xorist | 17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Analysis

max time kernel
58s
max time network
59s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

e8e07496df5370d2e49ecce5a47c1fd2.exe
Size

181KB
MD5

e8e07496df5370d2e49ecce5a47c1fd2
SHA1

caa07048b079f148d704a49a0d44cd299a3db380
SHA256

63b541a11d8389b13c634665ba72437270cd8bbbbc3df7dc43acfe201a5a67e5
SHA512

8734843f2c9b1ed9afb5304806ce5adfffba8f8a93d6a1e1f0e9a1e2ec6c87df7435b54b3231aa583e5f08435ff470e2650c953fdfe4cde0461e5c00fa1bac94
SSDEEP

3072:Sed1DM5u4n7pV1HiBDqSe/01R+8UQrbUQrYc1rIzDu:3fDM5u41HiBK/s+4rXrYc1

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral19/memory/2516-38-0x0000000000400000-0x00000000006F6000-memory.dmp	family_xorist
behavioral19/memory/2516-9285-0x0000000000400000-0x00000000006F6000-memory.dmp	family_xorist
behavioral19/memory/2516-9291-0x0000000000400000-0x00000000006F6000-memory.dmp	family_xorist
behavioral19/memory/2516-9900-0x0000000000400000-0x00000000006F6000-memory.dmp	family_xorist
behavioral19/memory/2516-9901-0x0000000000400000-0x00000000006F6000-memory.dmp	family_xorist
behavioral19/memory/2516-9904-0x0000000000400000-0x00000000006F6000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2558) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

Tempsvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	Tempsvchost.exe

Drops startup file 1 IoCs

Processes:

Tempsvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	Tempsvchost.exe

Executes dropped EXE 1 IoCs

Processes:

Tempsvchost.exe

pid process

2516 Tempsvchost.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2516	Tempsvchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Tempsvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe"	Tempsvchost.exe

Drops file in System32 directory 64 IoCs

Processes:

Tempsvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\InfDefaultInstall.exe	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_try_catch_finally.help.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdsi.inf_amd64_neutral_e77f438012239042\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrk1.inf_amd64_neutral_19cdebd3e1182874\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\Dism\fr-FR\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wudfusbcciddriver.inf_amd64_neutral_adc3e4acb1046b4b\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\ko-KR\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\migwiz\es-ES\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\shutdown.exe	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sas2.inf_amd64_neutral_e12a5c4cfbe49204\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_neutral_54948be2bc4bcdd1\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_debuggers.help.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_parameters.help.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph6xib64c0.inf_amd64_neutral_a43df8f7441e1c61\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaep003.inf_amd64_neutral_c2a98813147bf34e\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_locations.help.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\UltimateN\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_type_operators.help.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\ar-SA\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_neutral_839e9ee1a8736613\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlasat.inf_amd64_neutral_bc1469ba40fe2114\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wialx005.inf_amd64_neutral_5304c93e2193f237\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterE\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\zh-CN\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\rekeywiz.exe	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_jobs.help.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcmdm.inf_amd64_neutral_af49d2f3ffa12116\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\esentutl.exe	Tempsvchost.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Starter\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\WindowsSearchEngine\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Assignment_Operators.help.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmzyxel.inf_amd64_neutral_ed1f16b3d0cae908\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr003.inf_amd64_neutral_dff45d1d0df04caf\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_neutral_423894ded0ba8fdf\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiahp001.inf_amd64_neutral_aee49cdf3b352e58\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnokia.inf_amd64_neutral_a8e9a41983d33a0b\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc11.inf_amd64_neutral_bb18e5f134c40c68\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\EnterpriseN\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\dllhost.exe	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angelu64.inf_amd64_neutral_3d6079dd78127f5e\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\pt-PT\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa4.inf_amd64_neutral_6e97842bb8d9e6a8\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbtmdm.inf_amd64_neutral_2e4da8629fc5904e\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\transfercable.inf_amd64_neutral_82f4c743c8996d67\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\windowssideshowenhanceddriver.inf_amd64_neutral_184a2ef2a8f57c33\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalN\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\ipconfig.exe	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_script_internationalization.help.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremium\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_x64.inf_amd64_neutral_24a71cdaabc7f783\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterE\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_try_catch_finally.help.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_neutral_cf52485bed804e02\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\SysWOW64\Recovery\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\atiriol6.inf_amd64_neutral_bde34ad5722cca75\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_neutral_10ce25bbc5a9cc43\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\amd64\HOW TO DECRYPT FILES.txt	Tempsvchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Tempsvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncihmbejmpladfin.bmp"	Tempsvchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Tempsvchost.exe	upx
behavioral19/memory/2516-38-0x0000000000400000-0x00000000006F6000-memory.dmp	upx
behavioral19/memory/2516-9285-0x0000000000400000-0x00000000006F6000-memory.dmp	upx
behavioral19/memory/2516-9291-0x0000000000400000-0x00000000006F6000-memory.dmp	upx
behavioral19/memory/2516-9900-0x0000000000400000-0x00000000006F6000-memory.dmp	upx
behavioral19/memory/2516-9901-0x0000000000400000-0x00000000006F6000-memory.dmp	upx
behavioral19/memory/2516-9904-0x0000000000400000-0x00000000006F6000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

Tempsvchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png	Tempsvchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html	Tempsvchost.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png	Tempsvchost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG	Tempsvchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_dot.png	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01750_.GIF	Tempsvchost.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG	Tempsvchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	Tempsvchost.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	Tempsvchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\THMBNAIL.PNG	Tempsvchost.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10308_.GIF	Tempsvchost.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv	Tempsvchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Program Files\Windows Journal\Templates\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10289_.GIF	Tempsvchost.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif	Tempsvchost.exe
File created	C:\Program Files\Windows Mail\es-ES\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp	Tempsvchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png	Tempsvchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png	Tempsvchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Groove.gif	Tempsvchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv	Tempsvchost.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif	Tempsvchost.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02077_.GIF	Tempsvchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	Tempsvchost.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF	Tempsvchost.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\background.gif	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html	Tempsvchost.exe
File created	C:\Program Files (x86)\MSBuild\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png	Tempsvchost.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF	Tempsvchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png	Tempsvchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png	Tempsvchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png	Tempsvchost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	Tempsvchost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT	Tempsvchost.exe

Drops file in Windows directory 64 IoCs

Processes:

Tempsvchost.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-mdac-rds-shape-dll_31bf3856ad364e35_6.1.7600.16385_none_2c0460a5d6cf99aa\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Bears.jpg	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e1bbd91348b28fbd\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ntication.resources_31bf3856ad364e35_6.1.7600.16385_es-es_af29a5cb947bb312\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7ff30646d8c5721f\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wlangpui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_75b8a5c3d25e2a01\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_netl1c64.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0290a272487a6be\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_11.2.9600.16428_none_3bb1024f1e6bc086\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8f95e98467a98e5e\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_net8187se64.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_26a869f069f08dc4\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_wsdprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b7256a767543d30d\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_02b53e1d98470ee8\erofflps.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..g-jscript.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_1109fb9951b8f80b\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_e2ebaa32abd84c8f\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dpapi-keys.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9bf0da4150b60702\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..tance-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a3356af4d9adcae1\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..trics-cpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9c8da1aa88db9946\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-j..buggeride.resources_31bf3856ad364e35_8.0.7600.16385_es-es_8a689fd92c8b700f\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..s-service.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ff2f11062d6c5d92\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\assembly\GAC_MSIL\system.workflow.componentmodel.resources\3.0.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\06d363f8e85281d0f70f2c88d1a0e667\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ipnat.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6f0da6cf6309ed22\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-s..ativehost.resources_31bf3856ad364e35_6.1.7600.16385_it-it_24d0deee1ac49b0e\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\assembly\GAC_MSIL\MICROSOFT.VISUALBASIC.COMPATIBILITY.DATA.resources\8.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..ngsupport.resources_31bf3856ad364e35_8.0.7600.16385_en-us_ad729b320c691eac\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Windows Balloon.wav	Tempsvchost.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\blank.png	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_181a1bc5e35bb95e\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_netfx-shfusion_res_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_7a97f0ca887d1f24\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Hardware Remove.wav	Tempsvchost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe	Tempsvchost.exe
File created	C:\Windows\winsxs\msil_msbuild.resources_b03f5f7f11d50a3a_6.1.7600.16385_ja-jp_0f2251f715f14f5f\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_netfx-csc_exe_config_b03f5f7f11d50a3a_6.1.7600.16385_none_5bfb623d555cccb6\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\assembly\GAC_MSIL\Narrator\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..cingstack.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8b317f4ba16d3507\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_If.help.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-gamesp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0a4908dad3d0a5db\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-mdac-rds-shape-rll_31bf3856ad364e35_6.1.7600.16385_none_3239c529d2d1d90c\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_6.1.7600.16385_none_5e9e78a6dd413413\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ystemassessmenttool_31bf3856ad364e35_6.1.7601.17514_none_d9bafd47cdf9833b\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0e32b701c9788fec\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_taskschedulersettings.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f34361298f0b5882\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\Boot\Fonts\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\passport.png	Tempsvchost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_scripts.help.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\msil_comsvcconfig.resources_b03f5f7f11d50a3a_6.1.7601.17514_ja-jp_2a37215727b5d00e\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-setup_31bf3856ad364e35_11.2.9600.16428_none_1f77d330a4790dae\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..oledb-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_774f231c5b0ae344\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.Design\v4.0_4.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..-platform.resources_31bf3856ad364e35_8.0.7600.16385_de-de_9953c1c53c7a8c94\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..re-atmini.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4dbe3af629c49981\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-opengl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9ee9341436547754\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-deltapackageexpander_31bf3856ad364e35_6.1.7601.17514_none_c8049b9e4ba7658c\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-bpa.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_251746b074c94113\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.reliab.resources_31bf3856ad364e35_6.1.7600.16385_de-de_75c5fd0bb9b184d9\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_setup-uxwizard-clientimages_31bf3856ad364e35_6.1.7600.16385_none_48ada01d8ff36e68\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..35wpfcomp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_67ecd7388fa46002\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..meworkapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_04346e25ffbfe92d\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_tr-tr_9e98e8587a93bcd6\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..putername.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0202957a15d38086\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netplwiz.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2dd66c79c7e4f8e2\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-isoburn.resources_31bf3856ad364e35_6.1.7600.16385_de-de_27d3aa8ba7b1db61\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ac-sql-cliconfg-exe_31bf3856ad364e35_6.1.7600.16385_none_6ff39cfbb8057a05\HOW TO DECRYPT FILES.txt	Tempsvchost.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-whhelper.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_70e8a62da42e1401\HOW TO DECRYPT FILES.txt	Tempsvchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Tempsvchost.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tempsvchost.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2292 taskkill.exe
2332 taskkill.exe
704 taskkill.exe
1668 taskkill.exe
2504 taskkill.exe
2288 taskkill.exe
1980 taskkill.exe
2784 taskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tempsvchost.exe

pid	process
2292	taskkill.exe
2332	taskkill.exe
704	taskkill.exe
1668	taskkill.exe
2504	taskkill.exe
2288	taskkill.exe
1980	taskkill.exe
2784	taskkill.exe

Modifies registry class 10 IoCs

Processes:

Tempsvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Boom\ = "SSTWIPNUVDUSGRM"	Tempsvchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\ = "CRYPTED!"	Tempsvchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell\open\command	Tempsvchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell\open	Tempsvchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe"	Tempsvchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Boom	Tempsvchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM	Tempsvchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\DefaultIcon	Tempsvchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe,0"	Tempsvchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell	Tempsvchost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

taskkill.exeshutdown.exeshutdown.exeshutdown.exetaskkill.exeshutdown.exeshutdown.exetaskkill.exeshutdown.exetaskkill.exeshutdown.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	704	taskkill.exe
Token: SeShutdownPrivilege	1380	shutdown.exe
Token: SeRemoteShutdownPrivilege	1380	shutdown.exe
Token: SeShutdownPrivilege	864	shutdown.exe
Token: SeRemoteShutdownPrivilege	864	shutdown.exe
Token: SeShutdownPrivilege	884	shutdown.exe
Token: SeRemoteShutdownPrivilege	884	shutdown.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeShutdownPrivilege	2688	shutdown.exe
Token: SeRemoteShutdownPrivilege	2688	shutdown.exe
Token: SeShutdownPrivilege	1512	shutdown.exe
Token: SeRemoteShutdownPrivilege	1512	shutdown.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeShutdownPrivilege	2136	shutdown.exe
Token: SeRemoteShutdownPrivilege	2136	shutdown.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeShutdownPrivilege	2880	shutdown.exe
Token: SeRemoteShutdownPrivilege	2880	shutdown.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

e8e07496df5370d2e49ecce5a47c1fd2.exe

description	pid	process	target process
PID 2212 wrote to memory of 2516	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	Tempsvchost.exe
PID 2212 wrote to memory of 2516	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	Tempsvchost.exe
PID 2212 wrote to memory of 2516	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	Tempsvchost.exe
PID 2212 wrote to memory of 2516	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	Tempsvchost.exe
PID 2212 wrote to memory of 704	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 704	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 704	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 1380	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 1380	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 1380	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 1668	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 1668	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 1668	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 884	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 884	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 884	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 2504	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2504	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2504	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2136	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 2136	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 2136	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 2288	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2288	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2288	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 864	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 864	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 864	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 1980	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 1980	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 1980	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2880	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 2880	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 2880	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 2784	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2784	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2784	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2688	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 2688	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 2688	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 2292	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2292	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2292	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 1512	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 1512	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 1512	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	shutdown.exe
PID 2212 wrote to memory of 2332	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2332	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe
PID 2212 wrote to memory of 2332	2212	e8e07496df5370d2e49ecce5a47c1fd2.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe
"C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Tempsvchost.exe
  "C:\Users\Admin\AppData\Local\Tempsvchost.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2516
- C:\Windows\system32\taskkill.exe
  taskkill /IM explorer.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\system32\taskkill.exe
  taskkill /IM explorer.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\system32\taskkill.exe
  taskkill /IM explorer.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\system32\taskkill.exe
  taskkill /IM explorer.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\system32\taskkill.exe
  taskkill /IM explorer.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\system32\taskkill.exe
  taskkill /IM explorer.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\system32\taskkill.exe
  taskkill /IM explorer.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 6
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\system32\taskkill.exe
  taskkill /IM explorer.exe /F
  2⤵
  - Kills process with taskkill
  PID:2332
- C:\Windows\system32\shutdown.exe
  shutdown -s -t 6
  2⤵
  PID:2928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
294B

MD5
2efe72d837aed462e887ad524a404ebd

SHA1
44f65243eb459429e9d211db025e6cfc0ae9a67e

SHA256
35ee67934b321d71018d810616bda2b0b1687ca155a9a1654f82417d9b241e89

SHA512
9c49721f11d486212f42764e8fc857a65a3e80aabc7901ab0df6b860b8151ab1a8cd6b8e6cf6402f907aa12f28d6c4e900094b9db05927d850b255e8c51a4a46

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
18dae81d6188757aff0bb5cd8db1acf2

SHA1
b424f6fa01a505b4b2b63b5a9eddcc1118b1f3b9

SHA256
982903208613c73959b691bd447d9c051bf8203fa6cd1908e3c741b164bcc11a

SHA512
49c6e2ad3892ef4e2e8bd9781bc7f09155899602b76346934be75afe2c3a72e43ff5527f6916fc6da34ba0e9ff8333f167e9eb99e26b80c3174f15470d118af0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
87cefb82e0c0c8de490420228457e396

SHA1
da019e578d776573005db4b33282dd1b0b9a1707

SHA256
9b74ff61803ba2db58a442814e1b079a2b19590a8a23e6c9724468e94c3697e7

SHA512
a7de442e22dabeaab1d1813022c501d55cd1b40da0273f8777d14975337fcbb46a982729bc5578ad0494dac550298b7fc9e71d290fe306fde43244c6300a30e9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
dd267901fc9b2d13f272b569ca981f55

SHA1
52bba02b91956301ce96eff538b14abb2fe72487

SHA256
b668671fabe95bd8fa99e14c155d8bd6d57b18d12ae0576881195577ba995d4f

SHA512
28a6c31ffdcd253fb2da59662c87930c2774020b39bed4e7ed9fded27b40a31ab669eae78c127c4b7c96824bfbe8d75a8e44bd538d94de4b447ecab00403b760

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
7fa34541619d37be4f0d2ed9342fd8ca

SHA1
b1dba7c212e36a8fd518308787b661ab7ba66e1b

SHA256
2486eb734ed2de398ccde861d201036860b7bbd26f94243ec692cceb3c0804da

SHA512
12d4da96ff5e89683b5d67bded100932cd265e86a787ff2365563eb77b25df528e5714be5497c0f320e5ae0a052f50366cb12408cb153e28fee5bee7addba722

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
9262de6465e67e232093f1b69c6308f5

SHA1
1c8ac6443c46975afb12824a191ea3991e82ac2e

SHA256
e2f5835a7b30b9d92f34178436a979eb0c7c597e42366da14c6743570b5c4e7d

SHA512
4d0424ed55caac930d9f02e0c6b7a69d0f6d3d17e76430a1e6e2deef4e07a40017e3377f348194db29293a79f07c9a369a7a800ddcad9dc982fb4427ed8dc346

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
23764a6b4a9412af319c5eda693f6f23

SHA1
634a9dec011deb1bf7f2fe9538993fa5bb1087f6

SHA256
ff05d2c86af5a5e3ce3a4583e6b78abcee64f4279b27e4e8581f1ddeeb4b4315

SHA512
6b943546ce9acaab30349265d085c8c3f77ae96c4e516bc5ee68b62ea14d42f0fa61302cb028358dc3f45c3c4ccc205b603d55bce38d025d096ea87722e0bfae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
cd5af548414f41d080df08313fb849b0

SHA1
f56d0478479fc5379e1d136f235950793fb8c730

SHA256
890310e10b9e252cfc072f580a1a4ac250e7ebd86a86717d26be294fb71abb9f

SHA512
024a50788ebca411fd3a3bc80d2faaf2cf401119cf1ccffaf0d06f4f3e7e840e47b68a18878475b721dc0257f1bbd3af1f2c21d1e6055ccb1a211a704a317d8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
473b80c4bc025e928153a52d7521d4d5

SHA1
b697417dd29db6217148359c429900558c2c1c2f

SHA256
da8858b39bc2118c958a437911df15a147dfc36a5a09cf2524e83b93e13037e2

SHA512
aa23f43b3df33a814e86996ccd8f0c051e3b945c586493daae307827d8c37a4e7ddbf352765d85e043ad1223c9ee9a89ff19e1743d76c3eb85e744d855dde50f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
7c57732204c9ae51038991d4bc23984e

SHA1
b1b5686453f759fd6bd006027298ce0efe926bd8

SHA256
ea43998179bad0fcbd951eb9e7dcfeb2bad5ba73146df11141f1a91b9a8261ff

SHA512
84b58a93f97a6d1866bcb8835bfad37f28d371c8db8f30669b7685b01285556ecc548e30796a89725893b47b7374031e53a8e116f82eecae199e05724b5b3ab9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
bfa5645f12b664a8c4a19873dacb7891

SHA1
518eccf24ad3d4862d43ffa85baf0ceb2ccc9fd0

SHA256
64f8be06ee33e3ac44c03d367b3a903ff016cc7d978e52fe8b1c3b9fb5945a50

SHA512
123e74de5f063e48f9eb009fcc2c18ba247209b9db94b74e267c7738d023504a41e6db599a3dfb11a9da2cac8e88f03a2cfa2d1a3ef3d0cd2247e3e41872d61d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
bf23aaaf4ac0ef0c6d29187155053036

SHA1
f35e77988728501a7695371f342bf7f5492de486

SHA256
aef7531ca1b1c41269f845949d2a33de6adfe4ee0fcdca9129fb11d37897c37f

SHA512
dd10bb54f8d70060fef2227c1a4bfdff5e178e598324a55f24f46ee57c57f069a8ce6cc45adab9a802bdd244243577b195d8511d1277ef837530debd7c260357

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
d31084eeb5e748028faf01f67a60643b

SHA1
99db7519c1c7edc14dec8fd453f698ad8a3dcdda

SHA256
98cb91a681d204a66740fbb9868aee363df4307e367077ab887fcb03485d64a8

SHA512
30c9d6c6070e395b8df8b27e460c5047647f7e214de9b43bfd51a67cba99f03149debcef45083424516b9d797caffb214f1131bc1cf319a8a25d0a9a30f5a362

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
dca47a4816b9334dfafc73ac42f8412a

SHA1
5b94865a1aeec4a0a0116ad7aea41ae8b50d363a

SHA256
c52e6c9d36b1b41cefe234549b2f96f7a65e8281851c8112607052c4c0ab3b82

SHA512
1ab316f2c0a1cac59c298e77260867642156488e84d1bad53507aad68e464490c0101b6ea0408cb8e1d38c27fe820fcbd4602830b134b497ced52a9c5e8730ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
ab12094e7f872f1e7b0e926ca89da5b2

SHA1
f4af21df4859564188b66026c2591f53f50b2e98

SHA256
27dd924dbe93065f82dd434c06ba059185170a1ccf22c2b568e4f5ac33e9539b

SHA512
3f843f5fa467df7315a860d60d2d937970484602a282c282403a769fc02aa476ab060040a5d7cdad8d1a2fc6bba249a214d985c472b3368d4eb26264cad9f276

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
2e8dc82a584dd87bee445d490cbce817

SHA1
ae9ef7384c22b231c1283ba96a848a8ca059cf46

SHA256
a15b3f04e031ba60201b262d5516d4f16df3fa5017be2302d7f60e7a72e55bd1

SHA512
d272b0d201a9abb01605f31ffb9e8d345613c2b900bba3bdd99f4703cf2990d583093c5b3f8e86fe256d3a8dcaab9695437ffcd1814db5f4855c39eb4813b51f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
eeb0af363dc6edc8fad362e743b47936

SHA1
93e4fa04a75258b611693326d3383133060e8528

SHA256
4de94df4aaccc940cda249c329ccfd5489bdf595b887e2ba665671428d76faaa

SHA512
70748623f5073d0687a79459f94a637b45878da5d9e6bce25fce049d36e3855dae3f840253f3a570058224dc4c697109e6af53afe6113c2ad8871409ef561e0e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
fc0f397f9ed2fbde4d3c82868d84f592

SHA1
b923563bfa7a687d2af4a754e6a611be1c87671a

SHA256
0922cd587ea1cabab2726f8b2402ada0f389fff78dc55635035feeb218313cac

SHA512
bc1ea69af54f5c81ee8ec485458347a27141a7ec3872fc63720f6357f68a99746291e350c3c74920d147eb53833d8104f08e2fce55960dbea0f3ca97ae9c648d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
7e8e32dda4d20382a8cc6e92d330033d

SHA1
6fa9837e64c9208c1415fcc205001871169a5b28

SHA256
70d44907de4fe1b01d15a4b8d27811cbaa0e3aa6333a2461bf70affc15b68c32

SHA512
9e70f8fa92ee1dbb392cd0cd80bb380877502d5afacfbd2d587d0e29acd617b264d2aeedec78e98c3031012df227ff71764c485aa8b8a9b23c5a26d2aa4eff30

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
421a25d5fe24ef64034274056f0a4758

SHA1
ec9a767dabe20bb26da3955e69aa0ae5a8968368

SHA256
f4d56c3e6ead47049942110404d6697d9c074913649ffa111baf10dcb5c987a7

SHA512
e945fee0c83fc653ef98b5b9e857df272d1d9d599799184850a0aee6eb9a24fd9633b185f6ddd7ec4179d172ecef021e64641b9409917164e48137546595c9c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
5ad43b1349f8908a8cb047d5af02bbed

SHA1
ecb458c989c3bfd571358abcf4587a792205b488

SHA256
f4f46e26f7306ce4df20c08423d8b37668c375a208547ebe08f740c9a93f067c

SHA512
1d9032e347033b1adc55239b8859fd9ff4500c109414ca5399e5c9ad1b7f77e55621617ee1fd55f81581c68e83e084e6db3e68ea5d972f9f854a62812b32b529

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
0baa41df5300cf3d169dc7c7674e703c

SHA1
491aa98464b5142920026768b6fa6dd5ef1fe8fd

SHA256
b1dd0f4261ae43ba437e6c5c569372165358dae0d19382094cf7c59b6a3d0c17

SHA512
e89f9632245a028f0670a646bc9445040aca1f4de8253c302c052a71a50f98e81cb19e3b22770953d2223c92360dff4493e54a4f7509b317e28a9b6423720ef2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
1d840894829a3404e4bd7621e8a458f1

SHA1
5b1f0a1dd735c2d08171a5ade21130ebdfdc29a0

SHA256
72526b92f525eb5e878d0b2097945c2d820a3ee17e40f0b75f9b5b488db37866

SHA512
4d2ab0d1f6a1f5cf40bb5e9af0d2e50487e6188d1ce1f2570fe85b57e2cad72daa0ff6d67d9a8537f95bca800e3de3153083f4f6e6704dedbde27d0125ac23b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
48df60fea6f30037d3de7330157aba12

SHA1
313e4b669fe319d075995fec9f17391e760310d3

SHA256
56f25a02278bc29561bec799bc3791293284883dcac99afa3114c112d9b6bd0c

SHA512
a639d22f6f524232fb50df254cb5ce9b8c4b70686424f9596646e9ec7f7825a9e90585a08c5601b78a1d572791f1c31801a1590d9cbdb2c04886de783caaf4e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
07df3b3b575cc49e5573cdde9f5dcc9e

SHA1
e6a516e5d5345f9a6d8c9ccd6b723a047e7a6b4c

SHA256
6be3af459f07154a136fe3aa491331a939a437a22dcf6504f5ee02c2c67e1a5e

SHA512
23b7bfc185d09477a7b21c0f5f07c6b2ccbabe377c95d30074abf8bdd9a1606fab5dad47fc7c6f26e72aa182c0cde78bdabc60a214b34e9c0e469090ab426ce6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
0a2977acc4e3560744244b7cbc497eda

SHA1
1cf8fef49e96008cf9403fa3bcc090cf26d154a9

SHA256
1d6e2d40d8962b3b96d5c50482c7f09b48cea06630a8e79b9b6551cc347c8638

SHA512
8f624cd51f49f1a74edd5465c7c3f4307afddd3fa6dedff1f1c0847dc10041881d5c4b0d75ec39da6499566f8e143f8d1f2998b4d25a9f2fca0b5d27891706e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
983b4875e0028e8f008c6ec0ab8381f0

SHA1
381e4d70353b3a167a432879265a116bcca3e962

SHA256
274a750cd51f8786bf5731ecfadbcd4fabbcd38cc501b483b0e9ec1d0de18344

SHA512
04c0794bcee45558bb9f7d86e06cd85c5c98477ccb65151c81d9bcba39d2d5ad39cda2228bb08f6ed53ead64fd07a897120e08d8c383701cb0cce6bdf4e59c6d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
94ab1d7d7d835d2622b8e944fde99909

SHA1
1c5e12d48e18257b503bff391fa744dfcb93b589

SHA256
f9d0526b2b694d025cf67d99254387c2e0d3848786d7c1ed0aa6bb36fda11e08

SHA512
4e6598b63d021c7bf33d6a0ef229944b5f41cb98289390593503957ef20e8051124c097fc82147cf6f5d5ec00c3c9fa343b506bf0bc46cf5a3451dcbcd303b75

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
b92eea701474e53118121e86c4036bce

SHA1
002fe90bf7e448af7f26bcccc130cd1625c53583

SHA256
50551988f7bffd873929cd3591e8b1431558955e6ea0ad6dac706bbf1f3a03d1

SHA512
a9ed6060494b7cd43955899026e5c2e4f98f6be70055ce7a98492752b56cddb3483d58ad8064dcb84b5d58e31c4d3b7848f7588b69986cfdc3e2edd47ed1490a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
c703c338fe74b0b88f22f0775a325c39

SHA1
8f07a7294797faf2d259b98573f0479bb0d8d85a

SHA256
e0b3214c217ee99ca5992236e599e59f3c5613b9ffc05f4b094232261948a0dc

SHA512
da5cd0c1999bdf854e4f818d0e4af89b7b57d4ec22cb254b3ea6bfabf7f3ba80a7658406d86eca57135cc5a0bed42a8d3dcfcedf7765f8cfb1c9f2a5cf26ff73

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
db4f6ca1582690e6f6efb57613ba5b36

SHA1
5244d1dec5cda976f848bfaa7f7be38e0c7a6b19

SHA256
63212f74691529483a97c1e24fde1e092a9354b0de65a90140537004c029ccfc

SHA512
db1aa0f2320056e21cd3c4f09e84789fc06643cdde12ee2a50f5f046df39b98289a96cfd963f1bcd8397a711e510fa1c27adf41f6408d11ec2e030675dcbaa4f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
e92f23ed957ddc116b912df99f7d37e3

SHA1
f8d412e5a30529b8dda23712026d1b062843ae73

SHA256
edec601608772c6175756eaccf631b5142c0ab858ca00b9ab4b2e390fa5b8db5

SHA512
880124f9adce776b824fe43c01e98761287de5b8b0b3c5fde8ac2131a86d00730f587695f836a5f968a0cfcdee0f3f13a72ccef9571ec8ff6f9417ccc4519b82

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
bb39d747337310f374f2eb9fad53b7d4

SHA1
980928f38dcebcd02f4d24aef644309369d1a9ac

SHA256
8af7331b547bd25ee1a6a76cb5ec4f3d4c8487a1ef9d934a4c2c43a3f0cddd3b

SHA512
fe58dbca88cd5320897b05c45846f0a1e7d84d7232ec906a9b0a3616d2140eac06309e8b76a1982dd36ef04fae89ee2497380d6eddddde8f2123464172f3dd06

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
49709e2982d15fc59dd453762943cb78

SHA1
e6a2568f1a0941420e63f30ad2fed295a7aa80f9

SHA256
5411026d13b25b541d98554422a112ec19a9c525d3b915c28de0e8ba755b14cf

SHA512
89a6a5e8ef720186b2dbd41f152562f31c5db321e555d599e1bb4604df920ab9b1e8cd98f1aea02614b2da91bbf3503e4a12fa989481f70fa6d20c24906331ac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
0a0386e072d54f6f575c4490647921e1

SHA1
88d3dd8d7636eb87370d2660a7f7525500ad2993

SHA256
a0ed803c79be15937007195fecebf222e256fa7f8aa9d93a72fd4b3293f8893b

SHA512
acfc3f04c9a0280d00b33451cbea5918236f53098ed805f3c3d5bb6e15f20d1f596f0e6b192e9c787562e58babb9136247051bc67d072d961eda321ed9732f5e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
0c5300cb08265748f1061fc958240e75

SHA1
2df61123d62e92991c725fc5a21b90f67b264cc2

SHA256
19dde572dede505071d1b92443a6f8547a8a47faa64ae7862d5df406aa3651d1

SHA512
48e75b43066a3d9cc4912f9c7c3a8157b8698fe15499a2d706a99a27df8b81ade146eca729bae97283d81a1e247302a279852810ea62d9de473ecbd7a11adc80

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
7e8046c69886eaa56355bea6824878cf

SHA1
fdf50bf8bd76e3c6b5d086f263e703a6348f15b0

SHA256
3220c8a9c345b211339721c1c8d42ae619d3515c42d9af1608e5ace9ed709174

SHA512
df1e4e13e5fd0de2f8bca7bac1939561ca131ff0fb356323b2ad6059f2e834bdf4d68dbb970f645a3cbb40d9fee58ee4311b16847f7a59f8d9438c6f6b16de08

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
e9265f3141870eb134a036c8aa958b75

SHA1
dc01b4fe82cfef423fe448238259921a44b5c336

SHA256
fce5045f82bbf3d23e070b64cdce17071db695726672a8c6d40965b473eed8a6

SHA512
fa10e77dc55d067beb0d826c28ea7015946e7238d0137e85c8898e52b646d0ce1701b633b0370cf8e63206e4c17cb19d0489423c7c94a5a713bb48f9df3a44bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
b2af7ea47b87d65c87882ddbadfa8007

SHA1
9d80a199d967fbaa241f142855926f9e86c27a8d

SHA256
e4f4e4ccbe43fb4c44e52fde90c54df0090c1ccff517323b151e6fe4a2f835be

SHA512
7ce9377ff7402bacca0567f202619e7684d2cd09e3aa7ab901ee03de64a465ecc9285430dd42289e177cddb61340a6c84ff827c2fa9305154bc5fcb1fed90ba3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
a1ffdb4a65e45f547055139c5c597925

SHA1
0bcb6798800e46b15257c2e98ee382982211808b

SHA256
52b1df2cce3df9619e1673df58b8bf3a69acc1343e27d63b325cec40b9584878

SHA512
7cbacf8faa5d727691d6eda1abd67ecff51f53da4e6e722719cb4aa94abd72bdee6dca9911d1c53e3f2c5d53c8aba497fb30d7d7ea2586a48327b819fdd12381

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
9ee8f0948ebb035fedd89f64887da142

SHA1
12531d6d282df98fd80c478379d282776e264ebd

SHA256
2f828d2e3ed7813ed93c2dcb7b6c8e7d714ac0a9890fd8d700ed6b214c504122

SHA512
8eeaa59bec3b973e86651b3997e32fa86dbb88dda9844108de2fd688ca8eb4856646f30319b41b56d02a8eb5bc4fe3f9b1b98be5456ea5296c3d80be38cbd8b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
9f71b43e541891706cc6837144ce1b1a

SHA1
639837ea20667a90400e005bdf5145781580d3ec

SHA256
4ca4cfa3db7ea35e35d7698dd1a95913ee708e8715d3068313fa03046b718ed2

SHA512
b82e4fc6327d7e0f57244caaaace3b6c7da2d319a0a202983c1488a6c5cdf554830c2fc304eeec2aea5ddc7382772b32f35ef30cf5357ae455cf71a5c5d349c0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
2b530f1909ef6508468793ca346af87a

SHA1
935d68ce79e38351351d09d5d7841c1bdb18180a

SHA256
35c942a98d878de8e4eefc1e6e9e308d3c6716fbfd2f595785b6b6223289b97e

SHA512
039539c55bd6458b0bd5dba7c0a6fe17d2615fa49a018f7b39a42b42311cfacfa528b2abd59aff85e508d1ec51086547ef3965bab59c5d1d1f9efd0068d7000f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
4773860ef2e8e093a305df240d32e441

SHA1
9754d448cb861565ac1b7187f3699f37f81844cc

SHA256
df6bd1ea4ba526fe89845a5b7088c2725951906037be3ece95a1d0065a8afae7

SHA512
a7164d72a593d89ef6102034ae89484b0131cfbeb004ca93664ec46178478fcfc50b9584ca4ffd855000e37643273aaaeb8d010972a7d0ee07edd54c4f22567d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
0a1657a9cb30b999813f9c7e4263c9d3

SHA1
df186e26264921e7aa16b73b00417ad904cc5b1f

SHA256
4c36e153968d37979e51810188cd1d57f9f98251638afcfabc66af8f5b804a51

SHA512
f57432591a91fd5a44f66688c4ea59f73ecbee3a7d6f4dc9c838d16c361cc49ce32257a4448f18c8e30d8f905415d9a8c9860dc9a48f3830ad79d8e9b4a313f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
ed3efceeb3c5fd9ec313e318834150fa

SHA1
fa85130a4a31b320a5b71c16ee85f5a3f4ea9dc1

SHA256
ebafe72a269f51fd6639b895e320e0b6bea7fb308ec2b9f85cde4fc04132e143

SHA512
371c960fb85435f60bc05b09036ecb1c162f9588e8c1eed39231357c648a3a92a7fe647f3df71feb565c711c74322b1d9ce74b8f71d44226a33fa617791eb16b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
ce0ff34a7234703bbbc75d035fae79f7

SHA1
a435a053fe6777c7081664337d03188e7a4044d1

SHA256
ad55192cf2dc42053b1a31e55fd94e69ed0207049fa091e19af1d3bd4a1ed4e1

SHA512
efe53dff066bb6a8f9a1b796e0a4a83c655622c0181ac151a6b29d5e0fafeacd1ae38b554b954767077fc1277fe15d1e7c9b63160b89cd2387f59e238ad71d8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
cbe377fea6402a0b4a890ff1658fac7e

SHA1
1988481befd7adfe5e81326b7062dc3fb39069de

SHA256
c49d5dda8ca6f54a2593a7dd3b8b42d61d9dd467934dad4447583423d2d04ddf

SHA512
54b8863a543ab8d0f720519b9a1263163887e3233ed763a027e727aaa091e8c4a582f902b43d2ce656cbc5de94381da2728d0380a004315d0d6179ad6ebdb1a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
d11cc5e046c8cbf1454cabab853d76a4

SHA1
1ee024df29955bb743f360dbaf194f825b9cf4fd

SHA256
2e9da456c3bd22655a6e23102bff3b81b1bfaf055223f727242d241c0d6a41ed

SHA512
007c341fc1609f76a8b4b4ba3ba821f92685c2e29a8b008971d0e56c4cf2c147cfbf8679ecf0153e208d93579dbc9aad92067f2e1e6c97b195b45bf3f5222433

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
c81a127276890a5344c46b3bfde49d30

SHA1
052ef19dd587873d7b73081d048b2246a009b44e

SHA256
d1580acdc73a7e4a77be4f33cf7244426c4baf4f485c3b3d864ceeea63f8d286

SHA512
69675b5fbdb74748e13687e897cb9b7b647390f9b25f5e1a7fa945ae8c9762fd93551d2a5e5e7ea26ad1a646480051c6d40635e3d777edee78d5c991b03523cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
531ae1c03a97556ee11aa29ce41f765a

SHA1
ff557c5af3e4b508615e98e15bb9e98c4d1840ce

SHA256
694cd38dfdf1e890f9cea2506457e025b8c753dd7f68926146fa2c1f42ec0fe6

SHA512
24b153c2b1807c143df68eb4ddf063150f3b8f7db1d841e1b2d5066f580156a51fa69b3a77d8aa581ab9937d7190bc8a380ea874798e74a8d56673b415552e37

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
96bb151c67c9bf58b86b83d37e2eb39c

SHA1
0e4d18e769bb3f53b0acc3faaf1202005ac1920b

SHA256
0ca47f7c5d37efc7d5542620d6d17b7b515506bcc8f4a4e9aa5008673554dc76

SHA512
2bb69c57e96493658dd1f9d1681326334d0cdad4248c6208145ab83f17f47240928cd977a8a745caf9b2035aa0d8f1a9d185d4d9b9b2280ffb59ccc7f17d8ac9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
0fcbc6e2d85f1997c0804886e5411872

SHA1
df521fec1b914ddf0f7a3f8fb44e7d93c8fd0f6f

SHA256
f2bc07b7406d3daf4bc0fdafe8b0ad8b18a9aeb34a57b6171de5ee4ad99d3040

SHA512
a089fafb0d302dc1eecf176ddcd6871ea75a05cc312dfd9336fd0b295a9587f6ac9ab9cdcd72e76b8fceb6d36af5c893234c50c68cafcb34b783ca3dc2c88f19

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
9209096d26a7584a446dfdada57b7a67

SHA1
523bc3b4e8b96796e50583ffe7fa1aa27886c4cf

SHA256
dce670ef8b5133bdb8aabb6a879781b9659b762d0f0bd8aabdfe2d98547ae295

SHA512
d429bc57ae8ec9f186916eb613c0047ad4d0ae5fcb5808a752bf6e4e765ac5504d07999ce2e2d4a4196611a3530fc750473329ba65e4e45a352971825945c8e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
6b360522c0a6d1ee55a67d089ddf0f29

SHA1
1e2e5b665bedf137cc4e58f827fb7e9903cbf39e

SHA256
b5a34b6bbad13d49c6f5e0793ab5bdac864a819861c8337c6d314290f707f171

SHA512
4c3cdfd62e13c996ae66e21d110452f6c40f1aece8ea8761ae3bc6790d6e9cd63059844354d3d85b3dba8ea329b7da126809c380f41a8ba8a8d032bf7aee44c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
4b1cd6066e490abe16e551f1a42ee64b

SHA1
9c45228bfdc5625e52e89f2b5a6376aa8a090026

SHA256
910719ba4e9b4ed7eb4ccf15d9871ac6005a45a89e97ce1853efd7df792a5377

SHA512
69c151fea024d1e638b628ef2aaa118fa517ee66ed761b1fcf606730125452f766f4c86de05d0998a60a73c29305e3db75b3f375c462c87b9c42fe79799c4136

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
41991d08bd78f990c889d6db5a53003e

SHA1
1fe11ff2c51d62e580cdcd31e4e701c35607d456

SHA256
3068f98d266e2261cab19df9faad1d43dc768699b7a1b84ac7837d21870c0b09

SHA512
5fc7e42dba9cb4f8dafedf5f97e1cafc74e55d249132dbbe7f714803bf8c27cd520a7f1d360fd86c9d7706b92aaaf7a90ea4f52ce61cc1b106864089d7dc1615

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
67685085388206e7db1a49b9d4d6d82a

SHA1
d046e3c3a38e4638f4618be3ab164b61d2644223

SHA256
f8b3624d659d696e22f893628d1f35e84ef2b2afd7ec80c580110c174dee3f3a

SHA512
0d2880efd1f05ad14aeb899a8ef4dd9a24bd96586992cc33fc7d17c0e5292dcc73a68f97754f5d316e8c62ca7240cc81872c259e6ddee7447a811fa709471bb2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
6082b4e9de8e9d5e8f12ae41269f727a

SHA1
6db11244432f1852d5681c685562aeac7830edcb

SHA256
a995aaf5ca5e61648038fd611aaf5d67bfcaab564e922d81a86167337fed7d0e

SHA512
0c6d0baccfdcb2d999fa39239a3a8768035d4453e8269229ae57a41ac38c68509e9fbd08ddc8ce938c90f327acf2f64540dd607640adde0ec3f4aadc02c30f6a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
f1b3fc5195c30349ce13afc21a40a06f

SHA1
1f51ed442a823175c935406748cae8c6d618027f

SHA256
2d6962dbb761594623f60e895127dc123f9e246f8845c9fdbd4dee8f945f6069

SHA512
6ab381d3d462308e2dcb73d04732340ca137c8464677d9ec0db43002e406d847f588e7ec15a164d93b557aacc06f149e92ad65de2d419f81f5a75703920f8ca0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
fec64b0080be113f3a329fbb2185a7ef

SHA1
9babc7facc8b38ab97344d61b735febde815b5c5

SHA256
6b1285f0594ae2551ccc66f1ba35ac410ecaecc58645ed375b7b56cfe3a98b56

SHA512
26a81b6de96119f0323de19933805086f6f58eea7b0f44eb8a5b35897264cc28cd2f8e35d38b2f4469afe4b1a782f1a4e8903abcf663e2326afc97df8a05166c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
1d6c8d00aae68da0789330109f33c6a3

SHA1
5b6a622e617269a8fbe591f988ce9b6aecc3baa7

SHA256
f6eb04d8760c6d01bf408c45507fa182d2465800e46c2dc3cf8b71b59f511a81

SHA512
827685142c40781f9a4e0ccf68dbe4ab784a05cbeb1c7df1d6dffdadbc2a8de4b09e47eed31aae62e195081f6698cc27b520127b489dac11bb2f38d283faeaa2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
f344d4dba1cabd6f821a8b6260e44b0e

SHA1
30368cc2682f144b87713686ca60caddb989d222

SHA256
b9fab55ff249d16a87165233fd38a1d34214dde7003f8c5c319deb81cd514e36

SHA512
545686dfe13a4ce8de9a434877c238535fef6d1f4e9e03e75722e96803cf487efee20e1923ec74a27608cf1dacd3b20067a9aa39213f32494505f4c81f06d8f7

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
7a0f570f1b04a822d4af7097b552861f

SHA1
1db485335ec5f38905a82a322994abf5881e3e9c

SHA256
586e03ac9aba339dbe88a0160a41ad292ae5865a393731027ccbb58334b43dfb

SHA512
7c6684f7143f82e71a69589f90d1a7af704786463f7d4624e27206dd4918cdab3dfcb00f5a24b03d37aa14b46d20b11161c7069c0138c011cf9ae08473cfc2cc

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
8a1a404d61b0c743b8ae97c9c849bf85

SHA1
adbb3e748b098560abb944ad8a862c26d4eed194

SHA256
3500ab5c93050534edcfa67ddaa080caf02ac1ddb7de820fc7bcba460f3f1c87

SHA512
b343073abf4890b7ab81b18657c04a9773744dad0f6e412eab975aa80f70d054fe210cd60e77aa443fef8a2ed4965cdea0b1048c81612af5e0534085d56592c1

Download Submit
C:\Users\Admin\AppData\Local\Tempsvchost.exe

Filesize
19KB

MD5
e40c6c092f093bd84544c46b75136212

SHA1
4e572fb842cbe318f6387d254741045f7bf5b230

SHA256
0eff6a71d9bd1549d4c12bc984ed722b9139f75615d4adcb49f9ec240afe9d7d

SHA512
d4f2c0f2f9dab7349036f73310b8a6d07e663ed664b9b14333f463d14cc9aa2c35759c3714419101787b3d0204d522948f893d649f6edb0e5efe8a847da9117f

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
d26083f769cf85ce320f62a2be371418

SHA1
425a4e8f050f6afd72115eae9d0ca05ec5602bda

SHA256
0391844bb9a47e9d00e29cf4bb8e3eee6cb1aa7dc0ac2e5f6e3800d6440dc65d

SHA512
26ceaf41d533d98564db6be827454849ecae324dba4c98345314dd04c8369a91c318637e7e0d6ecb9a5b3f69d201adc1be0e29a527e35c2a85ca0c7191710f91

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg

Filesize
49B

MD5
c14d68797611f380bdd91c2ee4dcb1fc

SHA1
33226013b3898f453f0662f5cf2a06a8846466ea

SHA256
74307ffea174c4874e84e7ab40f3e0fe9940b303943f82a5e6253091056bb00d

SHA512
53f5b10ed55f115e26d43f36c054db0654aaca77956fcfc538c3a55d4c602410785c1d387e581aa64710e8bee398163cf2fc3bc6ba0d0ad28ef51cfaa20259df

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
3717e294bf32cef11f170bfd6358d1f9

SHA1
3038e4d2da3273a8d3c9417e47308515c0d07d1e

SHA256
e1689ac9b81cafa33998c3dafc3f773ef1580173be08f11705f28723b9e601f1

SHA512
a43ebf78153a07f5c4df809727d5a4e4ae2b45d4a67ee60199c2fdabde12c9094fa306e86ed17ff0b19bb2eb4fd030ea76c86aff9dac38b86a0d6e3e0d283bdf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
333d615b962a856edbb59ad0fcb7b27e

SHA1
6cee1a1089910c52d0b5aa7a4dd29d5103a2fc69

SHA256
a8e9bc212948414d29515240329207cc22d3672a0afc0ff234cd06aba6a4964c

SHA512
66a0747444d4d5f3a941a4fb7c9325cfcb25522007395504560311b41b8c8f04af43f09aa365e261a2cfaf8f62d11189388d700e7af385f4c114083d5709f2ef

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
a257ae0e33925d4ad8a41ea4d6ebb876

SHA1
efed317c1e5c5fc02cd29cf6a9e48ed71bce6fad

SHA256
bc3152c6868f9864a33659ad773ea4e8f5caffd9a34fd2829e1795258a3ecdd5

SHA512
ead5bacf05bbf73770838e54000547f1708b8eb7959b25421c584dcd71dd9c4a0053f45900d52755b61e579835394a6ba79c858c5176d7321d8b90ab06f5235a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
98dd607a669919361f747fbb7a47c712

SHA1
002ce46c900c64ede0b1c8160186f2800feb8e3d

SHA256
6eda0990cfee043b9382ded6e0dfae4f6e4321dff8cae138c64f8b7f00d56dc6

SHA512
9eba15904ce14a96ff62ad5a03bf927f124e1fb8c525a2de8ec0e2c3bd93c7c7ca5c0867fbae9c8081aeb35d0bdfb659f7d488a62f6f8b596c16b1b194a19cca

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
dfeda6cfcf05d0fd48d2892f00f097ef

SHA1
89c3937ee224d27f31af79e6773b8d5417755ae6

SHA256
974c9ca27dc6736ca339e65f7775d1c8551e05108bb6d97d92c3451ca991f973

SHA512
32b419d2e8fdc14b1bd6033475a7414e3cb419f1f1ccfb13cf8d9c02dec67b2d456b87b4e3c8d018b64bf6d37f71d0968fd49e57b1bf46b6ac5d3c22cc07f216

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
99d73fde86fc47e6c535ac5f10311e35

SHA1
562618cbab46da52af2fd59b23f3792a7e24468c

SHA256
bc0764d4d45ab57c8b3b84bf23b6d42ea2a764066f3b210a66cd89bccb3d1904

SHA512
fddd08cbd2acd5865ff677a3100314d22609ebb240ef860075deca15cd90ffa0ce14861d38e4e56e6fa872ee759a5c88cc0e2e719f7b0c9220fcdafd914b6428

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
1d3e3654200a3855c1fed467386bd564

SHA1
59299952f8d64d6dfdbc81bcd5f11dd28e069d72

SHA256
c056f3fdf7f5d1ab521b1d90f6568ce402aaedfface03470b65a1754c9c199a9

SHA512
5c97a90bad5fe3211b7d75ab4532009d8e2300a93c937595254cdacdde0efaed41265e4b2ddab7f804b4494767ad4b9764c9b2fa5f0f8bd9991e7d705cb8623c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
8eac0ec9ab95a16d67c01372822206f6

SHA1
b461a7b6e7c1e6c5f7b6f9f30588395fafc8bcdd

SHA256
d5b6069c5d8eb2471b5daab07224fb4782beaeee76755da1a36d4454e71516d0

SHA512
4dfac9d520d8a7c1b04e687a10c4be2f941accd3ef8c9a4811d8a84b78ad8426630d7475e7b16f8bbfb06bb01e9f93c0a35af92eeff9c74555398252a440b53c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
6d125cafce26d3dee20e631428a81a78

SHA1
9eb4d460a2f3716ebea2a83415a2db9a52e65999

SHA256
5488de1b83ac81a986b29a4c4696900367ab8f55bdceac4f6607834eecc37eb9

SHA512
e4cbe061169f70d206e7266e942139d336eb9ad1e8b15a82cb38b5a62bf1b89d6fe9586a095ab81d7e33606a5853137015bbb36641091245821466026e6ca83a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
7b05bb093991e39277442adf3e32c060

SHA1
59480193ebee5e1a829c98b252d56ad929afaeb0

SHA256
d2f92bf5a025d3ed33b296cee1aeff8765d1287474122baa70fc368c1d7f3aa0

SHA512
856b540bd7b8388da0f7dfa00ac88afad67c516d58a4335fcba5398a88a7836df2e9cd319554b2a3c5ae8d1a79d4ecf53ad867921549cacab1aab1c5ac468360

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
5803eced3d1c20b86108920207db1ef8

SHA1
48e1ba14b2029c0a7c6bf3f4ef84238e2a918079

SHA256
9dcae8f12a6faf5b1cf1aa790dbb8e6a9307af8770d7a49dce05523fa14f1fb1

SHA512
eca6d1ece5e367157d41227229a86997ac76f3dd822bc890518362a54be83f151dcac6c1e12c44c65f7b77cd9b447b83b5861f364779409f0be23115a4d5c004

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
861c6c0a45151493d6602a391cabbe72

SHA1
581949f56083c887f82ed67de5adb7cc01fed64f

SHA256
8b37301d4cb94ebd50a659f7e734e66e6b5be31c713b819f192ae8f532782861

SHA512
3f921e1d1dd3c7a8d12c87dcd2d2fcb4d6122e109d767368482c899e5c1601edbbf874923a1c38dbe96e2f6ad61e8076985857b935d8efe49bcf1be1f64475ff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
7284c6d1ac8752859b6253dfe278cb3f

SHA1
eab374c8f943ee98a89ccfb3e8fd5f0288f5982d

SHA256
b332e638a13dd5a09ac24d12d042eec5128a535a7f405f1834f3edbc49e0650e

SHA512
0de716de80bf2c5fd9cb468898f954947d3e3c3b3011499e88a605ecda3f162cb8575f5d78495bda903b4f458a79ef9d2c6c224c91cccc9c95ff287522cfbead

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
a24c7c47ac991d4879649107b26dbf08

SHA1
0dd1ee909ed32236d5e2868e26187076c6b24571

SHA256
49231955e9830bd6b7470bb78c0bf56ea6a41f8f73559ca34008c6aa1249a2fd

SHA512
21b06adc8537e1e418c87fc6331e2456102501a881292657c7348ef124c21f7745f8a3d0945b678c7b67acc75aa50ce51649b2c363eddafdaa4ed17b962c89b8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
2559bd03e2f2391c94bf6aaffb47b18a

SHA1
98c6423ebbbf262bc4f700108dba93e7afb221cc

SHA256
0827a735e5234c95a94b647846ee6cb6ff273cb297dd78c15f17758350589d6e

SHA512
b680ad7ead5a0bfacb7e62e93b3ccb52c393a3ddf6cb770e29c295436066ff9c081bcdf388210fd9bddbce35e8282e39e166f36208df41d46cdf12700ccc1fdd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
265d255c861ceca1c51afc43bcc59997

SHA1
5763fc795427713b72319aba062201bf2160378a

SHA256
c8320ab10e9c34ca32dab78628308d315323c0e0959d4071753d1c4f33c9916d

SHA512
6152438eaf457236375d8da32ac7dec0a74b11ff9fd66e096483c626d4883877b8bbf830190bdeea3931a04f7213aeea460cfedea079478d444fa33d8d1b76e5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
a5307772b89c661fd285a7788d484c72

SHA1
ce1b7ab3b8e720bc45ebc99c0b33718205e245ae

SHA256
3b4b395fa09e5b7c3a3234fc6bda0798841608a8cd0f300c4d4aa93baf8038ac

SHA512
81c0b723e9b94db204bbcd8763e4d457799d2a85ed76631aa660350352a921cebe33cdb82ad3a02bb7fb8373a27d8e47a1b06e926ebbe5ddba03186eb1a03250

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
6e6959aab2ae07e740d996e389ebcc78

SHA1
63ec7e084e0250a9de38cd28f96ce30036019b8e

SHA256
bc4db6d8665f6e81b31ad715b88493b713098c4d23fe17d9e3adf8df0fe5ba40

SHA512
6d270509e776314d0c9874622d7dc6a85f9374ed070bf19dbd4466486d92fd90599c5e3c9ce6428307878fd027cb2b3c6dc87fbcc5a14d1f9059347ace01ac93

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

Filesize
65B

MD5
8e7cbd8b583c6bcd24135bcb62e46b03

SHA1
cd33012c7a7a3cb0fa9f7b6b56bd781b80b4f6ee

SHA256
de20764e8f93dc820da2733d29244cb1b9da250c705089432479df72e8c2d3dd

SHA512
012eb2a3f265369482215860fb42a555fc854d8a6e8c7fd045bf0ca68f48d81df5563bde02c060f324f075dc7fe3d0899e27d105b6daa15b69716f5cadd2e0fa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

Filesize
65B

MD5
bb59186d7739d3e885fae242e255881b

SHA1
a5e8ab8821196d3ac2fd1e46041b9edb06a8ef52

SHA256
09327ade0bf59d34a0dfe0dc0586bcd72e6ecb0d3d3a878af1f8f3b65eac5863

SHA512
e9cfc4ba1bb6b505db93250368f457e1cbaae1de5ba575c673767f1674f584fb9f6bad9900589dfc489ff767351f21484124b7828357a0ee680cb372620b2949

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
78e808f7b1cadbb3ce9b0689836b8c5f

SHA1
4233a84cf60ac95bae40d9cda62db32849d35916

SHA256
d3a074bf3b73fe913ded4177522930d6fa0a3110d0787245625f0f5ca41de2bb

SHA512
71027d9fdff72760de3aaf412e4c73f716f1d93c7978ef0e8ff97123456f112d660d2d854cdf50c854408bb29784850bb0e00b93ba7c421e0337a22f09da46c7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe

Filesize
32KB

MD5
de48aef1ce17546a84b0995e14b277eb

SHA1
87a43910a7c13b7caa5b26338a6b36bf27942444

SHA256
00ca13d6dad70b2f65e3d2ab77e3c0f1642104a1bc08a8ecd1e86fbc875e0c84

SHA512
0fea582ebff46fa0219e5257c97a388aaeb9351351aeb3cbb068c9c047ac6010ea4b42c9cf78515d12e7ce6d4821efffa649685019917e4bea7f3da81a66678d

Download Submit
memory/2212-4-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-1-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-6488-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp

Filesize
4KB

Download
memory/2212-5556-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-2-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-24-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-0-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp

Filesize
4KB

Download
memory/2212-9905-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/2516-38-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2516-9291-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2516-9900-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2516-9901-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2516-9904-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2516-9285-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads