4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
Size

843KB
MD5

871564bb0c6973e4eb3f4aafa368fabd
SHA1

da616d5082f810c153ba2ae5cb75a1a44778c57c
SHA256

4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8
SHA512

af92e1306dd61ea7a075aa522cc50b73462f240c979091a33d15b069d6ab928af5edccb032ff650459c75bb617b3c75fee6deb361840d59c60f8c62f4eeb7c05
SSDEEP

192:H/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjvu2q9C/YpXnAITZfPtRMwu8V:HebFNw4Pk1itKkpAjjI2Ypdmw

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (2146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2GPT3rp9HC5quFQ.exe"	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\blbdrive.inf_amd64_neutral_1aa816fe7dc98c3f\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseE\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremiumE\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_neutral_ce7bc199c85ae0a0\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Automatic_Variables.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_preference_variables.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_script_blocks.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_transactions.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Signing.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc2.inf_amd64_neutral_7621f5d62d77f42e\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasic\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\LogFiles\AIT\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\image.inf_amd64_neutral_4a983035eaabe2f4\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\erofflps.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Break.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Parsing.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdsbs.inf_amd64_neutral_5cae6933bef20aa8\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-TerminalServices-LicenseServer\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Usb\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_properties.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0012\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmzyxel.inf_amd64_neutral_ed1f16b3d0cae908\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\EnterpriseE\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\megasas.inf_amd64_neutral_395276dd9b7a7448\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\en-US\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_jobs.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcomp.inf_amd64_neutral_e5ca2f01ca47bddb\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseN\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseN\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-WMI-Core\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Continue.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_parameters.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_transactions.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\Dism\it-IT\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\adpu320.inf_amd64_neutral_4ea3d42a9839982a\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msports.inf_amd64_neutral_fdcfb86ce78678d1\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_neutral_c81780c5dcabd0a0\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Enterprise\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpn1.inf_amd64_neutral_e44cc033b67e7d04\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wudfusbcciddriver.inf_amd64_neutral_adc3e4acb1046b4b\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_neutral_814744dd97ccf09f\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1kx64.inf_amd64_neutral_1f62482fbb9e52a5\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSnapins.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_scopes.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_script_blocks.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\ProfessionalE\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_preference_variables.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasic\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NDIS\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_History.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph6xib64c0.inf_amd64_neutral_a43df8f7441e1c61\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\SysWOW64\IME\shared\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hklnpbegilnpcefh.bmp"	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21535_.GIF	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Earthy.gif	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR31F.GIF	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_OFF.GIF	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01242_.GIF	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\ARROW.WAV	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\PREVIEW.GIF	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files\Microsoft Games\More Games\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_off.gif	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\Java\jre7\README.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01838_.GIF	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33B.GIF	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10267_.GIF	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosecolor.gif	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\LASER.WAV	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft-windows-t..almanager.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_26906a340e967570\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\6.1.0.0_it_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\assembly\GAC_MSIL\system.servicemodel.install.resources\3.0.0.0_de_b77a5c561934e089\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cttunesvr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1a9b8c79c6d662f1\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..-core-tsp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ca2031b623c48a1d\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..remote-provider-dll_31bf3856ad364e35_6.1.7601.17514_none_aa2b6fa4fdb6eabb\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-presset.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7e12673cc31495fc\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-resampledmo_31bf3856ad364e35_6.1.7600.16385_none_fb60e757f221f37e\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sonic-tables-absthr_2_31bf3856ad364e35_6.1.7600.16385_none_ebc58bd310d87143\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\assembly\GAC_MSIL\microsoft.transactions.bridge.resources\3.0.0.0_fr_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_bthprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c2b022117b96a11f\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_prnkm004.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0f4709cfc7e99c7c\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..rmanceperftrack-adm_31bf3856ad364e35_6.1.7600.16385_none_0e4964a578d4a5cc\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_04c24f3c67c50388\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\assembly\GAC_MSIL\microsoft.transactions.bridge.dtc.resources\3.0.0.0_fr_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-multboot.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e593ee7f79d69741\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-icsigd.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9f48f39bacf9cd33\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasrtutils_31bf3856ad364e35_6.1.7601.17514_none_0f1cfdfc48bca8a8\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_a3d5488f6ee5d330\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sud_31bf3856ad364e35_6.1.7601.17514_none_a9ad5eadba2c4379\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tvencdec.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_49a9fcc9b61648ff\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..questtool.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0fd466538c91324d\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.17514_none_c1518e03472df852\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-charmap.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e7154a8d5920f0de\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-eventviewer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2447be86cb43a34b\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..s-components-jetole_31bf3856ad364e35_6.1.7600.16385_none_7726de8ef25840f2\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..datalayer.resources_31bf3856ad364e35_6.1.7601.17514_it-it_e6a9b09156aa33dc\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..onmanager-uieffects_31bf3856ad364e35_6.1.7600.16385_none_535bb613109cd074\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_ntprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_63f8160e2b58338a\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-shell32_31bf3856ad364e35_6.1.7601.17514_none_d4a3da9f5cfc39fb\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\d5f4765d7a361b979d8998c5072ffa01\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6697f1a178be51c2\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehepgres_31bf3856ad364e35_6.1.7600.16385_none_2b88e25b231bddb9\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ar-sa_4d97f0fb677d2ca5\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft.mediacenter.playback_31bf3856ad364e35_6.1.7601.17514_none_ead17d7ddb78651c\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\msil_microsoft.web.management.ftp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c764949d9e0e1f81\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-optionaltsps.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4275b00ef0b79a90\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ostic-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a446cb055680e9ae\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e5649904d1cb822e\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..tx-xinput.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00c4f29e8a9efeed\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\wow64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4d93c44a1311324e\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..onhandler.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e1cd4f762107d5bd\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-parentalcontrols-adm_31bf3856ad364e35_6.1.7600.16385_none_e781f92c9603a93d\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..linetools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2093f5f4d1e0f348\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..e-ehrecvr.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a09dd6ebc4e4c5d5\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..ty-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_28f578f08c80b956\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mprapi_31bf3856ad364e35_6.1.7601.17514_none_1613eed7b146b444\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_prnlx00w.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f101f35fb838473e\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\msil_system.servicemodel.ref_b77a5c561934e089_6.1.7601.17514_none_40c22e0ecf5758c2\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_4b7bf556f6fe4db9\icon.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-irprops.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8f82c242c757672e\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-sniptoo.resources_31bf3856ad364e35_6.1.7600.16385_it-it_82dacdd59c68b3f1\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-vignette_31bf3856ad364e35_6.1.7600.16385_none_cc1304de922cc585\NavigationLeft_ButtonGraphic.png	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..erbox-isv.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a9995f0c7a0717d3\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9bb11a054c9491fa\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\Speech\Engines\Lexicon\ja-JP\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..otewriter.resources_31bf3856ad364e35_6.1.7600.16385_en-us_47091df38d055944\HOW TO DECRYPT FILES.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Parsing.help.txt	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.nigger\ = "THCOEVVQVLADXGU"	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\THCOEVVQVLADXGU\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2GPT3rp9HC5quFQ.exe,0"	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\THCOEVVQVLADXGU\shell	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\THCOEVVQVLADXGU\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2GPT3rp9HC5quFQ.exe"	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\THCOEVVQVLADXGU\shell\open\command	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\THCOEVVQVLADXGU\shell\open	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.nigger	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\THCOEVVQVLADXGU	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\THCOEVVQVLADXGU\ = "CRYPTED!"	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\THCOEVVQVLADXGU\DefaultIcon	4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe

C:\Users\Admin\AppData\Local\Temp\4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe
"C:\Users\Admin\AppData\Local\Temp\4509eb48fa6eb2117118bd33eaebfe190028e3d54976596878814031591dafe8.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
294B

MD5
727fc6170d1eb2d3b31483f668f6286f

SHA1
d5d51704cac493ed2dcbf899724b0c89482ec585

SHA256
58c4945f0e5ffd0e95f1c3ab6c60dd65af4ca65796d508543eb13b9d51cbd262

SHA512
61bd195ce084677ce931e703b156bf3b678b312fcbb6f764914bf79d041fdf832ad3634729686d75c18ecf12f06f5cdebd16273564620a1345da48614a007f96

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
e968c89f81b1c4ef8ec2dca67b8ad803

SHA1
ff4dd8b394fe6d9645f6fd23f299492d3ca95301

SHA256
cbabe994bc29c6771d8d86e4a5ef3517ea3be79e0fa182c74ff5dbe50acf1ea3

SHA512
0d673a6d05cddb54f4d7a01261d5ecce1f27ce965f423af3985720ebebc8b980cb9fde8d198a2e1d6b2f2e826c7682fa668d5355f22736e764cf66c4472483a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
f3f2aa3ab5d41704e51ca8d2c3709045

SHA1
d84b832e08562a4e6897941a8a7bad72a6ff61b5

SHA256
f8ee36d1c5ecbd6d66eef015126042b8aeee6b4ea501579ef7c5736d674827be

SHA512
6477f830fed35dcf9c3e94a3f9dabf7ce9026acc5b5c7507958f6484b413f181643b7b8b85adf63658fe41b1327938ce8ba615e1fe593c664169370cff7f8640

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
52e9e541b8f16a4ee44e012cbc5b622f

SHA1
53aa4d8effa9eeee46ba70f2a248074751d6e1e5

SHA256
cb891b685b781427ce2c00beb202945c937f64ea2b4f7d43873ecaf745a579c4

SHA512
53a8e66184399935cc9b42a60f66361751fd88b82838f6346401d689de887659237314762f226d9689e2e6af074ec3d7e7013d877bf1b9d1f1d3cd6418fa7a72

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
56bbcce811fbbea368b37d37b4d624e2

SHA1
d548d7b02470d2e205b35526afda399240ec8643

SHA256
11eeefb7f5e0d88fce2b6dfbe3f4281e87defba1df0ae19bb53011c2ebc22207

SHA512
0bad9c3abc0439eda16d9a28beb06ab8b95434b68968829ad70fabc4cb328b55cd8ee7d0a0ebc8696c96ab0cf0d385a2a5f151f2f0c2651a9f623f124b760373

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
0090dc6faa389385c3024aadd8416df3

SHA1
ccf217c49d758e0c5eb6a5fe2cf3789096d4b7d9

SHA256
61e7d5e0236fa6f129bd8d3c9187ae9bb50ff0b58d6c6d98a2813bf5d734e370

SHA512
25e8f09f2a7835f94c6959786021d62810b90cbbe0e3ae8e8125eb734297e73ad3a147807f168e0ff5fec82c73e4688d0aae506e0356f2deed3cae244435cbb0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
3d71125a6f5664e3dd4c7ea5c1350d14

SHA1
653e4cf4bee6dcd3505c6255a77119675f3982dc

SHA256
c36508c7852578fcd94c3b30634b820af879f179d28fb913a5197b3aeff15018

SHA512
659c1c78b94773116a8ca006302d602ea9a969cd8fef16c8b64d7c9071e45052e9e7d34031e23d79d98555a130d7824bc8df1014f8cea78712b359f4a9c406f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
c4b5ee6179bba0d859c0080c0b789a50

SHA1
ba90ef6677e5925d27934a3725f622c66e319a37

SHA256
01dd97c0ddb04cfd4d53f168289a3960e33809b4bbeef22627ab6e34c7cdd831

SHA512
05208c04389fbe4ab418b8c371615a3171716a00655466cb215e42d88faaa85a35e852e6e0be4c6fa3555d95dabb61e87010b77a47df881ebba18942d38d9947

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
a867efb0053691b74fc299eff2715aae

SHA1
f318d623ec94e0385b65bbef64bebcdd8c3fccd0

SHA256
a176bb5a38f812a04f2940a3707f7bbd158a7ee6240896d9e5336a44292e7eca

SHA512
d8e94d840eec72d666bff7e180bce5da34dd87846e1219544b66b0887fdc5b72cdc7c96400e350751cbad3ebbe6b7cbc9717b4cf8e0bf4f209360993f8140208

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
18cb8ed967374085461d823f2d3f7f3c

SHA1
f0b00bc4c846dff78dda37686f7c4a2abb39752e

SHA256
a8b4964977f7987ff7c89ca9ceb837020ca63fbf60b1ac84b93b2238d70e8b59

SHA512
eb61e53b82917743ed176410018fb0e4481f832060b29b55e4e3d8903bd3d4ae6be1e1c88f2bfdcdf8093ba32f4ccfb94606b5e091d44b03b260521c8a407734

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
6b9b98c624dac6a69b34edb1ff3ed19c

SHA1
718970267da07dd748a42984dfb9c8ca7a4d8a82

SHA256
1f9195c85ef1515f0c337cd7075f4d2608b7edeb23220fe0e122d0881f66c210

SHA512
11a069ff7d48fb0d9f1e5a7258baa9ebd09ba8f82ad714a090cb9a767585509a1a46bbbe5bd21e3f6e27f872f75018c6a5334dc73ca779082882c395c992f217

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
2be410aa41505b64114210d9ca53b780

SHA1
5a8bdbcdaeb71f98ed55bc0396755ca96ada0cf1

SHA256
74e0e39e85001986d65cf226a8feb214083dac8f807e76dbd7d9435bfce00d87

SHA512
ef5e91f9fc499b6e59503c580e103dc88e60d487a0146ad1b70c957f1ebee6af5f7bd3b29b65e1c8182851b0781662aa42f7873d6b675cf008c1b2b161aa530f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
e355c26ae5c6dd7f5577d189653229bd

SHA1
2beef27daad854de94dd97194cee0ff0155fb913

SHA256
c6f5fef9691256e7e47e0b72637a1c0367143bd056d6154eb7a68814aa86dee0

SHA512
45c1a70e1b6ebfadbaac90bd28b76f9eaff2769d133a147de5e4f110e9e6402ba71ebdaa88871925b00e1da2996545125f0808386b7bbee81ee78c3c5e7a62a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
3e08b308df80a14fd79154ab0e7584a4

SHA1
5e8a9a9892d144e918d073dd9dc7f6f22910896e

SHA256
d15151aa0095a1e8d815caeb7f0c39d31ff35066a78142f15fd61f56f3ddfba5

SHA512
6ca81bbdce008065c308883589266882328ed20172aa46f488a59b5692c34bfb660e21884b4e46d566be3bacb003a55a7973c38eb7875fa2c8a3957c3de07ef3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
41aeef9e0046e8c06b67004d981324ec

SHA1
2ad6c3113bef6618008b55c2a4955b137107ba40

SHA256
371e7444c3a0a3b1f7632c9edd3802db17aa0e8e0ca97a7a7f60103891b3ccc5

SHA512
79740fe40207d78d22cb438d2d5f6e7f760c5f2fbcbb310dc748612902989d79aeca14a2074738608c038129c8fe07d40978ae97bc6596f496725cdaa708c118

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
857949dcdc28ca7b5494e527decc2257

SHA1
d37aab6d9a076a4c8a3346554b00fc54149a37d7

SHA256
1028edabe16ab11df87160df6c6278e1c66359daf00d1af4545e2d628bf169c1

SHA512
17960bd0ce352dbb292277d9d25bb2e1ad6515af334d8b68908cf0dfaf580a59895df6917ac37d25c1b438614dcf73c65d6df6752deb4960429578356ea89be3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
1098e0335d5b152b267e5a54eb91cd73

SHA1
fbf7603a7eb13fa4b8dc48cf9fd321ee8b8185bb

SHA256
a51364517c473df935c10946038f1dfa07a4a9e4b07ffb2b79d27e153bdb450e

SHA512
f18b88c8fafc9743a900b94aedc020f5149891a5aa9719754835b24bbe36388cc62b32ce75352f344895c55df8badfd701cbe043aaf83e39b864deb4a3b635fc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
eccc6e8a370e947831c44c402d7f726e

SHA1
78570d8c5dd9cad36c428bd1c012aabbe4a4b542

SHA256
7e71d98f23d0be09b2712845723e445156981daf22dc532bee7af00b3cf0d65a

SHA512
7559c3344a1979f6406d20eb7f98d84312ce87d0680c6196341f93bba9b2ddf222881ca339186b53fe9359c4c4e092e46d07f27b9810c66c1296c1d19a4fd504

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
e85c63897db10d8608bc2403470c19b8

SHA1
c4301fe28da42f16b8e60b71b36ca45522db4105

SHA256
dd94c0df00055ac7f7b38a347c50b4fec0be138448f17572efe5242123efba12

SHA512
51c69c1dfada3501bc7512797bd13c8db67bbf0ed093199fc21768df7656536de8454da65a7abb6ce03efd71a4c0766c3905db206fe9c591d7b3c91288ceb214

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
1df6a1a1a1008e5f99a5fa9533305e70

SHA1
24da8692963ad3e14feb90d88c699e13f55d3bd3

SHA256
b8a19d921a705411bac429e682d7c5829c510226430921ce9154ab8d969ee045

SHA512
500c249949cb7f9f50df4a09f46d8d3b8088800ea133383f4d845c75dc653031fcb5b26d6969ee3f52e1d316f168aaa3b988a9fc018c3e72f482c6f51c0984d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
893ea5761174d68f40f739a0ab9dc0eb

SHA1
e966dc4871f089220221526ddf025c9d88bc87e8

SHA256
f98db9e2364b5931539e749b73c9d441519321295170a6c2d04bbf1e61a63c14

SHA512
cacaeb7dc604ffeff5e50d3288021e40555d575a2a508fce233a2f28960cd1ba603436a400ed4e2db0f1e2dabe738125f55d6638694e7d23ac023e6675372f7e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
fc1fc894fa4e6baedebda9a02b0eac75

SHA1
d80743fb220b7d4a2f20e0e9ad8a551a0887f727

SHA256
0ee5bf0cf7912af40994ee30ba8b02cf13b20ee6c7bb5ad400bb6d1bef8b4c54

SHA512
a4847415eb58edfbb410c5a782ddc8b8aacdfc0fb4194a80852ef1e295fb98c266d3be5beb63a70a40668753743f134ad084638d579c807cd4f4d75e597d4239

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
2b94bc87020542ada3c3fc3b29453e1a

SHA1
d159c668ca5a5a2dca6addc49313057401768702

SHA256
9d728575ac63db64e1d7c9bb8f8b3fe5960d6af003d0a23c587860e00abe0424

SHA512
658527e1e54f569fb2a9e79977ead94339e3d7ebaef4dd38ffb6135877bff9549476540efa2b4da6cd2cdab7803d24be0713e0f634d17997e69363effc953129

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
b63656d6c2cbc13ebfd4d533e28b804f

SHA1
b37071d237660e8dca1c3daee36a3f9414516496

SHA256
67dffa06b8be276f3d34af48952d030f170a60320eb10fd63918337c788a13a3

SHA512
0a2850247da841d1f77b7cbabe51dfc472a7ea49376e2c3695f673c2ad9db65e503bf381f27e93c5cf754e0ea6aceec0e6c50c8b209471d32f9ea7b85548e404

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
86c82aca4cf0a0a16dc086fa9b3d0be2

SHA1
515c8b8219e84cafc873fa0179b6d0519ee8698c

SHA256
4f9ca91440043fddb2f90a9a69188c9e8251555cd026eda6456e42a6575b93ee

SHA512
1d6c89d71bdd0b9ac6d07b58a728d023ba5beb5fc69ece01a8202064d2da415d8ab20d947896803a87bcaf8d14a874266763705377464d9a6adf88301a204236

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
8eede5f742e890dfefdb97801c557ac7

SHA1
4498f4e73faa8ffef6af781b8b1bdb5826ed539c

SHA256
eb5ec513a897ce046022d35b34ce6a1aa70002b3a6bd48eaf4b6019be3fd3091

SHA512
d9b50da4866e05b19821056f27e1e3bf906c8f502b2c4038985727ae11ec1f57ad2f3c44c0120483f8db1d8a6ac4934e0a33a5d9443cf81ab11682095db01705

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
3989f1777c30c2ccbeb4d6c0f9f217a5

SHA1
35833f933b8fa2a1cefccbf8248a0230df68bf3f

SHA256
24a95b034b7d88aa62553991feea34a7953a757548d2900b8315df4c522f0efa

SHA512
7824431b6e240f1f6b6efabac790bad04d6dbf2737de8d79644a8b395c9785f4f797e2e9b737926686fb9414b919318e07370b2fec2b18c8ce84d05136aa5ffe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
d07df957868ac5cf17619507c123fc7d

SHA1
d1be600a24421e7631f61f68e837260e52e12f8f

SHA256
4f148c8c0a86c922f52db37396cda067ac860b41b760101ae5e5ace426debfcf

SHA512
e43cdf31047e94e1ed4a96855f70a25dfbe984729cda0cefc2928d98d883b5d32524da6c57bbdde05cf29062b22563fa62d8e4b09a1779faa2f50d434c4ab215

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
ae9d7ae6394fde2ec2cc0e5ddbefd266

SHA1
46d4d64bad940376d90d0d698fa7f6a32fef7c6d

SHA256
8efd5cfeb23bb3054761749720876a209aa9fa2037af269f415e579fc8744713

SHA512
3a3568845b7f446c9540aeab5a2c49142ab876250faffae13bb6e08cf9146d6383904385c67353360425b12fb5a119dcb618dc702c1c410ea121fa820f1ff8e9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
253159c5248fd6a6174b900411645fb1

SHA1
8d1f0f6cf982dca1c7286fea27cfdccebb5d1194

SHA256
9c8f3d7223f2bb996c0e8d902a0bf117d781d37416ab29d41d892b752ffaca87

SHA512
ad7cbdef62348452bdb10031ab484245473c6b84215d0a8531a7a8bb242c817c20c0eb649bd599943b1a8ee8859b6cc8e66bf96fa88f5016d295dbc829608928

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
36a1f7c5ba329420e66cd4802d6b90ae

SHA1
b7d63e5f42b9e73286e613705d182b3b682375de

SHA256
48b5326986ec286386ad81f146c0e1a8060a55c0c5e14c43f0f04b3a9a4b8df9

SHA512
2ec1c5ad5f66b1551ab506a661b9cb2dee19224a1ebeab595eba5bcf4616dd705341b64dcd2efc929191fae676e9cac83119f8a5d97d577178d8640990f64741

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
29929b48809f16d717ff17290ed850be

SHA1
40df56e11e86b9589da129a3d2a0bce00119077d

SHA256
9ac62dacaea2b90984ec3eb9327fcc66fe61c8c13237aeba05134e56acbae207

SHA512
65ae26897a6eac353600d998bf885cd1cb27a837f10c95d8604cfdf7e6ca0279ef511c0abb433c2028a5fab4402741e9790a355845c49aa71980ee61a162f29f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
f2d7611fd7a98e403d1997139cb0917c

SHA1
d4941835c91bc3752bd92c25f9f658bba387f448

SHA256
642a88db6cac7bcead24d37777d524c01136ed7dd427e34013cb910358dfdf24

SHA512
3a8619d90732b66d08e7274d7c0a09899a7d47ec01dd9b92876a4b589e847e3181363709399f9f7c39090cedfdf633b7dd6dd5fd10d77d719c3d590191bac699

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
bcd429cf68e6abdf8557aec33c6353cb

SHA1
173746cd17dfc6fa9cdb248387d8382882048729

SHA256
13c7312880f73ffae7dc83a0b8d031b55a7ff33027be83c8eeffdc0cc623d1cd

SHA512
a062ccc0b3ea531646e1982e4de7b3f21dc75fa04ca4401961630ac2bfd4ff6347e4d92330e2265ffae46cad693392862b61755eb82a4bb35cca1a5a8a742b0d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
741cc049df50435c07140643b48007cd

SHA1
6d08db67360adee0288c919bbb01bcb6cef20dfd

SHA256
4c57396ea660d0538d62cef2986b92376a89953dff6c6239c04a664359c9535c

SHA512
535ce24a1f28a4f5517651909d920094f067e00eeee8169f55bc5cc7ef5fee6c90efffdd3a6982de12a53639ff8d18ae56a020e6846a2462d2d66c47fda13277

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
610fa98745c160a7c1546f22c04f6fa2

SHA1
9dbfb8c49d4a933e133f04c275402f41faae2853

SHA256
57e9708956851381f418839b501778b126b87bd83320a988e0a211f708226cbf

SHA512
695b08fc303a1239973936168d20dca930cf1db6b815af50ed8dc784abb7f861bccb747503758d9b6fd275a310d7fa57aac9b2b06635fdde6a7e15d33a49cdd7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
2da45cf2e6caebebf091071b720ab6a3

SHA1
606932cad8ea3719e2d56229118160130860c34c

SHA256
a3fee3ebed9d5e28a35b418516f7fb6fd0bbd9b8a584fadf20ea31146ec2646f

SHA512
3435d650ef5fed8211dec75fc93eb1766ca4e01ce4e076545c06adf510d8622f0fbddb7545625a67ce56cc82689c6be59473768626c299d2d9c45a0ee3c5fa2a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
dc0d5329e9aada42d84973c279ac2975

SHA1
b5b97eeab6044459c8be29ab092192906292daba

SHA256
d50ac2733bdad80f9fc7271cb4556425ca8dc610191e9fcb33fd39c7937978d5

SHA512
52d209d37973bf2eab37d9344116a7e458e038011550b9909521aac1879bfd6129ade7f465fff71c67bf982b8a8364c54309504b3ae8ab201dab986a393157ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
b8311d259af238a4fb324233d79a5656

SHA1
8ed7c48d574a1e48998caeffa61b37574edfef1d

SHA256
3b89af5e773574d9eb2512207955c2bfc2906da1b5d71ae33a8dc2052e9d8bd9

SHA512
e0a0f84695c279e3d707078cb29e1bf36c163d6feb48910d35abf6f044b534dcd0676e07f10bfa932476c06231eb47d3eb5f7bb576dda41006ba6bc0430482cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
b6114d37bda2a79d2a8187bfc0cc5ef4

SHA1
d0f52010e66088aceedb8dcaeea6b51de6b91e9b

SHA256
001c98d18065abbb9e89faf9a5b87e613ba4a55eb6b27a65b0bde1d29aeb3945

SHA512
98f0404e5948c4d0fa9484010f0676ab3838c15b3c969749614644e5c5f0e5ab0d204f3c0008ccf069811d953f9b00d1045b7cb1593f0458f70b8074eda36893

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
5ac27dddd203466b0a606467fd289980

SHA1
e2f64580fde96f068efc263dea54dc4978e96bec

SHA256
3577664b438a78896ec34e0d4abdcbbf6b23094ba5f3400aff3dec8196aa43a2

SHA512
73a08eec48f58e425534ff2893980616a285f291a03e0c90d0665feae32520df2eb6908811c19412c8b6a362162d856b1750b99c68d2a3c67eb4a5993ec6623a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
d64bb53420acf0b4183a235f1144c3d8

SHA1
8fd2a21d370edf0da193cf0b244d56d5a398249c

SHA256
7d257f200fe2f2269fb4b76b4aa61da5e37dff5499e7ab80423d8476f87f96e6

SHA512
2937aebf4b1226a6f2054f7c6eeab3bc7472a8658c45bb427863e8ffa6c5cf881678376f07ac6fe2c60449a5c73796c82fdddc0894830b5ffca7f4c9734ae581

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
e639fce6074528d55e42db96d398978f

SHA1
b6395891fb873d83ef170f6daef9d296afb55dee

SHA256
422d5b92c6a834c01a03211a1140642d2f51ab587bde9c2afe7e6b001ab23524

SHA512
ee35b40ece1faa37f44f7a2957a2d6f73fd675d759fcd29b28ecb0cdfeec77ec6b927bcc78f5e23b6cbfd5867975683287f5e48abb6157ca10a39682766993e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
6bf7d743335df211b955f65f2d1527db

SHA1
4102238ec854c977fb54efdac02443b27100d3a0

SHA256
27a1f3a3356f388d29e81be6102e0276db0fa7176aa1620e99319db135e52727

SHA512
090a4fae724d93c0ae2a6100a6b441d69f39a2bde4eb867a9b2dcf7130c8204c27a02db65ebf6a71997d25058c26e3b2c473433a4b178efabf9e79982ecf350a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
bdebcf96db5f4b1896a0d70b562a4955

SHA1
59733a8fc0ef0e61b0501092648094bbe96072e6

SHA256
b55e6dcfba569c0feaddf66c3bcdfa9dd8159bed2635686d38830c5674779641

SHA512
4ab99f28c95e27e0e71fdec626e1ee4f2689782e9783b00d30ed41c7631a022652e16d287ff938c8a32ab93e5c99a769701b68a58f7a0bc0cf2ba8190604aca8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
22cc9cf1a04e0406502b407751a89f54

SHA1
7f361fa67b7932ca0c56f117ec2b3fc98a88547b

SHA256
a45131b1fe8394e8e0fcabe08685ae766ecec16fb544906f7fd2deea16d6b3b4

SHA512
06bd77f8d83dcad324d56d5ac6e671123971c27ffd3698b4aaadaf311238ddf088dbaa204a7a4dc1a986cd0c53401ae8ee33f6ee6ce72b96097e2f3757d2458a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
941d390e3804b390ebd5720e53578cb7

SHA1
9f27560e741e9b1b26f326782683b752f13f9d3c

SHA256
5ec52981b8933650e71098c26d44eef9274890e5f191c8cabcc5160e1eae3e64

SHA512
ba00ba9bdf29f571a5584634d22ae45bae1d8aeee9cab993bd901b2de3b9c579d569477d715f62fb7a964a360336aed69a271e29b116e80f2d36b9bf17e2b794

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
ad3001f2adb01c2f48040ef6ac71dde2

SHA1
cd595a3507e813cedda96af10d99a9a1a52f3bf9

SHA256
1f1bb96a1abf9e784967694d0e4866fb64d3742dd2990c7d2bc7e9dd3dab6b77

SHA512
8827c79e0de1af74da665671f84cb23a88fd65c5acfdb873d8cf64af992d77ee89d5cc98e96dc28d397fe6742b6560132bbd378b92ad48a03c2a103501aa21a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
5492f962529fda0942340b9b2095cee8

SHA1
a950d3aba056dfb4d93491b531039f329752112b

SHA256
32d8504b7f1a3cb26581221f6897f5e46ce735fef3be1e4e61410439dc3f37a6

SHA512
1a5674350245e9a0fc7693c5f5d411e64a9d527d78927725e254ef06947d6098f1425268f436a859aa6c17d0c9440f25d6ce9b59c4eab9f8ced8a7077fa5b090

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
b8ad28ff2609fe45dfb481384c8abe3c

SHA1
08b54a6ca6de03351eb69eb51d6ee7fbf4bae3c7

SHA256
ed13847d31a40c78280d23ff5df802b2a7c97a28058fb600b66f2675f8d4b5d2

SHA512
6fec1796c3c36f4308fe343d47608f4a676c1009e46d192faf033f7e2d5276c02a7053e04bf36336df341763174bbfa4197e51e03439dccef19e209a748e07e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
f5865e207dbc89f881cfa2ff33ae070e

SHA1
8ed40784b5fc11420a74d722ec7f6c5b0a30f2ec

SHA256
58384081f628ae3bc7ccfbd6d45c03626ef3e76093aa6d133d6231ac49eae6a9

SHA512
fd8e3be23c33cbe567faeb4ee788489a4173e6ce2b13aaa717bec089700e59875933baf9d1326fa73a308d1df3309714576ae92e9168304a3dd00e303d2bad61

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
82ca6073ec5bf07f835e17411c1c118d

SHA1
817dea5cc6d08ed0f04cf5b31debdc6faabd309a

SHA256
f6f3e7e15ea18810ffbc30a39c352d6b28726e1527dc8275c3b834b092c0fc8b

SHA512
a49cea2605758ff242cf2c91cc43c6ccba111fbb0e354eb25823b4df099e4079954713bcaf02b48b7220a7ed1437d779e8150243eda37a06342450f5bbdecf0e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
1552016a0018020b002f96e0447b9557

SHA1
54e056ab41ac99c26efcf64468ebe8b8aa3dc2db

SHA256
6769a04ab3015af8bd37066854fb6a6af80176555ade2686a0c923dfdd6e87d6

SHA512
2e3f8265977355c4430ed24dd9d634065df46e05b1a2e6d002add60980516075d0bde5bd72c75e40b7010d3b218145ce506fb8107bc6c3992eda186bb08cd762

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
cd01ce3108cbd3229e63e257979d1aba

SHA1
c937fdb317d6a80e18c13510652a65704ecb66d9

SHA256
4aa4e8302aac9b17eb71d29d04fc012cafe5d3148c778741de038847a29e2e5e

SHA512
287df972dbf4839ba8801edbfef9f16e7808cca13efe00a2b09e5d508261a6d786e503764b92a21fff92ea0fdfc34b73b53e8b9377bd414a94f4e4f3233f793d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
98675deee79506ddd4f51265746041a7

SHA1
9cfc390ceb20fc743cca68a57a042f9e6384298e

SHA256
22d4aaa51a0c30da06fe4f0260765e2e5f190c0d58b1896c0ddfece42739cb19

SHA512
3d6357b5b9e49b42c0b28ab44a7b60911cf66b9d4f3c52496b4f77d99b59dd107e1a4cb2de3eb2028728101c34dc4f2a6cd4c580d7f5ae1c45c6c1e25d59d37d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
48029ee56ea05b3c3704d2958a16ff2b

SHA1
6d2157f4defe27a661103e1b3291408ffef95de8

SHA256
d03f716a5581ab2ec4f7516dd5eabe62f4ec2692cb458c27e222e7938d11deb9

SHA512
85be0912fc3eae44465b2e8cad3a6f2d9c2d407bfc2ee5748ded64a5f9c573b2c0085df4c02034871dcbfbc6e9181de33f74ca0024fcd163a7adcc90fe960d3a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
fcee16f956619d0eff8fec1604b5ddcd

SHA1
dfde2e881d684afa4c996c6c435aa094f5a28489

SHA256
45e7ca1f85277effd1e17d181e5f8d01aa69f227c859807846840e3379c269d1

SHA512
a4a4b299da11500982b7d84b687f9cd34ebaa0d7bd4c16d37c2d601badc79b9189e0d9348b3e81de0d4822310b3f965f40434d8b73f2558841d71b50e5c21a87

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
eb08aa063dc1c8d0012fb95c5e56e4b8

SHA1
06e3137cf93dca2c8ae652a34c79d4e66040f8f2

SHA256
7cc9e64c2f3dc45416be87c8b5a8afe8d53109ac6f79c82dd2e284a13f1899cc

SHA512
8099090aa8ac0d366c3d44c99b1e83f8865c1eda269fcc2a25273cfc847b9dd8c2ccb677fc0abeb2006b2005ac32443c7aaf208b0596337b5a3980ac1fd4087b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
4e36cb895eb8b9636c6b0eeb2614f754

SHA1
0b32bd6dc46d3e639a8d2d7676432c4896ca261a

SHA256
e6f8338f05d9358d9909d388a80fd31607e4046b6b85401567df9919eaf32c3d

SHA512
5f71c08de29ce8ad233967fa13df0a4495d602fc3844347252416d8a93bb0552bd5599da5d3684670471e019356aa1459cf33a3c9308da4042112ba6ccf94af1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
19944b844714284aa9bc9555102f65fb

SHA1
188633b4e9cef2dc96b9df3a92f92aca995e3f58

SHA256
8a873fc72e6b13ce43346b0d47d365e896e1d8b67e20b23d7e53f2a3eaca5ee6

SHA512
4ed240130fb71c408cfc5d4cd69dea71ed175ed38c17dfc3fb439b0b153912f0a8ee6d84ea9af7f03aa6be5ddaae0f3f19352a9fae3516e1c38e36bec5274dcb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
3c7cd79792d93a1fa4053ce5fd65d959

SHA1
f15040591480e947862a8125d750e2ae9913653e

SHA256
26f99ecfea1fa0473225dca6ad8831f9f2739e86999810d9003e540319103b07

SHA512
68539e0ce0f158d2804337f80376880733188bfaafab66b6d6d9d47c3105147a0aec3a635e74dee9ecdf89b684c83445172534a65bc0fab57a1348e713d26e4f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
3ee427239e45ee0c95349817b84af713

SHA1
de1cfac3956992d284229a472537ee39cf89a89f

SHA256
a9daf091f5bc3887f8ac0bb6dfc3e7ae74c1412c64239d74065a6888d40dcb13

SHA512
e70903fa0637440b8bf147d58bc982a86487e0ee09a399809025104de8c9fa38a6968af28dde55f696f6b0eb4cc1cdd8b3bc465c96706662afde4b8c1249acb7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
ebd651fbbe24bcce1e166e0a4363a206

SHA1
bd07b4e728c60d709ed9ca9df86b3b138b1c0adc

SHA256
6a18b230a6eccfac410bcbcf253b332761e7002ad9a282778fc8e9a07ddf1526

SHA512
45a423ca074e6465e4d9a1402f1bd48f2409b2c5607055d64835e33ae83a28d3a94696a669e4d34738875471233fb607dafeb5de63f6b10b418686f143ba0b02

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
a051027305719fe9b0b9588847907371

SHA1
7447be257f6954de171a650efd2ade7670562741

SHA256
5aa7060ed24450af43b4374837ddb87873be50d6239be234b43772daf5c0bf40

SHA512
5dfdf3f77fcbe362d71de6607c04af61e68812e64edbc9f294ef4823669f2961f061130fc61fa6730dbf5cb12a8f09b4afaa37600d745520ee0f4faf494ed686

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
30ecebc75bdc0ccb065fcd7f743bc3fa

SHA1
7a2c23f6a7b9ad446c65063b8783e5d6f59c49b2

SHA256
daaa115a26a40323716ced5ccb07183b2684d25834e1e1e36683a0f9ccc89b3b

SHA512
cb2b4f5ca96da3a987f12c1b73c0de949ea8fe98ceff4f43d0520b1eae4c9e5364a3df93c633315cd7d17c1d5677f5e441198a67721c67b700d8041de999f005

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
fce48eb3a5139872cd6b4bf83010e239

SHA1
eec3b855ebdaf6dbf74bac46e33e176566b31496

SHA256
ec0245295b0624a5eff170948efea1016893730ab556038ab2655184dc05377f

SHA512
a296c1f04703624bb11d0b82accfe129fadff5b6c0f6220df260aa85582f784229ff171e789af73de9bda97f2e6442ead1d296b7c472304949812c4056b4d4cf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg

Filesize
49B

MD5
29d592fb7b37c073faa77a0f4b885a13

SHA1
0dc33b779fdd8ec142f767205e1de45963dfc727

SHA256
aab9f0a5cf53c3b5b77676a3a277e691df300944877b225d6e7f6bb624e43d8a

SHA512
7a818be078df65d8b5e01dabc4d2188105ccf05f6e7e6a01f902337c3efc889b0aa83a11fbc586a7a381a02e081d292b04611220484700759be6e6deab549731

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
f356e9fc80b5440abcd5f5aad3ee4596

SHA1
32aa20210567c80707a89b25438f1ba261f58be7

SHA256
28d25fd93e32e302e9cee33bd67962ac5458f226a11b840bde086036f6b398b7

SHA512
0fa10b25a8f9d36f416d0ccc08bc15707ea7126641e55bd9cf3aa88aaa17bb5f65136c0bb9bb031dbd4307f76819f803f344a97fb9b3d3122d339b243b943d9f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
e11f4c174fdd7e7352df6dda164b9f07

SHA1
99a58f1873b6e0c090c03051d2387d1fc0296c21

SHA256
a19d3d1f688c3155ff2d7cd4eee9f7351dd96f954d76a2dd05dcb821339b4d3d

SHA512
d08aa5a05cb2d14ecdbabaad0f848fb1257a8ee084b8517326f71761a21434c07ec2c68271738642ebdb4e1d467ac27fdd00076a10ee9c7fa48fed0e6277b7bd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
d6872a8fe77a981ae25b0178b92b1567

SHA1
b2ccf2e191e86d002314fed46dc8899f113c5277

SHA256
01d1db13573131c3e930df601160959004d01586ed763a7cf6c3369338e5bba5

SHA512
4dd0f72aa48b2cbd0f02479aaa38751dcd019ce72d33012c63f880dc5434272d19a1c76577c30567335ec0f8a2980a3af2e47a29492ad6f95f722532edf8a6c8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
bf03389c9b765468a460b31fba9c1c20

SHA1
fafc06df36c8eca6ce24346e1cfbdef81c6b14c0

SHA256
df28e4451c1143782b38be9fa4b9c2700bbd2275b1c1a3ba4815aad24c801e96

SHA512
7b975162ba3bd65fa88175cdcfef86908b7733c3541a5408f9c2d35be678208b9511723ed38b38cbbe1dc674b07f03a0e61bf48ab1987ecfea86f226f1655d43

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
821be06f99f1b6928b842598429478ce

SHA1
c6cdd3ff8bdecbc7d71fa680ae0c3b11c2d3e18b

SHA256
b5fdf5a4340a33d1bfcf0c8bd1f0fc49281d7d0aba16d8ce9bfff2848cd340ea

SHA512
6c309baa55ce0398425ba0a7e850e7c1ca5524bb8c84021f83d52462a6ce57627bd5d54a3fc2ef15be92ef1b101839c547c563a41072f1de0876b725207b7a85

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
bb66fd0645d3fde8ee857124ad98f628

SHA1
e77691307add7fac93c91fddcec7c0e760c465c9

SHA256
c3c38c4882c2bfad3ffb4aad64400e0fb21accc096f0fbc26208b6dad85854e2

SHA512
c16795545136cdc9768f7444c4f8c6c448a2ec8be75fe6153af5533848ed25802350c8170e25d8202f19fa44832382f08162972b8f5eb44a50ca42af46b7de4b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
2b20aaadf55493df270a02166a58743c

SHA1
985ba04e90e653407b7443ea98f468c5e9029808

SHA256
20351a5445dae645652241a2ef58b6de353d789a2c9393eead13f182774aae2e

SHA512
f932b5cf51fbb62af17fb6efa6def4f61756857715d2db0aff78c0b625c888397069fc4f9c13eceebe319be09efd62eef4367f00ffe953110dc879612418c935

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
a720ea636791bc9b21ad04c26e4d6dc0

SHA1
2a4276b5fef535944c3666d893d7c528ad800bd9

SHA256
692b35d03ea809306bf2a3e4aba18f7b8671ed0fd193e13c716c1f5aa077d9d0

SHA512
e382ab4a7a23b71f35fd18d43fa1bab884a8575a5449b3ce68240fd9e63e19572bc7bc7b0e3f833fe93010f12879edcca2cd41454d26d938cc22485db6e027a0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
bd722bed5fd58b669dc1d7cd4a2bc4ac

SHA1
1ecb98bbe336eeb9bc659bd4f835aa234881fbed

SHA256
21aec1de2ded9a7b77b299d954f548f82efe2c5d75a38d837381d06ce369fa33

SHA512
f2cf496204762b843e4db6e0e10e42577c1288970f3a850f57aba9dcc603c46491e68a2a1fcc46cceaa948c5193178c37b082d367f9bb5fe89ff6aaa75a2a729

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
c49f8eba0f3a7e041da08a01c6b1d9eb

SHA1
b5866892a34c8d8b8c20220a9a2df64613f26cab

SHA256
caf4ca0994d95ee67c81981900e963d563811837433cf967a436d103a24f65bc

SHA512
d7bebce80065cdb60cf2bf504f968cf43b601ed09407aed5947bfaecc2e7de44713db16927765c76cec646ac091a6973010d835adbbbb486e93c7804e37dbb05

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
c46ffffc7ec7fca5bba0c11a3d72179d

SHA1
089faf752e9e276d8fa81eb819371aea3dd18d4b

SHA256
729128978bf2725e30cf98f84393b71be93ed89de046198432d15ecfe4578e8f

SHA512
49acd8fa6b7b0a34eabeb0defc2a28d1f3ab18c4d6ed54bcac3e8e36bf16744b08548253c230badd394d724d8bda4cab6dd9f117cafc08a89853c83d3ca73d5d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
7dfc90e12f4f0bb5d9536242c1e759c3

SHA1
bff1a516a34b09b12999c5ebcbcf4bbf8132ebae

SHA256
48ae1277645b4e4a72e9059c2d9307e9316a3b3a16efd4c526b8161c732155ac

SHA512
1dd82586c7146af6c36e2a27109db35a2a0b506b604fc61ad149b90f6625feff811653cc6b665554afaae796aceb78a1a6dbdb11267da6f9765cfa6c14c90668

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
9b1fa28a6df93391e634333d4a1fa0a8

SHA1
f26140bee25319fcf8a8c49401eee1f4c5145b53

SHA256
511e78a917764d7b05b0eab234029f439f8cde8dcd2a899735db63e9e46c498c

SHA512
06f9f73879760baa9f626b79610923bc20de1c00c229b6c294764938221539ee3c99e528182ac9bdf38ad9c10bfd896d0295b556fac68bbbdbf39f881dec88ec

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
6974c072081561849ed37730e360539e

SHA1
32f7769a2d8071cde11e5b403e2e8541f7bfd10c

SHA256
54e7b4dfe4c13c73a1b59272379a36f47e5380a2cdac958fa1e3dc5676653e0c

SHA512
f5dbc65d8db78623d812c842dbe06da5aa1869ad1cea8f18c8c7bf8d38e08237dfa2305d0d0810866206eb17afee1a4d765422891c261742c7359a0f49d711dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
1379312c339b058e6649d99be88e9a64

SHA1
a2479081a3e75fd1f807380d7acd272f5dc35a64

SHA256
c01d4a51ff379d12ed700d28b9854b842633d129e2886a3a8e169637a10597b1

SHA512
c931a82ac25c6f6f1b0f14f8ae0de6f6463c6bde4f44381204ee74e93bdb922c3a4deedf286a96d01f23522f736e88cbdff71a6a738666dbf3b392edd74f0c4c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
9a3fcce0bff8791ac78517fc9082d38e

SHA1
6b0209e4cb80422f98a4cee8c59d37cd4840b067

SHA256
1e6233c424bc84a45b339900bef066e85c7a5b2ad423882dd3367815d1b26a5c

SHA512
d653166074bfaffc52caddf7beb52159a920cf4a28858eafaecbf4b928ce1bc53af2d27a7935fad459e0b1ca4cf534ceba4cfe82c9efd1ee4f00302b135da796

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
877489578e61ee508f81d0230a623325

SHA1
207304bbc57fa53665256230143fb8ea48b12c94

SHA256
90d3bcadd558c6c6997be7a4a658aaa3934b4c910430a3c50a1e1723817fbe3d

SHA512
febc2bac0beb10bfbdd1776953c8174759e10ae47b2aab6608a3cae9485c089601282363ccadcef996a537b1cefa5922273b88c194a2ba4ca0c904722f44b0ac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
64cf373bbb8f20b5ee863a38e1724eb3

SHA1
c7ff47bdbc656ccdacf6b2cce37ffdc1cd3c6fee

SHA256
dad20df9ec8a3942ed0050dde9823a31a8bf5db1485dc471a9a6e0c7dfc70c22

SHA512
c83ca9bfb38f5b7347412db34c66d94976b98bd8cdd34b6549d3084502d82e8dbc3b22efb9f96d903852bbbe00d23f5abf91b91039051afce31e154f0e40aca5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

Filesize
65B

MD5
f74090d7ac149d0e1a98a9f94a173963

SHA1
c4955ccb81142555869f13b4f7272e04fd0dcbf0

SHA256
087fab00c7fc17a6af7b2567b0b7c99c99edbf5d4f4c8b09feb462207586601f

SHA512
da1465b495ffa00146dc758dcf57b588cb9b6b0399d7b540bd09d5e549f861f4f8aa74277029bb08ebec6307487baa530056b46b53f14c595cbc9c007149ed80

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

Filesize
65B

MD5
99e4a9defd19c611122874554c9afae8

SHA1
f614d099bd03f80c65adb8d7b31257eef3b5eab8

SHA256
e675bb99552da61a11ec572a84da1cdae37bc55070fd2ce0be662affa5d68a37

SHA512
0158310c635dbc75af7b8de508ebbcb0bcfc37eddb2e9aaf76553249fc2802b3f4667204c85262822f55c2f57fafa613fcee5899ddd997bab16a9f6a1b7abf57

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
a5fbb9804cd2c396a1b5f1367f46e36d

SHA1
42ceb60d4a7ea117bfbe384e76c752840a70e9d2

SHA256
224171ec3fd4e58428e57603bbdeba16490da0b6a013c727c86310bc558e9990

SHA512
74eb8404bd52ee19a22251d3dad09be5c0e0714c6748d98fb8efc705395aa5ecaaf9a6423ec2b70101047b4adf13ec1087bae3421518b4f3a5805cb401e93462

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads