xorist | 63d887d8e0404ccc73aa5e77c21ab9379d779d8da1faf8debf4b8d34100ae9dc

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
Size

8KB
MD5

060e10b04227a593886c4cd0928a3bf2
SHA1

054f9db834e37459f10b83f56691a5d6e7f28334
SHA256

63d887d8e0404ccc73aa5e77c21ab9379d779d8da1faf8debf4b8d34100ae9dc
SHA512

dfaffc84c27b4cbfcd42e614a1f28088e3302b65212008aceea30c4f9803ae31f88a00d1b3de17e5b4f42bcbbe096f7a8eee4f431746b9751b999b6c161bd5e1
SSDEEP

192:Dzdrr1FG1WDCgmjPZpintNGXqpze5rXoUA:Dprr1gkDCgSan/GXqI5rXoB

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 6 IoCs

resource	yara_rule
behavioral1/memory/2068-3-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2068-7439-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2068-7440-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2068-9033-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2068-9034-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2068-9035-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2200) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Y7bUP6J6Vbfa945.exe"	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Speech\SpeechUX\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_FAQ.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Assignment_Operators.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmelsa.inf_amd64_neutral_374f9d31af832d6b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\LogFiles\SQM\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_objects.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep005.inf_amd64_neutral_f2fbc5759618d8fb\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnne30a.inf_amd64_ja-jp_b2245ba886355a9f\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr007.inf_amd64_neutral_442d902f3f3dd5b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_prompts.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Assignment_Operators.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_profiles.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_requires.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlucnt.inf_amd64_neutral_642a5ab3f2a1ae20\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sr-Latn-CS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\th-TH\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IIS-DL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_objects.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_wildcards.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Comparison_Operators.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\amdsbs.inf_amd64_neutral_5cae6933bef20aa8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netevbda.inf_amd64_neutral_bab421df9c31cc81\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiacn001.inf_amd64_neutral_b7a0b2f53d745b5a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Redirection.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prncs302.inf_amd64_ja-jp_96eca15be06b1482\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_type_operators.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Continue.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_profiles.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Return.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhandy.inf_amd64_neutral_386661b46df6da3f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_neutral_59c2a018fe2cf0b4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc3.inf_amd64_neutral_1da6abc36a79974f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\AppInstalled.gif	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Quoting_Rules.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_preference_variables.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_CommonParameters.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\es-ES\about_BITS_Cmdlets.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Assignment_Operators.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_locations.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnfx002.inf_amd64_neutral_b6dd354531184f64\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr004.inf_amd64_neutral_b1d90b3749c5e6a6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00c.inf_amd64_neutral_79ebe29715d2fa47\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_FAQ.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Command_Syntax.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaep003.inf_amd64_neutral_c2a98813147bf34e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Switch.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Windows_PowerShell_2.0.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2068-3-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2068-7439-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2068-7440-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2068-9033-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2068-9034-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2068-9035-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\logo.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115834.GIF	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\16-on-black.gif	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00130_.GIF	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02743G.GIF	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePage.gif	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2B.GIF	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\GreenBubbles.jpg	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SPLASH.WAV	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749G.GIF	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\icon.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..p-cleanup.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ff74d28c37691941\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnrc004.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b1c6cd594376ae53\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-datawarehouse_31bf3856ad364e35_11.2.9600.16428_none_290549f61579b5a6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-k..container.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5417aa5890031e3c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-medexptv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e1bdcb351b86ab2d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\16_9-frame-background.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_pnpxassocprx.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_43adabf05ea9bb51\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..erclasses.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ac657f04a78630d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eventcreate.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_16ee1a44d3e58011\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-sync.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b1a1605efb96353c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netbxnda.inf_31bf3856ad364e35_6.1.7600.16385_none_f1c768728ab70982\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..tion-isolationlayer_31bf3856ad364e35_6.1.7601.17514_none_5ff76bfa669f084b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\Boot\EFI\ko-KR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ftp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fabe7ede83c6599f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-j..buggeride.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_b96d8b2be9aa7dca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netbt.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4fb8acfa080f64d2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Ding.wav	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_comsvcconfig.resources_b03f5f7f11d50a3a_6.1.7601.17514_es-es_47128484920e98b1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.messaging.resources_b03f5f7f11d50a3a_6.1.7600.16385_es-es_d1fd6814dd9c63ed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ecore-acm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0cb3073d2ecf8808\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehvid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5671ae8f11f851c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-feedsbs.resources_31bf3856ad364e35_8.0.7600.16385_it-it_4bd3f0a433144981\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ervicing-management_31bf3856ad364e35_6.1.7600.16385_none_5e7ff93b6f0000b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-forfiles.resources_31bf3856ad364e35_6.1.7600.16385_it-it_652fe94e15af7f2b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\5.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Command_Syntax.help.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mmsys.resources_31bf3856ad364e35_6.1.7600.16385_it-it_92c063d64dccba44\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-recover.resources_31bf3856ad364e35_6.1.7600.16385_en-us_631964780b55e23a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..haringapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a392abf1026b979\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-10081_31bf3856ad364e35_6.1.7600.16385_none_2790c80b27b0bcbd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\5.png	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..rolviewer.resources_31bf3856ad364e35_8.0.7600.16385_it-it_49af7f695f1e75af\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Activities\39f02628df6b23733fbe777a55e7ffdc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-smbserver.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dcfc4adbad7e2f2b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnlx003.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_812e88067f43e93a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ftp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9e9fe35acb68e869\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmnttp.inf_31bf3856ad364e35_6.1.7600.16385_none_f3bd67b475e3e5c6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iologgingdll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f382f2ece63c31ce\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_wpf-presentationframework_31bf3856ad364e35_6.1.7601.17514_none_708dc5f1b43880b4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_avmx64c.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b3b5201f217348fb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-r..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6df1499b9dec880c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-wmpenc_31bf3856ad364e35_6.1.7600.16385_none_00192601418cadff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\inf\rdyboost\0411\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_6.1.7601.17514_it-it_4203a96875a097b0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_msports.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_63ccbc6d4d0eb8cf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-takeown.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e4deeb7f0f871d07\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000461_31bf3856ad364e35_6.1.7601.17514_none_4567a10a7ad7dd91\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wfpipsechelperclasses_31bf3856ad364e35_6.1.7601.17514_none_d0c392d2129a680a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_iirsp.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_44dba2253e70c662\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.tpm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9770b2fccce9196c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Feed Discovered.wav	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_hr-hr_f9c23dd1e77892d7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..i-asyncui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c2f8eaa1930366f0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tvencdec.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_32160da138c0b18e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..texplorer.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_6113292a0cd22f8a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-runonce.resources_31bf3856ad364e35_6.1.7600.16385_es-es_71441aa33259b227\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..almanager.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0efc7b0b9140ddff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnky008.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3042f86eab69868c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-fsutil.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c00f4179414eb586\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..s-mdac-odbc-cpxl437_31bf3856ad364e35_6.1.7600.16385_none_5d617cc7e53174c0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasifmon_31bf3856ad364e35_6.1.7600.16385_none_caa61ff64e821548\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFramewo#\495f263cbca8e7d0462ee309a634e115\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..linetools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7cb291788a3e647e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "IPWVJIOIHLCVWET"	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IPWVJIOIHLCVWET\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Y7bUP6J6Vbfa945.exe,0"	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IPWVJIOIHLCVWET\shell	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IPWVJIOIHLCVWET\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Y7bUP6J6Vbfa945.exe"	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IPWVJIOIHLCVWET	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IPWVJIOIHLCVWET\ = "CRYPTED!"	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IPWVJIOIHLCVWET\DefaultIcon	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IPWVJIOIHLCVWET\shell\open\command	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IPWVJIOIHLCVWET\shell\open	060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\060e10b04227a593886c4cd0928a3bf2_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
282B

MD5
69a98ef655778f1cb3764a923acbae80

SHA1
22683321e95c9a631039d15fc49ac5d3e639ac54

SHA256
2ff127d5bc4c7333c8f522aa4b456684eca97c06d452bf7d00b6a99b49b11b0e

SHA512
610fc09f40124e1a74ff303ddd95ad5809679be9e0c381e5d367ecf8e1e137c3da188142de7a2c5fe2b1225e12482245f2b5c417d43d73618108bfb1c32a5ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
0230bb4a8cd865a47a39c8dfce7460c4

SHA1
69cd6e879224fa2764a5ba4be7751b41963aefdf

SHA256
7ce5cf23431861d4e7c92e3495523ad21e1f7e0a1a783d2832a56376a7d6e72c

SHA512
401d881bff82fb71190abf1e4025b263a8771e99fbea8fba1ecfaa5501525e9f7345170a9098647bdaa09dabf7e0de5947efcb820b429def2bf709195129d5fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
cf51750c796b42cf35f0ca9dd01232eb

SHA1
6f63de5380d5ae4382556b46e21ceb673f4d31fb

SHA256
e6ec9eb2dc51997cabe901f61de590e2315afe4dcb318a5445a93d8c7bc46943

SHA512
4945655d67e1c9a22529515393e0872c37243851f67036e1a7cacad97a5dfd7c702eabcb453ee3153a3b292131e466a5135f8648bb806712083e13c6106597e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
f3e7804c7630e51630daffbd6e384e0d

SHA1
e71bb7329b3dd3fc439e13cec5c7fd6318620213

SHA256
586d441b6888d893c636ad86b12029ae7bbeb3994a5bf87af6dfdaabc069cfdb

SHA512
d98ba17d1ee8943357c59627c87fae071a2da7d40dafc2f4a0f74affa6f075e75af4c92e00b501d06d0c152ba3e37da4d3ea540022ff6f67adceefb9a2067d7c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
c9708bce252d04ab12b88b9171940c1f

SHA1
2a34d8d2d0a3a5b54557fecb3e5fea121b4363eb

SHA256
940aeca35e7e9616c527977d10717ae2e11ba1d833fef85b64846a8e76fd821c

SHA512
f3e6ff7ae03529873af739d25f45f0064c14df62fbde2a10237c4e4b4d3e82913256ee11576237cac054404a9353629d7ab3308c177bf16283075ef032ead578

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
c08f144658d2667551ca9ac1db5d9f10

SHA1
e25fc570411b0d6b40449f21816800fe74558702

SHA256
19160f4bed11d7a1c80120a4b84e59b22271be0c827a235c8f159e8034ab9344

SHA512
8a18d86934aaf680bd03dcd335e2ac9bb5a504686de7d88ec8a2f014ead3c4a7d186bc2ee4e1092da850420f912a67f87391e3febe579c9fcad6e9644cc155a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
71ab2bf4bd13f0c899350e08875befab

SHA1
09bcd0137a5bfe35781ce2c4e9963cbaefe89977

SHA256
f239faaf8a73c5c3ce0537e437f59b85b3550e34e0b9c08b3a9222bdc1c628ec

SHA512
8ccda421ef6d2f84bba36312134c47c33d566d5e652cd3137f0fbb11fe34da74feb10ca33631da172063bc95daeb8f953446385b795c954f5f30c60ab42b62b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
f21470eac1ffa5f34130d5a83fae344e

SHA1
d0af9fa2901c415c3299278f714574a322136bdb

SHA256
c003c5a375f28979326e7ced9642d6abb55b8106d894b515342fd57ce96471cd

SHA512
ce04d53f4d50820b02d75339c448e8da1192e415cddc935dde3a6732d083d6d1b67c2430c85129c87b391ace7a4428f2b87b3d9547f66acbd7554207566f8b5e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
e57617c6fbea4e323deeb45455b68642

SHA1
f1a7d3b85d5d6bc42cf663d1760b9c0deab3b4ea

SHA256
b5ae552f3c1627a35efdcdaddb6e4290ed9c418c63709753bfc35c4e4c6407bf

SHA512
5e13f0842204751841437799ecceb419ad8322d757838ab385ef0d1505afb1b17b4d01a242b6552110ae3175849a7742c7285c0deb8f65327cc45ca9a4f11a6d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
55fa7bf407c1f9d489e45fe830044f90

SHA1
87526a27bbbbf9db329eee586a50a287a133e0bd

SHA256
360558538920837632c0fd44718f2b98aafa5f1ebe490b0909ac09ab7a137dda

SHA512
b2b91a8023a3d2b83d6443bd33a3034d1bb514769f04a0b2c946b819f1b24273d4ae2452e4064366b71eb5cc344218d0fd72efbc0cb55a8fc39f4e264767220a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
93e80b570a90680f7b90dc7daf02ccb4

SHA1
2b9b94047cc1f56661465156ed13c00638ee3146

SHA256
595ed2fcc844fd243ed2d965335877719d173fb99cf1cb198c91cdf2cdfec2dc

SHA512
58312516bec1796457e73f362c63468b5e1581bfe2d0f23d22b912710d3406e63cd5395f91a27bfcdf0a5a3de42d6e98432b0c02cd2ef54bfa72fc8cd56fe1e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
66b2636a546c928ab817e78d11893504

SHA1
364f50e81db4f0e4e13e999a2deee8e08c87a6f9

SHA256
84f5a923a585c190c0ba449002df06bb713a7de3eeb0d7f5dc93e69591ff066a

SHA512
8de617a16ef2e56fff9e9211fb2f048dc60f2ce6b64f9648e48ad2df281a20a071b65b08a3db8967d921a46d28e3a930309b2651770937e2b323e1a3266f3928

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
dac413b3d49336bf096b1ba51fbb9439

SHA1
303ad8a6167a27bbdc1dd53d2fd2262511e462a3

SHA256
0bf965745d8fe16b0a23d41ad24594d0fa4544594e65c7980edf97af80b1739a

SHA512
eca4e80de4efc05a596a62fe1bdbb687f1372434309496fbf7c0431e1c3affd331d20c1f468c4a8708b13adf8fd02a081b15de4cc36f104782eb62abaca472ee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
291458366022411b7f21d7cb99fc3778

SHA1
74c4c6d933a4639871fba6575d13bb962ad94f60

SHA256
12b29605a3950f1fdac508b0b8b66b071b3913ce6e48f63472f1bc38cfd1b9e3

SHA512
91b081fc56379a671312d9b0294b13f727e70e52db1cc2a773329c6b2bdf4bb20410ebd4dc871052bbf79a9bfd3dd7a5e1528696f14daffd2b39686d2151a38f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
47c59c9e9a4763afa18807d118c8030b

SHA1
667af7138333cf19af1fa7c9e3a659e188c1c990

SHA256
7437feb2ae21adbf7b92a399e79c9c765aa6a10ecbae0392003e3a6507ed4077

SHA512
cf0bb4369d216e9738c9a08f030a6728fb209f5ba3fde420cfa941d712d0e195aa4836448f1114763e4d57607b1a5d16f7aaa053746944c37028513aeed909f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
4793c0c19f6647044ad8f72b97a47fd7

SHA1
7e996bd0b617cf4dea9bc747b0396eb35b4b2469

SHA256
b2eca0f19c6749180393f04734f6f43b6228c31e007f1bd1504294b8363864f2

SHA512
6e7998b78872f9cec16beaaeb76e33343775694c4c102e8ca250248c18cce9d66b3166955636c7357cf4d6991882f78b44cb760424ad1b1318e29513f7970b87

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
a706135beddb03fa7f2401e2fcbd7cf3

SHA1
3e3179d88cf31ae7f9d22f0a6d5fb294affc725e

SHA256
6ee834e1d295497a45d8fb26031feb9802067d1e61d61ce80923d73805909c14

SHA512
591f91d147b7e27b0a29e9a7a8eb4a4e56b0d123b88f3375d9c645b4b67370af997248b80ca833afaf7beba4e762f71c532aea89729c8358957fbce419fe1856

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
c20cd742bdd08411c1a1cb478092157f

SHA1
e4d1b19d99c133b8370b244a137c82fa7cec9510

SHA256
91cc0e45fe83437f7cac9d2abe5dd38aafb4b201ce7f87b3f7eb75e7bb07b9ca

SHA512
00e8a0d3ec8a7f11ee874c26f3ae1e13fb54efd8a8279f1c060fc7fc0ca3ba292e736a01949499476a2ac7b931014feccd126603d74b35dc55d282148a9b1f67

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
d785f7afa2e3c62e1b9df6d755ea1018

SHA1
3dcb9911f48d5cee0c8618d23fcc8413ca2eda44

SHA256
f7e7d4c3a345bbeb651323b114375f6b5dad0e371ab0474231dbb70f8ed9d3c3

SHA512
f7f9ca8d8ff083d07414da7ecd24f4ef2805d57ed448355eb0e6bad426a556a7276c4b36c6433af1cb34c1f8819c25fe789ebd51c61a82707b917b0a591da0fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
d17db4602f77a919baaa52cfb56e6eec

SHA1
bdf4082937e09ddae8a9ad3242fc54f9f1f58d33

SHA256
c2ecfddcf785508d8bc8d69ca471b665c1af389e68fdbff1cd89d8acda9fcfbd

SHA512
4ef28833e7f35dbd178fc688d6913cff74ff7effc6dc5bdca34b82f11f77e9c2b685c7fd973b7fcce6a401cf660a8aea079e3e51d8313778ad7ea211d274a9cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
9fc156d8102c826cdb6356c98dd40de0

SHA1
4f195e3b9fb06728a59bd3199c6056e075bc60e7

SHA256
faa2014be137cf99cc0aee256cc98ace81e74f5cdeb1ebfd8840705ae24e57be

SHA512
2abff6fef56821c58d6a6f438f92d6874383287e6837593360039149b535d82b0b90da10320acb62992ddaf017dd70946213b6fbe96007f01d1d8823e9e27561

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
0f4928af3cdb03d3e36714c8057b7181

SHA1
44521bf2f47666a3e35d02feae6c564352426971

SHA256
84ea9e551a1da2142bd78c384dc1b01dc21ed3c517f2b579a3755da331c66e67

SHA512
0073cc84c606fcf06ba6366e29dafce45dc072b49ca381c2d14d31d5b2ba8900ea678fb1725b9dc217f0a45191280f78bb9ff1bd025e27859eccf72b28414a11

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
096de6d1c841ab507811d10a89eb2ddd

SHA1
bbfe6e521cf36c5d08e2aa74df555fb618335c63

SHA256
42ae7314b04659e884f9135f768978d5bc8bbea2ec9201e8d39a8ed1da9c3626

SHA512
f039dd50a3d5f8e7142fa2c0ea14630f8c87f2577f620b02dd9cd2029f675b06b98b52372b9b215642a1c622e3437960a5f3f84cc2c73673bb42e2aaf0166806

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
85be49398f750175c430730330230703

SHA1
904c327ecf4cc139f0cfd7325af5ef8f0bc7168f

SHA256
184d1d9b2e171cd291786a15b9522e381ed08483bf3cb7aa6358e2d44e8266ea

SHA512
d72f6d44e3e9d1ca919bdbe066783cbe54905e9c53f09c6317fbb7557b6a808ede0a9a9f375c26304cff3699219402c13b9ea377e545d1405745d9328c1c1355

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
dbeb5ebdac08075d0bf14619cb7e91ea

SHA1
234c42d1321949f5ceb83e3fdd73c3aabf5407db

SHA256
0354793a8d28d12dd7489a59cfa5473f4a8139f69d0ee681b20ba9587395fd5c

SHA512
dc74f44c6cf1869c3a4e79a11c5d5b8125c0b8a96b164b1fe5eedfc510965fa70c9018148e6d0e105555f29000e1e9171e369efc0961de0d94663bfb6a50a302

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
ef389fd691f75c25407e6a2ee442e0e8

SHA1
d097c5b95c59fb7a4ec5cf8d774a87a912f8de0f

SHA256
ea969b516b6f5ff2ffb31cab73a62b4673f71b1012f6ea13bf3a795b565c4aaf

SHA512
25dedb489ffca264aae79ddec8191710d045e82dbf51d254afddffc4be9b13851daf1a6d598b847d825b8a4f17f3ae33ce28722b2383d10e9e43bdd3d83c09f2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
835dbf52ef810cafe46b2eac59d606ee

SHA1
76b2a58af431c74a8a3a643765ebb95a76f3c799

SHA256
273d5b8b2e103f18405314881a6dbf74b630de876b270b568410f7efc352c859

SHA512
c2eff35a5e187aef42058a4887679d9aed59b22f347c28b4430d83e9ad8c7cd4a85b8a486f335308d0980c6e6c33fa20de5a2e1454770ccdec5c822d796207d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
f7e18ce92eb4b6645ff70cf6fec0c741

SHA1
2f920c0350a84089f3df8705b0afc39283a51fb5

SHA256
f7fd5c7f893bbaf0a484b8d4b144d749343f6afeda15c05fc0ca75afc4ccb970

SHA512
893a1eca511136996296ba08f319eb5bb25a1e54a9eb05f4b316b1feafc96cbcde6a218b274f74f2b09e279270f02cb527234930da93d7521c95beb0f733bb11

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
bb868e02dd937b4afb0de735b0542598

SHA1
d6e14d3b68255715ef3150d782c428ec85e1529f

SHA256
12773812585a1fce118053d63d090f449179f7e0e3293a689841e4667e4388d4

SHA512
986daaabb8e0447feebb0133da8bed6a1e88f7e05e72ac50790ce0b91fee8756bb0f8c7aa711f92f92dc11dc462086fa539a5b7b89af4935162f2c3db43b2bc1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
7aa13a4276bac78aa28248085c41af0d

SHA1
020bad1e7415d2a8c8d9c9ce0cbd1d485bc9a9ae

SHA256
c85daf9ce21f610bc2e4844f3794c600ee0fc92951da29d436cc0b4be2f815c6

SHA512
7979485909edef4b16275bcfa6a1450a24d6e2af09a247a99207ee196ecdd7fce866beb47b12da2f612e8c1cecc54b15cc4903882720c1773503a168fbeadfcd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
e5787edd5c4db3d9ee1dc8e2b1853059

SHA1
6ab80e4f841d7151ca61f42744731871aa1e9c4d

SHA256
82f128384ccd1191498378b5a037507ac532a2d50705eab70747b56dd9b1e2d2

SHA512
42f440af945ef39c49470dca786dcd37a0441aef0ef1a01c07419741dc2fba8618989dc771fea0793eb58de6ccf1a44b59856e1a8ecc25f3bd48ab09333eb697

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
dd018738badb5d4fae62549752e2829a

SHA1
7b9f4a1b7bbd607b0b882edd714fdae5a14b8e19

SHA256
5145f92bd4a7a0494c1f316e506fe9ee7b8bfad38387c7ed897e7f958c370ac3

SHA512
35c5cc020204ec283457e199417f9378dc52ecbce9779268137f54ac3cc8f0635f19ea27d0908e05fd41fbc629c4fdd6fb2c095a2be58b6133f5658ae9efa872

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
9011b16686063a6a4fb629450e42d26a

SHA1
2a3701fabe98c6d1848ca65d17eec70c15d5caff

SHA256
a54fed019e9cb617b38319b005a1914e90e838018e3128c8a7fe9f8bf81762a9

SHA512
05a8f988add5e68c0eca8916d99cdb6e3a94c0f9659a0497997c81053a0188aec6453e1468752bb50d67de9345de10347ba3fd5160939a03f7785fe9e8c59c3f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
c846c825508eeb9fa43d6b511f240184

SHA1
f3cb7c54dac76c5dcd9f4145c5c7c815d1d93160

SHA256
b65dc0b41f40b5fac1161dc3c35e3380640a3f4aa5f757e8e09ef28c2cd0fc23

SHA512
b54edad1534987e5160409de35b8dff22aab33dc6edbb6d2b4d47147a270a613887f75b647fb0211567ace1064fe108a92e8bda1b53630e088dda1249bdff23b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
3b40c4d06730b1559101d7d8582d2829

SHA1
d3f879af5413c239295d22565da248fc34822be0

SHA256
41d489aa15d7b5caa8bd0cf250b14e00cf4f5512fba6fbadaf717ecb6444b468

SHA512
4c3cb1e379a94fb47d0a6610b1cc51e9c1fd5b469acb85d789af0870bbb5c68807d430e992263069b9ff2ad9e2d5a6cfe421b98d4034ebadef66fb91f7d0b3c5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
65fd7ce4b06bd158d9c1ece56422e8ff

SHA1
df46e9d01fc0cf9636c2ca05dac91552b81a4e84

SHA256
d2874d7912042c57ba2fec094fb9d18fdd88ac59cdda2178e481569bd2629e43

SHA512
c8cf75209e32aacde9c7a5f36c7c5ec06c5ffeb06d23a4fd0a90c86810d99a7cdf5a94bd994a433b49769eda3d16b4a7d2662a801b4b10ff33b29267a5c4a195

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
69b5cf2db1e58020c8c0d3a8e6283d6c

SHA1
9fe8c3e1e199d853debf667446390360b39c8b72

SHA256
6158401ed55c885fed3a8c56e41872d531ae40034288e89af056aa29f946d468

SHA512
2b2874248aafcf5055c9b58aae8588155c7f8cf3cba6da045f5ec20e0bcb05025c61ce0ed1e29dee19c538a66263dd75cfd533cfe3cfa492eb7b019bd3a5cb1e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
61bfaa5434e08ee4b2b8706c5ccb1f53

SHA1
bc286750dea1e0a6dc469dd9a4b4d2fb3e1f383f

SHA256
2cb5779381752eee07c8d5db438f6ee5a37c27e2d77467d4d31ca9d0f6a6c0e6

SHA512
9b857dc33e885dc31fb18df2cb33d5a90955c782c972bf4f71fca52292bdd7b735b1d8a0133566130bfa0677ca0916c38afb30022688189372508bce229ea0ba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif.EnCiPhErEd

Filesize
2KB

MD5
05fdc2ea355da23f1711f080fcaf77db

SHA1
309fc69b56fb217249c15800da3848348147f901

SHA256
2dde5fbbdcbf094cf777573db6244449d436d063428bca5cfece0d4a3a071f32

SHA512
3c9b17ec74783b71b49e568ce6520f585edef89d698690e33ae44e927ff173df15ed7324e82ba87032b10739bce32bb567db23a010536f54d4d931bd451c89cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
80e46f73fcc93068a5d184406aa36861

SHA1
5243bcabf755fedb06e413c0a0b7c5b646bed9d9

SHA256
020f033b0231e02200c802fa188727b46532edd0f2c6205fbeadb3d1b04cee0c

SHA512
7e0bb71ec899652e2237c77bfe456780b2aaed581660e8ae9606248972aeaa42dfa99f67cb1fa26f54f4c2f4c5d9956b9ec0a9be5dfa3c2b7ade7cd617f357a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
3d65f04bc3b8bb35b09baa15ceb667d5

SHA1
210f6974ec44bb34c75d37bb1eea53cb2358c771

SHA256
0d40777c591d88bdbf01a1d4456030da182b4bd2ecc9d64b656ce5539dc9f63f

SHA512
e1611b93372fe167c5223b07c09afdb406725d10cf0480c98fd6160ef194e87f35d1aa7262a8335447bf0d7fcd82102561ce3a07e2200434bd90dd1a89ae05c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
6b8843e0623551c34e9175f930400f9c

SHA1
615c180791a81b1a58761d722f780f78720c64ea

SHA256
2568d31580e183d293322114f7fab8cb581861f39a6ee445819ade5fb4d5b43e

SHA512
dcee4c910a7c8345404e221716147fcf4d373b26a324430086cf8f926193c754d2ad07a94181e03ebfb41ab316aa4e4bd1969d34fed3c225dcd8289f8a7c00a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
de243cbd697842894fb1fdbfe148efd5

SHA1
0934d452f730bbc2db005f68e8cf36f06766b6e4

SHA256
f3117bf7694a8855dd002084d73929480f39bebb06da493e34b9682551738675

SHA512
44bb0d658c862216e51d123622dbae0593c6fe416bea3f9bf75a49665c9d23438d5f0c191c25354a6c947b202521826bf0eb19a23e0071c3eb09df8ffeefbabc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
56eaf3cfc9081410cea916e42e01993d

SHA1
b5d7c55ac8cacd42b13a6c02368dfd1f2ddc0655

SHA256
e8b044600a5c4dfb3d2ecd865c7bd70a521255c643c74472388bca795f24f37b

SHA512
82bb827f5d23fb8c9f4ab9d929e8b422f7bf2433906ce1ce891bdefc70fd538eefe98d2ee6e1a502c08f34ecee36c971c8dcbf7574c8ed7f80200d36f916a751

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
c9f4535c4415e838bf946c488b30cdc4

SHA1
3cbd385ea98d0e6b7eb081c1a08a6bc8a08c6627

SHA256
5d253461741f548734b19a68b748cfe5dd60970319a6a054247bf3f97d0e1678

SHA512
2c665bee987b03e72c9953523e8d46409afdec28a9c4fae8948bfcaec7d9107ff4675df298a4cc8a714c4c0b44f266d08f51acea6bffae07395d7be1adafe86f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
e765b6464e33c524910ab1c0b4f16f3c

SHA1
b7e339914a440d973407dc307a6f11e61a651342

SHA256
18fb00f71935b303a4a8a5021db8203fd0056cc89f6ef84baae10321d6fb61ce

SHA512
4c83ca3f57920f52f8bb145c67b4ab1e2b64253f7782566a8a9094ae56c8d8fe2f8335e33cfba7310e00289d483986aae797f5568f254a15fda87dd71553d910

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
e9a7204aa77ca231a53a512d9335ef61

SHA1
841430f1cdd0d59c934cffe0f51b17729c0dce4e

SHA256
93ce8c2d94828dc254dc8944dc96b876bfdff73d255e6b08e688a9a40835e222

SHA512
52248dd84647cb4e79667fbbc5c9e0157987283dddc4b79b187bea0e3ff49fcf07fde4ecb2fa79b063b629a1e068adaf200b173b188197f7da225739e18ec8bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
0f1cc6817b44a6bdb3044e53734a7067

SHA1
9e8ee2ade3134a7e02ff95bd45ef215294f00804

SHA256
338f09becef9a67dcb4e0c5268749e1598676192b9133f233b78e3e4db12d8d9

SHA512
083ccd1af0441740676d6b85ee8954e0da0f2d02b372ae875307e22810206127a7de290c452d732310781a38245e77c85d45d152d3743306876e6f0c3a523083

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
de19cff243cbf7696e24a4a5319edac0

SHA1
9ff48006ed0817541746da7fb9b192d075346ee4

SHA256
2ae440c7e15280531033308c254238bc4f1a35bc5d0911894251edf98c6f9abe

SHA512
3627d407823e018eeedc503290223df59b1fb7fa9b734e862581b9851c341359c783de88f013cfd1f74f7f00ccec0e62b8260bfa96ecf560769b1b4eb3d63485

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF.EnCiPhErEd

Filesize
615B

MD5
4fc93680fde65ab1eec39cb6bd22e85f

SHA1
8a2370595b8227af47ea4792a00b245a13c39d51

SHA256
93d8dd497d22a901f4018244b25cc07786534f2df97a43d58fddbb4e5d422f00

SHA512
5799dee6b8dbd23f154dbb5b40495b3d3a9d02fcc91ede350489244aa74d87c82860e4849a1139aff43e12c5e2c2d0cb0960fcb17fe34be419fe1f63e9ec30cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
1d3c862bc56edf4f2aa1595d78b10926

SHA1
21a18afa28a9790e7617c7c2e9e204c611e57d10

SHA256
9df9569550206bd31044556db4ecba1c5aca01f5a49d75793477acd9f0d3c375

SHA512
1d7139c8c513303950730148b68c528dfdc30c4b81384b1a99f80d76ad0c4de263b238b538048784cd2f689f2357480fa55a4245221c9bbc87f4167ead53a5ea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
74a175b5a8dd39345952787de58b6241

SHA1
9903a4f03d4432fe1b85bd59d91a5067dc2ec0e5

SHA256
27b2abedcd8f1485a03ddfba4fb4586a38279cb37cd3888163003e7122fec1f6

SHA512
780c699040a18f12ccb30dd3f4a80aa5901ea460f93cc8476432b091153d581cbb8b63fc453e7739ae214ab02064f94cb6c6307ba764fcf2d9277a25009ef80d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
369f41db94d9ed2c590900d46588a88a

SHA1
1897b6d899de27324870a5225e30fd6abb46c72e

SHA256
38df5e1d7b2531329cab71f0fdb25674c96974e82aa94027117effc067915f92

SHA512
cc3299ff7f5aa8ed5ff4e9fb79215368509ed311a0d69e5f83409eb1947ae6495c6089212d3f123b438722b216861c83573dfb02a8022068ff8e791a9da6a95b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
3098002aef1ff9971e648a523a66fa08

SHA1
21c1b973bcc8906693e87ccfb1170e9ee5794b44

SHA256
33d1adf163cc8bbd0d21f2790b030a398c5547f1cf1241c0b5d370c2b89656b8

SHA512
da8e29bd04e14b78fdba12ab4c4f749f9f767a925b2e6895ec31407c29f5ac8aa6b1030937644ec6b5b82ba5ab0de3d76d5bfa2568b4a06346cfb9bd55b8b264

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
2ec4860c754dea1a421ef222d5bbdd1c

SHA1
88bbc7da5093f5d0c11e3e0a9b5785cd179e4c6d

SHA256
62a113dacf5498feed976cc8e541280e642997de8debff6ad0b022e14b290914

SHA512
1be61c4acbc8e64226c47d4e48e7f61f69013e923c3fa618801f7f0d670e446534c2a18315610ddee8007543eda440a55a282b1be3245cf61a805f7774351ef9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
ec768ba250ea79521de302423e1c5c71

SHA1
7ce62008edd5ad0bb92237b6f09c788a6e8b7ec4

SHA256
4714ba416f11b559da3387eed1131d90097cbfdd9d6c830944d82b5d1e5f1276

SHA512
57a6386e4809415c1e25656252d60680dc94df5fb0e3ec98c5a6b6ca23259647071bc4931c051cc09b9538833bf2a16b3f22a1dcd199ee0a52ae97d37219d55a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
018e4ab147073d71271ea8991fcb8c08

SHA1
5c9c822964613d966c82d4fc88d3f6d14d68c467

SHA256
90d1f3071f5f219e68ac7728af54bd70206febf595b6569c0fc5cf4e47c3ab59

SHA512
30f7ef8720df6bc05c554ea323f0eef3a858774b92f870625f16e488f5507574962589b9a15e395609bd373d72862318b70e77e17b9abde68ed639d9740116dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
12fe1537c3424d59c06c33b5bbda6791

SHA1
e428ebfa78ba07f33d6a86049b6ce43fdec7c9e5

SHA256
6d0517aebafc31295c1777a3b54b96b8523c851993c01a10f965018af0bc3e07

SHA512
9c0f3ebf6cb8db0c06d935eab78f0557e457ada7ba97d8f50cbc959f703291cde851b94729a20869e281acb7dc3a9ca814a0397f939abcd8a4f85c25de20e5df

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
20128b48c80b7fb904ef375645c19ef0

SHA1
4af7ed6a6537f3cc8d8dd728e07c08b66f57b983

SHA256
c944e323c410b56b1289bb69bc5e579632dc34ec2d40f73f10cdcdb19a5fbca8

SHA512
b7cbee89b87e64fc48cb3494c42133878eeab3d3fbfb1d02004f07119b5cf2bf517a57ee2f4d0d0a547f79a3972b8401c430523801af6e8d6a78cb70c420730b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
eb9b31ae8e15c5293dae12a997cdd7f6

SHA1
2c94de4cd4e4c8761a56ca4eed004d6f822a3068

SHA256
cbba6e8f129860a52874f90c7f2f51c40596f8e364385f18f7a760ca38ab5b3a

SHA512
42deb4595c51531425d25e413c4fb027127783e88f1beb57afaa21b1521bf8495a39af733c1894993bd658884bea25607d7233a20d29fe24163164774850cc63

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
ddb25fa92923b1631fed8429a1afbb85

SHA1
f63edfed9dcfd5ab15240a50c8a1b5963a571998

SHA256
1a446588f56713d5606496a3d97b57aa7afcd29cba473855217adecccff08927

SHA512
e8d7331f1af44303b7188a616c9daa5768d6c4f91ebfc57e883848a474b4f8776aa0c6b7c3c8ca360af8218edc3dd8737506cdc086d7df9db916eca477ca0eda

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
5f5a67cadd479f24b57ace711fec656b

SHA1
175147d6d4f0b0cf169c2b71328859aacdc2ac5b

SHA256
c80b0d8e57a3fd2a59eb77b87110d01672ad7e1a53509db161042bde263a9840

SHA512
08726eb79d0b1a8f44efd4ebaee3a514e88f6d30b7c08163c701b3331b4c3ff323f86a12105044b8ccacaf3249e836943f1c9662feaf7fec9f04d747f6c3816c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9e63e1f143aefbc86784ffc4089a84a3

SHA1
1221d541a195dcf2ec5bbc6d4f7d7546f040b073

SHA256
4aa2faee9b39adec68b73e9663b068b5038cde27cdd0ce653127ee7393426b72

SHA512
95428f05212cd7631d49a093f9091596fcb0ed04446933bf2b0e9218ebbe9613b4c22ee7d9bff1fd4f55ca3aad22ccd376cfd63954e0b84a196c43a2a2a19bbf

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
112a380d724ba3b9aadab18995c06edc

SHA1
7caffef04d3d2a8dd26a91562f8bf8ea20db2a7e

SHA256
e74517922a517f3de42f95cdfb83df3df8a2f547ad1a029e811adb62ce3510d5

SHA512
8c707269c4014fb71aa79e4b5eb0f4e03a99522ee5fb139c66343c9fc2588cfc72abf2ea58fb303a2bd40fe2181d35eb57bbf0ddb2297f9515d23c5b5c129a64

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
1f28d36e9bebc7ad49e4ecd1c2f99abe

SHA1
c80cbfddfd54eb762dcf56b97351c6debc40379a

SHA256
7875407b5204fa43bbf3cf100c64af625d417299fdd0bf4245e6262fcb754ad6

SHA512
876e4f36906f192e43cc95e967f822f9c312382d49ea7476e62c480fe5e25fa776049d7f5ffd880472380270a35b5c80ac3a730ab493de8904e908018afd3cfa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
e43b3bdd228fbb62003002b421273a76

SHA1
e6553c45f804714b35a0c51edecd81b33441c4e3

SHA256
500c6e62793dbb2d33fcdf2476a081b0069225b08975263bfcdb28862a8a9282

SHA512
ddb9736ae7ba2e1a8923703289f1fb69990857593b140957ec7d0d289d62dcaf4c708675e6428e4061ec1b3f18b95870d82e985ad39d3f99020b2956129072a5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
ba826622aab68b6885fd8d9a734069c2

SHA1
21716b5f39c35d2c5c720a278bdeca1991425ce8

SHA256
0cdf4395658c424ec20d7026c52a4e2412590b894e890d94b4a06619f77d1bc2

SHA512
8e87acb0892555796fa68b09bf6876702c777c6c55eb084af2da0ef64c2f2289467a7228300117bf9e478ff5caa78cf6ec43cbad7cc102dda4f0ee18b239dc40

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
4e210e77165cff0d657d97106d39d176

SHA1
82eaa0d7bd47ebfde1e491f144f5ced3870cd807

SHA256
b411b056c3fd7681e1bf5889bb7312b50078016156caf85e61e87cdd18b63576

SHA512
c98f8ff153ce68a36cca20576375787dbc9a45fcdbf7fc89bf61ffc6a026f7286b50267db8eea9bb2e0974031fbbcb0d7e9d08e32112694d77a5b459158b5248

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
bc60d114ab69b8788b87dbbafc5f6ebf

SHA1
4b567a2ea842cc00af56e4b1f429b0fff35d2c07

SHA256
7bd64e2c1dff6019282bca56a03456ac11d508fe2d32b7fd8d624d40a90ee738

SHA512
2fd55da2a543702cdd05375b78f6585610bfa15af00e87a69348cd602128f8a095184d5224fdc64452348bc4ac03b483c69457176e0a1f6710496d46ae9e7fcc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
29613b0a4a221440c8d314c4bb5a3a5d

SHA1
48889f06ed6d6b9f18cdf92384a9e50b5caa6dd3

SHA256
fcaa8974ddb5ef419bd6c8dbafafde74dc9e81d79110813f9a735b8473db3350

SHA512
217430fb51f2536e432192ed28cc7772a0e7bb9ab1d8acbed59983739cf86b02e9cf9f76d5d0bccbc47ecedc812591f599df5cb09cf9881b17e6b3117b62a68c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
7b81dd0ae180dab5d2b4b58cda07eb10

SHA1
9170bc75219f5b02d83fcf9975a499b4d5b46369

SHA256
9045af7f6ccadf7ec51c55cce778fe021cda8ef9212f4e4f74eb258394562721

SHA512
394bc468efef721d791a15df5c13be11c0631455865b9590ce5acac445b3bb2320d8f81050f382e2a27ac6515536edeceae6088cbf79fec9bd49875f978191f5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
a310e80d3d91cc5a5f21eb385f531dc5

SHA1
8ff8d9c3ccdaf604b9917dde9ff6f774168d0c62

SHA256
0a9e0bf4f25141637215c00ca62986cda34e38c5cf234fe944c8dfe4c9b95b3d

SHA512
f5f4286ae14c911c086478b0092a63710118782d5be7c9645b2eb1ac2eac7ba41075c55b11782e3faa4daf6d1199867dbbb8b38b1272c0f1587b71e388c63a01

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
ea1be1362f7dca878e1120f6e661f9fd

SHA1
7ef0567f2c96bf15ac3b8b0cab35e5baa5305a18

SHA256
17851ac7e35e204b366f987d787596c8645ed81932b33ab2221876500ceaa675

SHA512
a529f7e1c0c56a77113256c288f0b31190c90808a3baf2847340e5fd6eb0d380f9d2f8ed6e07a0d494a5e34881c46804bf7cc213f35a7dd9f6cd4024c00e4838

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
8a1839024d8d2c576c0c99ec568cb842

SHA1
4dc527740f42d64829bb96b4f91be336d578865c

SHA256
ca0559126bccf501240f2aa36944c21cf3f23820b7610e1606fead901978e32f

SHA512
a5425b8745948df9dd27c09fb66b56535e7df50ad2c4a74fa83ed089da9df09f3b4d1a9e4f89f4682b713a7d553906e0df74efa551285213ef49148482c3ab66

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
f96e78ca550f3aff07b909d4191889c7

SHA1
7e526ea91d8be7829353a16eac9b895dcf8a681d

SHA256
6dc6fa3917e9f35bebbc804526f9a801f4575697f6952ccdb02d32313b46e1ee

SHA512
f6cc9cb3e5b26ab925be63b1b56f424fe133a1d05943545c8db62e5a95c4403374dfc652477c2e693cabd44b80123ba60d777f2aa26391e23a74ee84a909d9ab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
8d22209fea2e1e61912bfe9a76fe299b

SHA1
1fd26ed72db8fb7ab17f4e4fe122ea5408033302

SHA256
15b360c12f48c9a9dcb81c7960d8eb13d7081c737804cb7cb50f8f6367a05f67

SHA512
82ca1474631715c40f625624addf1dad8c319532b4d9f8c79a964cf3ba89acfa42ed40996071d6dab4c4d9f0e2a8c9e57f88937ee3048662f296ccb0a42115a8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
ee86ce6f5f520e6e986e2e0e705c9f8c

SHA1
4511a5d08ce55cfcca3f1255d45ac4a193900694

SHA256
9785659155358d5dccc3841835322418dfc8380a0230984f6701f92849bfa0db

SHA512
9079ab622962a145c60e33ccffd2d12a62c4d048820a9cecfb19c75f0150bd164a8b6606eb884770d80859d30da638fb2862210653b37e5ad446f052d69fe135

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
7b2bacf9e2a9cb324f60c3bb796b80ce

SHA1
011903b08060a4685370b5e8c125d456e5e5a7aa

SHA256
5b95026d577b84c32828b57bb93723edb884969740e04ee6e19984c987371a9c

SHA512
7d8b30dbbf64404f5aa960478481199211f6079bf4538d1ef3533b5befd5471061941d583631b2f5e2b62f79efd514b8a003d8640fd4965366506ab0d7c99526

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
7aac66b87e52ef41c62a144a61511e6c

SHA1
ccd8055d082a636e91facd708556a41c1da4eb6a

SHA256
47a65a7a61c0895acd801ba4c1d0a74649f18d276fe363effc944c61f0d02e60

SHA512
d97e1f4fefab0211797dcfed286432f65c39c15a88bd22d810de3cd4119c35486bfcd1bad34d140609ba8c993b6b7b5881ee029419dee7e0b4469c4f158cf78e

Download Submit
memory/2068-7439-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2068-7440-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2068-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2068-9033-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2068-9034-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2068-9035-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads