae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
8f25b11024a6e2ea5a967d7dbd2c67b1

SHA1
bc26002e80b5c9f4862e2fe4345d261a644f09e2

SHA256
716f5281f3f2f24107c80a54fc03b6336a047bb54556afd378aa27c8a7a31c39

SHA512
03ca6d774b21920ecf333e08bed83b3a9c83232ed55f1a5162f670862fac45a087c4e0f99ec658d955d969c3f79e47f91e7277394a1867bc3067d21279a55c2b

Download Submit
C:\vcredist2010_x86.log.html

Filesize
80KB

MD5
033d9a02a5e6edd408afc547ab8aea1c

SHA1
847462e5c436c9e881e3e59600b91f80fa29f2e9

SHA256
f8af671d9ef2474c6334d505a30f69eaa1696af3a8d10cd7b0aba60609d6493e

SHA512
5cf73c4c395a13efda19c3daf447520e7041dde19dafdd839f10c316a11537451165b7ac265ec2d0027632d02b4dd0e759286d3b1e0694d4cbaac0cbcaad7c32

Download Submit
\Users\Admin\AppData\Local\Temp\setup..exe

Filesize
63KB

MD5
bbe814c269e9e73a532018feb1c52bdc

SHA1
8e99ddd6f14336e786a335ace50c0a0d37f3111b

SHA256
07dc7d670351d2f230c5a2063b933810fcc13f059f66383833f1a66a003c70ea

SHA512
0f1f0bc9d1d8d7c33fce51117480626abdf9f0847eeace161a81ca321f5d434aee930bb4aae679f88fdc4ed28eb72c0c81a0359dc775969abb5896bd9bf2254d

Download Submit
\Users\Admin\AppData\Local\Temp\setup_.exe

Filesize
7KB

MD5
ac5d3ede68d0ee0054ff52d550fa23db

SHA1
d12af0bb41f7b152ee06ea96b856e28f743bad80

SHA256
6e76a936f44596d76184062c59de63bf6a761369ba30da86501eb074bcc1d8ef

SHA512
ea71f5ea1b0727b80a3342cffed24cb8face736667a33f7a4a360092d8c7fc9629b0e0677b0386ec40628dc60182fdeb18a07c310e5515a6ce9c002c749c3d52

Download Submit
memory/304-3656-0x0000000001330000-0x0000000001346000-memory.dmp

Filesize
88KB

Download
memory/1784-3860-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1784-19-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/1784-5973-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1784-9127-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1784-9126-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1784-4800-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/1784-4801-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/1784-4802-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/1784-9125-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1784-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1784-20-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/1784-21-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/1792-22-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/1792-1968-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1792-45-0x0000000001110000-0x0000000001126000-memory.dmp

Filesize
88KB

Download
memory/1792-1876-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1792-1881-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1916-10-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download