xorist | e9b99706a9b48b09974dd18c1af8a0e402ccddcaa0c91edf43fdd838128a7408

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Size

43KB
MD5

c86e6c9a14e2c11428dea7f72805d999
SHA1

1e41e641e54bb6fb26b5706e39b90c93165bcb0b
SHA256

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40
SHA512

32ed8ef777e5d30ae086d6bd05202b94932f6894e25a48c2e92a2e8a77ba80651c45ee04ed0b70831d479a74a2d48af14b40623e59c06223289cb3d4b144576d
SSDEEP

768:wO70S7b0vJinmDOxCRfcwt5Dqcjgqa57R/SVcQPnmX5URz7D7PpUmNq:ngawv2PTq5D1jgZ7RKJeJU1D7PpUQ

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 9 IoCs

Processes:

resource	yara_rule
behavioral24/memory/2068-2-0x0000000000400000-0x0000000000415000-memory.dmp	family_xorist
behavioral24/memory/2068-7037-0x0000000000403000-0x0000000000407000-memory.dmp	family_xorist
behavioral24/memory/2068-7038-0x0000000000400000-0x0000000000415000-memory.dmp	family_xorist
behavioral24/memory/2068-8790-0x0000000000400000-0x0000000000415000-memory.dmp	family_xorist
behavioral24/memory/2068-8798-0x0000000000400000-0x0000000000415000-memory.dmp	family_xorist
behavioral24/memory/2068-9172-0x0000000000400000-0x0000000000415000-memory.dmp	family_xorist
behavioral24/memory/2068-9173-0x0000000000400000-0x0000000000415000-memory.dmp	family_xorist
behavioral24/memory/2068-9174-0x0000000000400000-0x0000000000415000-memory.dmp	family_xorist
behavioral24/memory/2068-9175-0x0000000000403000-0x0000000000407000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2200) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

Drops startup file 1 IoCs

Processes:

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KR9SpeDJd0PU1OJ.exe"	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

Drops file in System32 directory 64 IoCs

Processes:

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Continue.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Arithmetic_Operators.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced_methods.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\ja-JP\about_BITS_Cmdlets.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicN\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_providers.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_internationalization.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Ref.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wd.inf_amd64_neutral_759109899b486d47\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremium\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\migration\en-US\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-TapiSetup\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Throw.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_CommonParameters.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Throw.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\Amd64\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\wbem\it-IT\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_script_blocks.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterE\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mstape.inf_amd64_neutral_c2bb3ef1c45cd5a1\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Unimodem-Config\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdf56f.inf_amd64_neutral_26a79521b746fc31\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_CommonParameters.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\XPSViewer\es-ES\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Ultimate\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbcir.inf_amd64_neutral_379fb0c62496be6e\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmotou.inf_amd64_neutral_eb1d978f38f35bca\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_eventlogs.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WMI_Cmdlets.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_parameters.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_neutral_cf52485bed804e02\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_neutral_814744dd97ccf09f\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicN\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\APPLETS\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_eventlogs.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj7.inf_amd64_neutral_7c21481229e1e66c\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_neutral_d834e48846616289\Amd64\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_jobs.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_providers.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_neutral_49212f5920298e45\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nulhpopr.inf_amd64_neutral_e078ec466987bb3b\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\migration\WSMT\rras\dlmanifests\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_trap.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa.inf_amd64_neutral_560c956da9bcd8f5\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_neutral_0383c5de75359695\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\IME\imekr8\dicts\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicN\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Redirection.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr005.inf_amd64_neutral_e14a0514f37611d8\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaky002.inf_amd64_neutral_b898f5982403f3cb\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Enterprise\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\wbem\en-US\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa3.inf_amd64_neutral_77e515342bd572cc\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseE\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpin.inf_amd64_neutral_2415474b9db0a888\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_neutral_d834e48846616289\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\StarterN\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral24/memory/2068-2-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral24/memory/2068-7038-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral24/memory/2068-8790-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral24/memory/2068-8798-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral24/memory/2068-9172-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral24/memory/2068-9173-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral24/memory/2068-9174-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4B.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\HEADER.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\6.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\PREVIEW.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files (x86)\Common Files\System\ado\it-IT\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14655_.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files\Microsoft Games\Mahjong\en-US\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15023_.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SHOVEL.WAV	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36B.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14768_.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\background.gif	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45B.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_OFF.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\slideshow_glass_frame.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid.gif	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files (x86)\Common Files\System\it-IT\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35B.GIF	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

Drops file in Windows directory 64 IoCs

Processes:

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ilerepair.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9e9ed0a57388c0c0\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cbsapi_31bf3856ad364e35_6.1.7600.16385_none_aa56c4bd0a17fd9b\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ctshow-dv.resources_31bf3856ad364e35_6.1.7600.16385_it-it_00e561f494950570\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sort.resources_31bf3856ad364e35_6.1.7600.16385_es-es_416a2087e14e0ef1\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..deviceapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_51ca5bff2bd5ec5a\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..veryagent.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6532ce66c7876d89\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_prnlx00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ac1fe0a1f2373518\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-w..publicapi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_68ca844f2b8cf82e\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..providers.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ffb4f54190f8ceba\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-e..ingfaults.resources_31bf3856ad364e35_6.1.7600.16385_it-it_030d7f185a3bcc14\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-secinit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7ca14b0ef6f0c73b\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-shatter_31bf3856ad364e35_6.1.7600.16385_none_0cd72f8900478c68\NavigationUp_SelectionSubpicture.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sensors-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_83ca5b5c78961c4d\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..omponents.resources_31bf3856ad364e35_6.1.7600.16385_en-us_54dae30eab8f9a2e\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_ks.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c493a9022d4ca415\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehentt_31bf3856ad364e35_6.1.7600.16385_none_8f626e368134068e\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..maker-mof.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9ea7cae263215d1a\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..-postboot.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4f27716925182070\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..clientsku.resources_31bf3856ad364e35_6.1.7600.16385_it-it_760dbd030659c14c\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_netfx-ldr64_exe_31bf3856ad364e35_6.1.7600.16385_none_f98e4869675ab367\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.Resources\1.0.0.0_fr_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.ThreadPool\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_181a1bc5e35bb95e\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\diner_dot.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-photoviewer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1dd6888842f48185\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..mcomputer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_599ed02e3f0f3550\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\msil_loadmxf_31bf3856ad364e35_6.1.7600.16385_none_388de5065074b62c\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_a370be9aa0513adf\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..35wpfcomp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f43a4c8c59f1575b\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_prnnr004.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c7bed6f835b5846b\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_it-it_363407ad8b3bebcb\cpu.html	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_en-us_e42d49001c40300e\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-bitlock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5726a9a8aa71368c\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cd7551d9c0da6e56\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-script_31bf3856ad364e35_6.1.7600.16385_none_64ed8ea5d0ffd85e\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ar-wizard.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3aebdac123cc0c12\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-webio.resources_31bf3856ad364e35_6.1.7601.17514_es-es_014c5fb597133b29\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_015df3e3bafadc7a\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d2d.resources_31bf3856ad364e35_7.1.7601.16492_fi-fi_859c7173e1e43e4c\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_mdmirmdm.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_996308fc0ff8b91f\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_a08d02ec66c8423c\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..-provider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f527960ab3af6642\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_unknown.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8cd033c4f648edd0\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\activity16v.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-keymgr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7adc72826b96a932\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\JA\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..fications.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5c61b44e908fe330\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_trap.help.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..line-tool.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5d61e1fa1702bbba\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_13dfc4b03a7d762c\flyout.html	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_13dfc4b03a7d762c\settings.html	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..-vbscript.resources_31bf3856ad364e35_11.2.9600.16428_en-us_96146216ccc71f7a\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_scrawpdo.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8e6e6a92749b0c89\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7601.17514_de-de_5044e1a3e1ac929e\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9e8c88ba3cdfd040\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\settings_right_rest.png	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-offline.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d5acdff000e257e2\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9b553d0b8f9855ac\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..moregames.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cd54bd2dbd5436da\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_es-es_79ab1e6143614d40\HOW TO DECRYPT FILES.txt	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
File opened for modification	C:\Windows\Media\Landscape\Windows User Account Control.wav	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

Modifies registry class 10 IoCs

Processes:

1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZFHYSOJPQQFOIHX\ = "CRYPTED!"	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZFHYSOJPQQFOIHX\shell	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZFHYSOJPQQFOIHX"	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZFHYSOJPQQFOIHX	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZFHYSOJPQQFOIHX\shell\open	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZFHYSOJPQQFOIHX\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KR9SpeDJd0PU1OJ.exe"	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZFHYSOJPQQFOIHX\DefaultIcon	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZFHYSOJPQQFOIHX\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KR9SpeDJd0PU1OJ.exe,0"	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZFHYSOJPQQFOIHX\shell\open\command	1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe

C:\Users\Admin\AppData\Local\Temp\1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
"C:\Users\Admin\AppData\Local\Temp\1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
583B

MD5
403bfaaa91c60738361399702b9945d6

SHA1
8193fd7d9062be23d726f36e7a6cc3a9f6128c4e

SHA256
02b79fe6ced690038ae030729b1865a36aa1bebd9bd4fe16ac1c2268417d6a47

SHA512
54ebba8b7304fc95a44762f34da41adc68a2630bc1a9ff2a6cef75edfbf459bc38ccb1ed479070311efdb3a0f8c1f9070d397783f5eb44287143105236f80354

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
9168b1ad79697308b82b6fea19d42b46

SHA1
ff8ae37facb5ae30fa77ac125edfbd53d706b3f1

SHA256
106efdbbae9d8e07e8673624cb47169af36f89834f670132a83a6b6ec4b9b619

SHA512
b5927847b0af4913e9431481c67aa6c2cd597677511fadbf898b38c0fda35ebc05ed6ac02d5b368daffd1bcd87e8159910bf3bee5bd8bee745a55ad02dfc3fa6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
e8cead5185c91c529596e35af0e46ecd

SHA1
64d4c4c3d42f9669a7bb4455bbf4d77d2468af4c

SHA256
5c2a8d7e936132c182af7f448fe4d1ccf82039e11d49642351a69a92fc2d8d8f

SHA512
72b565beae28f4ca1b1c61c7085e0ff300ab0bf30d57eeea318fea77dd2310c8e55fc027bd0a59b1e650a2bb7e995c94cea1b054069b1c023f86a0095e437760

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
1d48a281b2f1c6f10952480ec6594ea1

SHA1
0b1586f17291734bffe0a1c987ff41b7fcb89d07

SHA256
322813c3a0bfc78670238588f55170bb48edbf7954df934545cb5d28ed9d1d2c

SHA512
c9f81037cbfc8678c9fc9d089959139396635edd6891000a584a2e780924d820801ad5b037cd476ebd9c100521541604f60455c8ae37d8c00d2623280f276954

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
66d6820de640073229cf3cd935b094da

SHA1
5405cc33485e016ec5606f56a5de234b76778ead

SHA256
07d057c66440de22342b51be811385e7f468b6602f87f908ea3e19547b84f73f

SHA512
ce11645e7361474bea20aa0582eaa5abc263612173d7e841f984b0e4a39346f13a4448a4068ef3d063ea50803a6364fecae043d693d61b636dd2e64a84e6bca0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
f3b2a27104bd84de907b1d63f14d03b1

SHA1
daf617df5d5e6ba0ff52408dd93bb506c5d74689

SHA256
fdf2caa6e813624d93667e575065c72636e023fcc1cc66f7834f163c56f4ef84

SHA512
e68f626454a6b862d894b0eb64b8104818f6a887b85e742677fc816a7c8d7f76165450f89ee7c823f73b97ba84e7a74309cb0166cd7cb892f7d9fee44ed09b5f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
0dfd3888cadc8d35821ea3dbd8e2f0db

SHA1
dd9fee88a74d9b970901574bdd907cb3cc25e0ce

SHA256
3bfa3586b56ed484982359b1a69f916ad0edd2f3e8c81acbc74bd8f9e99c772f

SHA512
0774124683fb0f79ae908fecb7b3258ab8860dd6de9ce5598866adf31fd996b474e60bf2bfe630dc30a8fa268012d0b832e76b8cb86836d5ccac40f40ef46f31

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
d020ef033decc9b992aa4bd445dbff7b

SHA1
727e2b45ad3e5c0bbeae43913a1ea97813a9c01d

SHA256
82c221e5d22bc78b2eade8de2a6154db44e1565504e2c4dd88bfc845e6f8a6d5

SHA512
8422d270f3392e87e841f96a8939fb9afd6c1bbfaa70ead6a0accd93cd063bc656f3386093865cfb71f783753754c5c8e8984368b19c8d9c6206152fd125357b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
cfc3928c91406791ada1bf0b41749c27

SHA1
311583f4180011d44816b75715fd822a915f168a

SHA256
b3d262c344e39e1c0e73afd8f6a079baade9b5adfe43c02c8b7a393ab27ba3a5

SHA512
b56a1b8d131655e8d6b31f98ea1d6a115ad9af146a1f5d4d0671c731049e1b1d2caaed9f875159a4475eb838ab109cffff175e31854ed621cf70ffee16a1bce4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
a66ca423edf28ffc2d77bd0317916c77

SHA1
e3a794112a77dbb8560fb8b54bfa586c4fcd4c40

SHA256
6fc590ed21fa0796124443ce1ceae0958cf8c3a02122b21aed7a8d6eaea09a56

SHA512
310156493ea4a923261559c6ab10efab282acf213c171ecd3c704247e2d12d2d5a28a7b8381adfb7e67893a93ff115efe4b62809eb7dffe9c43daff6006b84e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
d53a41145b67543c95cd2c6ab244d684

SHA1
60f37d83dab1fb4e695c5be0c0e1594023ac4087

SHA256
fd4bfda4ffc51bdb09af84d10a6ba576d32a057071dcc221ef444eec8a481c58

SHA512
0a45698f8d6b204a695dc5ede461ec2f655e670491b52ffbac551611238b6fae7b433dca978f9e142c7f040d2ac0a1ca93f946e2ec3bc896a63befaf5a0e820a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
0d824fac75fff6616570b11ac068b495

SHA1
2b673cbad386097a5ed309bb1e81f72b98d4c028

SHA256
73a316f991b5e1cd59b3f9fccdca7228390342a38fcff02855996fc6a7bb163d

SHA512
00a53455208cafeb82580f9512e2b017c9a79433c0922c3d140266e704a60445972667f6382c3ca368a888fe250f6a05df878a92508ed56758364e113ccae98f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
63d58b975b0ce0edc5cd1026752f76c8

SHA1
ddcf5248a8e76a7b40aeff06bffceea54bc0fcdc

SHA256
22f333809b0558ce2a308856a4313948a0bf4f507a41e021a86d93e4f0d43c40

SHA512
cb6eb6f81b7dcae1187ab3457af31048a90f4e4d950fc41353341bf0b16c5d20eb1bc647390e4617c3cdc04db75957789c0b52bd3dc092ae17411cb4dd8bc979

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
a2d65ed0f087c5cf5d85faa4c9029306

SHA1
3d744e87a58a47edb2e0d8b6967cb04ba65f1576

SHA256
2eb372fb56e18c42f0a988087aeb7019c8da91ee94b43857737577a287e71f84

SHA512
6590e8b19cf38bae91412390bfe1f507e08bee65fb4b567a4138f17f62b36fb91f40ba7efd422b8957a098891261a901c7fb3d30b2775b2161d9986aa0fdc15d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
ee3d1b252a89b80200828b50e0bb36d3

SHA1
3e32f32666645f32e7fc14aaad8fbd9fe003e91d

SHA256
dcd2120dcbd12a9fedce1ebac8a428ac2178ac766f62b69d633d6860d5fcf741

SHA512
55d7f2647f0bac8b9089dde9b2abbddca5aec8d5533ce8125fe78488b54e766574add2e20352cd6c4fb276c867dc3c83ef7178907b3dd5c29d10b60b93d3fee8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
9683fcd45da94a942eec018ddd8337ad

SHA1
147922e7b11a2f6d560e552e64858e8be1026e78

SHA256
a7f73efefb17a0a3c30d4afb8742d6f5460ba3de0cc3ab218cfac9fd7ca00dfc

SHA512
efbcff59f812a56eb139dcc4359059028de0d3564a023f3cf59c45e718b021d3c85186656578c889ea85cc91898eb1b7eec274136fa7590d084c833e828dc8c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
83ca0161e9c9d9c1bbea5193950145d7

SHA1
8f75e8ea1626e2dc32cbebe91011999754a1ace0

SHA256
9c706355e6656078f1685b4c7a5bda03af365e7c8709d9e13dc864e87645b908

SHA512
bfad014a5dcd993b93d29f7405d208567c274a4ecb9ebf6db4ab8cc1b3d01351a33beced6200c5d55d2f5c7e6d16eb8d64571c13c1e9fa16e28a7bdfd0430f26

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
ca6d9c9a5b5603ce759eb5292359607d

SHA1
c6bfa6a09bd8128f13c208c2592b91e142282a21

SHA256
33d2f4cc2d6e391cb0bd77150976727e8a3c98b28d99ef329530ccfaaf0a8be8

SHA512
430f723d19086d51c04c5953ea2f48950874d234ead90ab41df30c156fed94c3ec14d07823f82c11d676e071d27ee36b843fbd9c8c77c82728544d568990148f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
a008a93e2a5ae27ac3ca51ca5c697f90

SHA1
6a1e0e0880647d2a3d69bd578a068f082bf0f7f3

SHA256
df5c1814e095e8973d585db19b69e77f448817a863fd19173f9593a9ea086ade

SHA512
3ee92b58c7740dd497b3c33e8ef545d76a210cc83e017cde45c360ddf3df318ef9891d53ed7cc3a029a643c62b28063865616331746acc2cee84e4e237e1b993

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
a42ab0d5004519822ffc5eac508a0e2f

SHA1
6de76732ec8df30018f83d30097d74f09b324a45

SHA256
0f0f89a3169b1678ff0c7ffb33f32d1312a486561b2b8f1b3d43cc9167f0f34b

SHA512
214520c8fdc6b0ec7f5571e72b8039f278eed898b19b7ad830d10b9bf76fe0679d6227dbab83abd535a708f6a6defd6ba0d6048553357df5d0afcc2497651028

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
1baf52d6bc176fc0611f30b8fe8678d7

SHA1
39059c87fc898142913bc42aafdbc2ed725bd3d1

SHA256
84d6cb4c3797e7cb3f187987bdafc96b4976dcbd20031cbd7678cdd631a07922

SHA512
08e42dbbd96b2d727745a133b675052f1fcc781cb5817dc726b87f9ed787056e87631651978f116244faa1faef936ec382f9121bce698e4054adde7093185b5f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
09917808c5059a7535387c276313e046

SHA1
5ec24dd1b761c3fbaabf12a17fe9ba54afe47ae7

SHA256
57d1d498d07a80f3f76bf4166cdcfd28b7ceb33e3049ed3e41afaaed50caf985

SHA512
118fd9ca01e82106fe531a47bffb862cc6ed3fecefdd315c8c9dfe46ef536062784caf3acf5b2e68175c366113f546f926633f461a1e2c67e3e7f87edef7cbe5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
e32e2e62d03139a5287157a4eb91e249

SHA1
4058645da9cc196f6c19f99325528fecd5eaf54f

SHA256
e58cfd344aa0ed12a0e3903d383c7a6d36904bb96d74ee845fbaefdb0b39061f

SHA512
44d83aa8828e2c5f002c28a0488a7e209e179f28f56a3a0faf798057079d7a210962206b2f45df77f7a5bd7187855988da81d6d3ccb36624bc1d7f9b8ca189b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
4ac5901f6b947bc71ee374888d855c88

SHA1
bbd6f8c653b1d60c9fd1dbfd0c858f183dca42bb

SHA256
38ee9f227f6208e6a9aff10ffce2b1d36ef64f8ac969c9a35235ac3f663c5d65

SHA512
9abdad301583022ad0c63551af67136b910b7cb7a2fd4d468ed46dac780129ba01f133dc6e757fcecc77f57e03e75797953b681dee020914a13086a84d02412a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
5ddc6dd8436c9b149a09fcd63f3a86f7

SHA1
6f2e119d45caf10729b0bfd631deca33c30ee10c

SHA256
7910e397c0d68871a1577f1bb70e101a0ee9abddf06c8a3e7748305e81107beb

SHA512
ad92301ef6cde9cd0f6ec5dcf082737c9c34a5a27be57351f0174399c1925661df630706b13605a09778d28478d5facf9e6913abd53f8492e56f3140438d59b2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
e611ec46e50676cf3588bbac2d73d9be

SHA1
f2a4d1bdb9af707d5f626a11b7abea91a981b213

SHA256
bdcd58e073da2d486481535f240c66abe4694eacc1be6a1a8fb1289d65925b71

SHA512
646390f3043e11ba1adb2b1247d54a09669c1f585fa6255b115c8885e798e4812aa9168fd7c854eb55f6aba8954e7edd375ba2fc9a9669aa9fa246f253e14a6e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
5c75daa6a7c31faed8b228d6cdbbb919

SHA1
78a551bd52dabcb7fd93d15b3ba125eba68233ff

SHA256
7324584eca1d6b9e2e2bd609ad0edc2e48fc736425d8bafceb13a8d8a4a03405

SHA512
027bd3de369c5ac9a95834a4e968cf4b74f806d675828181bd141d9750175e553bfde514236578aaa2dd194257295ae42695fba726fe4bb6982990487bd9878d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
216c7883a5feb2a9a300293bffcf8e32

SHA1
58c22aa9bdadb6e7b796984ed5bbc04bf613c84b

SHA256
efc94dd4a724567ab5f402461f1248032b381ebadb7d84d003ac5413d24e35d4

SHA512
258f66069798c8252809116c1eec04e3fab30ceeb6705c1d37556fa11f1c1c75454c8e8952f8b7a1fcec3d7f0924b106119ec238c60ca31179845b46b1b14e5c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
057f79b04d9e869d6438c9b73c790e4e

SHA1
274dc6880c07e8175cf037737385d0f6b8a96e89

SHA256
22f3ca6ba53c4f37e1ffc7e0b32e2aa913d8b7f9ecaf8bb7b09571c463712688

SHA512
8091ecb7c393195b8e27dfb8a432d6735eca90ba11e572dd40959370ecc48e30693231339b8c131cda4cc4801a031fa99a8cda80ab6c350de8361b8d55b1a8ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
fec391b37c7aca23b4acf4911385e0d5

SHA1
e45a8f738f38db3e01be0bac3f7f950078b59691

SHA256
a41a5388924c8e95798aeef18d5a8a015d938b66cf021242d7f42e3beaf5da5e

SHA512
c9737d61da7a99e19f6dd0439b057b13cf92138b4b3374a87a0bb8e54e8bc174e7f4d57974780c8d857a9dcc5088514c3bc2964c351df2dfeeb9614b0030b87c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
a9347f44353c4a999e5a93c2c7f1f5d8

SHA1
15e6432207d7171c41ec9010068074ab190da55d

SHA256
768d505e0082fb456cbac3f2ac50b83c35081f3ce475e55b20c2a1b3b9994387

SHA512
5996317805f38fcea7ce06b9092937b9dce327b1fdc10946d7d9dc5c3166147ac5ede61d03afcdc2d134fe3c4a4932d7705e1afdc59d4f839953578fef0529dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
af7fa5ca8bea5a7197dae99b8201d9f9

SHA1
1d8da78ccd17a348e30cfdafa6e36b88a7ac8776

SHA256
1f92dacc4a57ca216a854ee1dd611b776d6fb315a4fd0cbf16054cf769adcef6

SHA512
fa2a9d49eb7a9bc85eea19fdd10c1bad08dc49af32bdce46f731462adef5aa2b5954c7079109fc0f3b75532180df591d226b7cc63e7acab46e52aeded9796254

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
fbb3e63abb2121f9c8fbfb982cd143ea

SHA1
5db93196745792536ec046e8a19fd6b546f74f24

SHA256
2c3a333c27a2b8eb3ee0135276f2abfb5056ed4bbdff3319d17f7ba51bbc882c

SHA512
60cf30416205633d8a98b3a85e233b4b5285bd39afe154e418b1a32833a44b1f286b12224b89fb14c0b264cc6e283291f1035956555d4f80608243668e827af8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
ded317e06aa75c89cd29f79cff34ac80

SHA1
71510755de72fb8940bd4340a836a63ae840c3c8

SHA256
7d2eefb1d8c06546b91d79bacaf326c19c6f5393ae6ff15e78a408857e4d2959

SHA512
2ee186f2ac5c978d5bb229e72dd41417bc7d55865494f931c81b0a98b030e25fa1fe430316665d1932ea5042bb05b8f7c06702dfce158e0a6d8a69a9367bbb0c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
1faa537e0904cc514c5054c550115d30

SHA1
aaba0bb5cbfda626cca78e80a74188ac78a299bf

SHA256
9f4ffceb475e96ad6a10a6961c76c3a0d31c091968a1c1020e3995e617980a5c

SHA512
bfbaf6e5477adbed7c7d13da547e5bbc09ff40502e8921ea9d9e9dbffc09c64af9d7897271f18186e52604df3ef029083601edd047da6644995d06517d41e72c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
5268530ed1b749b9e33c480c8c7320a9

SHA1
650d6422b7a2c96a85e4c63ce69ec4e5942e160a

SHA256
e1dbe8c20661dd996d399bfa0a2403b304e85ca6994b0e22e596afbfe842eb92

SHA512
d722d2e07476508fb4d094beb5c3bd06d908f87da880a591a57e80d66e901584ec66ea5b135116618736d384b633a8d3feb2442263b60f1afd68b048c5bf222e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
43d8b5e7a4414c400d0f8fd10527f416

SHA1
5eb1d993e22d964578f1c488d5688132fe040df1

SHA256
437454610947954694ac58139f0bb2a7224b5e7954293b2e6c8abb811a2f7efe

SHA512
9011177b2c71b0d4595fcd8fdcef28c2e9b5170a4265796391baa5f8dc0a3ee3cc7979a5d16171f439c99e9e46e2bf374b88d64df191a4531e33795124b927cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
74034db9823229c664332cfac2bf535e

SHA1
b4363fc21e65d59354db97ce1171229e008a8c74

SHA256
6ca024ee8e56ec80160f738d0057b78b2f19ca84b0d010c4653e9a7b4c895660

SHA512
0095b1b8f6f179c3920c207b50593e28038831f565a172c0a01802e76771a3ee0f03de99ab9f8287b53ce2ba4b9aa74c00455a122b5105eec42933bf9c61669c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
5e3e445dd8015f9bdb0c634e19f5fdb5

SHA1
7e170217d8b21079fa587a72649870977038695b

SHA256
c8d14e06a383dffac60e37a03523b18b4ea6c8d9782574a094161e28e14f7444

SHA512
4720e9979e3963416bc2d1c9f114c00815a715b43a5609b529fbaac842f168b769778b5d04068797385b8517c2d26d061aea4af3e15ae341b3c1049b53b49c04

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
a83deffbcdef2879888a42147a3a5773

SHA1
9f1084903e0846bbed729d3c158f81a83b10be7a

SHA256
bf2d727472d57934e3a3e10c928cdce59dfedab6f4aeb629b6c31a94b08417e5

SHA512
cb782e4f192ccab589dc47885bbe79024885015caedb7879d306766553598c0e804847cfd7aa8684b57a4a49af07f2951ef2e44a5eb737b8ab3146235927140a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
af80b873c6bd8c35282c034e264a7036

SHA1
483c1491d97756611ce400a2504d8b46089d8654

SHA256
7a7ae554335c717cf371fa16673cdb8edd96032b404d907fe777d7de59bcdf38

SHA512
73e5657c088b9066e278181f6acb18e2409215dcb606c2b517f8cb6e206ef9521b97335f5d0b83c027bd8795146bb156b37f633a697c36e51e57564b4ffa10cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
9ef59bf3d042f9ee9e9e4cad3c962d89

SHA1
42e2103980ec307a507c7bd7bb3bc89bc5241805

SHA256
81f2e54727fbf67d60b89b215d1d46e37f6df991054f9046d300624342c492f2

SHA512
b7007bfe476f528ddea68740410b82b5b2c58edb035ac7367933fd629dcc902866ff5f1e5c3623a6b92e5849b6c5d79fda32d5bbd28446de78971f8a6fa95d3f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
8c70182fcf48070723d8b4d7eb9d15a0

SHA1
955a74eb0bde03555b7496941e521806da971224

SHA256
f648b045bc70df6d30b6d3373fb7c21f13b34f74978b24891bc37b591cbb226e

SHA512
e0c8aac2c438e54b245d963e2ef186854e578eddc49357656b444cbe5146061c5307a0c73275f9c7cd0a4669caa269d43bf9a3e1b24716b1d906f62a43de42a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
c6009bb6598013e85bc9e3a4fcd88bc7

SHA1
b95b235488cb9061762dc96f9fcef517f4f2aff6

SHA256
60e32ab69bd212b366e17a1797bceafbe4f1a549228e4ae7d31115291472cd6e

SHA512
33f6cdc3439c96bc7764f508f2f9a2e13e997cbd81d1b08e4d11273c51e0ad2f2678ee81869d64f8a34dff730ec292aa872724fe5f9ede1e7d78dd7df6822c10

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
fd26341eb8b4a46f3061a7e8ba49f90b

SHA1
a1979243a338d72a979774e3d2f7931bbb117a3f

SHA256
5739aa7b3279ec0c429e973fd46d216dd834811fcfc9143a90ea2a18436f6547

SHA512
2e9dbdc37f80b19e8391e34c45eb396904bc05956044e0c574f63c1437c17d4d547fbdf298415ea3d52cbb07dc57487ed7daf41911c1097203ffd906a5f3ba57

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
3bd886c52b4362b5aaa2e18e4b051393

SHA1
13228e75b6f5b516ab8da3d058973af3ecf70b17

SHA256
d24761099a6b28fcc4ca14200bfe20863fc0813ff11745175a449f052942fa33

SHA512
0b20fe407a97de50b9457c1bae8df199ccf11e77669c3e190f554299a894bb4ef8c189845d4ac3fb348acaebf44e77b1bede24302dfc59a54ba72d39c4a82bc1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
5457b82832da386491e7123cde4f7913

SHA1
c3632d4e485f0d6938a182948022304c11e02999

SHA256
155444780f0d8cc29ae508920f1ebcc6494874966023d9fd86db31442cab51aa

SHA512
e821cdcdd9bcdd301dc9c0c4f7bf31b797fbd3e39aa5d292c40b5ed94a2f3719629308b4d7d6b1c39cfed3ee21983226adb785f088d3c261850c485ac173f3a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
c32cdcc5163c402b67bf1f7f25b7181b

SHA1
6dcfc33a7431a59d36724d1fdc6879e5a7c1d60e

SHA256
550c52ba7ae503e336699ebbcccae7882a915490f9823bbdcddc2b483b078935

SHA512
7e5206b29bc1f61ee4c0e3d04feebb6b8dbdd406a1a94f59971f44a2ff936eccc7f3604bd8bdb19a37b0535750c525e0dbb4f6b6d29769a098c3c334e7ebe8c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg.EnCiPhErEd

Filesize
5KB

MD5
dfdd6ff5718b4a33370ec609f22a2c45

SHA1
adc31ac6a5237f8ce72b8cbabacab14f210b6e9b

SHA256
3157922305a8bf1fbad29f4bf6f872c7cbab34a5afbc9902580befdc74f07fc6

SHA512
09ad3e057e452c7c042d46024b3649cc692889fdc1de57a76a91f5151f99eb500652ea8a158a071d8d5b1b3945468afb73a8437f1836718739e5e59607e0b7ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
15e456e1f5d41e7a2c1b73875703b093

SHA1
e3a04ce6b217343f5b0e6cbdd2d8255b9dba57b7

SHA256
3596fbb846eaac5030c3516224657f0b8fe6377575b2e1a0b61468303d58ced8

SHA512
1791fa247ee8965efda62a651ab55fcdcb1cdf0973ceee8020cbce06bdc27150a9be444821f4c755868f1d95d955b0ea963eeaa1e2ff593976c93fc284d92721

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
61e2ddb2fbcf57bb8a49470c99f1dac2

SHA1
6b05a6fca636bfda4363a3b2ad92c1890b5740bf

SHA256
33a752f94368c57221396d437d1741993f2cb4e5d5dd5b5ede8da6752bbee558

SHA512
4db360ba27a70070d96e2fd15d62f96d5dc7943464508d51ffb49aeb2badf45033170b7adfcc251ce5b6b10220d1e40aa1b296366a1903524cd3eab36ffb9d43

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
dc8db2342e90990ca0702b0b5f7a8062

SHA1
4e86c73afc3ff186742fb8af564fe43e5b21e554

SHA256
dcec95bf26fd92829d7730524a54e7782a4c9fed8d722485717997f7d4bb702f

SHA512
3aa6119c6fafdf0da5914c6338835de2ac1861c5cff570e7f3d84f6faa4654073a175fbd116e2a75f2bfaa345083210f25d877ba8b9bace8690fa1757921becb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
abd6b47689fd45a80dd5df86b4e6ef38

SHA1
130df5b8436d45059148ade6c76c4a06c46ba425

SHA256
50cbde5d8ba34070205ce15284775679e6e0549e7fb91debd6900e63c507af5c

SHA512
b86ebc7f9c688011a93ef06c2f436e1d1d0bc772a5b84646c7a310472adab6a067b73eeeaa129d24fa17c0b987aa2c4d82ee6f3b36f786a643832cf051c80e21

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
30e6465a8782add249e869063a54e9b0

SHA1
b40794def8ff0aa6ec50dc03014270a5c213fab7

SHA256
c84cf2bac8299e280573205099aad77a08a0843167e55a5b40eeb2f23969533c

SHA512
11801b97879c57d755d968d0b7c5bbb95f5934a4be5f5f7971cb2cfe904a7ff7b31d09095828431bed70445cd5ee0202309a8d28b4768fbfb5472bc5b577d0c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
7a8a0a1938f0c9b72a596acd9fdbaffc

SHA1
8f0094d919771e87b4a0cf6d0bedc54d5fff38ab

SHA256
94409b6e7aa402bd92ff86d5530dcaac04f7bd93cea530b2a2a15745990e7c03

SHA512
499cbdd84e123818b91332fc4332a479f8187ac27c4105087df11df59c87c94ee5aeb2d42d6c51491dbc2c55aa341a4b9107a657a4956a591c0861bd5f00dd19

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
cac76c45723cb414f8e6f758e2681aa2

SHA1
8bf796484c517f806dea55c13bdcca9fe3f9dbfc

SHA256
7359ccd28074bbcdbc3ab72638024a81033e57f9c0a012a2c1c49d2dc995345c

SHA512
8e5a62ac53d8532e12615e0535479e4c763e5603642c2b6e19e1407608367a676ba756d2e5433a22a39c506bd7bda7b5f332fd7702383230aa44b298d202dae2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
0d45cac1f53a3b79a16fc8117684dd90

SHA1
06463e5c80a99adf04f66eeba0b0a9c14a8ebafe

SHA256
0a19a263da9143d80a401598c276ec476cd55c5bb962e5a4de6b188ae60cbf6f

SHA512
e10d55ced3faac692c14234519a01bc115c3f1ede5e7629c87b9181b1c30b040f721352ec57e632711330b4542f8acc1a6054aa81a39c0ee57aabafd31b2758a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
d39b71226c8fbc73930f091f41ac416b

SHA1
b1d8765de4e04b605418c5b9f421d2cee8890915

SHA256
f52345f9c35a6f144ee96fa441a8c97080a4f17fec0376768604195ab29c85b4

SHA512
8a4bcdd2adc53e7dc52f66095a78a7855386558a451738b02f7db3942d98a2f8862b1cce975c3798080a2d859d86fa7bc39b299c6fe91926ac7114d83bad1553

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
e510589c74f44b3715965e036d77adb7

SHA1
1059f40ef9ea243a78de5d912aae3c1f517a4ba5

SHA256
89ad560739f817f3cdf6ceb6ea7f81c24207caf60ea95836249edf8dc50b7902

SHA512
df3250b296fba4475380b5bcfa59eb0374d2c656ac4d7b49ae42fb1e01ffa17fea913d8b7aebae0afe2198114441df802c6db40a9b21d5d557e06ec73f527910

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
e8f701444779a65edee6b7ce59ff8fe2

SHA1
341ff8f54f6a77e4819231391fafe62a004c6c28

SHA256
1c70e6c83e51c816da5fb4ca51d050ae6f5d7c6eb6c111fbb0c3d84389319f5c

SHA512
46de3084ec5a94652e3837eb17b17ede1d141c4c98529d0481cb8c817fb0581f7a7993b662f4b661812d948b52c8711f65b9b76ba54e2650ab5d08980ad6b60c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
aba54cd08fb54a13bf3c51941cf95fed

SHA1
ddefef0fff11e8b97a883a49e92d9d1391198c04

SHA256
0ee475327a1603cbb99f59a38999a4b0b90a2b408a9e8aa17334aa1939ddd8e6

SHA512
f17193d94e3fbdc6a9820705ceef7f87e909c4d96e0fc28da9c8ac2fb65c3ab4204ce4cc31e65b62ebc0bb0fb7ce1d9aaca7af4860a2ab3d593397c9c6aec89d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
fc9a25ac36c7ed2887b86483bdf557a6

SHA1
cf4df71d25ad4fe3a6aeb682a4a9104a8c30116e

SHA256
b2f253e7a41c13ba35469f0cfccc1eea311f184f97f00bdd3834a4537b4f0949

SHA512
24097366828223725a9d0d0fd45d9b6aa504ec9ac95b82733aa1f685fcb626c77d63bd7a62e74c5f73dd7761d764e14ef2a7849d21714b5cbdabccf8b5c6318d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
51e73718c2a4e35c3ca8bf55037b5a48

SHA1
45d34e824f0623cecf0e3a9bdef6c53f1b237397

SHA256
ccd017c55c3ae8fd111887d570a44ac710205c19f06e7db4e982a2daa0148b58

SHA512
91ea6fc3beeab08da6a3960cdbce7ad8f1a685786adc877288607d3b64f0f4522373da049396d675f8a23a40f91c022e006e3a33c84920812bb816dc9a66b693

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
73ef674e9c8d37415edb4081c9448ae0

SHA1
0d27b6ac4db575983e504ca8f115ae8de12f2f61

SHA256
c39f834a47c7907902e096224ae0b1e16c37b2d43c9c7783c73ff720135f22c8

SHA512
16d525509d66c5d5a7b2555c7a4fd88b59af7f86be3e7b8f62174bd1055114e80e8583ec9591c05a3542a6485c891276481bee5a3fe0dae0ca9bd44a95b43f56

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
97c31e18c69e9e98253921a64f885cdb

SHA1
4d22ef8585af16310ecd9618e206376ba459ca52

SHA256
fd02366c347d18b15970cedbcd7a965361ae5cf56e52d420bb5c39aadb40c088

SHA512
43ba073ca1a0ee8c0ea50f6ff75cfed469465788b88cf80faa8ca32aa90e53d5dbb904805543f3d8248a294a27508ba824f50c118fb5440d153298e1d298f28e

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
81de3ec94e247223ef9d4da83afb51ab

SHA1
fcef9adac1a400efef72d5a5232a467b96423835

SHA256
482bdad3561ac547bd90f52986749d55e94050a88e563094ef639ddd92c0ecfe

SHA512
cd0dfdbe7bdfbb2e35379e630d110c8d5f203781afa1c18f257e686c4d3a36751597a894760acec96af184da903256db05a1ae7f3a53a853d5e415fbad34245c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg

Filesize
49B

MD5
20f2044701d0923e013515d7b32b4928

SHA1
30d30544445da6513071b08b1b962cf81993006e

SHA256
8d68b8781d83f14ac66efb2f8e9875eb8c06bb03129772908eb1d76bb6745b64

SHA512
560ad7494939bb91fc2df2bdb8a0f7b025ec2a9c47bb8dcee76e534066489f2a2fb73cbb8cc0e1b41b14a89948faabde72f65c7374d8d03faed21d76bbba37ec

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
22f5a98fbc9a514a6af4b534d9f858d9

SHA1
61a13f66428b2cdcb12663de5a7cdcde242f7623

SHA256
484c3a3de2737011645a444353f1bac4a8b91a6d93d2674701670eec5fde15c4

SHA512
294fba00000734db4bd30e70f7a140b4e61522db398cb2a0e9dc0ff858fb1f90fdbb9b8de4f19db4e73be33c508ea8b68cde8f3e81e20b4ad62fb75f326e1356

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
7bf832e1e4a15c7541c1ad1b497c9033

SHA1
f86c704f119d232182ccdc2beb21c60ff28296cd

SHA256
1b3fc6cf0caa18c7dc73d19c0b36586a9fddbf8c1e206399b5d782bb51b5c6e6

SHA512
0f983931bd91e3f5e8f2b0d456577a41023a985fcdd7fb93e36300b3f7c570bde038fd9f2e632d07b538f01947e0d6ac2ce54b71aaea1ddb95063c375165646f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
58589a00e2a4e1f192eec7f63e881bea

SHA1
dc9cbe9a4c87f424ac6ff15863e85c82bad5a192

SHA256
4723a146f2b903ba09a324f4c5cb4fed524780669caa28181c49d17e9ec8b006

SHA512
69fcc5489d3dec0ca7b03cc41104a1a909b36f969a76d8bc21f30483ff307138e902f4f07223617490a5cb03c620055acce79bcb9e555e6e0ffa227f83872eef

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
c42eb19e9bfec339ecc9a2f684527016

SHA1
3c381644a2bbb526e2ea6e11e6c7d0396800738c

SHA256
9fead7373d52b3a037356621f6d47a9cc530f25576c64912341d66e58ad50543

SHA512
02607f8686a5a382bdf1ede1737b0db07f7f2c4fe48f12ad266facc84c0924143e001a64bd5c10a6b5360ffae7b81b33d442c35603cdc3d556b1133c82227666

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
f2bff720a852de2db4d9d966b83ec09c

SHA1
964037d7c4b64137fb751fcd918cd52d752acc58

SHA256
201ae8ed2b563bcda7d689aac7ab205d88adba9dda3e6fe22e33f10397a9ab04

SHA512
4e5463dd2251fa73a5caa303ae031ade95b77b6e73168c5fc65d89f1ce90e4c67d45383c042158e96589fc03cc919d650e1a9e592748731d41833c73678872fe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
78fb30cb23c7d887f0834301a56d844d

SHA1
b8b66be59d4c4b49f79c6359518388f9e15662ef

SHA256
d97fe1636de39aa5130d057e56e855a58c7a33994f27bc411b7ebfef480f4645

SHA512
b8c5590ab998f43867c7f030e6a2b78f232b0ebfba9534eab10c798b9ec9f4e19b7e7fddcc2a4be544c75e3775282033ee32cf17247dfabcc5c643d1ee09df12

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
6c27c510cf634ee915ad98efd33fa9ca

SHA1
a391e0979dfe65984fd8990f6cda0b3b06fcd846

SHA256
ff4f15a96944093e4546deb6c1c11c61f9c580f6a128d0aa24f573105c456332

SHA512
0adb07d3b20e8a9beeb53ef222c0d51ccfb28a1bc1385946082bddfcce7231f07dff4b563c0abb88ca4ae998410be77f34e0177fd88678afd7e2d769ae9f3399

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
e513abe9f14f466896e76af3e5114673

SHA1
bc9f0827c7660b66f3fad82aac2dffcbdfe81b59

SHA256
0c771e01ad21685545b7626b3b49a4809da76700a366f3507604fba7a9287f98

SHA512
be3f83a388b0d6513a82d6e86a480620830c1223292a5ae3523185f810f6db45e6a5e16ad746946b406999f3c8804407ce6434ccd3ed2c5c6cf8dc1416500428

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
7d4dd188901227cc373fcb2d46b092e5

SHA1
0c14fe61e10eefa82f9b0bf3ea2cd273e2d4b268

SHA256
f092a6b2c56ec9bc538ecbb73cc4a46b507836e9b313ba0bc30e8ec59d2570ab

SHA512
ce2621ecc35e4e24e9e121eb2d6dddc7a329548fd17af09fc862356ace3af406cadb816191f9d6379052a9ba74b72e7ba1fb4b5d628935d49f288cab6ca32244

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
ec12a35e08fd0d01249d0cc6812c2dc7

SHA1
0500f53476d9fdddd6d6a6f2007e438076ebf2df

SHA256
a749ebbb124f2ef8746066872e6a9c7f04f5f58227942fe4e9692875d58e6885

SHA512
fdfc5b96a69a1d772ab67ec65f1a442cc1ccdee8070e39acaaf48063fdde05b84f56a3bdf9c21575a83a93e902a46a7132c0bcc4ed35f99ffea34c31cf4f5735

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
92decd1691e704ea19c543566b711d80

SHA1
21d4832ae76c917a4ef22f9fca665d93990d369a

SHA256
b5e5e1d3184ce7fe656363dc47e3767977d7054031b379968ca3394eaadd6a06

SHA512
9c70ca28df33bc497bdddbdf5d02fbfba760108d476d70a943ec92c04d2832784498ed4ddc2abe9e4b71e61e6ccc136081216f57a8d5a8edd696d1ad26edba5d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
98bf9d09fbc7a3e20d4222684f1755c2

SHA1
40b68681ee2f2f01c7b5b39583ed2687969718bc

SHA256
a96ba78ddf0547c62a46480c77e4de3352dd7abf114ff493c80b9e11c2e35006

SHA512
0014308fd3b52f59c661dcddb7e40c4a6f96cd0fb61b0a8efd441a41c6269fd4cd93991ae42a1cacd23212441b49a0791e0847bb55f2257bee164ae9df91cfbf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
bff5530f721097a58df0a1da0a33848c

SHA1
575839c4b2e0cb5114e17c636cf5caf0c0f4773f

SHA256
df436280ca5fba18da991f17aa398c8e4668fe54e94a791409a85db520c47be0

SHA512
f2c48b2c72ec90fd52c32eeed63f665dcfe4ac846edb63a234d49dd95acabe5078eb001fad24eece7e2b6f0e01c005a6c6644c460a5774600997c2ca46996e4f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
97dc13899e4f46bb38f5c20482d67420

SHA1
c5d7aef68a3486a9531a085c0de827c01afdca6a

SHA256
a6c1254fbd11376d4bd5ba2700d80b0934c059d08f273100a2062b7124777e04

SHA512
02e4c25943eaf88625dab92a930d7b0675358781d0f52feba0c9c56af09b735537e9d5ac1574b58490d6370b88bda8788945f960e86b3368ad9bb61566c81b8d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
e5519bbc60d8f7f24f26659d3e107059

SHA1
67b4bd8f0fa4951a1e44bd1328a965a1e3138bc9

SHA256
ca903e47300e739bc8ed20de07a5fc3b4416091dfb148f4f55c4ecbd807ecc0c

SHA512
ffe14dedb94795f0f8383aec4559bbb6dbfdcaf9f5c39b304e42354312fa84bad0513459e257693072583e459625ee9d8fa343ef93eb16de1971f4c384e3b068

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
e81b5e68e84b6409b741515f32902582

SHA1
c0f1d1a432f1f677f68d5eb197e5c72261f3d107

SHA256
ff8a00a2c1674ff1c2a5f54f6ca95a2ee8e14c8c450db38657ab52706e832244

SHA512
99c5e05498e70ce6bd5d693756a773289b59c556a54019b3b8cff1817918b0bfdd8e2f61a4c458afd6447df8e6d7e67bca438fbb091eda826828694fcc4d80c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
bfba1bb7f641e484400a18b43c4c3055

SHA1
675f94ae0b9fff7c4466d3095a378d6b02fd2ce1

SHA256
6aa7f5fbd44eee209350cc1ccbff391290407010c949971c9a17cedcdf3446b8

SHA512
cfb1ab92146e41c1402e19a02bfa33f44b55aad51346b44eb416b6d3bb0b90c528a1e8aae1390cffd03306c959d81e1de6fce87fae16156506963eed52951c60

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
cc825fdb421e84c5138a3e87765aa762

SHA1
36bfe68cf55c30cbdf3ad342d90cff4e9bb7af1e

SHA256
71eeb4beb23c7e39af9ee58b214b827888656bfeabef74712e3092f71fd06635

SHA512
c99bfeccf8d651f278497933f042a0910fd415efe9b427a06ca84a6e17aa54b28856387f628b507382558d31754a86ae92fde3ad03269375f244964d00ba098e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

Filesize
65B

MD5
b423830b9e6c372be85a0e2f6f304e03

SHA1
c8825dcf392c8b6a076a4832a92a88d06a4dd700

SHA256
8e513700926b74daae8482ba9ef17b66860ed6070f2be53d6f8e2ec499189304

SHA512
346d0fec56fae8a4e2eeaa4b09d974ac9a7745d470c24fd5b1476f7aeb600db60928b1876fd19838ee5945ecf80440d50cb47066ff52eb4f79f53283cfbb60e8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

Filesize
65B

MD5
60f93f3f3cf6a34606e295981a7e5b85

SHA1
b941ac3eb49c93d08ee2c043e2d643fd943ed91c

SHA256
b75a10a248a26d182a0310a7cd4db02d066bca4127e9fece732e1e965b5ac202

SHA512
12b68512db831fc7ce4f1e63fac7aed1447c902806274954d2271a546b296a3d66a49df9b9691d8205b24ab9beefe2813a02d76f7d7dd18a77f352fb93430710

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
1a27d7cd6bdd8bd487c1da1b1be0160e

SHA1
cdc21e2ab05f39cd002618886457ed6ee8c16e5b

SHA256
17c6bcb5ca3ca05840c2b68d5d2d94924e270e9f0ff6f93a7334a3db01461b67

SHA512
d008331e145696a15edbe3cb6a13bb6fe38d0063e2ad66a6ab81d87e3b27b1184b006f1611ffb6028588cc74d93e516c72803a6c21a195f070f6990e2fd1fee6

Download Submit
memory/2068-7038-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2068-0-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/2068-2-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2068-7037-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download
memory/2068-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2068-8790-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2068-8798-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2068-9172-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2068-9173-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2068-9174-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2068-9175-0x0000000000403000-0x0000000000407000-memory.dmp

Filesize
16KB

Download