Analysis
-
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 19-10-2024 03:36
Behavioral task: behavioral1
Sample: d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Resource: win10v2004-20241007-en
General
-
Target: d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Size: 366KB
MD5: 38d9aeda5745ab2d524d8f29628790f0
SHA1: 3d971bbc61c99f5cb5a1c8506be5dfba7fa813e7
SHA256: d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2f
SHA512: 7a11d80b36f5213ac7a9ee7ccf50bcc652750e8a3521382ce40304ed2e4cd1cb20b1932070bd9d176b3d6def43ed109ef6af87b28cea33d26f7e463ee1ddf56b
SSDEEP: 6144:3/sNJUbPaYnJ3deKx5kkdsg8jJa/R9QwA0rM7WqMkCGbRQ:3oJU2YJAKxznQl4MpbG
Malware Config
Signatures
-
Detected Xorist Ransomware 5 IoCs
Processes:
resource yara_rule
behavioral1/memory/3028-9084-0x0000000000400000-0x00000000004BE000-memory.dmp family_xorist
behavioral1/memory/3028-9083-0x0000000000400000-0x00000000004BE000-memory.dmp family_xorist
behavioral1/memory/3028-9097-0x0000000000400000-0x00000000004BE000-memory.dmp family_xorist
behavioral1/memory/3028-9098-0x0000000000400000-0x00000000004BE000-memory.dmp family_xorist
behavioral1/memory/3028-9100-0x0000000000400000-0x00000000004BE000-memory.dmp family_xorist
-
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
-
Renames multiple (2181) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory 8 IoCs
Processes:
d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
description ioc process
File created C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
File created C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
File created C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
File created C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
File created C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
File created C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
File created C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
-
Drops startup file 1 IoCs
Processes:
d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
description ioc process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b7q7TsuBvQ3W12G.exe" d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
-
Drops file in System32 directory 64 IoCs
-
Processes:
resource yara_rule
behavioral1/memory/3028-5-0x0000000000400000-0x00000000004BE000-memory.dmp upx
behavioral1/memory/3028-9084-0x0000000000400000-0x00000000004BE000-memory.dmp upx
behavioral1/memory/3028-9083-0x0000000000400000-0x00000000004BE000-memory.dmp upx
behavioral1/memory/3028-9097-0x0000000000400000-0x00000000004BE000-memory.dmp upx
behavioral1/memory/3028-9098-0x0000000000400000-0x00000000004BE000-memory.dmp upx
behavioral1/memory/3028-9100-0x0000000000400000-0x00000000004BE000-memory.dmp upx
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Session_Configurations.help.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\Media\Afternoon\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000452_31bf3856ad364e35_6.1.7600.16385_none_43a82b387da044dd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-push_31bf3856ad364e35_6.1.7600.16385_none_cc073ae540855a07\NavigationRight_SelectionSubpicture.png d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Windows_PowerShell_2.0.help.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Text.Encoding\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sctasks_31bf3856ad364e35_6.1.7601.17514_none_e8657d02cbf5e4c1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_remote_jobs.help.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created 
C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2cd2a68aaaec5026\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\amd64_microsoft-windows-power-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c4ca151a686554f1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File opened for modification C:\Windows\Media\ir_begin.wav d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_de-de_b2c05a8c483fb13a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\amd64_mdmbr006.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0385477b6a6311d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\x86_microsoft-windows-themeui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9d95d7f2cf298df0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\406.htm d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..licymaker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_590ecb9428986715\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\x86_netfx-mscorrc_res_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_c4ae794258959c84\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File opened for modification C:\Windows\Media\Calligraphy\Windows Critical Stop.wav 
d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\amd64_microsoft-windows-d..w-dvdplay.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7e8e8dd38abf1dee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\amd64_microsoft-windows-udfs_31bf3856ad364e35_6.1.7601.17514_none_049f9db233833b25\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\wow64_microsoft-windows-wmi-core-repdrvfs-dll_31bf3856ad364e35_6.1.7600.16385_none_e48b55da7efce7bd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\x86_microsoft-windows-d..iders-msi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_145d18a454b6732e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\x86_microsoft-windows-n..ion-agent.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a26a3b2bf0a79de4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\amd64_prnbr009.inf_31bf3856ad364e35_6.1.7600.16385_none_4d88ba167403f57d\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\wow64_microsoft-windows-m..icecommon.resources_31bf3856ad364e35_6.1.7600.16385_es-es_97d520d2da4ae377\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\wow64_networking-mpssvc-svc_31bf3856ad364e35_6.1.7600.16385_none_005dd77215ee863b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\x86_microsoft-windows-timeout.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4fbb9751d1df8a4a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt 
d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\amd64_microsoft-windows-t..er-engine.resources_31bf3856ad364e35_6.1.7600.16385_en-us_133138db7a4bbc25\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe File created C:\Windows\winsxs\x86_microsoft-windows-d..entsnapin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ab91a3fa62bd4ef2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
-
Modifies registry class 10 IoCs
Processes:
d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GJXEVPQMPNXFJOW\shell\open d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GJXEVPQMPNXFJOW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b7q7TsuBvQ3W12G.exe" d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.leycoz d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GJXEVPQMPNXFJOW\ = "CRYPTED!" d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GJXEVPQMPNXFJOW\DefaultIcon d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\GJXEVPQMPNXFJOW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b7q7TsuBvQ3W12G.exe,0" d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GJXEVPQMPNXFJOW\shell\open\command d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GJXEVPQMPNXFJOW\shell d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.leycoz\ = "GJXEVPQMPNXFJOW" d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\GJXEVPQMPNXFJOW d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe
"C:\Users\Admin\AppData\Local\Temp\d7285f6df3d2865b38862767dda78f08d9f8aaa8dedaa975d37fb4a394a27d2fN.exe"
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3028
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA512c537f618ec8e5670937e1d904fb5bffaeed894176bf611c92c4fafeab95bfc2dae46c93c6d1c4040ae90033bbb24d19940dcb4201569830047378df9546e21f3
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif
Filesize869B
MD5c6636beb4e458ae87584640673b4e44a
SHA1325dadf5fc15e2b08960a2a6382580b757db416b
SHA25674e31612bc78be94878a8ca7527abfd3173209dae683f33d8112bce5377e060e
SHA512aeddf1aa09a5eeeae85474c4116418f3b26b325d03c602157fe2cbacb736ccebd9fc55532d26e05c688e80d2c549fddb5a0ebf6c72e78e2dcdbdeab113806ac8
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif
Filesize847B
MD569a836db9a89609c14ff2705b9825f16
SHA1dff5da772cd1ce0c52e76638d274401ccf95773a
SHA256614524ab8423bbd931d1f525a473a7e434be3689036acad25b196519d52c4f8d
SHA5126304e76e82b6cdd5ab4a4516298220b23e6042616a797abca8099ee1807124e9eb49e08c0827454f5e643b293e5649a71d6b3e4087e41e701e74bc4e8f7fca49
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif
Filesize863B
MD56ec2083eae6d01a8e68c9d6f1efad207
SHA1ac1385e1fb10985231ef98c74cda0c094be6ad15
SHA2563a958283224de54395013cfbd10eac3f7d0ae5b7e270c66e8f7c14653b8ef667
SHA51220c1757129834d717ed3a0e2507ca8bb95735bc078e5bfbd538171722f04e1fc734e5b98a27d901ed82fcc5ba6003dcc9cff3926d16efd0e59be39a976c1bcc8
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif
Filesize861B
MD5500ee5680477f4a2ec85d156362d61e5
SHA1f42f7711436738898fb8582a7fb3bbca313b58d2
SHA2566435d3e98350a877ca445116fc982b59df18c9c8bf2a9cec3918e5f15d0e9b0e
SHA5122d9bf00088f947f8660d3548cec071dcd83473d7797e1c01555c0fed3d1bd542ecd4864d0d03468be3744270c0a9831ab53b0f15c4c3ed8161c80c2d6fd03c09
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif
Filesize850B
MD54106c3c6ca8ed4669fabc224c66e9a2a
SHA1ce9e1b4e862db0ed699379e61b36b85b50a07af9
SHA256300ec8aeea7e658544e0968d56465ab274543d9cd2623c31b821a45f633663bc
SHA5128f87ae58932598064ec7a15366c313eb67a5025abeb09e2ff9c26f47f67d231d4bdb2a249c6934abc620b2e852b6516fb02662056058fc16d0225b1af8bee570
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif
Filesize883B
MD5a46eaf1b6b01e07567ca65d29449cc35
SHA1aa492940e2659eaedd277834b8d90eb2b82b218d
SHA256a6b800088266c799ae36d2b49f301e32fa24da2a9ed05c452e9d5a017d370b48
SHA51268c538c1b6b51023502e3ff8ba91fe1aaf27a39327ed10967e20f2ba3de305ea8275a1ece0e755d7d5d8e2ed0b294cd51df2fe1ba38ac9473d70296a2306f6c1
-
Filesize
153B
MD5190a4d6dfbec070570623d62a05c7ced
SHA15c8cbf4a27375e75b5715ec5587288a97d78a2d6
SHA256daaa944809817e7c5ef6f218a14663698715b984c07a6a3ac7d5ab5bbf479ee0
SHA512fd2e60d417e5e19a48d22660db497900891bd3bf9b41ded5bf917b03d64ada3b32c239405be3804e328356fdba32a841424c04673d059473fe33135cfcd5da83
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize12KB
MD5d2a12111f17006f3edfcb76e535b5e33
SHA1dbf85b11ffc2e17ecee785452c68edb9cba6c619
SHA25632cb9a0c4f83908a0bd5a5e5b5538426dd0ef0c1ef48d5c3b496cfdb48e964ef
SHA512b26d476be25ae21309778f4a8281e52df7dd573df72afa151bf56c77e858d10e8af0457bb15b8e968872052d3c3d86701a05f34ef57a5fe9253f314f89361e87
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize8KB
MD5e5ecc9ce82be020ace85b0ed66d05702
SHA1e57291c7a0383ab2cbb4b2042280d7ba0cb4922d
SHA256e1f18801a9a27f48b408fe1518e84b1732e9442ad522809fb920e2b996cef167
SHA512126aee9892046160e31b96889d0359cdd463f86b39aaf88bdd1473e92e8a62726803118767cbc140e769cf04c4a500fee82be78d816fec0b6a899d66d29e8f22
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize11KB
MD5f2b88559ca319309d1590e4d6bb0b26f
SHA153ae64d95c260cb884d4866f30da050f6813f95d
SHA25680ec4c79918dd2ca47d0cb4c1769814fe0b7731c9c0351ba465b47de713d6f63
SHA512a82d6cf087df6d59d39db77d6f8e10e0a8ab477c0595eccfc582f1b340331cf6e9f716404c7007e8da20d34b7b74aefe1a40c027538f1bfdcc03da030c844147
-
Filesize
109KB
MD55a393b60f646b40ea984d00845073456
SHA130e46524e677f4ea0bd54525e82a3a8bd032447a
SHA256cc947223f3bb56785a7e9d21e51e8ef7ee3cde874fe947995afa327be6df9116
SHA5127109bdbf6c64283cab21dc8e6103a87f47c97c8915b2424515c7dabb5e6b060487de8f83141ace3ef4b2c69ca52ca2bf911d49ddcfd80564ebdf66e51773bc11
-
Filesize
172KB
MD571063670426a286f78de7c68ea42d4f0
SHA17bb07ea13d3fee0edd9d917df64c26f3038a6f97
SHA256045bd182d0d71ac5c311954bcb241f23b6b2f3bd8598c930b275cedf6d315e3f
SHA512ddc05ed88ae862a77e4be6ed04ebcefebfc4004c3e5ec0c87654fe15f8cdd689d9937ba6102e90d2caea78c86910820f0880852c867ea8d8cd849a25aa48131e
-
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
Filesize1KB
MD599e7704afb7e050123f0c9b7a21bd3d6
SHA192c28dd36c68167b31d26282b03cdd483a68033a
SHA256462ca6de5eb8f5546be5ef4014de1b970528771fa98da6e6899b47960217a0ab
SHA512a8ea5aa09a970ae9efc35b398f7aa41be99c4ca27548a51bc2e216420b43662589e6217a8bba9156dc7bfef2f338d05e70d5e0a3339802aabd5fc9e8bd2a64f6
-
Filesize
21KB
MD560ab67f9b776a7684697067c292e9bb5
SHA1ebbca44ec73c6d0d3c587b6600185e1f6d9622ee
SHA256a90324434911cdd8beff915385c492c8cfb47288e5c9626d92aaeabfcff16d44
SHA51244de40c5292f2e6c86318f9af2bd856d7af3e3c2432db0ac6a1a5556a0c8c761cae15ab2e2835863ebaa4e3cbaa1df614e6095c6f23550f9a6852123045bbeec
-
Filesize
1KB
MD5ca8ec462edad386f065c26f364f6a0aa
SHA11958bd22de7ecea713e1150b3dc4e19058259682
SHA256383cf8b387e7a871428e76d4c165f60876ac666f95fd9549aa92ff2a19cc8b83
SHA512712dacd6a7afdbea862b52c7373148d833e832f28038584fb7dca2f31d6b8fc3a6957aab9631e990fdfe32a4e7207673da03293ae25514c3aa1a7f94cc1b130f
-
Filesize
952B
MD56db99d1df393d7a67084a2c0160d6a58
SHA15011f5f89b071e38387de32319c6eb805525893f
SHA25607f998a69a0960902da083cabdbce52600086f259e979eca16ddf4feec19d8c7
SHA51266909332b1154a2e8cf4056a49eadd4610e7a95ba890e698ca49be0f9857cf65730712751dc3ced4b196e354e96c83ddd2c2a56655239de2d52854d972218ba0
-
Filesize
121B
MD59efc0acf68fda4ec5b17f6b5dd841e67
SHA1d5f437a6fccdf937825b80acfd08d3f13191591b
SHA256cf52101bfcd22a7e76872be349170826df267593ea84f87a2991e4fce337addf
SHA51245dfbc7a3d3cbab9d22fe6a53c0d9bedcc0cdafdae96aad9a299b9e8a7e0de9364865bbeb4f8a175017a2126ba40d832f2c7f7729a8f048c2359fbc591df1ca8
-
Filesize
1KB
MD5d5e366806b979e3a33e2e12ddab03035
SHA1936edbfff215a13fc528d7f86f31997049a3a220
SHA256c5319d529667a2ec89fe142b69827d4700729537e175ed185adb945936271db7
SHA5129e53353117d90362cb04663d07a44f4824952f58a80a9215bbc761ae4a91091abfea070b533193fdebf5c519fb6d96c50c4091b721e783d8e789755384e71558
-
Filesize
8KB
MD55eaee4d83586101ca94cbd6db23419ca
SHA1fd5653258c2c7932e3b21b43b62895d5e3726010
SHA25666165c9f5673e46189a6ae110483ca1f2f8982256c38ec33a5586e7e76b66ab8
SHA51237982a9f3d21abae069b0fc9d10f3f8ecefe7d46fa99659ca9de628fe394674731452e5edae487885a05e19123f7f15990a6a1a40127ea7acef114084ffa6e5a
-
Filesize
61B
MD572046d9ce2b319185af8e439624582f6
SHA146fbb2926f66469ae85f39082fb46dc868dbedfb
SHA256fb5859c33f7084e9209e94206f2a1354c4c466e56b9c8bdca668229b2fc713dd
SHA51217724e6706666ff62dbe233e05b299e52e96ee83685934702204a80c582df11fd18857adb2621f6933104c791450348d358b77150ce739cdd3010f0a4017585d
-
Filesize
914B
MD57f4512385e062b8f6169e308de3f2519
SHA1c6d872111ec511176621d003624adb148788bbf0
SHA2567e1ef2719b5ab8640221112697806607bddeb2c47cadba01b968c87294b23931
SHA5123cd4e005e07a9f7a4d3204c60ff8d6d007bf6115baf91c6adf480eae8268336ded6256a743c039f6c631776f41d42f5652e82466e1c1ace1f955147f0fa0b59c
-
Filesize
90B
MD5d118f5558faebacdef6d4f6800a8d8f8
SHA1c491a38354a52dc0d77ae50706aac7fb412e7470
SHA2561bebaa6e3bba24569c14e3f3b3d88b35d7b4b51b261dbc73fbc3ea9125edbe52
SHA5129549ceaf47ae3abde83c1db029e25033d8d94908b92fb4bb20e173c739f3bd41b02f324fbb3a7551b3e158e95849768ae946c57ce5259313a5f68c45fe90ab4a
-
Filesize
90B
MD5c3a6cbc73d2959018d1c808273483d08
SHA1f47f5efa301e88d9cd7137c1584dad94b9b721eb
SHA256ad0ab299d5b9e06fa45a2d3430300374a51a92020af46390aa10374bdf6ff6f8
SHA5125ab4333b3adbc3f56cbfdcf5e3013b4988727fd7194e2ecb944fd955b8097614ef41c904b83feaf701d3624842aa69fa78e66066e9872cdc652fcca7cfaee542
-
Filesize
328B
MD5a3a2e8e4018769171634369adced8d53
SHA18542679abb36379dd4c99d54191c73306ba97ad0
SHA256891a38ae41ef4309bb412cb344cf9615bb9eba558e20eb66e24fc3e3cf96477a
SHA512339e3b054c7d00f3c8262a8e28b726f751ac37d90490c9891c79b34d5b9882953a7dbfb033317c8ad27239da4b160f2363b3aadae695877d708b7a1ac2c68924
-
Filesize
1KB
MD5c1dd8ad38d7a1f4613520f069f0d0646
SHA174132395034ac3decc4fb06279135417769cbc8c
SHA256230157fb1f1d8fbeaad9d76575a074fcc0dc6004a6bb4fbf065990ffabe52ce0
SHA512061e9fd698a2ce38a2b74f9480f4c8c65147e4aea70f4bac75f74a0c3529c4319cb2e6469a37c1335eaee757d08b44501cdec9b674d99c316cfa7cbceb60dd8f
-
Filesize
162B
MD5cc570935f09863c5b030dc97480c530f
SHA18a723dbb7b77dcabd135e09dd6ac5a60535b02b1
SHA256585af654ce19f1d03fd1086cbb74d095e5fe2a201a44ff3ec3ac1d35eb7c8945
SHA512aaa326847fb77e37329f6d232dae8a7c97b61484296de6941a295111db650ca7dca6ce15ee0e802e731588e803fb1f3d7fe40183a83df701d9cf752246ab31ad
-
Filesize
586B
MD532491050dceb3e33a77722a372cbb8e0
SHA1b31f4b75cb4076ea8ca4de7af2f705d406137210
SHA256c8b12d34b12ed2206e24562e9d5e5eaf7db456baafb79dab5a299b23f8458df1
SHA512cdcccb0bde6cf65ad40092edf33d687b5df808fd8a1272a46b913570b9ae2adada2434ca3f8db939b7d0bee44f7eb800c0495ebc33e62b1d39e448f7356d7f3c
-
Filesize
124B
MD5bb6fbdffae67128f0c4d1acd64e52f96
SHA14d2bc7aba05c36fd1df6baecd3ed4cd292743533
SHA2564f4d45fb2da2953cc003a51b7a0ea5d439c7fe163f90a703c446c7a9b702ae26
SHA5128300d6e9bc28d8e61b3cf01b13011f10a0d2dc59ecd05032a14aab42a29af1e61af6ae13856c69b395d9e8689ac01f67bfd1c8b3a0b1e5e25c4d88b64d589d23
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif
Filesize65B
MD518d028b4888b6f6e9db8ee0f427854d7
SHA13748602bf75d436827e2176147e6ff08fb8f691d
SHA256f4007d94f35fbc83e87bd2fa6f7dad1321e80db6dbbd0175abdeb530f56e68a7
SHA51265155193b7d98183be24647d628ef9738cac380c988fab3cd775f89181dc5adff5fee1b1f6aa2fc43e5650f8e11b99e23c28e7382636307e361119aa871d773d
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif
Filesize65B
MD521b2f81c7de3321ce7004af728d11a81
SHA1cd7e72941fd5e7980e8c81fb8dcaad45b2b05581
SHA25630a37cbe50c62b343f48af376084d51ad5f0f4a38bf0e21e8bb72d633a206fa2
SHA512466a5be67281b38e9d779dd2f696ecb85618b000ee7f748cfe47ff630b7f9ef0d2a7c97581c4cc0c76e79e0ee640f684c26367aeace89836470c285de2a2a52e
-
Filesize
8KB
MD5e19461030bf2b8f5bb805b7431028e56
SHA1d4645d105b9ef395d26b2e41cdec9af3279438c4
SHA256e0cd484a0256cc274c15a855d967da47298a9f373851a82b77e0e966b3602b6d
SHA512aa1d59368c1461f5c3cdb07565f8e7939e731b185ef5e540048901801e1e19b326a582b6ae3ca84d990f4f62bee2e4a7a7947135f966b0b2effc16cf569b8f80
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif
Filesize65B
MD5eb84c814eed81f69ef49848d03420206
SHA145b76a995aaea76d9ba72fcdc8560b89a7b1a0dd
SHA256d9fd61b1a3e5fc7f7d39a3b1bd6b5f8227d85b53786146f3960cbdf32dbb203c
SHA512e3b5bee34e28b56e8581529865cd10747ea96e9be558dbab8136c0dcd1160b0ce2382ac51c1c09052536a969f1d03fa00a6bc7a91487cdd0f76d5e0b67260bdd
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif
Filesize65B
MD57f92eeaeab07437f434742ce0c4f2827
SHA18edc9fd784dcbb612856ed32a28ee49d77267a9a
SHA256e9e7c651fba92b26a74573d452b2dd9e2115ed06c411499e04445fd86ade2eb1
SHA5127a49ba34fee8b461cd2e8b554a38ae8cc1bf69f0b616676565d061ebdf0827bc5af89f53161996f05974322c7e7b2de86e4f589252c09eb0dc9415b162fcb78b
-
Filesize
880B
MD53b7e64065cc1094746d92a408b05dffa
SHA1985e0b8f5ddaa56efeb989a2f8d70cf81a1b7609
SHA256f533c7760611fc66630e5ce4681fe9b57579a63eda2a311fd74ac6fdf55d2081
SHA51283109513ffb1b3444869925a509b63313347e28a0ace4cd10cd9a2e7523af242fab28858d0f8829ed30fd83b052f0ed18a74712f5ca6572960351a10594565d8