Overview
overview
10Static
static
6AES-NI.exe
windows7-x64
10Abrechnung.exe
windows7-x64
8Box (2).exe
windows7-x64
3Box.exe
windows7-x64
3a66dde2298...43.exe
windows7-x64
9a7768f4973...e0.exe
windows7-x64
10aa7ff3bc28...1e.exe
windows7-x64
7aace43af8d...99.exe
windows7-x64
8ad3cc219a8...ws.dll
windows7-x64
10aee03626b8...b1.exe
windows7-x64
6afd3b729cf...2e.exe
windows7-x64
10b56c4569d6...ss.exe
windows7-x64
3b7989d9eac...ss.zip
windows7-x64
1zsgblrbrum...ke.exe
windows7-x64
7b7d9f11c16...b0.exe
windows7-x64
5b8f60c64c7...af.exe
windows7-x64
10Saldo.Pdf_...__.exe
windows7-x64
9Transazion...__.exe
windows7-x64
9bc557a7bfe...8f.exe
windows7-x64
7bd2d4d4300...17.vbs
windows7-x64
1be03e43db0...5F.exe
windows7-x64
7be03e43db0...8A.exe
windows7-x64
7be514549a2...1f.exe
windows7-x64
9bldjad.ex1.exe
windows7-x64
1bldjad.exe
windows7-x64
1bldjad2.exe
windows7-x64
5c145a26dd6...a0.exe
windows7-x64
3c325092750...db.apk
windows7-x64
3c36c46f4de...6e.exe
windows7-x64
3c3dd2e3cf0...04.exe
windows7-x64
7c71c26bf89...3_.exe
windows7-x64
7c846282987...fd.exe
windows7-x64
5Analysis
-
max time kernel
354s -
max time network
356s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 03:09
Behavioral task
behavioral1
Sample
AES-NI.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Abrechnung.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
Box (2).exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
Box.exe
Resource
win7-20240708-en
Behavioral task
behavioral5
Sample
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
a7768f4973ad7cf8217212a4d12dbae0.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
aace43af8d0932a7b01c5b8fb71c8199.exe
Resource
win7-20241023-en
Behavioral task
behavioral9
Sample
ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
b7989d9eacb5a8b224fd183f6ba65e4e6bd30a4f0e4e1a299f0d2b63dcb56730_Archive_useless.zip
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
zsgblrbrumorwxfizuke.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
Saldo.Pdf______________________________________________________________.exe
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
Transazione.Pdf______________________________________________________________.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
bd2d4d43009623941f49554f5932188154fc9d16d820e00db1281d057468b017.vbs
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_Dumped_TDS=4F8C315F.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_TDS=4F90A68A.exe
Resource
win7-20241023-en
Behavioral task
behavioral23
Sample
be514549a2e654706aeeaa15c8cffce504f0e271c904fe07d865f3999ebaa61f.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
bldjad.ex1.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
bldjad.exe
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
bldjad2.exe
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
c145a26dd6d200080c16300456e7c0bc95f2b71f56d94136619e239e466a04a0.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
c325092750dd55898c47be7ec8a7622c3bf8d1a79c40b160ef7901c2ef18f5db.apk
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
c36c46f4de045ef332decc006694db6e.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
c3dd2e3cf0ebeec7a6c280e187a044a32b54b369a78aaaa89c600a0767b49704.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
c71c26bf894feb5dbedb2cf2477258f3edf3133a3c22c68ab378ba65ecf251d3_.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
c8462829871b7bdb005f4dd881d253aa255a1b2f6f3d89edb1d609b51f5d04fd.exe
Resource
win7-20241010-en
General
-
Target
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
-
Size
33KB
-
MD5
d9789bfbc54d5cb6d52c385fd8f5d288
-
SHA1
b8f60c64c70f03c263bf9e9261aa157a73864aaf
-
SHA256
c0fcf3ac6b125e985c6574ed7ef1a7929f3be8f6487b68e4d58a48a3b1517b5d
-
SHA512
21e81d64136897e86362304666cb0a8510ae2280c432c8b768875d5459b527e2cdafe9a61107433d3ff7ccf8092f3bbc226f9366623c1d39f76445fc490dc4c8
-
SSDEEP
768:IPXirrjYZp0Tf6yFz5Om5jPwxgjAqJTKV/Z:I/iTYHQCm5DpjhJTKVR
Malware Config
Signatures
-
Detected Xorist Ransomware 9 IoCs
Processes:
resource yara_rule behavioral16/memory/2740-55-0x0000000000400000-0x000000000040C000-memory.dmp family_xorist behavioral16/memory/2740-51-0x0000000000400000-0x000000000040C000-memory.dmp family_xorist behavioral16/memory/2740-50-0x0000000000400000-0x000000000040C000-memory.dmp family_xorist behavioral16/memory/2740-7365-0x0000000000400000-0x000000000040C000-memory.dmp family_xorist behavioral16/memory/2740-7499-0x0000000000400000-0x000000000040C000-memory.dmp family_xorist behavioral16/memory/2740-7503-0x0000000000400000-0x000000000040C000-memory.dmp family_xorist behavioral16/memory/2740-9122-0x0000000000400000-0x000000000040C000-memory.dmp family_xorist behavioral16/memory/2740-9123-0x0000000000400000-0x000000000040C000-memory.dmp family_xorist behavioral16/memory/2740-9125-0x0000000000400000-0x000000000040C000-memory.dmp family_xorist -
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
-
Xorist family
-
Renames multiple (2188) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory 8 IoCs
Processes:
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exedescription ioc process File created C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe -
Drops startup file 1 IoCs
Processes:
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe" b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe -
Drops file in System32 directory 64 IoCs
Processes:
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exedescription ioc process File created C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_neutral_11bbf54c8508434e\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Core_Commands.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_operators.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicE\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\winusb.inf_amd64_neutral_6cb50ae9f480775b\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\fr\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseE\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_methods.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_parameters.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_preference_variables.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_trap.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\en-US\Licenses\OEM\Starter\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomePremiumN\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\fr-FR\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\about_BITS_Cmdlets.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_neutral_49212f5920298e45\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\megasas.inf_amd64_neutral_395276dd9b7a7448\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_escape_characters.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsPhotoGallery.bmp b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalE\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicE\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\bda.inf_amd64_neutral_41c6262952846788\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\digitalmediadevice.inf_amd64_neutral_6fd673519d66ab20\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\ProfessionalN\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\IME\IMETC10\applets\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\sisraid2.inf_amd64_neutral_845e008c32615283\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Parsing.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\usbvideo.inf_amd64_neutral_836a6716cd56c692\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\wiaxx002.inf_amd64_neutral_fbe080a7dd77c4a3\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\ja-JP\Licenses\eval\EnterpriseE\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_environment_variables.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\en-US\Licenses\_Default\StarterN\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\migwiz\fr-FR\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\com\es-ES\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\de-DE\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\de-DE\erofflps.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\UltimateN\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterN\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\mdmgl002.inf_amd64_neutral_e204d4267d752eb7\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\mdmnokia.inf_amd64_neutral_a8e9a41983d33a0b\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\prnky005.inf_amd64_neutral_8836be987024e6a9\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\DriverStore\it-IT\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\Ultimate\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\elxstor.inf_amd64_neutral_4263942b9dfe9077\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Redirection.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremium\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_environment_variables.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_output.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\de-DE\about_BITS_Cmdlets.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\it-IT\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\migwiz\de-DE\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\System32\DriverStore\FileRepository\umpass.inf_amd64_neutral_e3be362bfab667d2\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\migration\ja-JP\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Return.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_hash_tables.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseN\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exedescription pid process target process PID 2960 set thread context of 2740 2960 b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe -
Processes:
resource yara_rule behavioral16/memory/2740-38-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-44-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-47-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-49-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-40-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-55-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-51-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-50-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-7365-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-7499-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-7503-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-9122-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-9123-0x0000000000400000-0x000000000040C000-memory.dmp upx behavioral16/memory/2740-9125-0x0000000000400000-0x000000000040C000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
Processes:
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_OFF.GIF b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\Microsoft Games\Solitaire\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR41F.GIF b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VS_ComponentSigningIntermediate.cer b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\HEADER.GIF b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\grayStateIcon.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\README.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files\Java\jre7\Welcome.html b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\Microsoft Games\More Games\it-IT\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR22F.GIF b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR47B.GIF b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.JPG b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21344_.GIF b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe -
Drops file in Windows directory 64 IoCs
Processes:
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exedescription ioc process File created C:\Windows\winsxs\amd64_microsoft-windows-security-negoexts_31bf3856ad364e35_6.1.7600.16385_none_1434ded81321974b\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-c..helibrary.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fff56be556f7bc4e\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_blue_sun.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-l2na.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8eeacc8bbc1d7c1a\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Path_Syntax.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-r..tance-exe.resources_31bf3856ad364e35_6.1.7600.16385_it-it_74deb36d94bd1786\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-m..s-mdac-simpdata_tlb_31bf3856ad364e35_6.1.7600.16385_none_8d99b8faf65cdf46\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\wow64_microsoft-windows-t..ion-reflectordriver_31bf3856ad364e35_6.1.7601.17514_none_80a0bff528d7b32b\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-i..converter.resources_31bf3856ad364e35_8.0.7600.16385_it-it_f249f192fb93e45e\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-streambufferengineres_31bf3856ad364e35_6.1.7600.16385_none_eb86a517749854b9\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0522ecd1ea2fa29e\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-audio-mci_31bf3856ad364e35_6.1.7600.16385_none_79024acd05e90673\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..tbranding.resources_31bf3856ad364e35_8.0.7600.16385_it-it_f998bb70621dfc39\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-w..oradapter.resources_31bf3856ad364e35_6.1.7600.16385_en-us_688bce682bc4b24c\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_prnca003.inf_31bf3856ad364e35_6.1.7600.16385_none_c4148f7740e2dfef\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_server-help-chm.devmgr.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c81af0e277697bbc\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_he-il_a5612ff788fc14c2\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..in-appmgr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_948f9dd6df3c4588\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_6.1.7601.17514_none_c239909bda09b2ac\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-huecycle_31bf3856ad364e35_6.1.7600.16385_none_810df6f57d9f2a73\15x15dot.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_netl160a.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7c260e8d374d4379\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\msil_microsoft.web.manag..davclient.resources_31bf3856ad364e35_6.1.7601.17514_es-es_aeead09ca19ac868\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-ie-jsprofilerui_31bf3856ad364e35_8.0.7601.17514_none_0fc0aacaa3770915\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-ie-ratings.resources_31bf3856ad364e35_8.0.7600.16385_en-us_744dc9f0621c4d98\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_scopes.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-e..e-ehrecvr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_552a2e0fe30db209\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-a..-provider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_82685c3165ec1ed1\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-sud.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f804fc3ab9b02239\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\bNext-down.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-i..lified-chinese-core_31bf3856ad364e35_6.1.7601.17514_none_763763505e93084b\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\msil_microsoft.build.utilities.v3.5.resources_b03f5f7f11d50a3a_6.1.7601.17514_de-de_43c9714a467d8e9b\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\df5d78a6328636a4ff7bc7992531d6d0\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\wow64_microsoft-windows-mobilepc-sensors-api_31bf3856ad364e35_6.1.7600.16385_none_68b9778d5cdfa6d6\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-deskadp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_66785ef5b68459c4\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-photominfeature_31bf3856ad364e35_6.1.7600.16385_none_1bb49460b86b3cf5\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-u..-core-tsp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ca2031b623c48a1d\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_netfx-web_engine_dll_b03f5f7f11d50a3a_6.1.7601.17514_none_c34e666ce012ebe9\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\Media\Cityscape\Windows Hardware Remove.wav b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_hr-hr_ecc8398c10d3edd4\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_gray_hail.png b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-help-netproj.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bb9cda912b93c047\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_netb57va.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3303bab87fcf7cdd\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_prnle004.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_264ccea7e8944ccb\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-accessibilitycpl_31bf3856ad364e35_6.1.7601.17514_none_5b652abeb21da986\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-dssec.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5913064a54494ed7\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\assembly\GAC_MSIL\microsoft.build.utilities.resources\2.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-a..ecore-acm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b56f3a1a1dd48572\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-help-print.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6a78ab990b8a97c9\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-p..oler-core-isolation_31bf3856ad364e35_6.1.7601.17514_none_d21bb9d14b917922\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-s..gement-ui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_239cb8cccdbb42af\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_server-help-chm.iscsi_init.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9c47f75a94d4c99a\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_mdmlasat.inf_31bf3856ad364e35_6.1.7600.16385_none_92e94086ddebe21b\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-a..ility-assistant-adm_31bf3856ad364e35_6.1.7600.16385_none_7b487ca06770a648\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\wow64_microsoft-windows-p..-wsman-pluginworker_31bf3856ad364e35_6.1.7601.17514_none_c8755080ca6c48ea\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-ipnat.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e2c0317b98bcf5c9\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-m..plication.resources_31bf3856ad364e35_6.1.7600.16385_en-us_915aa9599296fb2b\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\winsxs\amd64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0fb7f94ddcb90850\about_BITS_Cmdlets.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-h..ragelayer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f92689fcf1a7edb9\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.1.7601.17514_none_f4bf1aae2c981ecf\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_ds-ui-ext.resources_31bf3856ad364e35_6.1.7600.16385_es-es_79f660751417b764\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File created C:\Windows\winsxs\amd64_microsoft-windows-m..ents-mdac-ado15-dll_31bf3856ad364e35_6.1.7601.17514_none_6a56e7f587463b17\HOW TO DECRYPT FILES.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_modules.help.txt b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exeb8f60c64c70f03c263bf9e9261aa157a73864aaf.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe -
Modifies registry class 10 IoCs
Processes:
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe,0" b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZIBXKKHVYMVCCPW" b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\ = "CRYPTED!" b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe" b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exepid process 2960 b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exedescription pid process target process PID 2960 wrote to memory of 2740 2960 b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe PID 2960 wrote to memory of 2740 2960 b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe PID 2960 wrote to memory of 2740 2960 b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe PID 2960 wrote to memory of 2740 2960 b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe PID 2960 wrote to memory of 2740 2960 b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe PID 2960 wrote to memory of 2740 2960 b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe PID 2960 wrote to memory of 2740 2960 b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe PID 2960 wrote to memory of 2740 2960 b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe"C:\Users\Admin\AppData\Local\Temp\b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe"C:\Users\Admin\AppData\Local\Temp\b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe"2⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2740
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
394B
MD584aa889a87f60a5efba19bf8d6464613
SHA14fe67d41d2ed917651e5820f131780bf078e3c7f
SHA25643fc35d4b08e00236a28300d95f7426593db8f95f47e995477a77bfa5fb0ec99
SHA5121d67c2552d16b8c9fa33417d45c8229d291077f45a12692d8a7e9ade813dbc629a4b13eb4107a773896386b9c4e6993fbefe54348568ef28f44f40c6153ff0a4
-
Filesize
341B
MD51af7d34ecf54e18b29b4521ade01f482
SHA176aeeb49f2db5b5ea19cfe94003757cf76dca92e
SHA256761a41ab56c996490019bd9b7a2b14372d9cffa64c237284643bef9297f50937
SHA51221989a19abbe03f023e19edb25ce57472eeb8b2a60ed0468b8753030c1b99f649e128af5eb8938162146bf64baf701b873fdc366c4094ce384c131275f6ceb21
-
Filesize
222B
MD58321938fde27f77a50bf2340b0fa405c
SHA1db54bb8b6c243abdc7e3fbeacd5be46afcb150ca
SHA25630de98a31555a2712d2fb74c6ee0b27ef1d7db74805c4116eb9d94c04ac21bed
SHA512d3b17b98654bb73185fdb1702d5ebb0e9163230049c5af0a9966d3c74058418b14382e3ab5634020a6091723ab1c419030d3f58fcc32785ae20b885ea7e49c84
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF
Filesize24KB
MD56cc7dc7807dcc77ede213cde5e316579
SHA16fa92b6c5222de926752f1870967f4256a5b062b
SHA256dfb926a62310724d4d3bde6d018bc209d31b37a2e74e5470d1f27ee8356f672d
SHA5121d97eacca8569ea3ff369a264718953e2d02adf7441cae137b73b306186e9131d109b67ef6560d09c2f76c201940771850680fe9ea096b29e1d049210f3d2edb
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF
Filesize185B
MD5129b10bc49bb5bc1f57f72ddb004ebde
SHA1a61a554555135bfde998ef7303f1989b87070880
SHA256c351655e7779e970fe8681634d92622ab14efe721c5895d52a7ada2d1c5172bc
SHA51220a17c7e639e613bbdebf8f73c4de25846eadb5fc1bd90146456dcef1bdd0219fbe97874a8ba182fbb2727ce579c96d20fa06f207b88ebf01c87a9ffb0a32a73
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF
Filesize496B
MD590ddbfcde3b20377a35bff127cf73ff3
SHA17a7ede591bf8d9f21de616367b3093b285dcb21c
SHA2569eb0010d944bcb52540c519eb0ce7fa7a789567e706701bab250d57c01af5d79
SHA51262608a4310529c745cec0f62aac9a49fbdd00698a2c2ff65e774797639b18a38fb9aae5de660a54e5f13c14a59627bbd7814625d694d094e3a2fb50ba0076097
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF
Filesize1KB
MD5fe670dae5a67ec4be196b6159f0fa4a9
SHA154b7d1ce5f11146fe70cc08ba26866fbaf7170fb
SHA256f139cd555236f56d0eb47ba750b18f9fc63dcade07ab8ac04ce3339238f644fa
SHA512f683cf92f425b7eb74c5a86c0fdc260649ae63af771bf99ebab9a77ca1930f0c53646e042b72a1a357b6ed04fc5c4b2a5e63235b1767c4bf82326a0652908c03
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif
Filesize341B
MD52191f9e12b06c48ce41f2a87c3da5665
SHA1766db16171f27a44b3fd9c73db199f5ce5c42984
SHA256716503674b82752ece37c7fc0e302329430d675b3fe1f8bbd6073a744d1fcf90
SHA512dce47540f50a05a3e7ee6eca61d90998b553ee608daccf43e12fae400076e862fc5ee924e4f82639ec78bd54a82895322eb283aa2064e461136e9c52b93a8ac6
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif
Filesize222B
MD51ff6398949983dd41121f17bb6372ce7
SHA19ab8267a552836d26968472d24a89352a20a99b6
SHA256dbabe0cb31f73881e8ee5772a5872722f9326bce0694f05bc0f4ed077a3de21a
SHA512afefd4cdad836019995189ac901920a2f1f07d6725e67ad5c54beadf5f30d5fff9a5be2965ee24bf4e042514de3fbd6e55c1e3596da6fd328265fcb85fa9c266
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif
Filesize5KB
MD5f3633373e8e0c7766b0f95579bc4ac3c
SHA1c7bdffe2bf44bf4c2e4439594dc21f4044b5d455
SHA2564a17527487be1048fd913b65a1e578a44d40de9a252f2c8ce354c736fcfbcaec
SHA512e4b7facd7f12ede517614fece819cb88de49f69491158c7c94c3b0c02fc6f1979ea9b9c882288da2fe091adc05dfd3c4ba67933ccd122d8bc44bc5d4c4a8a98a
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif
Filesize31KB
MD50874d67fd3a220a291bab11c5d6ac794
SHA1cc6f56089dbd3b8209870a82984208c43d01cd80
SHA256536545828d40a151b4eeade33fef03b8824a7b7cba0292ee08fd4e1511fda755
SHA51204827149c1dee564b50cc1c596301528d08c8c80787c00e69309cbfc245d04ead4b9db14446758e4e645b6c8ee32680242415edd5af01ff485414fcb64e416c0
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif
Filesize4KB
MD53b02fe5c5472e8562208798eca30a4be
SHA1db04ddf930e3cbd63230bef71dd3872d882dcfd9
SHA25652607fd4de7550b57fe177f9559b0a8206a84688944e85cd56a8aa3ad8a148ed
SHA512eb64733a22988d5532e6d07d37670a789d4c7a5de5829624d32cac65e49c7e224a19e90223e7b26dfa2d547c79a3072d659277fb11b4f8d4c2aeb7b9cdc398a8
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif
Filesize21KB
MD52cc390c00a5fd530acc33d0047a41d07
SHA1035a954db52459c1af0d1b92aba21e88820ce19d
SHA25629e65d51175ac9cd88576b9776b55caf40f6deb643a7b134b657fc2817dca928
SHA512df1b393bac3c7cfd1b5dd0c7ce1ae8e55d9356d72c05ef7d4c6dee8e390d65fcc3aebf681c2add565f78587aeea5814d56e728e8cdbdb5e58179dca7f69d6989
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif
Filesize106B
MD5037a40463211dcef7895e83fbdaf51c4
SHA1d4061d838f68179bfe857d47f7ccad8bfd1ab892
SHA256704fb0f7bc0b9316fa7eb7d3b6a7aa433aae1a36f0e37423bebd7f9006e61eac
SHA5120a926b8c562cda294c8828088409457a8e0800b06a560709c3015e7a312f5625821350bdc87bc241f1256bcbf51ba4585f13a724e8c2698dd8d85038100289a5
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif
Filesize8KB
MD5e4eb37d9927edd263c169bfa8380694c
SHA176c0dd6a9a3d175c619d73c17539b78d8a86574a
SHA2569d1240e24a870dbdbe285e0261d62c093063b7a1d477f5a0c1d00980abee6e79
SHA512bc93b9b4211b404cda7c9bff60bd547c7ffd1f3a2e6719ab39f4f268261239f450f6b556e643ae515943e81e95c4f483cb85740c3397a6d5963b0167c808ccd0
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif
Filesize15KB
MD50b5333afec9f35206926e204f5a0dec1
SHA1cde48354e72657c12e47ec4f24b054f47284a26c
SHA2567cc0c9233f07d999a7ac7f1c601f74b98c8ba825c4c275a477a4b2e4151edd93
SHA5124c16493a1632867ed6bc4adf648bd14e1cb517b11febf6c446f93272a0aad5696956fff53cc705ab08cb2579905f8780a2a0cf25703fe01a9a18d59827611043
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif
Filesize6KB
MD59c362b8c6b3cdf188a276b002cc14312
SHA12beb8de0eea83839e2309fd040e08593dc398c6d
SHA2565b5371344edf9af149ac0c651215e0ed3d34a833e04e017ecdd8f4a919ff8227
SHA512fe16f3bdcf60a21b97e0f90558ba5a833240a93f1b5abc8a059a3c486477b50cb59ba9fcb3d91090d699afacd225d03bf11c6830bf27385c552a9e4523ca1a8b
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif
Filesize20KB
MD5239a81afd06619c189ef5de4e9d2b31b
SHA12a715c8788cae6b76c428d0e0d043ec8d18d896d
SHA2560c521a36c64fdb6c61dc8d4d7e1a8872816b3c1d61699671c07fbb74fc85f631
SHA5129d99b4a4c77108858c3239bbb33ecc181cb8fcc856088fecf3a1436d1c17df90d930696ae4f064cca07ebb8c5ee246e3719823f6738f67f830ecf29944c112a6
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif
Filesize6KB
MD5189313edf729895068a09a40d48bc6bb
SHA1f59b014b8426dff96512ef7f217f54e317fad268
SHA2566b6672a3ba6f8294bb84551f69227a58865656c03355045cb7cfee2feb5a25b7
SHA512fd88918c92dd23c1312044b803f893f998355342496cb97dc9c18b96d0b73f5cd0ec3d91474d702e7058a57d911a01abb0467c8a129403e8fb6b3af90028a739
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif
Filesize15KB
MD5571238b7377504c87fb90931bd3e8fde
SHA1b1d54a5e2e1fb59bc673ad5910a8f6cdc7e4223b
SHA25632749a6331c55f7c4b0028be698e119cc94dfe3f8e3b55616aae4a8a5aa156cc
SHA512b0832b63561a52db5294c372218100b362f9def57710e23e47c5a7510a6b84237f9920c845f56818619ff9393ed3737883f357aeba56d7ac35cc3105f41fe8a8
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg
Filesize2KB
MD577ba715a0b8f4a96417464c1dff7e880
SHA1037881f283a0ae8a1cffc251cbdbcbe03a70f462
SHA2563c85e83631e5c64c73e89486c3fe9de952a203dbcdf7870c0d91618539c121e2
SHA5121e021b19fff299543e2494bf73358e88224c6704152167779297820603913b0a6279d47d7d757b052f4cfa6de2138dd4ab339da7acda1c83269150b24b671f6b
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp
Filesize2KB
MD5bbfc9fee85b3cce5e01feeadade57067
SHA18e41a07021da1d89dd05f25d23f74f1ef5d668fc
SHA256aecf2f6aadd43fe06a095579ee03b2741d8996f3aef6ff5c73d947ac3c989e1c
SHA51281c8436b4c4f259a287977e7ab01a5a5d05574ab023106c1cbd82d11e1f7445bf1c271f60f46a6f70f7381ff8e2e32e0d7e0d9bdf12256278630624849a7462d
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg
Filesize6KB
MD5fb7ef9bf5138a01442a111f9176b2706
SHA1884f716bc9ddcad0a7df541cd6afcf1738faad3c
SHA25663205119b10b720404aa0088f988c4040d8457a57a36ae5910bc20ff09c553ab
SHA512da53b773ac2e949b533de2f820c80581e508d6bd53de6419932ec5e1ccae44cb96611d53c44755cf96c194625ce34f995ec6458369fa1244512a29f48e54f5b9
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF
Filesize255B
MD5aa0df9608730ca7882be62542c5fcea8
SHA1b938169f5b3e2dc38859584c95bca590728d992f
SHA256810d8e04879cb2023cf1ae4673ebbfc2c4497444cbd0d065398bc90c7d196641
SHA512b9b8e7de87577cd2a8fa0332110d76edbff5ba1fbf834157bc43e933f89d687335935a6f5282bc756fb93f85f03300a9ab50726db89c68954759095492981aad
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif
Filesize323B
MD5ea00bdfe137da25d60eeda1a8cac86a2
SHA15ad3c2de5e197cafe4a8919dd357a622ef62dbad
SHA25656d65fee28afcf0b6d2bb8857bd203db283f6620d1f0c1ad1260acaedf74b1a2
SHA5124388a220e47ea3fcaeca93d55d9761a9c022f06e6b3ed3f1da2d3baa9ecffe19a4539a428f04595f14ec0826d0f368ea2703c848c8dc2481d7010dca934f670f
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF
Filesize367B
MD575e246b20447144541d8e0f090ff6a6b
SHA1e996764bb7f7ff60044654e985d93bf7cabbfe0e
SHA25647aa405570f20e7b19b35d463009d865afb9717b8ca7378fc81db75c0e327a2f
SHA5128e782d4a72918c8f486c5a548dbcff47f9fc5107af456366b6f3a0bbb7f14ffbce1a5aeffa92cfe2ab3e23f7711b9e22854f19f8e408c0a259a9b3ff55eee4f1
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF
Filesize148B
MD5dc15280b790fca5bdbfabab3bc5446f6
SHA17428449183562ef329bc3fcdab355a3e5800724b
SHA256a151d05b42161fee381ed99130f60c6002b3ccd97a10bd156fce5e3eed8dcbaf
SHA512aef9a2f423259b83c48f9cb305192ae77fa5f2a45df59f6308079fa2db17dd52b7bf157cea269b6cdcffcd31579c112225951422963183b7e4f04ff0c481d3ff
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF
Filesize440B
MD596cc94b8826144226e703172f6996627
SHA1a6b6894ffbce36ef1bc026cae991367bad9da20c
SHA25672aafa23161237c3ffe305f5b60bf84def198e741b56ceb79d5c76bc5b1d4c99
SHA5123c8aae13146a89bac8eed311248f6cc992d62e4e2d961d6df83bd3aa49a9dc3b36b5b0d424b5f69485be73ea8d2facffd7c63fb47230a1e64dc8778fba9b2bb8
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF
Filesize462B
MD5ff57a6f0d9b9bc45e08c2d785863507b
SHA1cb5e1611b69fc97af9585413409d8efb1069630f
SHA25647ed0c154653cda79e633095b05b860ee59f8becbe27e5726cc133a46c9d2678
SHA512dd14ad9024704eec2acded45e116e0509f75b4ea3681cd3466eedf245430380f8165766cc5e788b262d0490fe699b7c702f791f72d7464309714290a72ef0558
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF
Filesize267B
MD5b5ed2a4e21c005dfd68a5ddc944027c8
SHA1b012bfaf356436773a9eefb71533295224008958
SHA256a520142c90a32538118bfd76fb11b549bb2a295a202c7b555631dc0df18a6f85
SHA5125e833354d4dc8cd6ff1c222ba891680ca04823fe246e9819ede09edfe4b92da8509c8d11f39e384c87577df3d589a76cf7507cfa8a62252705d3accb0f9037af
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF
Filesize2KB
MD52cf1c26777eaa7724e67786a6ca48a81
SHA19c3132acba55cf0532b85d928e83aae04dbab033
SHA25619bd07f62873b934a29d3eab74bb2e7f5ec5ecae751fa6499759bd9316a65ef7
SHA5125d9d0de295687fedc342e2d05dc85b35221c9ea48ad660b70cc5ce6141e3173c1080be0a7142bf1897841348d8654710c63c55b45b3d6dc779a06528e9c36b12
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif
Filesize233B
MD5145842d6c8fe02679b5deb4096bad130
SHA1699a4d263663f7bd753fc5ce2c1bffb006b4ffed
SHA256c88b1bc2005800f2cc6ba64dc3dcb5b2c4e008a22b8bd83e053d427f3598c6ae
SHA512d6950580bf8b615fa2deb1eaab8a9553bc0735c7d95e1189504bc2513c2228dfd9bdea2c530e0ad83958fad87acc19c7c834bbbb44fd673709f5be4bad21e9fe
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF
Filesize364B
MD559c102ff356b708076fc11c840ea92e6
SHA18fac6d7712a18d13e113b7ac07fd98fb9f362603
SHA25633b128e9614c64504e0cea976975e96337578970285d1eff73fc1c471f40a70a
SHA5127d327ca9f5f9cc730336193db0023ba498d6dce60bc64926aeefa6be446b04a6d86637612b13a51ed74c815927f57b8b7f183e00ee5ae341679ae5d29a37280d
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF
Filesize364B
MD5999ff477de483db6fca4043de9420d7b
SHA156290a59a63fc0750dd4b17a288898f86cb4b7b0
SHA256d0bd2e06848ac27e92564c6134c4b6ae9a3d236a3a62537e9e7317665bbba503
SHA5122d48d69406231b832de3130133d549dbdb93516dcbf0baaf01c014c6374ebd985740340320a4e03522515e1c5fb660df6902e099a959e403ff47af542ec256c2
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif
Filesize6KB
MD537bcb3378c6406012f98e09bb01543f4
SHA1491a4e728c93e72753fb220d1ed4660e77c15631
SHA256c262c865d610f582d647c2df016bc05a6a64c65e34700661af229d020cbe040a
SHA512ace302257f76a2a502c30535c2bec50d04c67bc45a64ef5a9899c6073892c6601ea7bc6e6033b1dae817482034bbb6797b2f6b548b99632b4da3a246df64591e
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF
Filesize428B
MD588f055405cb3f1036373ec29458aa04e
SHA16ece1dbb791601a65d92cb630acae8cb8616d4e1
SHA256547c5402337effc10fa5a67e5dd7de9df13497bad2cfb153d29ea85e848f3ad1
SHA512f094be8bca8731294911a1769e83f6319668dc8aba27e53fac755270136f8bf6cc94169f5ae9fefd43b22bd0e88d20d94880e8908decf12583efa99a4bd9f912
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif
Filesize815B
MD5ff964617307777c91053a822cb6d7c01
SHA1300c86581d3c540058196f97145d31d6e4114b1b
SHA25623d066eb19d60da76aa3c00607ef20ad069ee5a3303400d427928e8812c46819
SHA5124e81825e522ea80eb48d961aa319f42bc34101f5763324c95a2de2d9341b4e8a6959ffdf954780a2204c51e16fc7637ff8b391bbe5930dc087b9689bd109185a
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF
Filesize870B
MD5f38758e1513385075b72b53a280ab302
SHA1d31fa8aba3282fa49ba32f1a9f5246d939c288c6
SHA256f25cc7b3162b8817152712bb9472244d42d0e01ab81ab6ce4800b112653087a7
SHA512ce5438aea734081098246fe499914bae2be0fbfcb8a48f85abfa30ce38c96a712dd88fffbd3f65fd0ebad77ac6b3663a018cc8b64e6afe54b3e0d95b80b7596d
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg
Filesize3KB
MD5c9a07ce0901259930e2667bb8724b281
SHA14490a70fe323700b51e58331cb5938e0dbc4cc19
SHA25625ad073765302530d4d99f9faff234a46f23fa621b08a6121ab5d1b3c83c113e
SHA512d37e64fa87b065c77dc6656312b8a4c4efa6161272cd7eca8bef04646ec619dff544c41b554d160847669d8d1c5986b56c96d726b0f2149299bfcb925de50108
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif
Filesize2KB
MD54a96cd84440185cb6450ff80f9515963
SHA121c23ba3bd1e2996cd4b30a321651131e1d0282f
SHA256c483fa507d3ba541202dea8053c0294ba49babcca5a0a94d21bd13c9390a4f9c
SHA512ff9fb1a1d03188adfcb066cd0407ef8c7661cf6b62bcd593a92a122b822b673a68a7f9a80ff17a6f87835edc21054b20bb4cb3bc69ad7afa0f5ba5157717398d
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif
Filesize19KB
MD552e09aaadc8c1bd1fb62c148740939b8
SHA11e93c9fad83ee2c11b5e74860e053ef9b22869e4
SHA256adc8c15207c98cb57c12a70c5e50b0cf2edbee9811f8d106619d47bd869fdf22
SHA5129a28269aeb2950e3b5fbfa76a026051edf10ac0d313c651d986183d79a5774d38db0246549d27c2e4549a0fa502a6c807a7001199cb5aa019a90972a9026dd31
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif
Filesize890B
MD5529610eadb200dec457b8ca9509793c5
SHA135822e8762aa6c342503b13cf6ca546ee5ae20c5
SHA2565830b60ea874131243788e4e92b6f6e6d79477685d09a374f966d07984a85f5e
SHA51222100675f81a9b70fab257fa1aea73222dcec9fff39797adaeef470c0ab1433b8bb12d350cc8ccdb2f6b99419db29aafe4f11e7af612499438150cfb49fff982
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif
Filesize852B
MD55a777f24df2f3a838c54a2eeece47c5f
SHA1b3ed1cafbb1ec3a16b40aa155868474f108b1d6c
SHA256d65f339175116d39d5e60559939fd8bccb303f3a0c1b8f4e70fe73c04478891b
SHA512edd206aad270b2e30f59852e3f9623d6eb69d42c95c6def5c2cb4dfe32ca0d0ffad0ceb0af6c87b2330e27055bc04ce4ccec4afb6adc9256a9fe3e112e75a46b
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif
Filesize860B
MD5a1860c16a2e6d7531411610550892fe8
SHA1b656cc0a27c3677bf6fbee9dc050e4336b3be89c
SHA256d2fcaa260240d9cb0c73fce0db625f9317b82674c8054d878a0bedfcfa71b80b
SHA5120899319cb416e4bdf4c0b9df22ce0c1def403f8d9327dd6e88ae53b0971f8810ecc08938969f893b86b0d3676b33d83c5375102d65dd1f67aad9274003cd8fcb
-
Filesize
580B
MD57fe23a7a8a2b1e39855bb443c3549007
SHA14cb92470641a6e0d5fec3ad21c4da30f400a7c08
SHA25646d40020b0d1e82e0ee3c81fc6338b1bea27866ec5e1b7ebbf516a8b723c84f4
SHA512848af5a09029347af5653878c67c58f68522dd937fc078ce7dc6c0a985fb7fb209b2c70e2949b66ac341dd53f49adf8517867f18024d53024d53ab30ce16af5c
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF
Filesize899B
MD5104a8fc104adaa6ec0b908110029f029
SHA1db9246d360163a0002e1cba970a0d8e468a00d41
SHA2562a975372744f4901d0e527773a5aece8ab49574d300d480817d2ab5e0ba30c8e
SHA51207221ed73cfab40949411192c34b101251cf58bc7445933d9ec8b02cd86ea6273c0043797d2e1015600593e0671cd24269ee2d311650af1b88eed81d06893ae5
-
Filesize
625B
MD5199b5c0a10456d55a63e1d5d31ef931b
SHA1d768145dfb504e3f1a3abe5c2549581036455ea7
SHA256a299207d72efd127b79224d01025f5f27cc721e4959a4fa93bab10ce1cde6a75
SHA512f01fc015f1bf05dbfea8a793503564fd367667a519b62546eaff234fed4cb4a3f7c76c5c86f418fb9f156d4cdeb5e72acd29497c4e4d29bb6f1c99d08924d262
-
Filesize
873B
MD5eb6f6b867242d0d794fa5d7494a3fc5e
SHA1999ceccd9fcdf73691d04493cc33e0e41d9c1b49
SHA256af79cebd96f06612eac986adc6ce098d66408e751dbea2a96dc65a0a34ae9ebf
SHA512b8d3019b33cb18cbe0160bfb88abe9d9625b545e7b54f88f29b23b80542cda356d9a099cd71d7fb67e7d2407486f2901248b214770dd7d811e7d6b24d2f71ecd
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg
Filesize5KB
MD5d40f18421223be9fbafa73f4d2d3549b
SHA12a6192a75767259e4983e715a733fcc31f32d130
SHA256ded969a81919b844096029bd067ce71f9b1d8a7fc84494ccad55d663bd3d76fe
SHA51251158af49a9d4bf23bd1d844d4065b4074d15c4c080062bb9556f1592d26d6aede2fb513deafb6753acacbc3371fa6a5638b398bcf1dd1b4a22b630ba289048c
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp
Filesize1KB
MD55bd49cf1243394561e3fbaa0242bc501
SHA15c402d4629e8973676bc0233cf712cd36ab325d4
SHA256eb0116877343e27cdd9dfefec196d1230aaff96fd38f8ec0cef4d831cb647bb9
SHA512458621c66b057a9837c677f76f9e76122067c57df58a8c42e62e99fc3f5217eb51f4d2394713980726ceffa547ef37441105b3741036374298e6e8383d94575f
-
Filesize
615B
MD597ac4bdc1da5ef7d7cc21a02de934423
SHA1830ce88d496230d529bc507bd51b07123b2ab5f3
SHA2564a8e5c94f264aeda3bda0abafc9d7236f7775a2b7d1f233fd18712fe9360be7c
SHA5123dcee6c41ca476c8b35fc384a638abdb6de2461bf435a31b4f3fbc5e1db98a6fd69521112b42f3d8203375b728b5fb4707095b85d6486c96ec49f7db123ab416
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif
Filesize848B
MD5a2b435a9ee8eba8b3a732af749cc6e99
SHA10909fa22df696dc1afcc5206e56c405320fb9f80
SHA2563374217860b15d352e6eb55a44501550f672ae986b42db66829dbf79959c61a7
SHA512b9381a90d6fb4e4219dd2d999166cd2a789021539c33f922f1e674673852f9c7eb043cf48b4f1d4e85afcca3a548e3025ac039722879b4669554fd8906fa401b
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif
Filesize847B
MD5fb101ff707df20cfb23be6df94c1e01d
SHA17d2f9252c7e8b7d929ab741d4d888007fc5d1dac
SHA256c8df420f7ee9a895c5a7cab749e6914ff5af06adc3f74e2f74cb6a0dfd25fffe
SHA512153b41a2da57dd541076ac7e8ffe440b1252c2a6d7bcb1c895229e65c67f02d440d24e8daeb01a9b77740ae1040b72e2b1c281ffaf8e44644c2e04a77a0ca91f
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif
Filesize869B
MD5af9eae512bb1fe024a90df083bb9628c
SHA1349ba6a80e54ca46f3808df8bdeb4a32c9c7a44a
SHA256f46e2e37aba8dbcc957f979861de961eb9d0e42cad9a53c994f197825f6c7bb3
SHA512d1c24d52ba800ee9d57ba9a93b2ffd49047c8ee1c9e019ed9039be33f9ffcdad688f8233270fa2b2bf13d287f856a3bee93882d87a8abd6443aa085ddbf6e9b9
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif
Filesize847B
MD5f1d7c3479982db1eee8069c3d398c7fa
SHA1924629b426685ea84ec83bee1d057041c9821529
SHA256cac8425aa84352cf861e1334954feab1ccdd71a2b3e8a92f0a9086620077b4fd
SHA5128e30700061a1fe0198137750e5778b9bce8cd3abf1c9a83fb77efaf1a92e21eb2cc6c80eadca920337712dec3c3358cb35f4e334afb16f8f709dd3abc3bae429
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif
Filesize863B
MD56fbe7345ffb868d21ee2dfeddbc9fca0
SHA17bffbec9772f2137f76843dcef120732b36d2f68
SHA25672d6cf5bea78745a8db2207c9e3835ae4ce36c5cee1f70253886835e60990d85
SHA512879f9d171eafcd4b9a8225d679a33ceb409d295e1dc7b18049102691ff0673623c1c082b6252d3976237d7a413408408407e63a05eba48834fd7d0c340aa4f01
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif
Filesize861B
MD52cde10b142e0e2a2ef03efeca791a46c
SHA1c323134f4c29d40e92fc61fa46468c8d3cd5d0b7
SHA256a1a7536150a3fafa238d3862363eb66b5abd05a5b6d533a10a47c15f9944c0f8
SHA5122f7fe733d57b00a7927bbbf1efcb73bc9ea9758d2101cbf83fe6609bcc53de0cbd0fb0625ece2ea439771c1cb2b20a9e9c6ecda9bc035b345dd88a4b45280134
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif
Filesize850B
MD5b7412761d9fb158d2665c7bebefb6a11
SHA100d9429c8b1e28395bb5ea5d16eb33cd501c4f6d
SHA256b90189b5db13e7a61f0ca6dc1a7e7238c524f78f9039e67b13d7e80e3bfc4cff
SHA5127896f47a94efee6fbbe44448c07fc80af40d81fbc29da8140478419d4fa2e5e07b047366226492326596e4a4db50ff00a80d39b3c98cd6730f63e9c3040c2db2
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif
Filesize883B
MD576495b6cf106051aa1ba8037a1ca934d
SHA1949447acc4b553113a8261b8777ff202936e771d
SHA25612f098b9712c6bc602a8a58a1aae93fb2e31fd70dddbd41c42be7f8d6014fa69
SHA512ba726e2246a6253f77ace8f714d9657ff458543ff75e8411ae585cc09614d3fa3b791a766621ab9a38793258393327fff7eb118cb0b51d3f13d7c8960c38a273
-
Filesize
153B
MD527c9d1245163f6a2ba76cc91b0c3bb3c
SHA15f126d6fca1dd15ee1a058e5e96a0b3c89dbbfab
SHA256e25e7c97fca79b1146429e074fd830cea1283c464836c5b0e9676054e9469542
SHA512c331ac3a69f9c599bf00cf6bc934ddb6195d8454af11603a7e954115376c8e0d1d7d9513357c2012c200a57e9ef6d43caa2d3bb3f2eae4eb0a063a825edf616d
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize12KB
MD5331ecf38fe5668c78edb8f2bb51f0aec
SHA121695e4b52735a172e86a732c72202802d89731d
SHA2560386d83e43e17e64adbf24ffa5a52d5640accdf4c8072a19f4c7e6c13f8f5312
SHA512a7a89ea5ee617ecf375218a96e3bfbf37574b400ad3e78a7c849cce29dee873f1b364547337147f83ca2fa2dfd7c28fcccdddb17dd902eb3442c1659d20d0c2f
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize8KB
MD5371b241caff76c21d055604f7675fb91
SHA128bee99eadb23f6aef2bf49d609694394d4ba115
SHA256a4725bf11da5be3e0a849b8c242a9eb1859bde3f061c8491abed29bf48dea725
SHA5128258a5c185fee6d540ec933bceff4b9f6ef86dd47ce7b6c654065448882a5cd2036b949263504b32e74925c9d4072eb518fb86d84fa3b126c4002e2362fa7f03
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize11KB
MD5966f4cc9ad4ff431c8f1d8d062939882
SHA1ac03fe94102cbf1834c9a94545e3b5bfe6938b95
SHA256a0828a0adea714702b6320c10ec46e1b92befacb621d9562db257d43e410e412
SHA5124c9dbc87cf7ea0c757ccd5c965b9f63a5cce97bd360bf92356436fbc3eb8dfe3a9a0f4c91e7a48074a5c30543a12c944667fb0497ba13314d5d92903522673f6
-
Filesize
109KB
MD5e3adb8dda9d633a95914de56f1dbe84f
SHA17d321579b36f5c337868142696a1a39dbd1d920a
SHA256e0e86d5a7275cc2315198bebd385e385700ebfec3a1f6015437f644c2afc9e22
SHA512fc0d5fbd22924df69bc851f4dcb06c8bc3c11a63ee2f62a29cc435c63cd47ed47d7fff4e7c18c4e064d43d6d11a87fe2bae131870aad92d3230021bc0d853edd
-
Filesize
172KB
MD55789f6e2fd217194f716477b7d2bb1cf
SHA1677e3359be96317acc0989271ffa306f0218e547
SHA256a68145965acc56b247030d8cbe79606490b893b05529940e652d054f803ac2ab
SHA5127039e07572b2d143f80559bffce1a265a3c120fda3f0f801e7d14bc9ed9f409398f7dc753999c44de2940f1b032e88d306ad4adcfffd01d126112f6064db5b24
-
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
Filesize1KB
MD55d92af01977406945c2816e61e8dfd54
SHA1e30a5794ebfd008bf6c243bd2b85848506f9a433
SHA25688971b384a86c5fe7286b3cb84b0975e901835cea27ccf8b5e8cfc76f8d2560a
SHA5121a1d545689cf2712f0fee43678b5a848a98b859ad1e7f279ee506cf62456859b138b05d65cf12ecc131892147fcb5d5df9cec43e68daa8ed5535b06102ecaa2f
-
Filesize
21KB
MD595e26a99f1735b921594c263341ce2c1
SHA101b3a9a236573f120f0c786124ee9ff2ba96f700
SHA25659105a9f1c1c11ca4e7abb87a266e7b2bc594d6a9d4b49d51bd4afc958b4713b
SHA51230ee1538d076d742a8e684d157c16d71daa37f7054711bb9368e3d2f69a2795a0f972fcb298becb527eaf1dae4632aae86db09e210af75f1ad554eb07e8a484c
-
Filesize
1KB
MD541526eaef057cc772abb093fcf3a2f09
SHA17ac26633f72ef4e634f665242977ceb9405bc983
SHA25670964a3775e2d2e9dbc68ac218fb0a30b45460f8327d0dce70eefa439f9de82d
SHA51289d44d65d738891559d0ee3e78fe3dfa46476d7418b5be8d989f3788d19a09914b41b2c8cdcdb126b2e1fc106832382038a2a201d2df6e531bd375fcca38162a
-
Filesize
952B
MD566c643fe3add0b511f0667f7190daa3d
SHA1bede5464a77e2b9241103883351d67591f3c829c
SHA25653841b17be03947251789fd8843814b2d686a330e353d0934ba59e8a42d440c5
SHA512ed3f84325e86115948b8b59a534f5cd7153b9b9e1fa6e532ba092ec77eb60fd43f57bc3056bcca6f171ca59dcabe5964a864c2b9299846e0a9163a1ce9e28578
-
Filesize
121B
MD5c4c893bd72e7f20347c96166150212be
SHA1b521785d1972475fc0451b4e185b69d70a0f002d
SHA256b3065b47d6999dd2dff7f1cbd2a490a1a0cc14925264e77ffe4a78c40f2fa014
SHA512d9a994ad6d864e2b890047e14a55cb354d03a782387276f45dce56019ce32daf4e25d01d59ffe337e54645f7f94ff790ae81218ba04a37b941295066e11e5da5
-
Filesize
1KB
MD592ca8e0fcf7c5f1c4094b66090b90391
SHA173f9dada15010e660e996c270b7e66dd4fdd4cff
SHA256e3bcfd660c68d3dcb98f84447d260f4adccacbea46f6deec8dfc315a0ae8366a
SHA5121df478d4a29b9b853d4f4270a48d1233afe397537ef6685e2a9145b00e89fba82780c4638afe6fc8dd14ebfb17b5429a8492c40e531fe674df41bc674ac6057d
-
Filesize
8KB
MD548d0e43e1ff4c61cbb4819b6cc87b8e9
SHA178b5ed201b438366946419de394450d6dd63adcd
SHA256f8642f052cfe5bc6543252bc9ac14dd3d5323d7e9cafe0e2e0d4d8ce08224f6d
SHA512d7ace69436d70f1b19b0069ef55773d8e9a2a9b8ce5795649141deb9ec2ba83b42b836830e3bf53f2be66ff3f6b14a7ac208b908864f100ed492048158240750
-
Filesize
914B
MD591f00ff2312c7974c0d2902391da8399
SHA14f8ad04d575cc8914fc6cf58695429836eaf711e
SHA256542013c56fb0fa58084282b35891362bf8d2a516cfcc418ea3efc7e8a37db86b
SHA51242ec7fd1e2646ce908e60480d51c021ab4fc78aae43e8004b33400d38d620c3fbbb4454d61cd7ee8db84d7742085ad2eecac0e2ac090af52c642d942614bf2a0
-
Filesize
90B
MD574a92b45e5cded1b5af9fcb568ef242d
SHA1c5d110452493c1b92cf3db67b39779e5a3e7ec6f
SHA25693afba154fd15e29879528cd877791b73dd2acbd8549020b912450ca3e26dd59
SHA51272eff94a1b385c602720d437e8d1ca273c0c7556b2dfeefe571e455ab884574ab80e2e19770572cdbda0330fe5d19388aa8da7d82d703c4a5dfc53163e8b8c8b
-
Filesize
90B
MD5c184ee4c96058287f30cac484bd9ee8d
SHA17a8ee8b9769d276b1aeea044fc74c1cd441a3d6d
SHA25645ee7e26cb782243f7ae1f50c99dd6bfc77fe844dccf875d349781ef044ba4c4
SHA512a40597141e860e48bf58f8a6f9d41edb8ea01a6cf3baa82d86242898c4b44821471722b5bd12c3b42ac15f8c989ad9697c724026555d8585c9ac25792418e495
-
Filesize
328B
MD5e464aeb5dfe85b1a1ccb00ef09935905
SHA1f89e3586da1385be7826f4a3163bbe75ae84594a
SHA256ab393467312bd56b428392b869cef5ad1778ff3af8cdc4c58d636600cc597078
SHA5123efa2c00c0b96e566a3aa9d5b0ab04a75116655a7d8af0e45795e26992e31ac8f8f5f696b76573c2b208232ea53b8b8b33514d957fb9a25ba719733c641f77e8
-
Filesize
1KB
MD56e7f2dd48c147b13d485f6c839d41846
SHA1ab257d2d00400f165c3848af78e984f9cb6bf767
SHA256f7e05c4121962c4c052c81b0b8c0151afa4ae01eb2b52c37f4c626c2f9a22b05
SHA5127f36fbfad0aeeb038ecbdd3bdd182cdecbfd624db8f7c69e58f569e35e29c592db66dbed0aab025ecaa9c1f7cf6c6df9957195207288c42feec72f6de0814789
-
Filesize
162B
MD5744e7b23d328c836034fd5ca01423ddf
SHA1b1e81e0d03a722341145e2e4e17dd69dd2285010
SHA256727ea69cbf7f5d1e7bfb12d05ca3adb4ed647b548a41eadcf7ea66508aecdd4a
SHA512f7c9facf0e90e8a091465fe124389b89793c55b7eed21bab610da5a606d57e9009ce9c394b60ee6cdcbf118b628cdf9f37d58d49c0a8370c3f1a95edf81f1ad5
-
Filesize
586B
MD5f1d235b8ead9bae3004d2828c13c95f6
SHA1d88007a4623301884d63365b7f5f5576adea7e92
SHA256feca6b69af4912dd3b1f04dfc091bd73070f2f29abcdc38ef69f185526f5c769
SHA51207af1cd5cc2e753b056d2ef70f1775f40b814721672229f243f6cfe0f2a3a0ad7952ec1b903e870c355f135a65d0a1334403e3370c72d71b0fa6e36cbca97577
-
Filesize
124B
MD50cba4e5e16ab58e7b932c885915de1d2
SHA107cdfdd0dd483b5200e3e8a838cce317365534a9
SHA2566ae30d8599094052b05af2e94519d3f0f8905a425ed9e6538ee3b65980f9bce3
SHA512366d986db2aec0158a48d079f1f12dc30d7cf1db717cf1608d95d971d0d9850752a87e938533f3062a8c15126c5fc3a13249a0d2b44b58fbbbfcfc997cd08e73
-
Filesize
8KB
MD526ba333e7a7d012f740b211ac508d149
SHA1ec4b64c6de7c16249ef9aa7ad2c28cce782f7140
SHA256315291cc7a3b5aa1fc7eed56347bdd68fdff3cd77240ee58ad07b73388408de3
SHA5120acaa61a8b6f6984137d20389a7c6085afbde06df45cff2fb112bf9884280b7dba6a38ceb9cd92124f53c1d1a9ffea0691a371525da4048c2ba8358f57f621bc
-
Filesize
880B
MD57344a100eae6134cca920134ba6f3d1d
SHA102659c0b1d95addb9498beac7faf7d0acac7e34f
SHA2568f6ab273a64fb63622e6c307b270f5d5c9c6ce9012b385ed5e5426801899eba0
SHA512d61814141277177fe26dd04f86bf736d705cd655db9342031945d1a89f5a39913f3d2d1ac2a7826ce1561a544dfd6a8bd0f24cc6459ddafe54f8f49da1274607