xorist | 668f4d750f26504348477e32cb73aff0cd68d8a0997619f2d1402338d3011f03

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fotos/foto2.lnk
Size

1KB
MD5

dd3735c04fd4134d97f38b34b5544e3b
SHA1

d250a2a1b545e51c3b3dffaa90b5cb0b2f30f090
SHA256

23ee733b758eb9c05061cd93fe7856e7ae9cea68702b6d833ee3778419ba6b02
SHA512

b574e4347ac9272ed2b9a0b0f373085acc58a08500b81713385d0fe85907fbf62eb0e5741246cb9fb9c0ac5301d953f6b5e8e189faf5d85f7ea6e49545380add

Score

10^/10

xorist execution persistence ransomware upx

Malware Config

Signatures

Detected Xorist Ransomware 3 IoCs

resource	yara_rule
behavioral5/memory/2788-77-0x0000000000400000-0x0000000000502000-memory.dmp	family_xorist
behavioral5/memory/2788-78-0x0000000000400000-0x0000000000502000-memory.dmp	family_xorist
behavioral5/memory/2788-74-0x0000000000400000-0x0000000000502000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2044) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	svchost.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	svchost.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
2760	ud.exe
1292	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	WScript.exe
2932	WScript.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/files/0x0006000000016d4e-61.dat	upx
behavioral5/memory/1292-65-0x0000000001180000-0x000000000126B000-memory.dmp	upx
behavioral5/memory/1292-80-0x0000000001180000-0x000000000126B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C8a75H6gX4JW48R.exe"	svchost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Enterprise\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_do.help.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_types.ps1xml.help.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_neutral_b71dd3dadc5c3e27\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote.help.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_amd64_neutral_dd659ed032d28a14\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Ultimate\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalN\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced.help.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\DriverStore\fr-FR\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\it-IT\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\com\de-DE\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky309.inf_amd64_ja-jp_afbb421e3dc1cb6b\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\es-ES\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_hash_tables.help.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_try_catch_finally.help.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote.help.txt	svchost.exe
File created	C:\Windows\SysWOW64\zh-CN\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\DriverStore\ja-JP\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc12.inf_amd64_neutral_ff7295ba5a46d63f\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalE\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky304.inf_amd64_ja-jp_1b1a158086a263a4\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\Amd64\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnttp.inf_amd64_neutral_18b899bdc8a755fa\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\manifeststore\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Comment_Based_Help.help.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_format.ps1xml.help.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_parameters.help.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_fc.inf_amd64_neutral_a7088f3644ca646a\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_neutral_839e9ee1a8736613\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1kx64.inf_amd64_neutral_1f62482fbb9e52a5\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbushid.inf_amd64_neutral_6708ad28050a6765\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\StarterN\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-ndis\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssession_details.help.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_types.ps1xml.help.txt	svchost.exe
File created	C:\Windows\SysWOW64\winrm\0409\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_providers.help.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_troubleshooting.help.txt	svchost.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Ultimate\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\EnterpriseE\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00c.inf_amd64_neutral_27f4ad26fea72eb1\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_hash_tables.help.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Command_Syntax.help.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\elxstor.inf_amd64_neutral_4263942b9dfe9077\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\StarterE\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicE\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\de-DE\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseE\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_arrays.help.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hpoa1sd.inf_amd64_neutral_caaa16c52c48f8ac\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-DHCPServerMigPlugin-DL\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_arrays.help.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmct.inf_amd64_neutral_15bb3ed734fbbeb3\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc6.inf_amd64_neutral_2818f7b3b62bdd39\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\Amd64\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ql40xx.inf_amd64_neutral_77a826e5c0a07842\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\HOW TO DECRYPT FILES.txt	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hjgjmobbdgjjlobb.bmp"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 2788	1292	services.exe	35

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_down.png	svchost.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif	svchost.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	svchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\THMBNAIL.PNG	svchost.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png	svchost.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files\Windows Defender\en-US\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14793_.GIF	svchost.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR40F.GIF	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg	svchost.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_thunderstorm.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21328_.GIF	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Earthy.gif	svchost.exe
File created	C:\Program Files\DVD Maker\ja-JP\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png	svchost.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02082_.GIF	svchost.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt	svchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg	svchost.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png	svchost.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files (x86)\Common Files\System\ado\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1036\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\logo.png	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	svchost.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_fd30fb074d73753b\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_WS-Management_Cmdlets.help.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-whoami_31bf3856ad364e35_6.1.7600.16385_none_ce52d479e329be32\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8a371f8237ce9694\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..k-msctfui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_151b6ff191ba8508\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..er-office.resources_31bf3856ad364e35_7.0.7600.16385_it-it_90f60a1ef84a3566\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..w-capture.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a596658f96cb2754\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..escriptdetectiondll_31bf3856ad364e35_6.1.7600.16385_none_22c2050af8e2b32b\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..extension.resources_31bf3856ad364e35_6.1.7600.16385_en-us_13b4dba4ad4e97ac\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile30.bmp	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-healthcenter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_46037ad069504038\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_mdmvv.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1e0b2170bb5d8d1c\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_wcf-m_sm_cfg_ins_exe_31bf3856ad364e35_6.1.7601.17514_none_5e47617f33c574ac\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-usermodensi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3bf2c930414db993\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-x..lugin-mui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f828566d189f067e\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ocsetup.resources_31bf3856ad364e35_6.1.7600.16385_it-it_32812db4254fee20\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.WorkflowServ#\7f1f91903e297c234f177743d94c318e\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_data_sections.help.txt	svchost.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_59e6a839753b16d1\RSSFeeds.html	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mfplat.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5bc1c119a8bd5a47\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l2na.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a62167de39951d5f\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\drag.png	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..rojection.resources_31bf3856ad364e35_6.1.7600.16385_es-es_70a6a334bc4b8c36\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d33f52c4d452cdda\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\msil_microsoft.web.manag..netclient.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ed73cf91cf007c56\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-hlink.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c973bc75fa2f8c3d\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_795003e0434618dc\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..cconf-exe.resources_31bf3856ad364e35_6.1.7600.16385_it-it_51e385719bfd6c39\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..serverapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f16db8d6692b1fbc\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_it-it_68a732179d3e6395\settings.html	svchost.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c#\2d79de2180c7f59325a5e7105e6b690c\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\28b0b7573c3bdbc27187e3dbc4f1f1ff\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bwcontexthandler_31bf3856ad364e35_6.1.7600.16385_none_3aeb09789cac9bd9\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ncywizard.resources_31bf3856ad364e35_6.1.7600.16385_de-de_17df7de66e4f6f9f\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\inf\.NET CLR Data\0411\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-icsigd.resources_31bf3856ad364e35_6.1.7600.16385_es-es_70440848efdabf78\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_data_sections.help.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_prnxx002.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4d6cbbc8e10bed65\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..pbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_73ca4df093205138\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\msil_microsoft.build.utilities.v3.5.resources_b03f5f7f11d50a3a_6.1.7601.17514_de-de_43c9714a467d8e9b\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-simpletcp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c94e5dcf21515355\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ipconfig.resources_31bf3856ad364e35_6.1.7601.17514_it-it_568f62012625f944\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap.resources\2.0.0.0_es_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..-ehepgres.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_03bd28efd1e471bd\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\35.png	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..on-common.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_42b5e45217c61c4e\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data7706cdc8#\d3c9daee844c6d685e059108aa87b3a4\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_de-de_772af58d442606dc\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\modern_m.png	svchost.exe
File created	C:\Windows\winsxs\amd64_netfx-msbuild_rsp_b03f5f7f11d50a3a_6.1.7600.16385_none_1dc7324c631cf49b\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_5b7c8d693744aea4\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..istant-ui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e8cc54fdfec885a0\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_811b377c89d18189\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-b..xthandler.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e1760ab4fb2460d9\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-runas.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b1a95d7e60722fef\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nap-oobsha.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b82221aa0614b22b\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_wdmaudio.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e730945d85cdff3e\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f148573ead9e671e\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_faxcn001.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4d04bd1f32069955\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-system.addin.contract_31bf3856ad364e35_6.1.7601.17514_none_862122ae53e2e567\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_prnle002.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4160604d88a42500\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt	svchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..shell-exe.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2964c6c4d8dd4130\HOW TO DECRYPT FILES.txt	svchost.exe
File opened for modification	C:\Windows\Media\Sonata\Windows Critical Stop.wav	svchost.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DKOHTRGZIXFFOSZ\ = "CRYPTED!"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DKOHTRGZIXFFOSZ\DefaultIcon	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DKOHTRGZIXFFOSZ\shell\open\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DKOHTRGZIXFFOSZ\shell	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.n5GdKE	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.n5GdKE\ = "DKOHTRGZIXFFOSZ"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DKOHTRGZIXFFOSZ	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DKOHTRGZIXFFOSZ\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C8a75H6gX4JW48R.exe,0"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DKOHTRGZIXFFOSZ\shell\open	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DKOHTRGZIXFFOSZ\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C8a75H6gX4JW48R.exe"	svchost.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2656	Thumbs.db

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2732	848	cmd.exe	29
PID 848 wrote to memory of 2732	848	cmd.exe	29
PID 848 wrote to memory of 2732	848	cmd.exe	29
PID 2732 wrote to memory of 2656	2732	cmd.exe	30
PID 2732 wrote to memory of 2656	2732	cmd.exe	30
PID 2732 wrote to memory of 2656	2732	cmd.exe	30
PID 2732 wrote to memory of 2656	2732	cmd.exe	30
PID 2732 wrote to memory of 2656	2732	cmd.exe	30
PID 2732 wrote to memory of 2656	2732	cmd.exe	30
PID 2732 wrote to memory of 2656	2732	cmd.exe	30
PID 2656 wrote to memory of 2752	2656	Thumbs.db	31
PID 2656 wrote to memory of 2752	2656	Thumbs.db	31
PID 2656 wrote to memory of 2752	2656	Thumbs.db	31
PID 2656 wrote to memory of 2752	2656	Thumbs.db	31
PID 2656 wrote to memory of 2752	2656	Thumbs.db	31
PID 2656 wrote to memory of 2752	2656	Thumbs.db	31
PID 2656 wrote to memory of 2752	2656	Thumbs.db	31
PID 2752 wrote to memory of 2760	2752	WScript.exe	32
PID 2752 wrote to memory of 2760	2752	WScript.exe	32
PID 2752 wrote to memory of 2760	2752	WScript.exe	32
PID 2752 wrote to memory of 2760	2752	WScript.exe	32
PID 2752 wrote to memory of 2760	2752	WScript.exe	32
PID 2752 wrote to memory of 2760	2752	WScript.exe	32
PID 2752 wrote to memory of 2760	2752	WScript.exe	32
PID 2760 wrote to memory of 2932	2760	ud.exe	33
PID 2760 wrote to memory of 2932	2760	ud.exe	33
PID 2760 wrote to memory of 2932	2760	ud.exe	33
PID 2760 wrote to memory of 2932	2760	ud.exe	33
PID 2760 wrote to memory of 2932	2760	ud.exe	33
PID 2760 wrote to memory of 2932	2760	ud.exe	33
PID 2760 wrote to memory of 2932	2760	ud.exe	33
PID 2932 wrote to memory of 1292	2932	WScript.exe	34
PID 2932 wrote to memory of 1292	2932	WScript.exe	34
PID 2932 wrote to memory of 1292	2932	WScript.exe	34
PID 2932 wrote to memory of 1292	2932	WScript.exe	34
PID 2932 wrote to memory of 1292	2932	WScript.exe	34
PID 2932 wrote to memory of 1292	2932	WScript.exe	34
PID 2932 wrote to memory of 1292	2932	WScript.exe	34
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35
PID 1292 wrote to memory of 2788	1292	services.exe	35

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\fotos\foto2.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:848
- C:\WINDOWS\system32\cmd.exe
  "C:\WINDOWS\system32\cmd.exe" /c Thumbs.db
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\fotos\Thumbs.db
    Thumbs.db
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\o.js"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\ud.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ud.exe" -pkj4h1k74y4 -dC:\Users\Admin\AppData\Local\Temp
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i.js"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        "C:\Users\Admin\AppData\Local\Temp\services.exe" -dC:\Users\Admin\AppData\Local\Temp
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\SysWOW64\svchost.exe"
        8⤵
        Drops file in Drivers directory
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        Sets desktop wallpaper using registry
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
451B

MD5
17577453662e0698aa2eee5625512902

SHA1
58d34b87aa937f37622d233813c0c952ec7d776c

SHA256
f797743d75f0bcafed490ce2c0b429247e990e296281ffe529af0e7c4130f72b

SHA512
0f40cc68ecfd01894d491a7165761ca325eaa9dee18e24b26a644243cc92458c18fad814c80211d5dc7f3338e306d25e91eb85d6e4f30ffe66702f2458586f7a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
063e04be6a4fd81d89cf23043f79cfb7

SHA1
c2c2b0997e8505fb98c5a31a18d616831d27cbdc

SHA256
1a197ee52e24fdcd49692da710def97546de9705c60bd46a283c123722286a70

SHA512
fff0fa75e6f0ea1209082923386d8e48101cfd9fb276e95e26aa87ffed9362029add3ce891a6810d81217815a39e87c8b4f495bafe4ddfd8653ea721a5bb1560

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
855ddb01300011f993c36d671260500b

SHA1
fd3fd5e385df99bf81091ab8d5e7983a7b8b5d06

SHA256
2866f6e8452e0cb89633e32e67630676612264a3ca2ec8e43dd1995ca552b830

SHA512
61efb302056991a82d3f27044fe2175c46d824f2130307a06262eaa3f06579edfaa5f9b66d31f68eff07eaee5e29c983b2fba6cb45412f5f89e07600c2ec848f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
3e23a43fa2d8a1c3666d90cbe197b797

SHA1
c94ebe0808f44ed0cb724da7116a630eaf0fe8fd

SHA256
e656f11c2360e022423a9ed12d51e616acaa21cd80c34833afbaf3d9ff188b6a

SHA512
847d830762dd61e3f8be26fabba08ec84f72ad3a6098fe7f02b97c387b67faf56c9c004286370b833980b57fe9f0dc0a387293328290ec31c7b7d569d77494ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
632055674505d446e72798c10ebe71fa

SHA1
8d6d1a1f14179ae00f04e5aecd5e637e62f36e26

SHA256
053f9c0c219c9a03d5a89e7c6dcbdfbab3f0730c6b7ccce0ba525558af76c511

SHA512
8b65c77888cae9c47ca48910f0ae48f329656491dca81c8768de256e4fc56fb22cb40cde2cc4c64b4ff86592792659bac92d32666e3d56d470223ca3b70012d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
521ec8fa483010240628005e936b8fd5

SHA1
a9426f90407e2f3212279c8db070cd306fea63a9

SHA256
bf32d782d1c4a5ebdaf03f8f479cecdafa645f9b281a9296ddee1b79d61fa3b0

SHA512
8a368fbb92254c1285ac960d997cc66fa5cc8de74dfa3ae9c249ecbe0059f5a9b44999bb026f54802e39cad8ce31a5539282c30b64e718104ccd18162876218e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
e25d1a976e296a2b2ee5101f78ddf1d6

SHA1
9c6814d837353826973b6443360ee7f89efe82bc

SHA256
39a3a612c44fe61831e3daf97ea0a20d52387bf30c4f5bcbf43a26fd84d4baaf

SHA512
f2e46b9c75a32b92d5ae1c569c1241241df1bf3468d7f4c38c16e15ccbd1b645db4456ae54d9c93c18c4a06b29b1457bfbcad6df219b615fe3c6ece83e0fcf44

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
cdca9ae014bbfe6ec44d6549a2eee48f

SHA1
ff8b274edea534b0c79350433a1d23c5e254d79d

SHA256
701f0d987110dd0d661e9e4e8c8bde5c22416d15d041d50f56f60c3106c26bac

SHA512
9a382857b301d853a73900706534bf44ab7d344042289c74df92ee3e86e9b9d8e8c2affa1e4cc56dc3fc452cefbdb30d3527ebaa25e456251a6f9ff96cc478d8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
d04b523ec2f84cc45a6a4ed00b524e47

SHA1
fabd5c278f58d46cdeede8680ac59b1e93e16622

SHA256
e7c7f89130ca7ebdcdb0e773626947d6b26a6335c54665941d0044a1b6de8d4b

SHA512
18599e2b282b00edc438806675d120a5f4a0cf648127bfaefc7156104908c2eaf0f1c4c527fcb53fe0a9949681fccc190d703170a512e6ef6e0aba2559e54acd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
b4dd9f3936091dca21da3f1ac33212b6

SHA1
fe1c626c9889231ec3806edead96358861c6836a

SHA256
14d00b0a6054620abd3948ba9ac0d88d5f328a6b3e070acb24bf0ede8b425dcc

SHA512
5afa9fc78dcfeb0c2e5148f3bf9402cef01b2ae4cfe0cc3344b4dfab9ab222e6294c5250276847b6d7b30d0326cd0d0e210f1e57510f401d631118038c138640

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
7aef93e5639aed8e18607c9fa770089f

SHA1
2101c4e5fc2f48b877af9259cf215957c70260b4

SHA256
f61a64b79536102456a5da827c511fae899abb52d3792a378455ba8987856c0c

SHA512
38ce8dd5d0cc0739b0fc6cb8ffc84b01d22176a75568dd5204c034f999562ad042fb9c206bde494a11a6b6e72eb1f3fcfff56d53235732c06c9adfaeb6ea1c69

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
ee59744b4d8d20c9755af131761b23fb

SHA1
3a2d3d1c237c4155b34e045d656bbf8813c8f054

SHA256
79f06775b0d5d371a46d637ea39ed5f5c65aa052cbe252b155891548f9090094

SHA512
06b412f09116e269394c16bef0ae159a61bc57dba846a3f1ca3cd0a34b1765b4045fcdf6e1a114ea3bd5012617588228e751ff9dd759347a49eed04d72bff334

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
2eb748166e361afb0bad3edff19d79fc

SHA1
a61b147ad7579410a5c71042733da943837f539b

SHA256
59cd67691d3db37deea6fdd407857b661cf8bbad2d7184f4b6f2d22c9e5098ee

SHA512
b920fcd468e79e0837963b62939ca7c1f2ab59511e2c6cc30de7ea584b52cc261ca367be970ab92b4a587fa570596e21caa269f3fe64828a904076999deb4fb5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
38d7eb9ce54995bcba7cf42c3c6e3834

SHA1
5c5fe4a2e95907d86d74fca4d2b0daa2e3dc4ec2

SHA256
1eb74219530a93e9b4c679711357f3238fdb00e55160ff2596be167d646f0dff

SHA512
84479eab1a7ffe9ef9533c27cb44c640b53f207137b3c9e5b82b2f7a17117467dcf7a934566ce4fd3d473da01473bbeaa787e517c3891ddf4a9da44bc3165ee6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
4159461d5bcacb8f82c1b4b381f05ce0

SHA1
867c85bba81adc57579b1be7a1a7efd3064eecd2

SHA256
2da205a0776555db63c76ca728ff97a18feab3f55f64152994a4a733be7350ae

SHA512
a56506f5366da84043207b578f0ee5b6bc7651e2efad15621a885651b19df52b6078c1b7a05d0cef143865c3033721cc4aec268d4c33ac0db7fcf7daa954ae50

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
19acd2fa37cf4f780c1aa67c0cb379b3

SHA1
0b058eaa1803a5aca8d85c0272b2a7ab1e58e726

SHA256
46d57347227624994b6c66c1866afe4832bbe4a24809be1576679ce6f63b17b9

SHA512
cb05a10afc4f50d77e44a6bb8ebc0b70a359c4357114ce15a16672bde274a607b11266dfa7e58f0663aee6488cacdd3a58b4fd27b8492bba01b31fde3212ea66

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
06f7b69042e8452a829ad52519c46a70

SHA1
365c4968482e957c4728e3cf965890a7c1fefe1a

SHA256
577cc3f36ac6d4c7713387a4f78c864749e10587127bbef5a7d1aab5b34d037c

SHA512
69358d243792c2f8f3ef6117bdec8b0361c5fc106aa2380733e7529411a1f9f6490edb8b04bfdf7e02a5941e08bd1be013215a176cc1e6e92d9998e93fb974b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
da793aed20ccb1578a12b32fbd9f515a

SHA1
18ad1dbf77b15f49bff5b34c07bd582d8ec188ce

SHA256
843b99feb81f162ced958ce59caa1fc798fbeda8bcccd629722ee731256f7883

SHA512
c38f5b73eda4d12a469876ddb8b9d01aedafaeb46acee2e1f495a29ca34f915e5c1707022d994b2ebd05860cec6f5acd89f740fe3b4e6443428b77993f4b8de0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
f857835fe75bbfdd5e3c53de1e8d811f

SHA1
7e54567045c2f8631d2b6a7b8f31285368f8df8d

SHA256
7c830f9addfaa07e49f43d16b4b2aa89e35c0e2a49608cfde683f6b8066cc121

SHA512
14891a81d627e31f4df63ea2a568a826dfd729c24874a39aca125ee74cbb93c2d2a30e489fe77cccdab438b112080f4ac50faa94f42f7b10e91224ee827c8883

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
f49e431df177a809fce60e4dc24a0cb1

SHA1
b207618d30b9b88c40063a550dc2250f6f3142f4

SHA256
093c2467d4d8e03035475bd1e2d102ceafebcd2ebd42b6a3e7438e68a16509bc

SHA512
ec8be82bfc4d93ca2e192eeb1d6c89b2290c0765651aa819d5f5bfbfdfc25f647fc7c04c966b8ba4c6090c1bc38615162732f4a2fd7d5289818f128def886b56

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
ae61c0cf74ba649d720bc2e231f74208

SHA1
472cde20234d8d4cdb15ed5c9335ee0d1469b8ae

SHA256
8a1d99d5af6537f579d1e78d6dd76502bb0cd25f385e69594022492954777f61

SHA512
231a9b0acd30712cffcc6380fe4a53c2f40073665292f173dca3f16e4c62f14e82afe79703d18e17e1ceec5c8e4ba9e5ecc033004e982f1d4d04a6e17d18b760

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
71e0d0df1bf7c26289a41e45443739e2

SHA1
8569f72414fd1be62a8f7ca07a2e41eea793010b

SHA256
3e759b9acebdc24150849ea0cc765fdb6c32fedde01c16b95ddd6969f06acd0a

SHA512
254455d091c67c917aca5f60da7eb1c71cf2160265e7ce0da671b3fa5d82387bc4a1db7df34a094dcd5905ad2240ba8175cd4182e46b389742245a2924a63cf6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
f4ec0a8d7aba37577a1bf89b40564f38

SHA1
93bc030bc507120c6ec583ffebaf71e7fda5041e

SHA256
58f74b3b38e07d715f1ac745e549c0b4073c6ca9ea16f9349a9fd75744423d90

SHA512
7295f09632fb5df735d5c5575dd5b31d7e146f36663ff626910b0f0bd17610d49125ef18adf6e749b6a881e1f1adc0db54bdb80b9d80d12ca7b59ea433541d12

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
18bd0ef14810b8b025e8672c39ed932c

SHA1
3d3763d4638087ee153bfd61a160d6394eb452c6

SHA256
d480db9fe4e309904195d6986dc167e9ed1eab27c34969e72686adadc1847c41

SHA512
b5bc45b5b2594dbb3973d135585b9347359c23a30c02c04aca3713a6a1348290cbd388e6a827f03647804de5d8caefbaf6d668305600ebb068c0cd2e830d3ec5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
8d685fa5f9dbbd5136da03f1eaca6402

SHA1
06fc03886d5d08cea58facc1d0dfb7f2ddf6e930

SHA256
81289e911ce4a8c5be6752f79adcedce392450255a12dd8fa9f5590c1930c8b3

SHA512
ea7e57779613bee97ccb1eed0e1717326eccea80056d8257942cf802fd8532dbd138fe090e03a4fb930c7e89c24ade031ce40e54dee74a5e7cf4a5afdb219c41

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
6f884118624cb9456fa852e0e57a88a8

SHA1
9b95c7579df96db61394020e48de68584da049c4

SHA256
dcb7bcce032752df96a9a780aaa68f5314626b10719772b00b1b573179a41681

SHA512
aead12a3c3a6463411cbdb4ca8ce956c119d20509d3ea9c2eed7f288ddb436ec500ca505477120186b819a9c2f0d40092a8307d4d8d0091d6d8f16524bbce4fc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
22f361edb0a6a6613c3a02b95fa05d8a

SHA1
990e9427d8ffd438e86fcbf40d482c0e82696edf

SHA256
1c6ac19631f743656c79f221a1aad094848a3e43ce40fb4c22967c4a4f497583

SHA512
80f8afdd5c0ffdb04eec9c5efd4d523013bd818ac41a6307bd5320d788cebf1efbd5e811557f6a3c096d253bee03b0e229d7eb4f5ff9941d2542986343ec8a85

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
edc2478c0d541e5675bff2c610b5005c

SHA1
95a5cfb63a33ceef0e70cf328ad90f7df5793a51

SHA256
372f9ca797ff4a9a6fae8fdd7233e2f3b78976c231ec08aa08afba39904a25bc

SHA512
3500875633005eb3970e29d6a2d6b9da08fb242093bda4187f17af2f337599633e58274255ee1e4b32f4a21d4c703c6b0319a3ab33740b59eec4fb9b95ade0af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
65c26314907174b83a346ec2bdba784b

SHA1
267eeabe4bfce2543659886b4d3a6096e02d83a5

SHA256
5db64e45e758c8d169044bf8e2f2f198170a25d637079e5dfe5faa5eae017c73

SHA512
fc64cdf3473e3e6de2095143459d207861cb1324f2e9bf884611c324b688d5f07df83570600fcb6a02f0022d46faf9befb0a76c643a7e71a5e049390ffcef69d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
cb52929934f14046f2ca27eed3efe3a5

SHA1
babacb802c42f8feb39785c7811d430926c8300d

SHA256
8399fad0c39cf2b7ede7cb593fafbaed5e3e264430478228b50cde82b131154d

SHA512
51ede28337ec9e484e0c6195e0b3a9eebb010f24672ea7e4fda69a68c9a6f3ab341018a8a754bef664030ef292978b81ade26ece9a2069763cb98b0b0544cadc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
462B

MD5
5a9c15fc0dd392811f885e1c4d931ac0

SHA1
f5be329fafcd16c2681235983ff22f114303a4ef

SHA256
329903564e73a673d411531a39a8e5e25b675e961009e57ff50139b48423ae80

SHA512
f0d0625fe5f4b0399b57b371b36f5658ad1c06065da9ada07d2ae804be7022435e375e3c4a47e98d82286b4c04551d4cb4895755f202bcd4610f915515831387

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
264B

MD5
b62f5cfb9454af317e38604341f33f85

SHA1
815f4bd0410011ed1759abefc4fd2d3a3acb8105

SHA256
80916a2ad1cce4e9ecfd8d89048f614d58442d2a8705d19115adde298f89b69a

SHA512
fcdbb008be8f23a237846f1b600f0e9a4307006e88d3a2a6aa8267f1d6f75482ada42032bb043c80d99ed0476e8d02164670fd44977f3ad479d0d3361c5e1e10

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
12a20380cb8580347ca489ea312f0d6f

SHA1
dd97514eeef985142b6be6f12aaabb42f5b64a7c

SHA256
aac789f3759a80ba12bd9131bbd13c87e86ae708c2e46d47db63e5e3de0f80d8

SHA512
644623672b08552bba2664a8502e7d7d5111cf3b2ad629cc79bc88bccd9af4afd75b2e531cff9d139ac23519a927af234a8809f4f49b02b983a4b09069c0222a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
3215c7e29ea1f323106a1ad8a4696e0f

SHA1
87bd85cfc8ea929a16f9c435da03c81987da29f7

SHA256
4d09fac08c97ab169af9cd77c08d77265df1b490133938bd456e0cacd339bf00

SHA512
5991f0ab044d0058503be7ae40f5442829a5dec8e3bed95d9275e2b48486fcad0b9cb82e7f207f5aadcca7fd4617b067f58a72ecaab8ec605be4a2b9b6d760c9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
581d56eddb93d8cc82b365cbd1264167

SHA1
f0330e876e4d4535382f8ff49bb09cea60f8837c

SHA256
c614c094fc6a487c5adba441f55f09f46bb8c420908d8d3dfd564544a1f8a2d8

SHA512
5552fef9aa2d2faafc27ccdfac2ea7fb106dac3d2e52df7074f0d7d7a44d29bb3992a2a82f5b2812d26814fca1a62ab9a6e28705a436cdfdade5b57e88000ccf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
0447513e083142fb487b2075e8571ede

SHA1
ed9ba1dd7a81634b225def4775191f2f43d00abf

SHA256
a3371f9002be55b3db5dd12f770b008ce6c6ccaa64871a9179d81b1de05e4879

SHA512
b4c5b85a1f585bfa31ce328ae9b505836fc552d8de9722be59f521ba2e5144dca69ffe8f28870dcf5b6a2bd46c0de80b5056c02f84d04a12c89945ef6f658e51

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
d2b168abbbde890cf67fd0f51ea700b8

SHA1
f8e220512db628f30a5cfb394a70b3935d081846

SHA256
05fc89c2e57ca9482ddad7c5305db064ad0051ec60f1e9030f918b94760c0de0

SHA512
3ce4ffd64b7fbce2ff83d7cfdec2d852a59af8755090e84939f7ce528ca2e17022180829f417dd70cd0f741058f6a1c920a087c249f1fbdf2094070db80b075f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
6e6f76a7b18bf52dd295eddb3389b6aa

SHA1
028e396ccf3bb44f72961689910482e928505d84

SHA256
3a4f8125687dced8b9247d034df9244bf03e856d305797bcc4f331c5ccdb5e0c

SHA512
2401894867653ac0d11f08257833c6fd98334b3047fe49f2fed0a03083f16e5a37822862069493fea78579f85fbf51e134393c750e6f2284dd3c36a90dc247cc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
cd9808ef732bd5f53392f0cad0f4a860

SHA1
59e44584d31d95af71aa7ef530425507299e6f09

SHA256
7ec00b772fcd426ee645450d4928fc9c08d5a37521bb45730d169dde1a9a784e

SHA512
3f4cc029d7a57f956a1a2bc3c3dd39fe4248c96121f27d05a72108ed041e7e5fff507aa42aa03ec0fd5aa7c83b38f232f7e1eaf9b6e3397620e93ba7a56ec7a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
413489f64dab2f0de6481d3c5693c1eb

SHA1
9ce353e5dc16d6f67f7c7d6183864a34525cda4f

SHA256
10b5241f05eb3e7df807744fbc148b06952370e65a7cb8910ee0ae8f46a5af97

SHA512
7dfea4195c69784964be33041961072c919bb2177af86e3f9ab970fa620a4fa16e45b17fb87c0c3f99ed5aae8144c31db14b31e111ddc532094fcb9fd4c3ecc3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
18fee9597e7fa55f20d1a5e659c33977

SHA1
1acc7f3480d76fd8ffbd99d7eba140aabf74956f

SHA256
abdcdea97eeb9c3ae4607f9d7a413f8c046ad36ef1f5d4d66a429eaceba82bb9

SHA512
bd288ce1eb7ea7880aacd70ac4d2a9bf4b304be9886fb5d43214887ea79c1e2d97807a83e0a921b7cba0ef199c3cc63fafc64eec8662ced9d15200217e90f321

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
650a2e4f33d315fb203bc868fba621a1

SHA1
b2e9b68d7a6c89f9db36a5d6631cd50e810dadd8

SHA256
f658f4d59d260f16a8b5e3a69121be8db1f6a90443388a8fb53a5a236a3a6d4e

SHA512
3dbba66dafc373d96f09486fb154b15a336c9c263a6d8d147ddd6c12d07d1654bf0b1bada8788d2fa8b79fdf2abdfa04d9c18aa2c988e64bb56b33e6ef42793c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
3105ccbb23c7584c8949794a52ccca17

SHA1
ada8378293b027a171ff626f5f59e72ea7f6a68d

SHA256
b6ce2ff9597ee6c1c38020302f9c19272cdae4bb0d73485111a3828d7c3614e6

SHA512
9c1ad0604a48c1bc6e75adfe2f1a9c99607eacfb443be1afd1588c916fee005ee2a293b995aaefa9796ad39a21f29d15de4867701b2c63c31300b4947cc996a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
2662a17a2b90f0ee8e3824a93dddb4da

SHA1
85a9e4f123f53ca845593ad729317b729a474695

SHA256
9fabe8faab76603376237232cc6c97bd530c7b8ad16b93d6d51b4026bba4f591

SHA512
8d55542ebed56ea4d055cd3c9326274c98f316d555fefc6148fd5fffb13a3abba7a30c5f75805e6ef9c727552ede31f2a1fdebfca54084db1d3b86df7f160230

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
3eee078ccb0c0fe62c220ed7a933c4b3

SHA1
85a7ac06c0631507b119357e2c80c0b17e65a78c

SHA256
7fcca4d96c212e9b25bf7aac945f67b72fd10f851084aed534ef344a5f383167

SHA512
a7085fa7617020b4773629636d463ad9b06ae0e0ad41c43c17d755b4ec500e7d59d12e5a081a7c58b1063f45b2dd439e235379f4d6f500f0ca00108d110d42fe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
1e605987afac81f38c47f8ea004ec6e7

SHA1
f2b0b099260811c769de37387a21c2b7469718e8

SHA256
670af22d011de3a4defaa2e8f95349fda7697b7475a31781e3c1c400a86958d6

SHA512
257cb9e3d7ebf117bc3d9db9df246548c6d4143cacd1f85f45da68fc4ee2102d612ff5848c3ad7e6f468ef5c77c4d0489df46a5fbeb50799c0b8f2e7d4c78256

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
726ff53e4b6f616988f7a251e3b3785f

SHA1
45b8fd054ee01c33a1498786dc4b40e9a91b41da

SHA256
be7b69376bfa47bb8f81efc03393fb82b565cb0be394acd25c5caa40e24b9644

SHA512
e1da347c4511784db058b6fd839ff09f5e21f8948412571d665f429690076245405caec5403cff3d39a6e14ad4888d77b5bf4ec394cc855257dcc2ef4371227e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
3ea7e01c94fad0d4063eb0e151804237

SHA1
704fa8a24633d50e289c64f1f075e1a605fef97d

SHA256
5591accf0537d9bf7d65616a338d535c72006f5638e18de1830045c499130e8b

SHA512
29da05191dc4fba8e6b82b3cb4a742ef9f1b0b59245a3a5d358f8602e3cfc0b76b087e73276d8257672720bc4f0cebac7c1eabec235a74974ddff0fabadb09ac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
735588dba30c5f9f247564bf97683da9

SHA1
a494ff6b872c1159cba817160f310533da5b88ee

SHA256
f50e19c2bf568ea2b6a958bdf7fe7399780511f3030f9da3ff8f79d8ffa846a7

SHA512
2a7a57c37e4cd7a11fd27405d756cd3720b23a9c4e049741418b9e4e2c42867f3a279b0311c1a01a4f5b3e6e4594e797aa45945e56b1ddc25bcc19a7efff5985

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
f6073aeaa544c55d0da7d64cd44bf8d6

SHA1
ae33211b848cbe446e1462b50cc16885f347d74f

SHA256
1c4ebda1fdf2b0ad17fbcb72d7dff1c667f83e6b357e4f9c5e6529188ce5c504

SHA512
2420d4960681d500610371a9604a2acb97097ecd6995774300e4a40dfffff8e2df650b88094701ec9cb1302e2d730320407bc41c892a654c178bd240f474e159

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
f75e3ac502e08de1a5a843dab20e3e54

SHA1
c3a8452a6ff4555a1d2f509ea6961b9836545783

SHA256
f5d7f01a9e02352cfa3ca7d1ae6979eed29cced39c9152ddfb7ae5f69da287de

SHA512
32060cd5cc78a77796130c7b693dcbe6069835434950861f1ffe823ac5a80bbe8837646acb38ec73490da7f0588f6697628e5a6500284231a64184d0e82d7ae9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
505d26852f0a706150dd7e1ed947f5c2

SHA1
ef0d9723e3928f096df08856956740ef8de0a926

SHA256
fc3fec868b73269908925f9d9529f42da70bd1d7fb6ccc8b8bc7c87b0f357dd7

SHA512
546e9be7e56dd4d0ba60980ecf4a817f1ff04e5cb69b53572b33c9dcdc89075514a9de6e1287120a813592e6b3f69f216c8963ef8dfa4f58cfaac3da8d0a8b84

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
cb7a7a142cbdd00080761f07944c3f01

SHA1
9050434b98a506f7bbda9e9bb7ce81a96314932d

SHA256
30f08cf3c89a79c1a053f1071b432a7fdd90526e8397c94d815c8b8e037b6781

SHA512
b56f5eee911baf09b0a48bd25bc5e741b34679d340ab7da721ac22a516f26ae1c25b2dc8de2f180af33b409479bb8f3fe07c0e48746c9fc063ff5e97f528e032

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
bcb0b0d93eed485eedd15f7fad92319b

SHA1
23dfc3df08661cf6828c1dd99704909037a380e0

SHA256
071e072f5e4d39992e1b1b423f8b13422c3cdfa1a24e3f6479aa005e793cad59

SHA512
376c0aa87f9cbbc9cfe9e0ea92069c55d680ab316788258dad9fb67fce9d05c5d977e1511b347a654b3ee10683617761f4ba2c303c5500c3cf30e83eea319089

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
456375dc759f7c0dfd59493d12575360

SHA1
b76f3fa9d1058de5e8538a8b89f8030f3b6dfc88

SHA256
34d959766ff4131e523605acfc3305009bf5a74d0aade2d36d7f9531526c64aa

SHA512
15d6e30432ff8a3633ca7d50947a1b028f122ba612c9f4404a61675cb060fb39accd748d96b697e90fe12cc2f563813134b8812f9f5ae2e2a353a181d6251533

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
6bab003d0bc9f67d4003f043152ae58b

SHA1
aa32b20f2c181eefc32c62860323caca0f5ec367

SHA256
f3f43d0eca67a5d439cb4c4c4b018b2e79d767c43cf73da46d355f16f5ea7860

SHA512
55c95a53af45a373936f14eeba8625301ddfce634f9f01acd787e5210d712f01b36ae7252985bf3eb77488af5250ca3c623506812ef10bf6013f501fe546546e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
afa4c25d40a3e0a1cd78cb100871fe90

SHA1
7870841179590db0b737772edf5a579dab08cf03

SHA256
58696c2d88d6a58a7e3ccbc81696fbf6f0eb74f06b6e7020b8ea41f98a4a9e59

SHA512
d2468515106d10a5e008906f75cf57afba2ab333c29b5ef3a70a8a6853089b1bfb6bd3954670182c093e1a3c00dc434f58357487337368da172505c16a74e5a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
2c4fe034dd2802c93b9643441b664efd

SHA1
cc1ec15c958d67f710bff5d0dbfee473870acec7

SHA256
fa497cfb72cbee49cf67108af5ca4f2e1a6ef4bbd82ed0a604033fd36da12bda

SHA512
cfd2d924bc0b8818a77b09f48cbe2fee1a513fa8adf9bbae73e0f369473b8a457498167655370b9dfd13ccafe07b620ee2b0d79a18d23674263912736c4195ee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
f32e5316ac83caaff4831dc08cbe10d0

SHA1
06a61926e7083ad3f78d29d9a0362d9d4d7a2b5e

SHA256
c33e10cd775d3effa50e9094f02294e653c447e239a3581c5dd2a359f8ff969c

SHA512
6dfaa117177d2e22295c8413dea99a13b4a337952e435b053e2135d3c57680655c2ad229ca1a0df78bcd3be7de8adf1bd82bcb47790a1fdbc8d93155170532a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
597abda52bef28f9e73062a4cdd6d6ac

SHA1
8db5389fc5a97b90c424be3b2d9f8f1121e0ec49

SHA256
ff187d8cff1550a7c8e31f14d82aeace60be3f1dcdf4282005dea8b3bfb9d2b6

SHA512
92b5e25ee30c967069d19662b7d3cb40ce83c829ff09425a7fad7614a1507cb1030b9413740ac4d2d2dac848a6498439d8d05514d17cb3fd9617a2b4e05c6bc3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
939a0d8321a60753197f691dae598f92

SHA1
76b832b1185d638f23b3c14aff4f0062429465f9

SHA256
77e3f593beaa5890834d1f348e1496988b4516d652345cdde661ef4cbcb6c5a7

SHA512
3aedfb3c01afcbe5a3e449d8ac05b8b419c36bb3af2186a218250c0cbc6e071c786bb834d99e971510eb77ca9634435e1c9a2ac3a2d45a18019003f6814ded5b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
872c35d7d8340fe73d6c719cc62eacbc

SHA1
5149a772de893fbb66b22ac0084057bb5c658ebf

SHA256
9f2ff9d06cbaafb34748c9170e3263e820566bc2de583c850a489a88936fd007

SHA512
5ce485c20f30c5fb0d006fcc12c27c345bff3f051b932764aec372a09b633b8bff9847063307ac7911bc03cfa0535b9e30703ec637f61c1028c5c930cc46a92c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
fffabab94b64234457ca4cc438e847ab

SHA1
f75e87b9a4254a11aa8f694e7fe7d766ec6f1555

SHA256
b99daf66a4107072b092d75253c3fa9c622f0cbaf698633540b1be9cdd684494

SHA512
73193463a37352c58a8fb20db5171fec90c8571cf0178dfbe583efe7c933f0597fb4201525386eaed5c471df0f424583f714187f627a951dc6c05b902cae7667

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
0d0051cd729acee44389103ba597d79e

SHA1
18aa4d4235c04450c5b8856f87d610f41afd9b07

SHA256
a5f97493c2b257730a46486ccaed048f0867e9c7aef6ad3a654aba6719c27514

SHA512
2297dbb1d8045083e64446e4d0af18ba87487d42304543f919df849df5c499e36938a111454cc4f0b1010c5a9fbd15d03629532611baa274cb404e9ac754a0fc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3236f5ecd778e037345deb5535f4fb5b

SHA1
7f061e322d47931020a46a07a1b23ae7701b1f7c

SHA256
34fbc946da46c314eb3d5fc9f62e2f8abecf2efe077b3c0053ceb9982ccc9b93

SHA512
ea697521a9e6d6cae0ce3d21e7472fee8047ab8ee938eaf238b55c99e27a7507736cac6176517fc5341e24c451b8d3226f48dee5c14fa0553a0eba5f41a99e03

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
655f0266bc3d5e2ebe8b7080d6bb3dad

SHA1
ec520f6eeff0d36d1b9d2b3684623080ae66ddc4

SHA256
063aa339ca8ff27b60b099c6f9fdf7c66ee860c4ad15acc0fd0214741796e52e

SHA512
64f966aee758b7877e76128e1b310e1e857baf4649edfd31b52edd65beb299d9d8d96c36a217db9fc710b9295bda0c5c7b4d2116697efc392ca2bfd3b87a3c68

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
5259df30240833fde009fc57cd0d5ac8

SHA1
178690775b0473312b9436b6e0e4109b2eeba563

SHA256
c48e78a5475cd93b962163f6b377a03ff41c7a97ca47b4fd227391dc039bb43e

SHA512
476c835d7a0a0aa0b773ee35656e46bb635a59c99efa1b4218c1c9c8922ff673ac8fb72da2ff8439156cfb046d4a2531b2fc77a4e8aba30608aa5a5e8607dcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMG_236.JPG

Filesize
76KB

MD5
b3887ff0b1d3d901ed4c63648d230e98

SHA1
6fbf1c60d097922594d6f342a84b9b573bd6157c

SHA256
b54f22702b701c651d6abdfad2109765de5d2cecb7b6ce33396a2607df051471

SHA512
12bcce6a0f66646ab65fc20295adec03d943882456997024002fcc3989d982a633ca4b8adf6fb2ac366925960768fcdfba744ac64819dc5058970ea0972b3105

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMG_237.JPG

Filesize
162KB

MD5
2f321533eb313dd2ce3dbef3b802ea1c

SHA1
7f577e3dea5441ad0bed705203db114378eacf92

SHA256
19991bb3935247ef4a285662a6a8709f9d33238a554100f748d90a6ba812334c

SHA512
c6429ac2710cc9e417e7ad3fe9f40541ab249b603cae3abfe2eefdbe4ca9bcd76dfec9a22678a2aa50f1afb22fdf83487ea14d3a3c779b0f6d1d82df50cf0314

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMG_238.JPG

Filesize
128KB

MD5
9142bd7ea7f15ce679808d7f30b992fd

SHA1
d5b8b1108669fbdbb5e0280e485f384f7e0b14ae

SHA256
d2a58215b32a2a60c1291ec9fd390d6a5510382a7ec42075829567d3b73137f0

SHA512
46088624b538a93a4b3c6d32df4889b0e8975b96355e2328384bf2f9a4b9c4c7880b03a836d7915dc54e797bfd28ec39ea0a2b4d68dfa194a9a29dee4ac56b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMG_239.JPG

Filesize
75KB

MD5
e1f9d00bef60518ab0b3c32b82800d04

SHA1
43a685871e637cef1ebb04c483941c711a66c13a

SHA256
e2538f6d1a943897b7d3b6fbc9970de09e06a526215bf8c8c7334f613840b110

SHA512
9efe21ede22708617d3c0c2831a9a1396df9b5a259268b98ccf565f12b199082dcd5ee721baf5d92088002a8cb2e14a070c08603d8877fa0b8b76dfeabb4c6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\i.js

Filesize
892B

MD5
c44e0be468ad3e4d016ee148f59ea1d0

SHA1
275ccc3741e19e102d2fa365199710c35cf61362

SHA256
0cf22b742dfec691fdb0531e59bc46c031d594d8a75409fff0d0fbc306c1def3

SHA512
71b08215ff1349628f398aa6acebb0d05913c2fe0938dfcbab99db7a49790a0e14c98cbfdbd1b4d81a02cda035cb958943fca945f112b2a8521bc08ff704fc15

Download Submit
C:\Users\Admin\AppData\Local\Temp\o.js

Filesize
415B

MD5
f95deb6d1fe48a2e7447501a893b5b91

SHA1
9ad7889903b88f9c8f19d44ed01aef1936c36ba9

SHA256
2a04df2cb236aebee59e85db8bead72e536e0c9b6eb585d31f921b3e662abd8a

SHA512
99891bdcc8a3253c08490e3438e0782edc012e0b52b998afb7b53b04eb7cb9015157f2bb6b97f26e2781c55e5010830fb511738b89c51277caa8576678c209fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\services.exe

Filesize
2.3MB

MD5
90025f125534097e89bd0e0de9e56f56

SHA1
adf4aa493119d5c99d12ccfeebd772ae3c017d68

SHA256
f61084a3869bfe6fe753112b1747bbd2b1b65ef35efd88834fd071efd8991012

SHA512
af41f6a3b0cf8a3ab3ed452b41b93cc27a3b24fe61d919941fba0917eb25c6a50c81c0be5708e6bfeeb73eafc3a0f3f5ab1fcde09d64327619c49718b241dfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ud.exe

Filesize
1.4MB

MD5
5b8cdcf8a540ef238744f176d177f3dd

SHA1
2265427bf216afe7db649ed15379a935414e7984

SHA256
9c9e1c62faef3a8aaa8ded65ec4e09c5baabe15dad96722924b4d330e101e9ef

SHA512
03507a9ba187b4f57fe935ad9f94eafe4874aafa15b7d9b38124bdc0b96d88644718da9b133e4d1fa1b0c7db8dedf1460af54459792012a03ed06157cf090dd5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_sml.gif

Filesize
49B

MD5
742b11fbbd431d9225141d8f73e3d2fe

SHA1
0fdf53f64164faa9339fe48bf00e58728b854a60

SHA256
e45aabd926721aee234a83e6673a32f914f57020b0130aaecca01efaadfc8757

SHA512
977b9243abccb127006cda21db27b2e7547ad2200fba2c850ce4c2eed78351c4e06384dda2e972ec792a4523eb7c7d8eb830698281c5793ed4e85de8ecf9a650

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
2e423b2122dda8b0c7af871d4ff88fc8

SHA1
97409e7f84dee7701b91deb38101ecef532a4a58

SHA256
da1dad1ca636b95a5be41042084c5653553d7bb4b2c1f4e76ed5609b8e3ae932

SHA512
87d4a1e3e6731148bbdc69504b24e4181191482f03c22ccb19caf456448b291eaf87ca44043458c1736e5fc96a9eaef45bc0cc414ba39592e11a4c3a8378c2dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
3355ffbfc64dc9cbad0a22e0c2b2f108

SHA1
4c64bc0b8ef448d69455c3bd91f9c914f21634ce

SHA256
3966159b72ef322de81fdc2fdd3cbee55489ccb92de6d607f273ffb7d2e6be69

SHA512
13fc4b076ed56fb1188e568487a3afe63844e25911295ba9f8821bcc45c5f726df4f582695f4fc60d84738be42b910e6acd8504414d9d5b7b5cd2780c2daa84d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
af87a479c51400d442aa92cf39371d6d

SHA1
7b3f2b738ba4be4df12bc2d1086e6008b7cc8f21

SHA256
ee4e0bf95abdce41005a7390c2b3338f02e7faa4647ee7bf343a4242e0d289c1

SHA512
5df1f53a80c1342b2ff58358a457694711552de15fcca4fe9b307db42c36fa3fb2795712da46bbd0ec51ada00e5153dedc28089763955d5d855ebbea1cfa9a6d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
b2d999236565a8326dcb87a75f1fc438

SHA1
532f4639c0b0643653c8c91319e6629e2f3e1eca

SHA256
064054905522cb18087a1076575ce79f32fe3e0497904b692ef18b2cef841cbb

SHA512
5b345f6adf7e91f56577d07ecac56a4b902a3fe65be489ec95624d5e52ac5a210dc5d95a540f7e2a089df4db423a5011e8e55174915b5155169cc2da265e1b5c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
5fba2655466e94dd6c685167d8f819b8

SHA1
e4fbc73129ed368df54e36e56e2b25c2d7b7928b

SHA256
2ae48d9b36ea637cee9a08a362a903ed3f9ce0bcc51f7d383445e2424695aab0

SHA512
72811b43f4e2ceb1bcdd54c1fa66786ad8bf812dc524204a4a286bb64e57778dc99d4c5614606d17cc4fbd24519a44f47c5cf9711c020003da62b8bdbde99b7d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
00262ee845c71423a9f8b33c53955546

SHA1
1f0e2edbb4550eb2febb8baa1a6a64b6d3b7f37a

SHA256
58c4ce501d3120971f876eca54c30bf263213e37d26b24997cbfbfb0e17eef6e

SHA512
39abaea7f6e0b10eee64d4f0d15351ef401e7f7802f477c1f4a761db9bf4aa68bac9a56b3f58cc7ed3ff871fb79216e0d8c74056f685c792d6286734fd4ba3f5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
094787f151f51974a5748776b58b6c3c

SHA1
9dc7d84580e01a4c1518666cde39f4b3096fa3e9

SHA256
75882eaf17892708dc616d79cfbc44dba63707a8257238cb462811dcb4944b2d

SHA512
818429622af0e1112dd02749358d36b5663998764aacddfe736c684322d512fab64c3ce440c5dda9fb6773341dc57725a22b60c7a2b4c681c876ad6499fdeef4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
7367c6c5b863ab3f8f6ddd9b076b95c7

SHA1
a26bd628985315d18ffa779e20b1cfc0d9c1b0e5

SHA256
248a7510e5fee9a162a9b5e4fca2fd5b20810e68a9b7f42969a16fe0d9b1eb73

SHA512
4f119d03a082b7510f8f0eb94c41328293e43c569d5ebb499fc03b64d6de864969bcfb5fa97e569f9df6e6a230b26ceeeef75828e5076db8090c29262e2cc672

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
d649ebfc8c905d9a3113553cbf35f17f

SHA1
5e9bc189299dcd1607df98a48db9d22e1465bf66

SHA256
1474e2c1ec66e28ab7575770ee738736df9e135a0f9a4e039c8eba817bcafdc0

SHA512
9ba885e2da7b0d7237bad7a6ad0bea8a3faac25e3ff05bf59a6fdfa74883d5ab20ca4f93702ad373facd349bd7b3be15b2dd906f294d062741e8afb90c84ac67

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
9c3fbe2c7500ea5c2648ac42447e62b5

SHA1
1896325222bc9cc7038bf65d0e9542ae80cfdf62

SHA256
bd1b766ecd0c8d5e06fa8416f305f5d2253365050bd17919a22a2558f77b758a

SHA512
6393bf9109d7b04e9b80e260086b657cb995727c4db00af80ed62353d34e4b5e45470828808dece5a08c9eeeb1f8d23f8f598f81b9e46efae0a6babb758b75bb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
a74bb605f4dc01393cce57d88e87a314

SHA1
4d35f3f7435ece4fb0edbb9b46d8fd351e2b73c6

SHA256
d375369155b39c495f71e14ebcc332e8104f5c82bcdb33ea8352952e98316385

SHA512
cdb23b9b6233bdf6a3506429f13288adaecddfbb025cc3acffddbbd56132ddafac4420c4f3713996526108a663a5a7de414864cc4d322726c452be3d72c24342

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
8c8801bebca07475cd26b734e5c00027

SHA1
52ca911f7c31547f701336ba275d3aae0b14dacb

SHA256
425eb84c24bdf032e467ca2da02b3f2dcf856cc7bfa4758b0b7b4860404d48fc

SHA512
b205d03fa058064d138b269db2cef995e21e9514f4def800de4839084485193912181fefed5769720e97dd2c110ea5e0282fff3fdb612117b3ad32ce4df091d3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
cb89d66d9f8b59c62a6a1b52cb9191b9

SHA1
c289709be57179ab1a30dfc8d7a0cc6c68d50ccf

SHA256
5abf8f2fca4cc95387a8491dce2a176c10ea48eac4ea775c759a970c41d69eae

SHA512
9103a5d01e1d4283c3ff31748457ee7b3478aa241a9c7177c38a91e5621fec039e99d5921cfbf990cf4abc33352ecc34a8174adbf4c58db7a3473f12049c2a26

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
718e192cab432c61d9ed6e2ae9806dcd

SHA1
a75205bd3ee6f44cae3936058590bced3fa8869a

SHA256
d649d5f47dfa8b1802c0838ce9ad9b20e381c5dd7115d742694c866a8b80c891

SHA512
82152e4c67e2597ce7783e849dc4e258675bbaa576a7465010d4de87c58cf9553af2e1b9a77d0f7c10125c530e8ca5f186727fab99c2678b4bbd1e7e0d5e713e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
b81caa62bf24763b337fe3da276138aa

SHA1
c0c815b36e3391d7da52dc732cb0c930504f980b

SHA256
e949054972c6785e9a9602c31f909fe7fe24b5a80f244e865378715a011000a6

SHA512
b6ff90f812ec5953d586a3c24cb30f8f3785c9120ffb6ac72936a0b71afee1165ad89c9f28971d0b5c72f0cb97d03dd77fd1d149f6f29730d91623b07ccbf86d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
2994dcd0e9efd7f453d6ed1b7401d33b

SHA1
521011866644736665f71e9972bcef1a9f83054b

SHA256
68e42b2e5f7f5d806ecab8ac99f66c70060ef43ed8555a155a4882cfc63ef417

SHA512
eb9165ca78d4fcbd8f7eb71e20bc915b1fcf586226d39fc36148bc3e6e863cc1505716ed1a76e12fa638e036bb80af57dc6f9d32eb4458672cbe79e1d198bdd3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
1feb6d16ef5ef5775767325e7bc2c9aa

SHA1
df35766c8aec36d2ef4f6fd06d46fd9572b8c2f7

SHA256
fc33e1286b7e9483d8fdcd546e9e223ddb5ce0cc65a90ca75084e07ffa4df3fe

SHA512
8e88c1e37cd0d219a6d5740a6ef66219555cbfda1714171dcd667cb47628ca894f9d750dd91045644663ab91ffdd5daffb1351856007c5b7420bbc5476ec196e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
e3bd1ea3a3dd310f8c9299d12b19d76e

SHA1
f8262fb3ffac48de1f0aabc802c60ec4c20dc982

SHA256
1a35f30aa864138dc9560c71df36f5fff220135550f431c81f6bb93c25273705

SHA512
d115a340e94fefea26ecd063000515dcf7b0d9c232fc430d9ab422a59d742c5a85b331fa2354e53b5bcd29e4f9cb7eeb47093466b6e22f58d37647da2435b81e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
b848beb503e65abe293162f53e343c27

SHA1
3d0e7389485fc15d92c589c1272c9a61fb04e92c

SHA256
10f3bf9e1245bd032c2ea68e52d69d2e2beb465a4f26bd68ab24f5275f9c3000

SHA512
806f2103bc0dcdbeadbb09c2709899ea03b57fbfad68860752a605e6ac60aec1ae1c5561cce4be20aea67f47d1d31cf496406ea23d0a45012aeedbce63f597d8

Download Submit
C:\vcredist2010_x86.log.html

Filesize
80KB

MD5
89c5917374a380129659179222600afa

SHA1
33a44730705fb1d922cff4518c0a519c23ed993b

SHA256
e26c7a787398ca7406679088d8a28a8d247c16d538134bd9e321ece4a954666d

SHA512
1650f2adf9fbe3872d3c464c1fb69a5dffd0dde5ac4a545d64b102cd01a69a4034ae01d54081402a54305521a7ac45cda74b6c31d1c92e765811b6e5bd990908

Download Submit
memory/1292-65-0x0000000001180000-0x000000000126B000-memory.dmp

Filesize
940KB

Download
memory/1292-80-0x0000000001180000-0x000000000126B000-memory.dmp

Filesize
940KB

Download
memory/2788-78-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2788-66-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2788-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-68-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2788-77-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2788-74-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2788-72-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2788-70-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2932-63-0x00000000041D0000-0x00000000042BB000-memory.dmp

Filesize
940KB

Download
memory/2932-8935-0x00000000041D0000-0x00000000042BB000-memory.dmp

Filesize
940KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads