xorist | bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08/10/2023, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Size

39KB
MD5

a7ed00a3b0f827a3dccc69d8908f5a22
SHA1

7a36afb00dc04927478303dc7df10c088d00da37
SHA256

bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2
SHA512

b9a55cef1c02c3f23a0065acc1dc20dbea3471f7ce89a67ba75fe993eb6c719901a9128209078bac56a6089d9ca60f71302863d120a842a7b60d5f4c6614b7f6
SSDEEP

768:4rVDCIs4eh3hhNWyTp0jvINEsMUILnidqwH37Zg4cauO2eCmLvB06vfn:4r4imxn10AP3Iuo27ZgtFeD0Uf

Score

10^/10

xorist persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 12 IoCs

resource	yara_rule
behavioral1/memory/1280-649-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral1/memory/1280-650-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral1/memory/1280-1999-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral1/memory/1280-2615-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral1/memory/1280-4259-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral1/memory/1280-4267-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral1/memory/1280-5333-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral1/memory/1280-5582-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral1/memory/1280-6157-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral1/memory/1280-6661-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral1/memory/1280-6679-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist
behavioral1/memory/1280-7563-0x0000000000400000-0x0000000000414000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1280-0-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-649-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-650-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-1999-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-2615-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-4259-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-4267-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-5333-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-5582-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-6157-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-6661-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-6679-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1280-7563-0x0000000000400000-0x0000000000414000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\69LGnXmwow3YdN3.exe"	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\de-DE\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_ON.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14515_.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49F.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\RTF_BOLD.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Response.gif	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10358_.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21433_.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_settings.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\46.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Windows Portable Devices\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10255_.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR33F.GIF	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\12.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.FormControl\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack.Resources\6.1.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Design.resources\3.5.0.0_es_b77a5c561934e089\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiwmp\9f570489c98c93a79f0fd793586afdc6\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\ehshell\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Configuration.Install.resources\2.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.Design.resources\3.5.0.0_fr_b77a5c561934e089\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\45ec12795950a7d54691591c615a9e3c\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine.resources\2.0.0.0_es_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\microsoft.transactions.bridge.resources\3.0.0.0_fr_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.Design.resources\3.5.0.0_it_b77a5c561934e089\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.resources\2.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\system.management.resources\2.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\mcplayerinterop\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.Resources\1.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\sysglobl.resources\2.0.0.0_fr_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Linq\3.5.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Core.resources\3.5.0.0_es_b77a5c561934e089\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\system.workflow.componentmodel.resources\3.0.0.0_it_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\9fa0c0ee9093a5f1aaabffb101332056\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\0728af1479c3388cadf85ccfc2b12582\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcGlidHostObj\18aae97d7e56a28acf9d642ad23ab413\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.Resources\6.1.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.resources\3.5.0.0_de_b77a5c561934e089\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Web\3.5.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\ehiiTV\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.Resources\6.1.0.0_fr_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\sysglobl\8abe9d895b3e9efe741b9162cb9206fc\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationFramework.resources\3.0.0.0_fr_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\ReachFramework.resources\3.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Abstractions.resources\3.5.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\d660f850b373b57c4e22a7100feeb1a4\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\1e85062785e286cd9eae9c26d2c61f73\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\5490e4be56d6b1a80586439ac8b09b77\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\b4c60dd01be760ee0452df2c040de8fc\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_it_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources\6.1.0.0_fr_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Narrator\6.1.0.0__31bf3856ad364e35\Narrator.exe	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehCIR\b648e07269decc9d5a2d8aeba1d48cbb\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInManager\8.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\SrpUxSnapIn.resources\6.1.0.0_fr_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\UIAutomationClientsideProviders.resources\3.0.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\EventViewer.Resources\6.1.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources\6.1.0.0_it_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\system.management.resources\2.0.0.0_es_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\system.servicemodel.resources\3.0.0.0_fr_b77a5c561934e089\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Workflow.ComponentModel\3.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\ad18f93fc713db2c4b29b25116c13bd8\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.OracleClient.resources\2.0.0.0_es_b77a5c561934e089\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\HOW TO DECRYPT FILES.txt	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.keygroup	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\ = "CRYPTED!"	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\shell\open\command	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\shell	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\shell\open	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.keygroup\ = "PDOMSSVJCXDYMBD"	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\DefaultIcon	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\69LGnXmwow3YdN3.exe,0"	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDOMSSVJCXDYMBD\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\69LGnXmwow3YdN3.exe"	bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe

C:\Users\Admin\AppData\Local\Temp\bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe
"C:\Users\Admin\AppData\Local\Temp\bf17f462722749cdbad455170d45b0b314311178207921a3ea9144b03eb31eb2.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1280

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt
1⤵
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
319B

MD5
7de497d552d315fc22f53b31f54f0252

SHA1
ea6eb93c0d3098aea3246259644fdd7b05299c2d

SHA256
f2ef35bb0360cc11ba8e08665d1625a420fc425523fb82c69b0af21281cba894

SHA512
5f1fd33c5d2d554f0a1e0c8884545632340c691e3f7fc2448289aa7255e678819ea642f0d7fc0b3d2c1ce7420d1841f83ad7961d0653945c3acfe54be1f0c55c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
b1e868d5c129a6c824592e4e63e83224

SHA1
01a50ef4ab98074980a2aa32a34913b4b31792f3

SHA256
fd4b29821a7b11bd239fb9a747f338d41a5f607a0d8aed74e0b9f404bfbb7c58

SHA512
f240e0d55338e8d98b69b64a81d81ee2abb01168855a4f1faa7e0527a2806bc176f6d47f043408413eac0da2143b0f201931cd95a6f1222ddf2ab930d00a6a01

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
74366602803cc68b55cd19742462478d

SHA1
a18109cd9a4ec1988cc36c1ca9a4cd460fca4e63

SHA256
1f538e39be562d446b16a44433f8b2773b37146cef5f7de47eb1453a9d2b9371

SHA512
d37cc41fdb04d87900764be50f8787d227995b176e52641ba967c128926b427fb2d9bd70e9efd6abd6a03fba03a495c59170ac94dd7b71270533322c1f9b4e10

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
ab2b1448877e8deccc23567339504fc7

SHA1
93243ce62b13b308d29604023b9c9f7f7948d017

SHA256
3adbc5dd168f687a2244bc3f65cd958ff4d489bb23dcee4a7868c63b1133f328

SHA512
89da62ce2056d691a0119ad0fe3bf110b282e71038feeea6058d7fb15c226b5ed696db9f3e6d6635db1fe06528f7618573a1f73651fe99428f6bc465477021f6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
ab5b14a26ff386cd39944891a84b0c5c

SHA1
1f377e4964581dfadb05f6f06665bae974b90948

SHA256
d5d7175446cb6af73cb203f246b631cf13e56fb93b56d60585bbad6927396449

SHA512
b444e4cfe02ebb9286443e62f0d916ebfe19ae9b458ba1b0790896d583e3605044469ad15e8b1ebe6158c8ac8dfaa66897f68e8de7c6c9b47fbddff08c44dbe0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
bb8301bdb48d621837065daaf585da7f

SHA1
93e0c8d63d1d10fd776a1a6d424912625d8e43bd

SHA256
5eed9d5bfd47ed309336aa91d2fe6d3d950c8701f3270a79be626036f1b3b92c

SHA512
7d9f45b270d48d4d4481ff3779efa273bf6e22fd0c741a6c4acbde1416ca6aa18c32d4da0ca271ad99529535bc34f199ebce6750569e3225f4130b06d924b1d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
25438ccb90e617fc030e601cdd1982e9

SHA1
74235e72f8a378a577f4e0161b017b2e18bf09fc

SHA256
6976a30a99d4bad01bf1064db7fa6e4f403cb4dd7b5dbabe2a7b559e127d3a44

SHA512
8bcbb49836275bb39e0e01ca0b912c8bd82f0236370839eac3ad41438078bc8c84b2f15ae3b8752885edc06f2eb6471ff2bb64af1eb3ba1fe752d34a8f1038bb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
05963369afc401e5ad327c966eb9dbdd

SHA1
bc2011b5212c4c0e67357caffd90433dd86082ec

SHA256
61594f9eb865ae0d1c40e942d9cb237865b6b1816a65aa72d89465f4214a9cf6

SHA512
c59bf51ec26850555dc0a0116c76b94c8da0ae051ebe410f943ec590a7763a0d62336e60c3429b2ec3b7557ce7f2005f61f82a9d2a807138ad009f766982737f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
9fe8860af357bb79f3f0f875e2e72a99

SHA1
2b33980d48fc9288ec6a074366bcc1c541f673bb

SHA256
ca73041f242294d3781843fe5427b3ddd9a1a20a9f6a834828790da06a88640b

SHA512
a75315f34d02a8aab1af7648a1f3dfec45a66dd93d064c96905d9e4cc29e8e1fcab4b546d45bf0324a199613f75d6d4906306a4c9afd85ff5bfc0052a0a7b315

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
f6946b475859d64919687df41c78fb83

SHA1
0eb55b68cc7ec7c79b0ba8f95860cf617b1cf697

SHA256
619ef89a0da0ff065fd9f4b2bfd3e6ea4f9e3f3a688b332bde75d3995411f89c

SHA512
ecd8464f6e9344ee6a538ac7d5f443a847bf4fdc1acb90e550728850bf63d3bc953de9443c785ef4f07e34de6e9c5c4f9b362923a17c5f4f1d5aa5cc9c60e3ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
d2bdadd279eda8fe8065d6adc991754c

SHA1
648e95daf53bbe82b487a0e63c0020ed009204a4

SHA256
5078c22e2c9e0849a2e828b27746ef7af2262fb28e64d42ac0a1b9208906cf12

SHA512
ed683d6d7a1e65d8237b86cb1fef35400d4de88c1631d7f1e7b72d9da5614a5567c81f4852b350b2cf8fc456978b4b0c0ba53494211a8bf2115201b48c57677a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
19087b5eb4f5490bed7b2ff20f9b265a

SHA1
2ff0176a82b975c6202eb0924eb1b0c6cb9b1cc3

SHA256
1dd3e0310b907464ad1d0da793c272781a93435e7688331473f32655faef94c0

SHA512
a4f7bb374a937cb58fb7377e5225fbc2a5e47c30113e15fd9c6718d39025cb014201ef72d007f7ebf21b6412cea23a331a655770896469b2c47f02b494436090

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
57b6cea04be9d819100f9890fc6d3297

SHA1
59ef17d2ce629c522bdf5726261ea9a33ce8e697

SHA256
6283292ad94b9d248536411267b59e71d5a2e8b7e2a3187d93dbcecb3742c596

SHA512
b979299ada79ffa60b632f391bf75c9bbe2d5e048a0a1c42dd5d96e47a229d8dc8fba24d7b59f0a749a0aa93d3f9b2853ec089151f7a57fd2d22456a73e56f7c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
fb025307dd1ebc8bd5ecc12d90c1fe6b

SHA1
5cf419729db0c3a1041f1db3d4e83db1ada37318

SHA256
759b09c12b9f8edcf3bed1fbfceaadb02c7bb338b355b06b34eb77bff80cc576

SHA512
98d07d3a055df901ecfd8b59fb77f9cb0bb97e91a02c840e44f11a4a63503dcf917468b86505ef99d3a52450ee1903ce24098d83eebb5497f1254f4eb69a6dfa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
91fbb59546fb370ddfcd44591c1e0441

SHA1
d9893a782d77ccc97e9a92212284e6cde909b0b3

SHA256
bad514abcb5e8d1325f1c0c231f22ff4c54b9cd860a7fbd9bf5a621621347dd6

SHA512
cb2faf3bc98d2401660cf861f38efaad658947d5e02774eeba299edc9fa43eb9d9ac0bbc4b9b6c7fea5e32e718a1ad32bd1c33eed6d734cad3caeb66e1c61396

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
57090f39cdb4155fe4b17315657db88e

SHA1
ed2e2f7284de3c502371d2836140fcd06f7f7c94

SHA256
5e2dc6ea7d00f024e49c68268b68e1687bba065fafc7654edcc54b647c01a244

SHA512
fff03370cf8077c19def706b6fb33ca527769c80e9168def50b808dc2a54d7e805bd089ffa4c1db6c1a698df50ad2662f03a8dbeea46eae6ce9b3ffdc8ce78f8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
2f990ca2658d54438e56cd5cde69025a

SHA1
817fe71fd9ce384459da287785b22a26e322f7d4

SHA256
50f4ac7bee593434ef5a40bc4748f24847af698a680c2bae69f54cf63266e8bc

SHA512
737a94db3ab2f67fb4f0e2ddcc8df3ce068d0658545b0011605eaa85b0717dfcf11b7453ffaf84254f467372b0756aa55351c55779c748e4978699c9ae050526

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
dac708443fe6720d5a2c6ae912907f08

SHA1
8bc8b94fc8410665a73bb01d49358cc9bf8a7462

SHA256
c31a360734a2c4aeaea06ef3e1fa59938b4256938c9636c5812a3fe05266cda2

SHA512
88523ba321b9844c58a05b4210b77f34102a6fb7dc0423fa9c3dac92bbe21a08ec76228a96d67c9701e77177c129bfa1d4439044240e6ba3a1eceed9e9a50e3c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
70b91474d9d354e67f147e8b7322cb59

SHA1
53539b92d7957ed22f336561565bcf756e246dac

SHA256
7b5cb16479df17adf6c534a750e4b69695d86acfeb22c2c98a02b2bc3ec41f5e

SHA512
e875be856be5c8d0ab6c0929b1d78ed58b0eda20f11a9b147d46921673e108624228325f27bf2db0c9229d40540d15588f28e3911dcc66b3c66a3c16396f59c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
a63443aa2200448197f00bb2ba576043

SHA1
650313f726f598e5326fe21ae57ba9622aab3d6a

SHA256
3683b433440cb02f07a712ddc53879fc846f7b87a9dbe08b93fe7b627df0561f

SHA512
fb8655e31f36c5028ae2044ebe9d55ff448c8afe4cd87acc7f0dce7e276167fbadd8fbefac1c3a95f75d0c46bcbf4ebdc25a183a6f07ab0b79b5dde8c57ec787

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
29d8a8d9c16c390ceee01e91e4ab6e4e

SHA1
1fd7fdfa5a21a04b0943c0693d79917381856f16

SHA256
cca063fa18a14212434a62f1a4544e8a1dc21a44af90930ca155ac70227613b0

SHA512
31612ac032d3cd88ce21ef3ca6060d0f61a073b6f68f03ad3c0a0ee040014ce9a312875daedab5c6fb99117ede6e35966665c879e6d843769c63023b0668906e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
01a96ba2e13c0513bf6724bdc3c55c11

SHA1
2ecc65a1d9c002d3b0d1c29b466666cfd2633052

SHA256
9aaf98b3322a0c2765f548d4135931c36cf416ee54d5ae54629895edf9fddfa1

SHA512
2c667ca0886bc63ed2199864e80cc115ba8d1350b1cd300442dcea0d829d709bce4f739150eb0707c02f10f6598835be86e14abaac39c03e2ec6cb7f5e9a893d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
c853258dc6e69f8b88ca0ae5bef7a5c6

SHA1
f9aed08328911c6807947f596601ab85c951e2d5

SHA256
63c54e4fe2172b1f6b505078dd282bbb58e25f46ad5bd82e2fd1246703572c77

SHA512
1b4aceef843ea4defa70821bfee3357c11dd52d5bedea64e060d7945559a2576c6a5addd196ac4a4e8eed01323c7542a16fc7b574c2bce38be751d6648ca07f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
b0321dddcf7fb91ee5d111cbae27690d

SHA1
10d9b7ef08ef43dae0f0162869c32abc44e08e49

SHA256
c27d493bda8c99b00233b7641440e2cf15499de8b5377ee501287699db5eb114

SHA512
b994fc9d81ac90645662f94006f069225db3fa7d1dc65719457b7d38419200503af0ad6aee0ac53a709e55642bac1f2ad63af3283b5d17bfe42672cc086433b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
4e8904e4c4a6e6afa20de7629870cbe2

SHA1
faa7aa71efd11d83ce23d426c3efcdb7392ff579

SHA256
7d616082deb5d5d58edcf8a1f0d158350fa9221f3f066d7c85159754a8b23d67

SHA512
63e15b3dd0d099d254d851aa53b2e7088f2e3e1ffcd9b5ed8e2622d4149a0f67a624aaa98e0c87ccc80a3051e4091e5792075d04425b2a3d9023ef2adb440faf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
52396113793126c70ef46acb9c9a3339

SHA1
300dcb2244f47bacbd963f10582f04c25c1ab117

SHA256
42680d89a355f5ad65614757c60c73b374c4ec61d1bae74574f2c9b13a05291b

SHA512
7736fdf1f7855c9ac0f73385da31a21a0dbb19d78356b2ccbe0a1669a3156f515932421825d802ca96983324afb534f87d876feb194c5f9c9a5cb2c76e4338fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
9f484a83cb714ecb6ab5ce296f34cf71

SHA1
e6d022fa1a5a16f848175c30b0bcab8809875b0a

SHA256
721b0dac6bbdbcf76956e18cc0dd170dc31228ce7bbbe4a0fef42cc51db561f5

SHA512
a86aa41fba718529362d57ef72ce03b588665d3331dcc76627d586250256d809b227ee52ae6ebad8ca84472eb2a3fdfe7feb42cde9fd6fe9b1d81f68d9735bb2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
f4edf71b84fa2c28c6c6234465278e96

SHA1
85821dfdab35ba3d2a5cdadb92c0cba5f743de0e

SHA256
150d1b5b2bbaef71ba3634833ab86270adbbed5a4f3658312d90f13789055bd1

SHA512
dbc9999a6e03739f133651e88fcb490747541bb4a76ca9436570bf0ab849559dc10d88d8b0a7af2c4869ff3f3ebc0fee4dbaad956b2d0f220777e177a532b0e7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
c251e270b56f3be6667e97ca9a2fea5f

SHA1
18c9974a5730818dbee24e3383a29315658c1ca5

SHA256
d8627c9b3655078dcb29129fafb1372e16124c3c511c1c36d53a7b6b96f9ea23

SHA512
51ed99d59e5ebc0e8c29279fda51ab4063851f5424d9369f6067c0fdedf7fa787e3fe9a121b751bb762b8e09bdf1890b6db6085f9a3d980e0603e252ccded67f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
d8c8156fd321823fe4d86eabfcae926f

SHA1
00a3accdc7724f4409dbbabe811be7b7a3e12944

SHA256
695ba1dead1d102b086350d907e0c6b405b49b4af2093a575b002d819ffc8b8f

SHA512
5bf7544fc78e8f401b221b66a1cc2c1f2f58f909b358ab768331d23bde47dd56f68c14fddff0e5debd3b16a295d4bd4dd1642f36900da17f4d2e6496daf91891

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
775ad1f3706f1f7d7268b59d73c4478c

SHA1
deb37f32f253aec31698cc4b53b459f874e3cd16

SHA256
8a26a166a6b42b0ed1b30f03682f5b735ce76a3fedfdf5987ab06eb576830045

SHA512
9128fe66e900a35627f60a90f41de202632ed38b88370a6ab4aeb9a6f4e68b9f808e740961abd27d43ce2fccf463ef506fa63c5ad0a4de07203f185f7e589c59

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
0fed02ad2ddabe5da59ad3e477571dcc

SHA1
6667f9dca04728c2c96b1dfa6b2fb6f0b51dba1e

SHA256
e7b57c7b98de5c8d7d767e881b75ce89eeea8f09cb08eeaae1162507572f9a8c

SHA512
6130806a61021edb9a70a5af7cd050161823fcdb347055e6c54e232a0f5207bee670370b3bee894d43be20b0fa8c056e03e78c54853d00c9a3863c8cfa45afe0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
e33061f72d6f4720dd42b38e8e88725f

SHA1
19a657c60c448ade4a9d070fc341cc5af77ce804

SHA256
a2b91851e9979936e4c3d13464f81f5b655f3cf2b30e0e99b19389401e526649

SHA512
97b180c45982d7417a2387f1d2cc1d5be086608e893c7754cc3b5e5d16b88c488783393d4ea3d2268e51778593394e32c0a2eca7d11bf67c5a2eed3b67211c0a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
f7f085700b968a2cc9a5ddcf5ffa1d74

SHA1
b5a1372e2a326b74a6fafdd01155dc36e8ed100c

SHA256
7cd41ecd9ddefec86dcd2448884baca07aaf14f6fe415db92c56938525a14f52

SHA512
7c042a27b31be46bb241741e74c10650fd85733b10f8fd4e0928d28560bd3661db0f1ed82a62cc7b0bc80d1ee99a44278903bc0277d319d91bb42eee378b67cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
65c220f8c9edaf35c5745746bca7f80b

SHA1
e1a6ba1f6a480e07cdda415f3aab5937aa841616

SHA256
73254a5cb44d546e6b1a00d9b17edf4d6b212eb7f69114be540472c790e5afaa

SHA512
5bac826f9776f214d2142bee95f03e36c55456c3dd0fa5eaf45b301b39393163b0751f008a077f424759c2acdb98a000b8e462b041be2dbb5773bd0ce4c78139

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
d70ee90e671c5b5fccba7ddbb9a228ee

SHA1
966eb80d91c80caea22bf646284a466fe7ebb9d5

SHA256
3dbb67488a3d58a5d908ad6652047e900ccae007e39854f4adb83c9f1ec0f2ae

SHA512
140831e659c21a78a996e68779dee217b9e9adb569879f8468658b7e9c53daa4e2eba1b7c7d4227e574c98a999c02ef772bd6980aa7472a502558aa7f89cf8d4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
c645c047ba3ca2bf304e0dce4ee25bea

SHA1
88137ee1d361e31b46d20f829702ef4920798335

SHA256
40f2be6a3c9a21baf5ef7d6cd606ff0b578436a9bd5dcabe3b694302b4b4c4ca

SHA512
17dd805fca5276ee941357e29b8d5e469b546b360c772b3f4f953948dc0c3647786f524e9b5b91e9854b9434ecf29a6a3658734b89b8cc12086635d6c14137d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
1db99758ac79bb2345c31a05e9058cfb

SHA1
355c0fd64fe8475f0bebabbde5760777d1c212a1

SHA256
7970672add7d35dd9d01439d0646ab60067a27acc83fe9280af3f4cf1d05c652

SHA512
e98ab2290f2ce7009c79be321d4fcabbee775277611d5d9a58fb81c140575ce6c6a87090a179a75e610dd632483ce60daca4fb3c0221238db94818dff5b85a80

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
14f298cc449a5735c004be152045c7b1

SHA1
fd9df60a3c84a84fcea05e45e3b4b0e6b89e222f

SHA256
8c4d84b31a1210710552b8ddf8c9fb99b9bfa0f4b2339afaf522f9f672cf22da

SHA512
78d116e848ddcd28e92c902735ebc25ddebd201c1794e02954b7aab27cac5d1b96d3efd88716339696d2401e1585d2bcecc726c435ebe9749bca61d870fdbbab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
689bad447e973a4fc87dc861993d3b33

SHA1
15e78374a3ecda36976b45ca55c5b0e84788ec67

SHA256
dc9bc76897cc02db2f248664e72931b3e01a9a33bfe724c2b4141d8899b6910e

SHA512
f2ca9aaf110de36ff1d31267f9ba1c8b048bea53c7779077074958085bb7820fa23ee7f144c62fa019c24728efadb5e13274fe891c599a94cdf447b5fd2a907c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif.keygroup

Filesize
19KB

MD5
e5cb7b5bcc2bda1c0887da7298c42645

SHA1
e463d61baf318e66124bc3a2bc7d490f67106215

SHA256
83c268ce2d0e029778f6f089f300cef2f48c10745b3d8d228adc5f9d5e8a3e10

SHA512
7cc4ca2a98cd800459c4bd9ccb9778cb45ef60eb8d5238390735d7d49b6c52f6462e7c191264457563aac6995022ffcc14a3b7988e695bdbdcffb80326163371

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
7732eded33f09b09c363fa4d1dbe46fa

SHA1
927de17d420fd9351a329bd2404069f2e1f52a1b

SHA256
cf809bb9164f40f7821443d661b843c5c95c2a1bebf22d16c834d63b51a047df

SHA512
570901ff6fcc8d311666436907116232e2e64b4a053d77d5eddee67ed7d186c80263f2afff340dfbd2d9fc70ad2a9f03d014f7f23e060190d128c7c81694f54e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
0053cf3166bb07e1910d98430cfca2f2

SHA1
4515f08bb32144208e3b9fcd525a15a9f48e0984

SHA256
6a2890fb7850198fcccaa2d8b83b7f948dee25d43361d79cd37a280f7dbb7c9d

SHA512
5b5f6d912d271bb625f3e7108098c6869d23f25ba103a6eb9f64f748931b487ba5c151dfa6292b5671062f2db4bfa0459e57e3c35369e87a0c105cf75b6dd489

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
d6d1ebedba8d7be7a1bd9d8149ac2147

SHA1
8df84069d4eee888fac22dd25c44bc5be9055924

SHA256
6a4fe46729385aca7047fd5b69d0fda088a32540531b79adcf448c496ef12cea

SHA512
de37a223b49e31879b65e6ba38b14e4cafc86dd3a5e21c538e162c8cd98707716bffc507fa8096279f6ba3836bd246b3a2e848e667a5e1ad8217157e62d827d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
c1538aa3114eae956569c998ae57233a

SHA1
f58e43f5fc3ddec40bce16a97c824448e76aee19

SHA256
2624c7ad98dcd30bb5299abe3018df0358c9e8dd0315de723a6fcae708a7fc06

SHA512
4bad57b07eef85a711eb77b0f9ce779c2bb55ef9435db670be65b697199a92008fc3f2683f1bf444b774d1454b6eaa3b2fbf5a9a34d599f5489677fb17446bf4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
e69ebd9c79627d1bdacda07be595f007

SHA1
3e2303dcfc38e77a30459b459314e5f5b9585725

SHA256
bbd68102454cfdbe61a07d913e25cd445582f5ae6bab064b3ae73144118ec06f

SHA512
5b2fb4a042a9afce1e52ae6a990e4d3b2b9ac8bb5165a45e6e55d88563c1521d0ec71e02bc3275b8c4fe38acaa50e8087884cba280c74531d2e682e9897cea7c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
6038b20c59f0f0c7765594aea970527f

SHA1
058b4ae3ef41fa4fccd57e3052da777c539cffd3

SHA256
2747b55bf8ccb218898eb1ec544f46f274bcc762ba0980ddec89f72e20b35cf0

SHA512
f15cd5c5b3f3d2cbef428f6e31b29d49a2c7883426ab60b87aad5197b383f9c7d1ca75c66a1c98668c8ed051267225685388f05c08179371521a9074a96a6857

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
e82d5da1cd1104780e4d6a016c8a3688

SHA1
21fe81ad6cf9a6c9bdf60545c005b809c49bb4a5

SHA256
a0a5beb7902d4e3a519edf8370603b9abdc70fe8b612f1a293c7a769be714071

SHA512
5af77c1c03cb737f465ec8829a3826a5281f0bd7cf56d832950940f01df47116298cfc415ff41838cbf6be81fb027828783c8adf88760d2867488b2c07191551

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
3448f00201eaa2578287e4938f3cef97

SHA1
1389aaa148dea62a0d3a5f4f264ef72d88ab452c

SHA256
5d8c1fee0e78c01d297edce264b9992239d4f86841c086172ce6649e26df512d

SHA512
4be50b82968351bb4f862ea7fe8621b7a3e485134d1c1ed388a12593b9fc37a42ce01fbec77261fa118cc3e8eed7058fa31855af3b14ed298d6dba0ce3ed2797

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
891af05e72ee72364ddb521053f61ec0

SHA1
8fc1dff0726d8d5edca97f39d3bcab96a70f84a9

SHA256
3317b9a8d9a836c9ee0e2feeb428bcdcce4de3b0c5e6e129910c132e106ef323

SHA512
eba50c183125d41d5fa2da4c9c4c5a79d9f7b95130879e6cb1d451a3528f8ec5a7e6208141b8779f1862d7e4933c2f713cc7e30de7d3f86977226366c47de790

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
5a5a92a411afb0183951dec6cd0f1c09

SHA1
d5a62f74eb01bf87c8e5a7bce680542e3247b122

SHA256
9240157736b2c672be58afd331de49d3e5dbf60ced99430877e84fd2bca45350

SHA512
e55406356f6e6865808acc1b75fffc28b02c5545b7b6eb47baf888020de5af54c150b8b514ec21d6bbb24fa5619aed7bc9c931a4672367f5d39d14da7a4c0090

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
53810bf312cb1a0fa80aade6755a7ccf

SHA1
7633528d6b6a97d698fb9724c39f52fe1c8e2451

SHA256
bc690381417583dc60a49c5c5104a4a00e102238a1674abedcf0c2e6574ccb91

SHA512
4d46868a11fca32c63970001a95bff8cc6720ea76368fdb6bf4b82cbedd0d91091fe9dc8e4c9e2bdbecb0c39fe8440106d517a704bcf1d0b15f9f34c78716dba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
be5fc0e05a051c6556ba3e7039695a8e

SHA1
afc64356a0e193883bbd4aefa6e28377dc199296

SHA256
46ca8cc998edd3ad043bc47301123ddedaffb5e9744709601566b0b276b025b7

SHA512
f055812d057ff64433d9bd1fcc5520fbae0ed2a0340f6dd4b56abe8b7f793e70a6f5da01b2d06ec0fbcf5cd8863c42c63af971438df30e6c5b2820169a78d499

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
eb4773877af9494fdea82e4172df97ed

SHA1
722e869095203e4622cf0924d64eec3ae70b20ad

SHA256
152a6ad20aa524179118e02773cefcac06f246f07034b8c3376a0b33f879906d

SHA512
cc75c264e9c2034fc546c53d1f55840c74923ebae5d2e40608963886d8dfba85a16612e88697250a1757512a7ac4ac134c1c251c2c23ccf9df173c23d9f12e1e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
1c0a8fb3544b0545e7920896283a454e

SHA1
7b94b01e2513ec3fc6178881f72729263585e155

SHA256
8cbb3b517edb1a9255234f286b10709f10764148ce975ec00d416b503d1bab64

SHA512
6538b898d73465ec8677ed330c4939e618f2630fc21bdf596626f3d4d630dfe91f4b06d6351971e768f136a7d01a4fa888da9c71193b20e68a3157e04fae45da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
9cdbc13ff761675f0e7117f97c9f5f59

SHA1
7b3d91da87b34b916c4a4aafb4d91313038fcfb0

SHA256
af34d0ed7687b4faa5d3ff8bb1fbd32da5f1aa812271e7c6f54c3d522d608335

SHA512
d8d56e15965983ab4798530356660e45f6ea05cd0e4743e4c43509eb4dc386d9e7fbcff49fabb0685cd4484e274c475804204f305b4f240217ad3a26ee61a2bb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
eed406db6d4cdb956a35dd411d0e9326

SHA1
ada813ee691d58d24eb54c43738fcdd83e2763d9

SHA256
791f6414338153f39ca8c794c7aa8e629dabe36aaef2a62b92b06e5d608777fe

SHA512
1b3e2b836e05b4f0f80d313faeb4fc9085fcff2a5b26a02c35de0da3eb11d573a6f26a853d20f2d632f3df9de76dd640e54b4a19a3ef1a4c8082720cc1a6dc33

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif.keygroup

Filesize
850B

MD5
9d3d66de8f30bed64f971aed0c0211c4

SHA1
2c00e18ae60a6e2e19b8107a7cb0ec76ad0f8c34

SHA256
af51f7f8ac54628f22433c5ff61ada5adacc5aa3628676e38bac5e8cd4eb7132

SHA512
1b87753590bde7183d3cbe22478735bf776e1d38ad048b523db3f353d87cfedec92436c6ed559595b6b6022329e8d554fe2a64d28cd2e24459a90dd93ebe40bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
a889229c708efb369527638e080d8103

SHA1
748e518a83c232cfe5cce42fbe19f3cb93be0ca9

SHA256
f49ed6622008b2d47f7bde221f5a4a5bb66f93748f51df2013d369a50e4c0a27

SHA512
f4f7fe596333b1bbfffb91d61e663f274ec5ce26679373cc9b7a35ab67a30e2703d64a2a26428df8044a79e3e8355e0280b04181951d6fa5bfcb5682d7216dbd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
6e0025e714d1b8000abac4a9f235aa3f

SHA1
2cce0c561bf6ca8e29323842223f8acf376142c3

SHA256
c4a24706e1082e6236286ac3617261ca0b02d9ed0756895c747e95e11346acf1

SHA512
33acbd38be0a5633d267f6fbcf76fd7956110ba87aa5ae32601d2c2ad57ec06f9767bea02860f9a839f4d6c70168e2b6fd0c2c70aa4893302fe6771dc197f1df

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
56efeb76b7087b401b4f235abd0bcd1a

SHA1
702a052725fd5bae6026931a09716cffbe0631f0

SHA256
5e3c2f81296a329d804ad01f80d4e69018214e5784874409d2abcd87229dfb68

SHA512
6a50b1e9e3958b8bb5dcd8648cb02d9716a98548b2db60e8c6286645f557facf73270dfc0086e4956f1ca6890b5c914770d398af1d12ed20ad89ff7ec1f14d7f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
a78eb05fc3de01a57aa49726aa7436a1

SHA1
efc0537f2671677151cd8f5bc37fd1058ae4675b

SHA256
8c26bc9591dcc34cc0b981e23c80317a25ca0bc74e69490bfd59be9f00062dea

SHA512
c86bfb9541606af1673a4e49c4829d1429755be37e7b0db8309198810a9e4304bd7f1f8c48e1701601d6d424e4c8cd0e6ed3453219894c52a3c3cfd4dcf30dde

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e65f064482b5a89a54e57280e9827de6

SHA1
dd7af4d30264141908c98bcab92fc67911421c4d

SHA256
66df4ffd1c2524bd94de38254e8c857a42808a6c57ab86eda86604e0179ef5bf

SHA512
e42c5039e7e727c4b8a017e76c92d0b1f85ed1d6a78c53a237d0955381705a5ed7e8de6487bf49c21d86de3b2648b7203c402c7a296571ab85db3f66b14edc77

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
38989dc1f7680d21b992013930ae3c62

SHA1
c9c8825f025eab989587e0665fd24a82093dd478

SHA256
930d8d8fc0e123e9f3cd68ad859162adb71db3e5a63a946de3d1c46d29ca2eaf

SHA512
a956e728211a346162fce6b0fa19d2298dedd0d060da3f42587b634b459906802b904777528ab09a2010573bdaa00aaf924c33e8e636a81f3cbc2239f883aabd

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
7d12e60ca5582e9fa11f17366d574e06

SHA1
ed1693c72720f73702bd9c05cd7fdde732e1e0b3

SHA256
50bfcd7da2536714bf11d6d85406d6ab7d539433091e4c8aafc4a5a46c216c9c

SHA512
1858216c63632f214b1c6be3ee7ce247dc7511257225caf7ab8761e91d3e19e21213d764ccc3e14dd934d25745f70edd0b8d0d24a85503df257b1b1d4994505e

Download Submit
C:\Users\Admin\Desktop\HOW TO DECRYPT FILES.txt

Filesize
319B

MD5
7de497d552d315fc22f53b31f54f0252

SHA1
ea6eb93c0d3098aea3246259644fdd7b05299c2d

SHA256
f2ef35bb0360cc11ba8e08665d1625a420fc425523fb82c69b0af21281cba894

SHA512
5f1fd33c5d2d554f0a1e0c8884545632340c691e3f7fc2448289aa7255e678819ea642f0d7fc0b3d2c1ce7420d1841f83ad7961d0653945c3acfe54be1f0c55c

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
388464cc490224e8d3479a342f4605a3

SHA1
2c68b2bfcd5acc9e46a4ae545f20a01ae7f57e43

SHA256
01b4f485cf128593ffd5e37374890697461bd2659b6b2c5188021d8520f1bbf3

SHA512
465e4df470a52c154de3d167dd27866dcb74de86295ce41947a89c7b975b14db934addd9b438dfd62d55de3acadcfb2c73826c0848fcc481fa8e7c4ac6cee6cf

Download Submit
memory/1280-4267-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-4259-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-2615-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-1999-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-650-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-5333-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-5582-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-6157-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-649-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-6661-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-6679-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-7563-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads