xorist | 8bba419144d0b59e342a7f339f9880f76706bbe564d3dbb72f8188c87663b7c3

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
Size

7KB
MD5

0b7fa305b57066885d7d70c96d51aae0
SHA1

95deb2721b418f05a0b6a4cb4fa94c8c52f2fb73
SHA256

8bba419144d0b59e342a7f339f9880f76706bbe564d3dbb72f8188c87663b7c3
SHA512

c3dd52b3765fa4d286b73b4f21e782986bd950e3d47bc5289e8a59ab6526288288e2b1df1efa9a9b3f4cbf8ea7850fdf361da50b4fa814f4bb1a4772382ec8ea
SSDEEP

96:1hZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihExqahzNWINBXlqPTlMUA:bzdrr1FG1WDCgmjPZvVNVlmlMUA

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/2376-8076-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2376-8078-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2376-9084-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2376-9085-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2376-9086-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2208) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4HLS0rLX0ig1ci3.exe"	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\sisraid2.inf_amd64_neutral_845e008c32615283\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr005.inf_amd64_neutral_e14a0514f37611d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_hash_tables.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\LogFiles\Scm\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_providers.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPSViewer\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-COM-DTC-Setup-DL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tr-TR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_objects.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced_methods.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_scripts.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9fe8503f82ce60fa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rawsilo.inf_amd64_neutral_8eb7e6403ddbb7a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_data_sections.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_scopes.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_operators.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcm28.inf_amd64_neutral_d3fa0f62d3d7cea1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssession_details.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcmdm.inf_amd64_neutral_af49d2f3ffa12116\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmatm2k.inf_amd64_neutral_64a8fb018ead55a7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_do.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl001.inf_amd64_neutral_9209e816461a1a73\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Comment_Based_Help.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WCN\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmminij.inf_amd64_neutral_7c300346e830b2dc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsun2.inf_amd64_neutral_242c76ad2e288fb4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdvgwddm.inf_amd64_neutral_dd691eae66f3032d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\000a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Variables.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaep002.inf_amd64_neutral_0a982dec66379cb0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0015\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_try_catch_finally.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep304.inf_amd64_ja-jp_27c560b15d9928c0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Comparison_Operators.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00c.inf_amd64_neutral_79ebe29715d2fa47\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_parameters.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_If.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\61883.inf_amd64_neutral_a64d66bac757464c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_neutral_cf52485bed804e02\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa4.inf_amd64_neutral_6e97842bb8d9e6a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tdibth.inf_amd64_neutral_6ad685957123daf1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl006.inf_amd64_neutral_e5693eb731048022\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nfrd960.inf_amd64_neutral_cfc8c0013e9ede68\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0007\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_transactions.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_neutral_ae5de2e1bf2793c3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MUI\0411\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2376-8076-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2376-8078-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2376-9084-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2376-9085-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2376-9086-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0295241.GIF	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\LASER.WAV	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\clock.html	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2F.GIF	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR12F.GIF	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CAMERA.WAV	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\msadc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)alertIcon.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\HORN.WAV	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_justify.gif	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_windy.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left.gif	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\header.gif	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_left.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Mahjong\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePageBlank.gif	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PREVIEW.GIF	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01255G.GIF	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR28F.GIF	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft-windows-i..timezones.resources_31bf3856ad364e35_6.1.7601.17514_en-us_857cbbf5e0089eab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_networking-mpssvc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1fa45e6858570eef\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..httploggingbinaries_31bf3856ad364e35_6.1.7600.16385_none_d80e847a4e2f66d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_de-de_f06f5fc570802050\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Path_Syntax.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-icm-ui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9377df51142611e3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shwebsvc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3015f53eb3129398\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sonic-clickme_31bf3856ad364e35_6.1.7600.16385_none_560dd693a7476c8c\ClickMe.htm	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-windowsmessenger-adm_31bf3856ad364e35_6.1.7600.16385_none_dd951832e07a56ec\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.web.manag..nt.aspnet.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_635fb7e3b4fe8f88\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-imapiv2-base.resources_31bf3856ad364e35_6.1.7600.16385_it-it_659ccea935343c09\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Delta\Windows Ding.wav	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f86c44a49a61f132\slideShow.html	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..kexplorer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e393513a419397ec\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..entsnapin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7c8cb8a7a59e4137\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.Design.resources\3.5.0.0_fr_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..re-server.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3ecdad5a3a111e41\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_en-us_dd050cebcad7bb4b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2422baad6d9fba76\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnsv004.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c4d5677c05314922\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-v..e-filters-tvdigital_31bf3856ad364e35_6.1.7601.17514_none_4477e7eba20ff0b9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services\v4.0_4.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..rant-heap.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6785b3daf24750b9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.file_srv.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1e84b6e9b6e20a44\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.ContainerControl.v10.0\10.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress\6.1.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnrc00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_25aca87d57204fcd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dot3ui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5993ed5d965928fd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_026b3a93c550c52a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ecounters.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8ba94e0c25823534\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-desk.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_fceb1721ccdf6e64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mmsys.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_04b709132ef845fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wiabr00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c3c177998e8f59e7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..gbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_047bb2a03200e655\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-softpub-dll_31bf3856ad364e35_6.1.7600.16385_none_3f88f8e5989e4b4f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.web.routing.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bd754b0c8c152ac8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Return.help.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ff2b168c11b3c27d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Error.wav	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ardplugin.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f9195b60fdea3e26\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_eb7357d6e70b38e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..nager-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d5ad7e45630c0c80\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..direction.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_759b4c9d445c02aa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx35cdf-cdf_sql_files_31bf3856ad364e35_6.1.7600.16385_none_fe222fceeb381997\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\diagnostics\system\PCW\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\Gadget_Star_Full.png	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wmpnss-api.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6d96e26761ab112f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..rdefaults.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_537e43faafb23f38\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-privacy.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_937068febe569533\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cryptxml.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6c3dcc9d051bd1d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wmviddsp_31bf3856ad364e35_6.1.7600.16385_none_a6ba49cfd6917b1b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..figwizard.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4b80620c8fe50aa1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.build.framework_b03f5f7f11d50a3a_6.1.7601.17514_none_972483844038ebd0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-autoplay_31bf3856ad364e35_6.1.7601.17514_none_a8a9e59f4bfef126\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..odepage-57002-57011_31bf3856ad364e35_6.1.7601.17514_none_3b7302d236956600\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-spp-pidgenx_31bf3856ad364e35_6.1.7600.16385_none_5d67c67ddd564ccf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-eventlog-commandline_31bf3856ad364e35_6.1.7600.16385_none_c0aa8bc2de239cf9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_de-de_af2bfcc66947d224\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-ux-sppcc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_68f0d2d3230e10d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..onservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1097dedeb6339fcb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "DOWJKNRQHXDVACM"	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DOWJKNRQHXDVACM	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DOWJKNRQHXDVACM\shell\open\command	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DOWJKNRQHXDVACM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4HLS0rLX0ig1ci3.exe,0"	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DOWJKNRQHXDVACM\shell	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DOWJKNRQHXDVACM\shell\open	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DOWJKNRQHXDVACM\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4HLS0rLX0ig1ci3.exe"	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DOWJKNRQHXDVACM\ = "CRYPTED!"	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DOWJKNRQHXDVACM\DefaultIcon	0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b7fa305b57066885d7d70c96d51aae0_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
295B

MD5
8eaabc9bb342fe08225621bc22402ea2

SHA1
245258b3a82f2364e4ae1384e21caded9392dfad

SHA256
48547410b1b9c9fe9cb6bde9833c394fb861581b820034c9a3646a28c0377a73

SHA512
fab6c8329db029886da9c3d3c898131f5426ab7b3e15150b017f0f01d108a44f1414fa03527e8db2aba139f73fce320ab79463def1eca19f1df6d220b008e37f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
c23bfda9a5e6ffceec2ee11f33224037

SHA1
a2fad593f274ea977325414d23d2b143aeffc435

SHA256
8d0323a82718c396401c8de09daaff941adb2a0df00ff2cd43ce42d3675e08d5

SHA512
347f41bd276302b6e05a69d2622ea41cb2ae663bddda1ba0345ea2fc5d57c4e5feac1acd29aeaadeaf87ca50bf3f85dfea94903b75d2b8dc996c2bdc1d9b6418

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
c2b9083d882cad1b317e94820fef107c

SHA1
5d60e4f5ebbbdc4745e793d34fd3c4f3fc35c0f4

SHA256
19061e37da7537c68a60daef64379eef0d2d457e128f8072ea4a0b2ce38b8603

SHA512
ab8f2f6569be38dac523f28f64328071f7026512ce2511cf209371b2d4c4d1b7d2363f7479b874426189b8df2816e417c84c25dd4e5b1dbdcd732db6e0e1b687

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
e1317227e3afef82ce36d82c9c489c06

SHA1
d60d46363d343bd568f1da46ec2d46e3a88c457e

SHA256
a0cb74077d81424da8584e320f9fb6881963dbc2b735467db6402146757a8af1

SHA512
928a8415298ebb10dfacf0fbc765d88c7be43a0c9204542c0f484dea6689ea258ae62b967781bdd3867ca7fe0dd2ea91600cabfe0ca1b1b4e2ecff0cccdc3833

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
9da1bd533a744d91228dc47050115503

SHA1
cb597f0ee0002f5f6bdcc7bf27554bc7713cb731

SHA256
7f16a94d2a3834a5069d76199871f96b62d54867827c519a647f4aa5933f850a

SHA512
994df55d840b081014953166e59be98c4860681fe2738b9299c28593299cb00203f21fb6c7e5eb1b20408f59b3a7b92f6d87e7edcb161fe0dcd77fe1b6cc68fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
4b83cd7520c711b97a572e308532d754

SHA1
77bad355b6a4314428f031122008ddfc52ed7d84

SHA256
1635fec175035c7707c002a73e868f924fe50442eb687a0e3f4d008b2decae91

SHA512
d0c3457112d053e78c2e58bd66c4e86663640a7be587b0f901e75751368e2b255abdc142588dfae125cf577ef88e0d153183933bf76a472dd6e33615cff2ec74

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
e52e2bbb254fecb9db92842faaa2a508

SHA1
b83be14ee4c66290754dcf0239d2b134b8ec151c

SHA256
c31950609dd3a86524aeebc5167a4ddd2aba8e008bb21de383adfe4c4755bc58

SHA512
7b6982d67787ce3e4c52c34cc11f495008b5966ec1643b187315e2ae3f0c35dfa4ce04c3f012b2742f04836924d90b37d4a20aadfbe550dbac756926cc6917be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
330ce211e108034089d37fadfa01116a

SHA1
308f66c00842b6af64eec870eeb315a604ce7832

SHA256
1b6fd12d7190cb84dd696433fc3a53e9a2ee72cd52e40dd201a780f33dad9959

SHA512
0528574445f03ae844cdd1f4a7cca1de613ba476c988a820b918b718116cf6bdb7c493b0032bb204d0c663e11ca51b5fd7668329d601c235b43e300e45f9df2f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
47f5caad089090259a1d909c46fa56ea

SHA1
8c025ce94d34055903d156129c957df9c6e8608c

SHA256
1b9a939ba9edc600352f9c7df5907516b375f1bb8242ca6c26a765ddf1e30327

SHA512
654610355deac5d8fee36abfda389136b387709a6bc2651020808842feb27bcb385280b5aa5a7be8a1b3053a9edbbdd2a5b224521a7bb97305c7cb282179bd4c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
6e1feee0248ca6e40fbeb69176ac0fd3

SHA1
c3c1d4b2afd97ffeb843bcb87b802b8ec9940bb9

SHA256
1cd6329a77e623e37065f3527e3e8f070670ade93bd87044045d97dc2bd1aff2

SHA512
96fff8c07a4737ad6891141236f588475af4bf508dc7431c76df5c8f3a0c9cefb82bf94ddf2cdeb9cc85a0b11bd7d84bd5663d9e1e90d5eb1746a6321bd51a0c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
a91e50415cf5f440043d7c9988c000ff

SHA1
f8c5bf2e4bcc45d3f811470d2d84fe7eef4753e7

SHA256
c3ad3bda19b3e55f98abd4332a34ead06ca1db2d030d50c44835b193d4c72f40

SHA512
e8dfb19a0e72b4a009f02119a1f7802af9653e5c55379197a43a0db125db6a56007b5d4d4dd050e3571281f0fd7d8374092702184114227cacaa7e78e33621d0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
6729256aa06725b6a697c1cb71a1b328

SHA1
a39b8408e6a780f58145ab068e1bbb1b6c8663e1

SHA256
707b626ecfeb2a8044af816a7ea64b5ea1b419fde7dea4993960c3a0eda183fb

SHA512
2680979aca419c5244d7fa2825b123afdeb039b58bc17ead19895858d79f597091a8b29af604880784dd49185647001779d9d0f25988002851a8bc54e0cef41e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
e809a7a60b948e6317a4fcb96443a306

SHA1
3cd4bcb40a103cee74ed01ce7017c025de69988f

SHA256
20211a6e5a29bc2d8bc549b158e125d41b22f5cf13b6593f4960429e3c3eea4b

SHA512
8be3fbfcbcf0ee5a6911fa45c886852066e710bfde61600a2fb0eb18324e162a58a6adfb3e5c0001266fa12c42cd8d380ef397e310e8b5420f122f2a06ebf89f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
7101c70e9700860fd88dd20e4c2061f4

SHA1
9d3fa398c2f1121345878fb26b6bf62ffe48f7c2

SHA256
f47f70f2a1e33923309dd1a88f932f59af78cbeb10d7a70c9a7991fbd68a944e

SHA512
041bba818cbcd1dbf21621f505eb32ea31fa71d8c5dbd90c6ac02dd2742e137f62333b725fbf819cf974651aa9087e92dd8e0695b5d95c9bd11205744e8b1aeb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
7f2bbe6290be267dcaf3a8d44b883fef

SHA1
4619f9b14e4b7fe9ecbd124c5b0be0d2d9229437

SHA256
32c58adbab5fc3dfab3fe1b406f743e4fb8ad2e5e1fae99eadb66807477bd56e

SHA512
e6c35dc76c79fe8d8bdb337403c937d7435074e181b73d4b42b766b74bca2b218f490ff4dffce0ef79aee18391897c4b1c6d2f4c7d1d214d526d5c89cba98152

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
db4239af72ab40b5efd4823e683dddaf

SHA1
2c414bd61d18d3e14f7fed4fd6ff2d33b329346c

SHA256
45b5103ef8e1df6149814b6c582032980cd684f967ca373b3793320dc0305a64

SHA512
586b541d8173df16901d9efe8a01aec33164405bc02f17b265b4e6724b3b35154a518b415cd71e882d3f5b1399b2166ff0d91d95aa3296374f46c14bce423554

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
ec870dcd19ff9f25fc2f71dbf335c52c

SHA1
41af81e18955d8e612d49c376c15e8bfd8d8112b

SHA256
9f4b19b54a9b1f2d4cea69874b27051d6b0ad3bed078a308dc118b8dbc122f53

SHA512
77f3f4f5a7e3e1b60990a2a3fa4a115b3d8c18edb47913ee0ab750c27206d834152796707fcbf93f08feeb98a759bb5277d976a091fc0d4dbc2305b3d0b83199

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
ec9ed6d780cd9d60a38062c717bcdd73

SHA1
3dcc1193d175e600cfe633a06336387048661efa

SHA256
39578a7d8671a320808507fde6783e17fcc9c9ad5e90667ab5ae21ed03dba652

SHA512
311b7269c0e1d91c1cb8d8dc40bd6399b22b306df2f16c5098563bd32be0da02d5090da946ff785b9d7eaceaa6ab30121ff0538d3033d96d12fcaeac7ea479d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
057081cac4b612cabe2f46052118c4f6

SHA1
bf4de7f86d65bf2054ea861192813f65ef1f3812

SHA256
aaff9599ce5727a3fb36ba481e5ad5707a0be8ec2fa5bbe7f5f73833ecab7c4c

SHA512
7d327828e6a136ab9715903d9080f8303f5ac300b10c2df3f6d0663504c7233a0170a128ab657e725651bc085b12d95d1cf6d23b4d523c60351c1cf686b1a371

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
908a394f38799c9ab4cb8df9815533dc

SHA1
77633abfef89576a5ac8f9b1a1d4c7c4c621505b

SHA256
4fbf057d6fdc2bce60e2f873d95b3bfb632fd8e6ac07aafa963dba645d8ea934

SHA512
625c7521f376cd8ba47fb42883208677818e042bc77224c563e864f72411bd361a79dfc212f4e4c1569712fc874d3e6723bf602b56ee1c583f6a5d2e7dfcaf6f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
aaaa9b7a39919ad19ad6c12bc144c1e5

SHA1
022f427e3b6db978b48057e513e476e131bf6ac7

SHA256
941bb094bc050070d69332225599fe98f5acc9b79d53172663956f955f8ec4c6

SHA512
2dd60f26d5fd7a089e2f820a9856fa4348a8141b0a1624ec7d19bc5e68dabdcc7f5aeebdafc1365cb883c6df640e707f0e1851316344021fe529c33192408513

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
9f25458725258842b547c15df5c779ac

SHA1
7de9377dfd72a956328a8107e27ebefc066dd8e0

SHA256
ca26a51bfb0394af4f0b8bd398d5049125cf65e93bacc7c8609720ee5fc1a6e9

SHA512
2d4249a1cf9089f7a6e7a34bf4e2c8015bbf87b83926bc8a376988a019e272266549d2b4c6b06fd40120a91806d902d3b29e82226a058db7f13994041b11d5b2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
d7887b5b77b2ae42048b46d01d8b5071

SHA1
e54a85cc05db4fbed3a8bc69829b49157035594d

SHA256
0157754c398b4ca5412863b44b46f1e32b7568830e7c301bfd4436acf4178abd

SHA512
a4c55cfddd79bbc95604ba777b24af8389a1123c02015c3e1f3d11f6ac968bce0bf34da33e1783f919bfef38ab791fcb39d5647cbed6d1ef9de3c67ae7a41804

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
bbbe52ec33cd5f5bd024b26252a0c48d

SHA1
c28d66b5be5c586194dab7c5ca68a13a01713227

SHA256
583d21ed2d8c3a58213df2cf7acdf6b1dbe0cd65dcb131ed78a68d0a1146a07b

SHA512
845deb5ced201e0b2af0b3fcc1414e53f8c88d8bfe995fe0484674f5a8116810a41affbe0b30a68d66e4fcfff68414c0d9e05c3482539ed26ed6de9b51305f7f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
fc688c461651b9d96d22632c1aaedd26

SHA1
4d4b91d330dc01cb973bfed4baf51551787d9b34

SHA256
524575d8bee3f367dc9ed77186be117aeede4ea2e09862a8e25341daff990930

SHA512
27982c8b6170e9d4b2ecfeea8206aa62bab158796f17a29585a96c1281d5d25343a71b99d282926146d5a8ea38072423b7450702ad7e353b4a4cebca320d194b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
211cbbe6c6273e19f0cbc4d871067366

SHA1
ac82f164b3e677ba6e4e9788d2bc0a61c56f5398

SHA256
05bc4b577c95ffd215716a92e172c6f53e726434f606f3da9f421307222a41b4

SHA512
ddf0d501b740007896c87bbe769f3c0f24420b67df622c0c19223b60c9d6a85e8a8835a59dcd8c74a1d5d75f50c9d6493779ddcc95f743e632455ee4654ea291

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
36593c2698b57ba6f6bbb5a751ec9af2

SHA1
e52f0c2961cf90256a42e0dcba0210edab805cfd

SHA256
ae649b14b0d3f99615d9497479df10f89a9b9fa6c7405461e35ae1d325d9dc4a

SHA512
0f9bcaeab48b734f33b1094d92c4d254c5e92418670e39793f7806f7b66ecbd19ca5007fdd6f58e814ca0b89a390a7480958efe8356fa5ba76c31ddbde4962e7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
95472d1e15d623951d348da516270165

SHA1
c28016e8fe09a3a7814606513eff9a75bb9775ca

SHA256
f9e97c316e930f6588ef8279ad46b387b26d5437dd4a1f4b5fd29eeff9849fba

SHA512
49efaa9dc21d843ea9ff684fcfb4379478c227dd309d26d9c07423efd19372839d68625c4bc54d367b27c28d88eea1fc0de605625a5e6fbf62cfcd055d752b9f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
377f900bc42a363e22c1a056a982ec37

SHA1
09991f871e4a15694b36386bafbbda3b59db2dc6

SHA256
21dbe1533c3ce3cbd3d5641217b512e4b0f2d065648cdf5e56ccbef0d47fedd3

SHA512
36fc390ee02273d6c051823005d9cdbb5b6b6091657e405a3a1715042eee567cd5720b175dc4d149bcf1066e34034877f7b7b5de815bbcf871c7bbbfd2370b58

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
2aba555d6819337c1eeaa02115e32c3e

SHA1
7c4479822dc5f944cad8b4a857c98e5c24534b86

SHA256
b7ed9d4a3d404175389fc327b2f59317d4ecf204577b58e676c362af1bd4b7d7

SHA512
0aaf456650276ccf862f60b813e22e34efc36540a49d82e130fb289cde4618135ef3e0a4cf4b6454e03002c7eceb86ffc43f5a3c731b0c7d6e4997cf464ba73b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
c77d658db222dec00951225bd8ba065e

SHA1
fc17a62f694e8bb733f3b5e13f94760070980ae2

SHA256
457c11630dd3877f0464228f653093058836f278cb0e6d7a56a389098b57d700

SHA512
5f6f47e083b63334a39a85506cf93308257deae0fd8e9ad37f533a5403da674db6f8a2812a36023ba7c328260402957e2e13339edd181e3230920ac5963e5d35

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
967cb043fc7adc4ade41ecdfd1767b3b

SHA1
e29b0cc500271208ee8716a1d8966dbb2b19dc3d

SHA256
98e23be92462e352ba833f4d91d87c9aa0509b4e6b48648b38302d974e0a15c9

SHA512
7fd7bdd7fd02e477693056500bd5b0440a6f62302e9d2928e63f05c837102309ec08108345257133f6a1e09df30dc8ecea3fac3eab1955e1ffd7093aca97ffa0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
03e493fd3cd13c95e0800e815b226074

SHA1
9557cba9e8582212e0cb00ca1f1dea065f827b93

SHA256
5c5dc6ef84fca0be3f6361169e4f2d668f1a25c307c2278edc200b6f361819ed

SHA512
0e4682efa9c1a413323f562db92b5900de51b2c7921e0b6ce10bd97a430e869785408b8d78ae15a7df2e97d59720daa7eff00c41ba5d67ba430ec2f512e51fdf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
844857c3a6d9a85402021216d6be2560

SHA1
51e22b460f6907738e334ca541e53b3950912f2c

SHA256
810f3101a6506c3001a460afad1f09ae993a3985d40f1f217e483b24093c2213

SHA512
34224486b910bf74f74ca8b90c048f4d7d03e90d4f3cd155fd7c23fe952045b8af40a72bbe7adcb7b58d9c4e07680af868fcec93e7e5603622cf4cfd733c0bb9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
4e349d85bc507afe2b29481aa3723700

SHA1
1d332c6219786b162ce7d9f7931fffffe9072165

SHA256
2abba814c7a1eea9870c6034b13254810c516550772338e3ef83c9d2edefa0b4

SHA512
d892a97ca14e80fd5aca94111f3eee2c1dd5cf67560d07b759fd83bbdf6185355441e944a2329abe6677206a934bef51248014624efb49a9e93d0009ec0faa65

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
840d871598714db0502e0832da6ae461

SHA1
7b3b058eef64ef2a03b153f978c2ede27099475b

SHA256
6fbf8ff1e7e00365f3d2070337d9e6c5275de8f543eb25a541aaa4d6cd3e9652

SHA512
7759fde7b94512ab24e7768a2d0c5bb717e2d2cbdba2fbaaade00f083d26bdec9610cb07bb12fe61f5c13378baab172018fa046be87d4c19dd6373997e26e4d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
1613e8aba8bf283bb4d250edd755802b

SHA1
25abb6ea2b39913777c5b400d17b964f2a3453f6

SHA256
eb28ae51939487c32bbc5496424e17d8597cb0e8a9874d65f871697db1fde578

SHA512
13c6a14f51fdbfd1ddb716f66cdaf28dae7315b223c8c52195525cedb4956f4a509e6584c11c5f311fc11051955a3d2aec0f8d3273c9bbf0579835f3bddacc53

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
145eab9802e9afbe7dc446a6c086b555

SHA1
a3bf870295534997793c3fd94b25bf7c00424c74

SHA256
1c4d4080f9537cc1557eeb643d0c91e6e55d9c05a049d2332b5052f6b964a562

SHA512
d22932962111ddf0c0d564ac8111fe5fe7d623db340c809c96154f3c3f617847e631e1b807d88288d1a59f51981fee603457a9a9d792eeb146fba06f885f0e52

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
6913656fcc69be778b32d71d422c2f84

SHA1
a98c6f9c1ab90c3ed484bdf63c468efd2d6ece1b

SHA256
753c8e2fac4215c7e85df8c9b535ade9694d8826a48ba8c6edd0744430529756

SHA512
b1a49ccacf8a8a829529960e3466866788891407972abada654c12a231bf6b1a044cd465f50db5c46f3b2c4f21052a0b70d6f023f67de57fb7b0680e7ff6e60b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
d073c5a442f215f14065e1f832aa1439

SHA1
92f494fa4245878cc690749bc0508bb659535e65

SHA256
272057679ab66d7cf2d86486d9014509a41978f6cdae82a3a7f76a66b952663d

SHA512
af7d334dbf4bb4cb0fc01f489c6b0897c2a616738ee4f9e41e1fab2df447f78763f936e74d3a248c86cd9e4780703ed05f3cc9bfda72af16fd3c3914b8a6cf97

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
8fe61ae3436932e699945103dc5d8cd1

SHA1
a3b3fc9cfddcaf1df2c9e2873ca425c9da9518d2

SHA256
5063188684e4bf953ee7d3b103828b81a4c29044a0aa8df7789212e5dee803a6

SHA512
b1dd4a3592c5dfff0e10118b5dddef914bf9a18f29af12bbfe17613c863cbaf4cce6c7ad4862d9ce6c84da7d75fa654b3f8f25bf9cf89f5f03802fef7df78b2f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
8eecb7c84afa18f50be5b279253a7315

SHA1
4ea4c9822d6d6bdc44084ed2cbd80a1ace867559

SHA256
e1a9db9e0400f412082b57e827ac1035f4f6767d272ac4fc4b628c78626b6b1d

SHA512
49ff104045c14422204c649ac735f812c4d7a7903d70da430eed5ae0f71549d14a62133519f13ef08764e744cb18d4d0faed57224a83e3de862fb2f7a2220881

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
2f3cabe4f44551fffc1c40e3f8e09c81

SHA1
d71b72db7f380eaa5445faa729e9a8df188b70c2

SHA256
1572f2744742419dce8cdbf7e1ead5be0fe493e451952cee1efa754d330ee052

SHA512
30483f297e02b66d8298233c241cfcf40eac8dd2f39372ad0dcac5caa68b6be62d60c37bd4026b038e74a5276b97f4d40317c26be5a182ed9a0b487bba7c660b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
a2a47cb98c1191668a7220ce250a58e1

SHA1
bfa4756c9669c314d93903855593890aff0af37b

SHA256
7eeb420959f07088da8c33677ea61f318f169070bb519d97743bcc87eda8be07

SHA512
8c75cce460e058ab33fb342d92e53ca6e802ce35b465b3d45e25cd4e26c16ce661810b215e8989ec7f30d4cc6794aa0eeed9034c19b35017c398a2b0123d78b1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
88b6a36d7604d5356773e8746c48ace3

SHA1
a89146daef7aae7e2e46bc9a90703263d63c45e1

SHA256
917ca43b52cbaae250d26c37e351b7621d8f6f806bbcdd93cd43fa95179d079c

SHA512
17c4ba91bff362dd47755303bdec0024163ad24c1c3d975a6b68cbd9a712f88c5e034d8c6e4aa83afbbf85cb97993e6fff1f59005adc7b1318a44051e9284bb0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
3d1ba4d495ebc7563adf67562838528a

SHA1
462954058f9a756ab5e96b9682b0a4716f670119

SHA256
d1805167eb32c22a0650dfb6dc78f14a1fabea71ed1574a30315b90724b8b942

SHA512
326a572d36a40fd82442f997475aeed835dc64d2e121e7e90dfe4f88519f982ec8e2a33000cf941f5ac4a4ca27d5c4915443c9ea270cc46bd1a021278b07b80e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
1d125f28643533986b389897bff2a02e

SHA1
66128ec3790f92690d6865037be72948d22b1280

SHA256
2e8bfdd32640ddf5c4662bbcae72cc904123d62f4ad0dca34634f9b8a3e80251

SHA512
c4b0487b662f571c18dd495ef8afde00083be796e8269bd6331f69c67dada2aa6bb6a76812e3738d5fe795f6456e608b12b1a7a164ed1b66341af4236edaedfe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
90ce7d2606be334cc3d771d4292dfa35

SHA1
c3d04b7dccfadebda3d2281cf1f226fefdbbbe84

SHA256
4d9c705bad35df2f573340ac91097814ed029dbb1c27fb9e8e6ecf3bea9bf9f2

SHA512
7bec724f1f8fc911aa535a0aee4577af773453c951041bdffd60d9f40495ccc5cb2239f6e0cf5c26e4d1ea69b4579c9d7185da6f3398aba89b6b7e4251782d41

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
ff337753030ba775d23d167d49c1b466

SHA1
df4ba76ccb87ca0783ecf58a7d8eb56a3620b4cc

SHA256
93a599ff8786889611300430fadfea692a0256a0aa1cc26adfe462f5b159ec6e

SHA512
847557f7b6f5a9cdb240ce9e8c3f3564307f44a8462d19983edd29e7fb0adceec6d79e49c3441c49eb64fe1da78b79373a686efec1e850d564bad924686e8226

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
872f5711022edc110d460e3a7d9b924a

SHA1
20affb1778648dadbda3068c92bd766cfc7ec545

SHA256
8c5e887fb69725215d0e887683fbb9bf6b530b2149f3c7b75e6507e1b5387b97

SHA512
8a9bf11b69a2fd1cea401fe3de4c423797394a7490e6857d5489f3ddc5612d7b70f7f729a74a019ec07a24995443fe94a6331e97d62a3ccb0b7b49135d839858

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
35ebc7c93bbc2a17015e7da1a66aa4d2

SHA1
adce90a9328ed681476a43e67446a98127000032

SHA256
6ad5a2bbe95cbb945f35240919c0591965fd67a5dd76d3255e2c9873f0c39ff3

SHA512
4522c4f6c7c5b41703382ffffc2ae1941a437d88d6e996a6fe27bc684db78775c815c187f267a1ff4a08831813141a99e1f51a7cd40510c80d0a333f84017649

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
86a9e891fed148ad1e7b560936ff2061

SHA1
b0b1f0eb27dc8f7c84048f4696ff0b4476a17be6

SHA256
f0c67938898e840540b2f1d667036effb343c022d0188b9b61a28cde7b05dbb0

SHA512
fc06c2aa96583e63d44b82b98315a81c334f265e08ef062e6d5ea837967658bc9cb1e319df14a90f1d5755b4e40cbaf0415335fff6545b4d4bc75e1228bcadfd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
fec30d730212c0bd9a105d024e735e44

SHA1
32ca7292bc96825d20ee0d0f27ffb2429a2621ba

SHA256
e0bf9ffafbb8d40c15654e87dc8df5ba83b7318f749b3bf39ce032bb334d6eaa

SHA512
39891b713bfb46005f9e5e500ab432025041fcc1ff41cfab2648aeab49d2ca7ba8a9306a327962b8170ba6831094e16e918aefea8f564bb4f604067a30e3d528

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
558c229433660387f9ec76d12e121254

SHA1
af70b6aae0b6134733d2e00a9e5484b0b2000727

SHA256
8e39e10e794aaebcdfb171264f248f63d7365a9f9d40b8f8a1aaf461263cdfc3

SHA512
44f534c9ab4256c68ee124c565dfb6c3ec21d345be68e6b2bfb4ca7355e8a508296d66039b491b70808920cc374f5c9f344ea4b930060ce8b166443befcb32cc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
0bd4f64af4ea71353cd8ed3e1df74be1

SHA1
35f71dd57b3f9bb9879bb66a14fdbee3f893af60

SHA256
de24555bac92254d06a4403d2073a4ee6d66b06a18687d0f8cad650774495f88

SHA512
7cdc3c3e556e7f63811d1d63863b0131b5df5c14ab82d2af035ea24be9b9c7a8057c22f16d42f1ac581aa17c3243b8e622229dac4bd9ec37f4684737a4882e2a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
68a18612f1f2c5a8ced9fe8c19df7741

SHA1
734ade05d04ff108f285995ad698ae0928888c25

SHA256
74c5d46e651c0482d772554971253d936a42cb2c4ef4cadc5147b61a6699cd60

SHA512
f6ced318dd38be7c30f4d38c45e0b83aa300c02660d21acb2dd891e9e25926450caace014b920c1262e6d9c6c020fd7ed775bb6bff3eee30be64e4f70e1e7fb9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
b91f746d4d8e8576609d7fd737854364

SHA1
14ea7f047155f4e943e668d412667c42b60a149a

SHA256
14fc430769bac082a9789ec5ae8f0408ab9d3a9aa51921bf618134389f8ac89c

SHA512
ad0673b788c17234f96f69cd055d677e4b825907ceb511a999c8e4106a23382330da6aec1ebbef4a513946cd5bd63e196e06d19240ca81c78ce857f17f4efc3b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
3722f91b84ffa92c99ca576a35e3d6cd

SHA1
47375f9be3557f6d50486ae4ad64ae718f383503

SHA256
5e265521a3317f6b98bccab57cbe961e46a4b303183831e93ab93227b18b838a

SHA512
8363c8690f10379b2c1cbacb1c7efd2b63acc3ce95908fc153ec88a77d4e02426fbdc7bfb844e80f482f3347b7c7d32da5e7b20a3405778a84918f3ca08ff6bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
d1497f54cb20ead5d5e999f8d1358ee2

SHA1
54861746ea9c9b6c522617dadc8fc6c17a465544

SHA256
8d7542da527bbe42f2e5a9fd71bcea16c6bfff632ea189c681e70a1c573f4f0b

SHA512
25ebbf8ffdabec5eac7e5f0ea590fd0890a294d6eb19279f68ab32b9a1fb75ca02004fcfa40ac382f5e137796759b12d68d51e9e137f69f16586504d5255d922

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
791b2b2fec523edc1800226477564dfe

SHA1
f250e532206be9ba19410b9b738f24f5eb23f776

SHA256
ab90d689e4adeb28ba9c57eff1d92378266ded600f520fca4e02f0d840e2898c

SHA512
8a6051eb6660ebdc0e2312d9fbdfa9fc06740b53610a8e177598cd0d8d8e40bfe724ec9ba818955b0f28db5b5bc220d8992c63b82612f504b217b7d3ed37cceb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
9086ef5d8b84d6c4b0d6e58dd5f3faff

SHA1
4ba03903171ee3a2e78c2e98e92a2abe3868cdd4

SHA256
795b797f51229db9505a7830630e22a2550f1caf8cf77388b3e9f9a19caeb415

SHA512
7f91a267ff8640709cc123a3b39b611903313df7363b4f5b551edf5e8c79911bacad0cc1b3934a0435d081f64985e652faeddcbf6b62a45851237127227f1f8e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
552d292648103d8d0da0876dc4961c51

SHA1
78678b730537e4a52b427041cc73ecc451b954ae

SHA256
6ec3823b6ea2a5c59632d4b5dfdfa0d449636c0275c91c3fbc0e75ff2581ab5f

SHA512
5620cf2e80b8295ff74673f441b653b28faa8981f83f7f45c3da4ad9f6499d4a108dd6074a87a67acc7ea30a1e9795082f9917413ea70516068ca5e62865eadb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
3a69e4f8a798aa7dad3e60bd7be73717

SHA1
0fb4ee2fad86fdfbf960979e0fbf7f89a1fc1b99

SHA256
14c5bb27ab6bd79c10737779fafa79c8e1dad778bd020653de01249a3f35df1e

SHA512
65a9aa14fd48bf848ed22f5dce0bfcf0d6625b405fae358f69e9b833719ea7e0ff4e39125da19d4677b9886f864cf5ca0b4dae598aadfbf82f7497b084734526

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
45a0dedee1e658454996979b577ea727

SHA1
4d6ce32f28c6c3120f3756d2df0279af8211afde

SHA256
67e08e328bdd0ad4d03480b3bdcdf4df3933fe234a4d35ad79bf43e8011bcdc4

SHA512
21c585b4c5668df65926102b5957a097744067a49bd5392cc3c4098890edc98155b1c484054db006a4279e7c497a1c7affbb86d4bf464891ce3fa47d4709c793

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
0760bffadea84e0ddbc6fc0f69b4add4

SHA1
586cbd9522bb4f4a65025b644af84c25bfef3fa5

SHA256
ce86ac0e387fdbfcaca4a841ccb3391ee617cdfa8ce0fe74f645212df2f72474

SHA512
cad7833a98314301dd135387bab72d692d292baab37293f30510507759250811cfd8e64edfcd479600ca9761d1882a116fbb3c6b1e531d7b7e9f806571d31f23

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
b0d74cd1d1cbc73a9ac116e16dcefacb

SHA1
97d1ae72b7443cdb4271ec61cdb26b09ed8a1f52

SHA256
0325a1243c0da7fdcad3f288f6f10b896de25004a8a5b3de46f14ac369220a69

SHA512
8da3b94b1368367393f17d3df8ed17fea07639603f6903aa61b0cf3032b2befea83739ea9fa03b8804b6210fe1249afe9af429cef3ec701de479d73993efa8bc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
868c5c65c252d75d03abea5e0f18c788

SHA1
3986e615ef9c872da19432accc5d06d59603ecc9

SHA256
e0081b757cdae2f14fe5563bac88bdd3bdb3489e50a3a196cc0041eaa7ac1e17

SHA512
c4e9001f6790ddab04b811db384e65c871238476d110a0b8dbaf41a44dd33305ec55559ecc4417f5db07ba16eedbd4ea3d65537d065b8c2cf3a132eddfa02274

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
3606ea9c73475bab71a00392731b1797

SHA1
b6974ae6183cdc2448ae667c637bcde1c4349eb6

SHA256
f760241dd6808cb41562dee627c35741e42553577ec708e11fd8a70bb17f9285

SHA512
1a04a48e24cf58a91ff79acf406dafb8a8dc71f6026ac4ffb39ef3b682c8981413756709600911fafa9705889847646cd28d29ff942ae43b683292f6c097bc72

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
e925f869a5a98befa63d709f04e91d44

SHA1
9f0e4ad234eb9b046dc4618fe918a9230a83896f

SHA256
851d8e2b118a1170bf22af6e42b8f611c6eecabb846bba33cc1f69c989915501

SHA512
899746507a7c06fd17160066c6899b1dd1533acb0ce8afce62ea33c01e9471c70c6e9b24968290a9fa81d281ed7bc0269fde404a621515cf6399365a69bdcd49

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
1d05be427ae345acccfb1f8715dcbdd4

SHA1
d35eac92981aa9042ea4b11b6ccf294b4ede942f

SHA256
55805fbde22fa3df7ed0ba1f77f1c37b684963bd355acd5d5d29fc4aa2c22cf0

SHA512
708295255cf3de4bbaccdcb7147e0ed2ff1f81b5424e5613819170aa64f49712aea6233815929767938bbc7f05dd965426768093064c1c581f6bdfb1f837c561

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
a73feaa4264602778fa5729073d70809

SHA1
c1530e975386c56aa7baf59002ab1bd7a587f189

SHA256
d06be6b21c8b19189581a71f9c5ce51ce8e2748ff820bd295bca93e581f0596b

SHA512
4723895a20f356605ae51971806e085c190620bc2f3cd70ba642038380d15bfdac6e2861a4ee381305cefd1c7c2a4ef6d3eaa3f11045054169c9d6be449ca30b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
db2e5d4fb8a9363d8e00c1e4ba434f1c

SHA1
e49bcb1e2adc78508e3f71afb891c8c74bb37f5c

SHA256
1a7539e830eefa5de03584a726444e1dd4113fc96abcc91e57799a161c62dbb5

SHA512
184073cdb85f21dba8982ea19dd7c3b0b398ea932c565c7b1c7d8da4e90f2f8c0dbdb65101900755966e7843d96ced022b99aa46f22cd972a6b75bababfd0e90

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
894b4bf36e4c06c5add0121eba5511f6

SHA1
b86457313b7c1f7ab314c4eb2338f1c35741d069

SHA256
b0982b49318d4032afe56c1c95071adc6c447cbb851f6dd365bd4c8a1baca067

SHA512
bfa9a40a96d8310be37697e0d800b1f6f8441ddbff8071dca81bcae897b14c4c9807cd1a63f41d863b9d66502a982c8d337436d27776c13c30ab56c73e76d991

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
29f2df090e146426fb3218710e166a75

SHA1
e2c3839b47dc0f763428e24ab1a115a517d21afe

SHA256
9e6441ec514845b27ab6dea1f9f0b3c8131b6ad25e62af2dfaaad2b52b7b6dac

SHA512
b5c2a97744b861de6e78b28d38505e202eb88e9289c43b9338f478e26896eb4e3a8507eff2fffa0d4b3e9f970e81085a830621705db55d6024b8b3820b8ae49d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
12a6e1c95b8adabb96d06996d355c006

SHA1
741f94aba7369298a9bc0957e163779c6dbf8ac5

SHA256
6472fcd7eb175c93fb6d85da4eab82cafcc62c4416f83f643799bdca0e36ea9a

SHA512
efd95ead29c73cbbc660b6c09bf7c3a3a6dbd3630c615dd4aafbc1166ccddf2a49cfdb85c9b8bdea15847e17763d63c07c1ac283c2ff90665a879fbbf69ca155

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
4e5c35248f0fae7d6acc063ab2c4bf82

SHA1
28962a2a254488485fe14375678cf73308c087cb

SHA256
effd790ea02f3735fcbd7c2b0f8aa8f84ae17a0d700869a0e2b025bef11a59dd

SHA512
c20a949d8e4b726167b27a46f730ded64814afc3bb5286f73d03f99b76c63200fc5f27347b4416e5b6bd99ff583c85ee73e66db6ecc936ad21668649ad75bbdb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
595b42a1fbf886b83e26d6d4e5213252

SHA1
2e11abf56776e788ea49c45e895a13acaf4d6d84

SHA256
4d012597c9712ff5372c650529ccba02dfa3459ceb55cecec20e393f8a5de01a

SHA512
70bb08d28cad63086064fda506bbe609359d33172c6f354487b58f9a5fc2cfbd5c80d49418acb084d66e02949a651f984ce187c9f0ab0cc6cf32bf73796e931f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
202627ff171d3fa3d6dc398fade709ac

SHA1
60b14fdc1eb46f4d9da3bcfcdd3a33dffc0e3b34

SHA256
088b7a18f154d7ba58a3e712f8537e5cadbc5a1df50175a4ea881fc8cf57cf11

SHA512
bf0b7b52bb06d1d17be99ef4a4ff363bb666237cc39d1c89fc8778d2ef2ee8c7011e170b5c43de6174b56b50ded0cad353faca6690b6d6d348291432aed9fc54

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
0ffd3cb6ea3b36f7179119f81e0b2ee3

SHA1
6571023e9815190e99ff6c25a6ccfbffcff01e83

SHA256
3b535fe2f330154483dab7abbada5eb8f015afc772070c8c588e0ab74912aa8c

SHA512
f518284ed0fd48cee7aab0ff727e06fc183cc8d4d13c5a9f68b93c333df2096e5fb0fd93ffac6e7ad0fca335e955cc637fc1e57b7d24556a415d642caf7c00b1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
3ab182cbab8372dd4b9c8a4b732e9e97

SHA1
85c7aa86e47f9889fa2bcd10bd2c04102c460f3e

SHA256
bb90a783ce6eb805685bc7d66085eb07873e25e66343e35588be2f0f966ac40d

SHA512
f7c9e189af7bb842b08d51ce596a30cfe8cc6383e30af0eca822bbd78977a5c96c08b3aa5802f06afccd5141aa7a82a30f639ad91cdefe2c9e87f6a2b60f8c27

Download Submit
memory/2376-8076-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2376-8078-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2376-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2376-9084-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2376-9085-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2376-9086-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads