xorist | 7a52a1d1e772dd1c96d99cf859519228235e245d240d891cf529c3ba698689d1

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
Size

89KB
MD5

0ee053ab4b7a3f3d1c89a409cd518650
SHA1

d51c35fadebf4927cf2ca1f52636eb2a67536914
SHA256

7a52a1d1e772dd1c96d99cf859519228235e245d240d891cf529c3ba698689d1
SHA512

95d1ed6edf8a72a4452747c600a94b76f09a2ea104a7166178af58e122e654f6f3cb797b6dc026525cd1d23b8dd638ae508afe8b58a2d069293e70567471afa7
SSDEEP

768:brVDCBfXttVayxWxZ2x2EKLjYef+uCEPQfGpd3ALXRGO1bFsR866En+O+iPU+3:br4BfXt75M2V2f+ffGQzRbtFO8616is

Score

10^/10

xorist persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/2316-7975-0x0000000000400000-0x0000000000434000-memory.dmp	family_xorist
behavioral1/memory/2316-7976-0x0000000000400000-0x0000000000434000-memory.dmp	family_xorist
behavioral1/memory/2316-9073-0x0000000000400000-0x0000000000434000-memory.dmp	family_xorist
behavioral1/memory/2316-9074-0x0000000000400000-0x0000000000434000-memory.dmp	family_xorist
behavioral1/memory/2316-9075-0x0000000000400000-0x0000000000434000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2197) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\43a357yO7m8vokH.exe"	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_neutral_0383c5de75359695\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnne30a.inf_amd64_ja-jp_b2245ba886355a9f\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_hash_tables.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_neutral_b71dd3dadc5c3e27\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_output.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_scripts.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmrock.inf_amd64_neutral_2ec26aaad7a9d419\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sv-SE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Line_Editing.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_methods.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_neutral_22118b1072f57433\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSnapins.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Windows_PowerShell_2.0.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_pssessions.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaxx002.inf_amd64_neutral_fbe080a7dd77c4a3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbug3.inf_amd64_neutral_7617862a9cc286da\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Return.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssession_details.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Break.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bg-BG\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2hbh826d_noaverir_x64.inf_amd64_neutral_da2ba9e8a30dad14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmts.inf_amd64_neutral_b7f0a8d5f67c19e8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_neutral_c86d6d5c3810fc04\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NetworkLoadBalancing-Core\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_operators.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\xnacc.inf_amd64_neutral_13c4e272a96185a1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pl-PL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_output.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hiddigi.inf_amd64_neutral_12aaf5742a9969da\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iirsp2.inf_amd64_neutral_9ed65fe0bab06b1b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpsion.inf_amd64_neutral_6e65ea91a16f922a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\slmgr\0407\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcmdm.inf_amd64_neutral_af49d2f3ffa12116\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_2.0.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Path_Syntax.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00c.inf_amd64_neutral_79ebe29715d2fa47\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc303.inf_amd64_ja-jp_b0dcc6693f67451a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl006.inf_amd64_neutral_e5693eb731048022\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2316-7975-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2316-7976-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2316-9073-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2316-9074-0x0000000000400000-0x0000000000434000-memory.dmp	upx
behavioral1/memory/2316-9075-0x0000000000400000-0x0000000000434000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047x576black.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_right.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_rainy.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\FreeCell\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\TableTextService\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Services\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR16F.GIF	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR28F.GIF	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_ON.GIF	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ctshow-dv.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ba9ed02a0505aebc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wwanhc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4634c37dd5f72502\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-storprop.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b1428efce065d414\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_ehitvmsmusic_31bf3856ad364e35_6.1.7600.16385_none_d3b7e6bffb753b92\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-com-oleui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f6b6084bfe971dd0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e9ea273bf74e2d7d\settings.html	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bb92604e3d64e901\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..tymanager.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_337a628028a370ae\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ytools-ex.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_042c094993a50f70\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_sv-se_f61f1296578b231e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_nete1e3e.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0f1f99a8ac7060f9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnky004.inf_31bf3856ad364e35_6.1.7600.16385_none_3dd58b93065f62f8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wpdmtphw.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0ffd71310712624c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_6.1.7601.17514_none_b7aa02fc1797974c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_srpuxnativesnapin_31bf3856ad364e35_6.1.7600.16385_none_4eccb2054ffdeb89\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-mls_31bf3856ad364e35_6.1.7600.16385_none_70b727c42461e92d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_29d825a7cbfe7e81\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-peerdist-common_31bf3856ad364e35_6.1.7600.16385_none_c44905442a4138e2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wiaxx002.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e54b25dfb19faf20\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-w..etwork-setup-wizard_31bf3856ad364e35_6.1.7600.16385_none_fb26c75d92790b8f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-o..inefiles-win32-apis_31bf3856ad364e35_6.1.7601.17514_none_ad7263bc576752fb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mountvol_31bf3856ad364e35_6.1.7600.16385_none_0e4e6b146b2452a9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-fsutil.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c00f4179414eb586\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-security-credssp_31bf3856ad364e35_6.1.7601.17514_none_c5bf9b5affd21ddc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wiaep003.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ed42aa895aa64f42\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnbr006.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3f6d5a44fd3b2684\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_v_mscdsc.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ddbef999316e22d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..-wow64-setupdll000e_31bf3856ad364e35_6.1.7600.16385_none_47fb970acb88e551\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-ntshrui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5e647d3561f1a23f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..-security.resources_31bf3856ad364e35_6.1.7600.16385_it-it_dab6e92e70120a42\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\inf\aspnet_state\0001\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\calendar_single_bkg_orange.png	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wiabr002.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c86e288a27fc889b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7600.16385_none_28590620099da2d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cryptxml.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6c3dcc9d051bd1d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..installer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e73f612bab1da2d9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_de-de_303d14892c9b97f8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_wpf-presentationframework.luna_31bf3856ad364e35_6.1.7601.17514_none_33660260677d7e6a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..-els-core.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e58f769d7af57398\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5a9bfb846ea663ab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..rityzones.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_87b4bd6165256f75\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lddmcore.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_25ca86d8ed01768e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_Core_Commands.help.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..revention.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6a30f258cdf7775c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..panel-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3aab8b9dac295615\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netvg62a.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_09e8df8775ed663a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bluetooth-mtpenum_31bf3856ad364e35_6.1.7600.16385_none_5e768c29117894b2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnbr009.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0a92e2237998ee3f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_presentationfontcache_31bf3856ad364e35_6.1.7600.16385_none_0da126f11187fafa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-h..nter-shellproviders_31bf3856ad364e35_6.1.7600.16385_none_9444767151309ce1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4148_none_5090ab56bcba71c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..lity-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8209e84af0c0893f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c9675951dd42e377\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInManager\8.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-taskscheduler-proxy_31bf3856ad364e35_6.1.7600.16385_none_d9b2cafed4f953d2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..-statusui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_72beeac6a06248c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rpc-http_31bf3856ad364e35_6.1.7601.17514_none_a20056db9d9602b9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..tivexcore.resources_31bf3856ad364e35_6.1.7601.17514_es-es_d1b313649d44cf6c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..tional-codepage-437_31bf3856ad364e35_6.1.7600.16385_none_2b05ce0ab4c4b80f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ortingapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0bddc7d2ea263ae2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Festival\Windows Balloon.wav	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0d09bfa184af61af\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_fdwsd_31bf3856ad364e35_6.1.7600.16385_none_7d7ed99723796e06\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tulya	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YZOKGZZVTMNELNP\shell\open\command	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YZOKGZZVTMNELNP\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\43a357yO7m8vokH.exe"	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tulya\ = "YZOKGZZVTMNELNP"	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YZOKGZZVTMNELNP	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YZOKGZZVTMNELNP\ = "CRYPTED!"	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YZOKGZZVTMNELNP\DefaultIcon	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YZOKGZZVTMNELNP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\43a357yO7m8vokH.exe,0"	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YZOKGZZVTMNELNP\shell	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YZOKGZZVTMNELNP\shell\open	0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0ee053ab4b7a3f3d1c89a409cd518650_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
8B

MD5
b0842e1cd78968a0a45184737b83690a

SHA1
e7f46e9cd4cff096ff014b5e761d4598d850d06d

SHA256
a4c72df3b84845b820d880457a162f7ff6a1c63bb7543c1a8eb7a1355a14b0a4

SHA512
5d4890d1deeec8d568108e83291187b8d3e6498a9befd43ca9b075783c03bc89d08a829bf0dc598cdaf6447d8c787d46958c424343b9088061f46531065539f9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
f051b554ca14a42be20b02c1e6185c98

SHA1
735335f053a5de5425cc9eb67b8d04d16bcf4141

SHA256
f8756338605aa755096c225cb4523a0ecc862c1983c0176e63428b41390b32f1

SHA512
6422771669b22c58c34a615b25be5daa8fc2f8d8789060cee174584deee52c03f842a2c3b0085499667ba1050e90d5d595e8f0d5de5a386d2003187541d80591

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
b946ca5047ff67c6bfd86f607550a4c0

SHA1
2b61eb28a110ed2565fdbb96446e72dc69334743

SHA256
f52885dec383bd6fa48a24392f6d5dadd8d4dce45d44751234a3472a5ebf668a

SHA512
6ed312ffd098f84fcce371330e9c9be81058d387078edd43fdd763d25d332abda4e75731354bab17a50cf8d96674c29b0ea052ed543b17b3d2d705f8a810a342

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
02bb359395831882415c0f9dcabf1f02

SHA1
f9b66b1cb3750a4676781def8fc7adc9cbcd2b51

SHA256
eac4f78e7c02cd4aafd4a78fe5034a466cfdef7571c14bbc5855a2623e54f9bf

SHA512
e3911d45ce7dcef9bb95af8f008bfdd8ce4571f73b0f3331fe348e1125fa4ce2f63e06dcaaf7c4b8b6b4494ce7d772110ba0ec9dad60536a1d7080daa54c4b02

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
ba705ef4edc5c1b30df986f26f4392eb

SHA1
0cd418a3c83910f4200ef1274e95e03fbacffe5c

SHA256
095eb167070a07603e5d1516af598a1e1c23a59f8ca1b2fadb30f2253fdbd1e1

SHA512
3486c621d4674a781b00d197dc12aa1698adcd316685f4c938a04509f1a5729747f0673ffe2a82284e85d8487d7e2163126b1d9a752e65b70ec17969961b3a82

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
19c953564dd20e02a86c6882bd7720e0

SHA1
6f6cd30052082854f7f010c7df10606f14f063e7

SHA256
f9486680f674062032bfebe159975e58c89e2a9d27eb46f3b02f7a9e02a45f08

SHA512
fdd5a8ad51e87761badec67a583acd100136d818f84ede4dd30b2374c753e1cff286e608d6eed2cb530010156cd6ce1375539c0b42b274eea1d779a63adb5b5b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
838bf54a148805ab2794f9a6c059ae52

SHA1
3d42897614038bbaf04a95dfe174df1e0a407726

SHA256
7e246a801d12a82558518081a798b0a6695356fa31c44a9ddc9b2ea8eca58f03

SHA512
b6bc9f7578d894e49bded280e792ceeeadb53eef743b2731febd3b4f2c367810ab372c5eb8bcfd20644aa646879594583ad337641cd18d4ff9995ede6952f59f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
91e5d81edb429241df4b0b7dade75ff0

SHA1
5bf426cdf83e6faa91cbbf9e08fa2b1003a43b2b

SHA256
d14a9a7e78200bc15afcd8ea8ac490ff93bd7af47db5bdfe0d4e7bf97fc82c3b

SHA512
c9482289ef3c0bddccb70fc9350910d0dfec744a5f818e16ad20af44c3f06b6834fb9969dbffc6498af6b1ba75072848e3555fecf3fe8fad8d84a4a557836288

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
a5b71200fe524e366f8888a29ac74584

SHA1
fc8f29f755c8347f7b8b3e49fa70d0db665c3067

SHA256
3475f2922692249b2f4b0a1363ce660ed8deb385f5042802f89b42eb0bf0c751

SHA512
9d98cee8b015b1d67125e0e5b47c7124902928e4ee1689cd7a18c73b40bd51874fd5822b7f7f2f432a89fe1a806f01896a248c3c7456c7bca2c4a802755aa0a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
3a0968d2354fd4bd44e8f532b3fe4187

SHA1
738d31bbfd1794c1abd92123ba04cd59ec992f40

SHA256
7cb37fdceae6a823a6a3ed4914dba22c4783a42d60940147f3f07118e71dc8a7

SHA512
fc89704a4f42c83dc439d8c9f72076a530ea16b404f6037b97af218411a5a009298161dcb1024afbb9cec331b79ffcf77430b571e07b7de707818c8bc3e47cb6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
3fbb2c7aacbe5857d055b879095fdb74

SHA1
5b3eb8df15738b67c87761b1bee1f253001889f3

SHA256
efa4455a7a18769e975503a2ff9361972e932351265f2a3c510d7b9d661e2be8

SHA512
32fb7ff6f6bcb3b3efd6b9c1d2197633f20842badc5d9a307c4d8971340987de3c0af7a62dd57b7c979b187a6d71cc8961571744c45665ddc91448db6b04039e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
daf4bfb2c2e22ce1d81bcd2536dcf70e

SHA1
ed47cacb5355ebb9362158e3529f32ca3808db5e

SHA256
712998d18e1ebdbfcf44b35fd92504b941ae247dd51bb9375f67ce54e70e71eb

SHA512
0d6125185ff0f2e8382319ac52725d85cb931cde98adb71be4ea02313a929b41d8e69502f2b1d7ab8790c6438ee4bcf26d5ecda09a63997bbeb0e8d2bf2b7548

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
033cebb763d1adff61be85d46d887f80

SHA1
f1a3be9aeda5b258ed64e63197b603f5f26a5e75

SHA256
101291583b80938439359d384ac758b5246ed5730037d1a2acf2c86cd2d2153b

SHA512
5500c78db62a374b22d1b3f11c24c1dbbbc80943ae1922a43a028fb6e92e52bae7911d76a8f6c3420ab9d21b32463beed6b7c7eb99a053642025476b6f2ad559

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
58b124f39f2787b2d3f73b4a4d05d938

SHA1
46818a84340113162d2291cc90892ff6647216fe

SHA256
cdca5ed7c32aa3ebd9c60e43bfc12dae398a2ead851e1d8749084908cbc0bd73

SHA512
fd685177cb7faf9082ed5331e39d1fdb93b1c361987c4c1dee6c8e8d9fe8884d51d9139098389fdc2bc73f7833dd5126409086fbc03fae6bd4e90c2eb374a307

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
71952b9b1643ca4e9c7b5fa7d61b0da2

SHA1
a7ed6f8d98886b8fe922dda909b6a5b563d2c70c

SHA256
dde811f46e1902e82db5ab5f176b75120a3cf1ffdf30c94549a0bfaa08398cb6

SHA512
0e7922fff938aecfdacd3ab0bdaa731fdb9e1b141d382f656f2d67817d5a448a606992e017f1a8c4d402ba0bb19505767b3ecebe9414a2ea61e7526e91eea310

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
85f882392fcf712f3ee06f0dc2714201

SHA1
8017aef5efac9dc40c7595d4d9cd5d2e801ff03c

SHA256
8fcc5a6985eb8e44811afa681f0d2a2232397e34196f204b7dad0c1ded73ca9f

SHA512
82a2fa6545f5eebca62f6502919681e58e0a3e5b8e3710fc3a1053bf4f827caff27785074b798eff84280a17f3e73d30e622ad0323fd41c8027a74174478200c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
ffe22620283d7945d086620801a0abcd

SHA1
963f8bd2cbd635a6855f4fa6007f6b8c48c2b960

SHA256
af21a8a3cd745c0c0e735a15440ecae14c359abebd689afe3adf225d25a32361

SHA512
1df84ce8b999a5e8a15b772f1cfb12a37d74cb93aac534b44012394a2d43adea27cb65b1ca9b50867b9ccd1e59110fcd6ac9cccd70ee9bcccceb2d5e52f094d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
f991c3e214fd26d64e99b4e7b2a88216

SHA1
45f6ed9a520a5e340edb06f7fe14b86f540bda00

SHA256
8bf1098f9af20f1559d58b5c0fec3b2a510c3c4388f8b31dcbc5cde88663c547

SHA512
3f96b34d254a870491d42e7d1c494e43eeac508ce3a301e89f1a7768f66a95feb2d8dd0dbfa4b1492bc635325c8b70f2579595a544a180ebdc210cb8f2607b8f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
b6dc650e70923b5b5855c1a15942da84

SHA1
20270e0fe8e9c862de6333936e144a9adf697356

SHA256
5bc799572e95c1c0cd1e3123d3de12e9a06f5962a092a8e856d045147a9160fb

SHA512
04a0d16d6581750b1e200d2f9e1fd84b6d1951e8c2cf9db15cd784c47c6d77fcf90be1d41b6b131f305abec3005631e7038291b8f5d571f1e28130687ef2ee2b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
1c2587ebf91392c1f8a4a96b1b7b4f92

SHA1
d4992f2ff2049a74e239c40eed9f79275040d550

SHA256
6e453e0b3d5f04ca20cffb1a3a0a73ba88c0c147b694fe205da4cf47c1c9b7be

SHA512
b8eeab182d2132bdfd73dd07c9feed7c463fb3da4fff34573d766a647c401d8bd35e96246814da591c7fad009b8701d571dbf2595a1e465ff0ae69100fed83b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
5c88e27c21c915bf3471e7197d2af402

SHA1
b64455a02ed4bc33abe77689c51d1458d25f1ea6

SHA256
7dd4b78a8db8889bc588ebcd0c6834a4b7e01a1296863554d772aba7376702c5

SHA512
021e61e660583274730be406bd2d4cac76996f476a85d54b3694cfe1bce28eba9777bcb26b89c22b9a1de5b01fe2f53c9e82bef08c094193fe6b172ddd99c592

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
ccd440b03bb81a9baf7610a5af912185

SHA1
74b2beee85b1ab2d7b6d13a8ec6534bf4c71c9af

SHA256
121cd9e98b2e3efb2ae67a651d406cc2b9fcfd60da8602ebb2d750a561c6405e

SHA512
5c6d4d4f6cc57ce79e156bb0fe90e77933d6a70873b644c56e88f16e240dd0a48253941faabbff2a9f43a63c840085ed5842920f515537d980a8405bedbe4b99

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
6018bed4b15f1fe002f5e9a300b7acd0

SHA1
d0ddd15336806ea470bf218a1cdfd34eb1f71926

SHA256
a2a4d1403b6bfa1663463cc447d1f02471e7487352ae248b26766daad1de06cb

SHA512
e4c3592c39968bbfcf928d6087db4844750b0c32d369966a8bf03cb60cca10a45caa075cb1d3107a5924e4a77e255a58d21df06a1f83590c0171806d1bb6f5d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
88fbcbd560ca313ca7d69f74578a043f

SHA1
be0de6ab0a549c4c19aa9f43a2e0c3606757669b

SHA256
90949e89e59f9f6450ddf68045c09d93c1fa84cc8cdaf9ce14e8aff3dd0a3473

SHA512
31ce066565db6cd93fc609896bd63cf11c97e9ba6d6fc77e5d3f8e674d401fe9bb97b9969e955c8ba3299bd5a8bd7497b4e16207efe69f869a1823dcbcc311c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
dd1ca47f9af8813d40326e648a5057db

SHA1
c13f9756097cca797b19cd2ce3b8cad76963469c

SHA256
87ae3f380df8698d3bd9172c58a8c9a92c89976973e0ca4eae3113ef376b6543

SHA512
d3ebbdef1eae63cf6d698275f3d3ba9da2329fb5681a3a94e320552cc951be150740762b1ec380c00b8794ebd701c83436758f26be1add3c0c944df793bb7e35

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
775dc3efaa059a9ed4090df8ad637ce2

SHA1
cc283f6b5b477cb9044ca5f48e801197ed39ddd4

SHA256
b7d26729beb931e92db406329a68a7ca00614634d293e774dd2e3610c835127b

SHA512
c95ac8caa6f30362a4d85b4362a1d9d4d837a20e17e49886d2b6f888153b1c8bda89c8f2a8f5778adda4f3116e83005863e466f4a7599007a7bd39728217fdc2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
4efa1ca44a4d3be38160cff1c6d61370

SHA1
50d29454476e3b66e2d2085e2dfe5cb2e5813ae9

SHA256
ddedba7f1735c30f90586c495b7529b0cf3a96833982f943319cb2969b86c0d5

SHA512
e0d07abcd11eb0fe9a9bb8cc209bf5f98ac1fcdc329636bba1de555e061e3c06c161011a98b2ed296f153718d987224ca1a1090263025b08345127448cfc06fc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
7430efeb148b90276e1c1bc864d3864f

SHA1
380d560b292d1cafe27f02688c75e300ad2584ba

SHA256
b5a6792f989c98e5d9b56100b838095a8b6db5c6ba30b9f049366e105fa68d89

SHA512
3a7942a8dce127a10cd316b94758c270973040010397574506dcccc7fcc673dcc4492a615214a646c6993b7143035b27f03feac07bedf8c6799201642bb5b9b0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
2791dd33233e0943e93f3f6796c9602d

SHA1
846de00d859a8ce8ee012361783389edeb03710c

SHA256
6208e675795b7b17e6740dff15367308de9407d28c303e2bef66ffc6dd5d673a

SHA512
217dcdf467d2e4fb184693a029ab0bd73c3f3b46f7feb3b64c017d197a8aeed040a2ab748b7894db2d09e67533865a785046a61360f14d7d4dc94e88e9e08a2f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
804faae4f35a4b8c67cb5ad216c6d41b

SHA1
7c8575752e396cda3a7661b31bbdd7ce55bcf6e2

SHA256
a91cf57f12f3f45f6ea1825f9e50f7be1bfd9ef70da7c4fddb3123a20a6da37e

SHA512
5add4e30215698bb82ecccb2a59fbe928626d308d7be025c4fe7f627b6242ad4a7a2fd2bc91f0e1247fa357f32d1aee947cb4fb53567b6b88f3f2006f8b4cabc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
d374f7fdf69170028107b9fd25ba9219

SHA1
865aac5ac607e8609a4c0d504d8b6e73b7873e8b

SHA256
bc8f94705373873fb8a9c36aaac43ff8eadab3257f530d12bedd2123c994335b

SHA512
d5ec3b983d3a126e5c7e3514cdf8c3ef1a705830af223d4bf753051b58ab8e08d4412c01ef486977ac3489b77c85003d6c05222182ef962b4811a5f035edcebe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
741eaa4161de0091288c48631740c33e

SHA1
c365ecfd84d6a9ea0ab60553e47022288ccf0a83

SHA256
8b1193412413d10bff102ec528b8950bf61f4e9c7ff9cd7804116ff5d7fa1941

SHA512
039ee8e17e62ac55f56142420a46dc8640c62403b7691acfd881065e4b59261abd20747d23a1debf7d05b302f60b7023c77f7d196e3bce88eebfba89a3e86219

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
4a31695c228db32cb7ab37adcf3589cb

SHA1
d5b2d4b245eb81e81ffcb3ba6501547ef9545c68

SHA256
d261e82498f4215d03e7fdb22a153f0951cb3a3b1045e3bb15e797fb4a4c197c

SHA512
41094fa2ca7ba9de4511ad9db53b2b404f8d0501edf478457c6bfd998dc12bed741b49a019eb584d78efe47680f28e0533bfc3c6490dedd24ffb894b1f150006

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
653be8042e762392c104ffa04d0c487c

SHA1
45afdf4c0b79a04f324986aa31e1f32470241fe6

SHA256
7e28bc73f8a5388b56a27bd74437e77d0a330a2e7af666194e733183b0e50119

SHA512
76c6de3223a139c3782b4c3cf778568113586bfca60cac8632dce55916fee11a439c1a7bc8bd04b2f75e2e2d4005be097ca38bf8dc718ef1423854a495cb9337

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
edf703963a4d8f33edbfc7f0be75455c

SHA1
c2c03159a66cc5303a6d5af7f49e49ca24e0b0a7

SHA256
1a0424d773b330852180186c4c45bbef887f4ccabc275bd26dd5ce8b4ba4fa9d

SHA512
4e320a2e415408eaaaf81366db3cb9b9c4489db4fadc6b486f383ff2e8eb194607d0d7d5e49ab6464e332c23387000637ab38368dd870800327743aeb3c2b4f4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
a8037c31b06552e884d80e9ef35f7aa5

SHA1
172986b35531b5607e38e6c911412b1ea7e0a374

SHA256
fa37399d07310fa4c0931451e8f82eb79e7548410e783c66bb38a4aed2696369

SHA512
3eea70dc5f7d5f8dd46b41b35604ed905c55456f9b48f257197d0ce41a81579803ca01274752357bd380ab69a47e08f8828d6f8d43587fab79a9d9442eaee4bd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
7ac9592409c6bb363ba19be83351a1db

SHA1
79fbcb40cf7ef9ddb07434c9e825765871acc2c7

SHA256
0ff3116ae3906e5ebd01f1531284c0a373fd8597cd3046bacfa45f182682c09a

SHA512
20b5548ec0ed34f30864d24e2fc999833f504cbecfce933f5d9cfbf5a93d39da34a6289295aff7ad7713a86b8e62329087b258c3ad56180c246f4575b311cecd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
c203807f4608b9dc56d3c8f224aeaa34

SHA1
e9f038e9df061d7b3c16422fa62f1f79aa074e6d

SHA256
7ae4ef784bccb5707d415534f32f50ffca166d7ac8933af57c69f7bf2565f6a8

SHA512
4fff502d10a27055b616781c81664254b5a7793b7f4786e417d4ef2b7b4462bef20ea6c8afd495874d4ca25ecf63034a7d50cd4c78448fab55e67d5eafe3595e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
6faf95a8744e59b656bf85738d95fd9f

SHA1
64bc99f0514ae4e865710f988c4a3d7de52175b9

SHA256
8ee6a8c1b369f0eb5afcff1699eca9e358c106f47b1f7de0e5293d4c1e8ad229

SHA512
802f76ff7a02f3b669b63c20287554ef47527ee4616bf82d9eb93ae0d49babb2e543b02e6082f92cf37e786def2c39dae29423213d6d2c0e1ea68ac957eb0591

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
39bc94796d9e865db5443f34ca6b6c05

SHA1
f16fdd8b6051737ca164cb4db793cf0b6b9aaf9a

SHA256
eca0fed3251ac9828d19f5e6d197b78a440a71943ccf7a02735aef5657a9f6d1

SHA512
08a4c83a03a977e72c81c6b43022bb16c662524106c9c6b0996ae6caaf0bc2210f7e7e913ac8c5a6e58dd0c9815cdfa7b214fdd33838f787ab1c201e79962e8c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
e22fa9d9227c5a23ce208c01d77e3113

SHA1
dff498d857a8c63700bbcbc53cee44478d0d9a18

SHA256
2ea62a79b269664677c3800ef204156df099a1ba4cd06d6b5e00ada4c900973c

SHA512
a3fe55df2c1b5a3b8ca5c91414c1b8318621a245d43a197207c021ea4dd22a83d6d07700fcd34c5af792298203d03fa6d918211612a1cca5db4800a5ab47e10d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
012d25f9611b740687b5d19d4697720a

SHA1
51cbd61cd9843c1a4da0ef43f5da5896a05b6325

SHA256
9f569c5e0ab2a866d9ea006ca61515ec002ced05a397803e752501e9dd971326

SHA512
819a63cc7b4431f47f05991b792d41d207a9f62406e5864911ed2b6b6ba42f3bd3927386b50e8e22768a182a78e65f88c9cc3418d994ee9a0b4b3691d02fe20c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
ba484c33ebe10000d69df655acb35d78

SHA1
eb5078350a811c8c31eefc77ac7838245cea0d68

SHA256
1e3fcab1e5b85f3681fdd341935a6c2a4cd17c48cb884bc0bd85639020c70abe

SHA512
69697aec7a364cf9e74fb7a3d8273cbba78d3c4ad943804e2611255184281d8041d03ef312f9df18f100e64b472b520fc6dfd5cd8cbe09a6a6ac969e59609716

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
a34d23e8d484045c365cc23e0c8e1e5e

SHA1
cd963bf8b8aabe73a848a07418c84461f36ebcae

SHA256
c91c120c3ba73b53b06df4855483d2d015d0579fc9be676926facb05f4370fbf

SHA512
9f6d9d9ae48fe0e62eab960822e7e407844a63f691c4dc889198d794d85fa41362ed14a9dca50b6841c9f859e520b18821948c482a90273f8f6f9a9ebc48d7e2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
94d8804b4fc2422e41673aa49fa20e9d

SHA1
ccec55de069899a0414fdb3802d5830f60fd1421

SHA256
ce5fb67a67a8997e1e4190ecb4e5832c6276e1dd1ff58d3dd3d6bb79246049c3

SHA512
1d517722f634ac05852cdc5cef0d1b8a78b6e2fbeefb2531573bdeecdf9f4bc07f7c0ca2e6fbdb3ca4ef1284cc6ba661a45ec8343d1d6614cee54cd5dcea8db3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
0c882401617d7c1875a76b4c3e4a38ea

SHA1
ca679f621c54ba328f63d84e4907dcfef818a03b

SHA256
237c14b51d68838f92c58030ded302597a9f79a7c04e68ca590a0b64f21d95cf

SHA512
ebb3fb61253be7d1b1352083e663639a4d52fb23a6d2092306a45c54766e1e5e3f501304baecaa0c036f165332c6d78743d19e0395c9ba71d8f96b7e0de017a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
e92775f1195fdb17f4a024708c97ff07

SHA1
845b26fb9c0a953dce1fbea8e6afdedafb03d7ab

SHA256
35b9f824eb5a650b38d60b19aa3f0502fdc2aaaeec209260d86d228d0bf87a24

SHA512
3fe3929df52cba30aff094ac500753960825e2dd00fe05b9735a0f3a1dc37d876a3c963e44b62d2ebde391f672d821c773a15c6883d4aa8f9966e4410a322b93

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
ea8fe4aad55da46faba03d8aab00803a

SHA1
c38a90cf6b1fd7138b6692279b1f09f09440ea89

SHA256
cfdef3d8578e7d799fd686e5b32412cab60f0bd67227c2eef5e2bbad0bc95a9b

SHA512
3761b38d833f6193d7470d9bde7d838c1d7afb255fca7b125a6f662af7976b55329f355091fe65ecd894c947fc45d85bf27d41b1502adb85257a1e1c3384b079

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
f299b93e976703a9a07a0ea6de84e06c

SHA1
0b14cefb7121f08be19ad941fd936767a4b13b5e

SHA256
5db497841f2b0719e9181d1cc9a56f36ca9acc2c828a8e34a2a6cf11c9651bed

SHA512
72ab2711f33b3312df8496964d90dbcd3a5a7be057229e1e1f750b4af8b2269da8bd12f8c37c3a9d6f91e4cf1ae7adc7c51f1460eeb6bfda1ba5d75ec435302a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
0630328ccf23fa23535c824eed31c322

SHA1
18e71a47ecb691c4bb38476e929ae4f17f761eb0

SHA256
342f0b695fac42cae9efff7e7133ac698a80b936ee7090294ead77eb82f90093

SHA512
04a8a7887615efa181ec35128aadcd731dd10955ffbac5e36360d680a0db8bb48bf47efa25d157ce91c51bd81997415f3d5567f0a76b3e1d77380547df079eb0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
f43c6afe89253ce0142b4e54e34447de

SHA1
355cb84774810657261fca7fd9aa5a26da530109

SHA256
40f3f9802a799e5aada1a1cd5248c00dfb73699694519c5bc6da1263d5f6cb67

SHA512
264667e65a132dc6dc138a187e318bbdf12509297958a03c9ee69c4d41649251a4226827eee5a021c0012d3837599e63336bbdd37ba4fb595508a8b84f5092a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
164012d03aea2183a02ac5349fa20111

SHA1
c461f0bc43801c31bf98ae3fffa487361ef1c0e2

SHA256
75211ba147284f4fef3bb8659146f5414de314265a487649a23b130384943f72

SHA512
074fe38e43cfcbe06b4a3b974829648ae412aed8a618be2efac4e69ae713101d997f7474a25126e6fc4169b64f98e44b46978602521b150e6644181925cb41b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
790e6fe62b2e13becfc148e5f28132c0

SHA1
ceb77ef3da4dd0d4f4efab0fa4d2c2647ca349d7

SHA256
965aa5c70946d8e7ae59be988f59ed11a6571ef343489829a0655995267fecc2

SHA512
8f8f7478efb42963b93a734031ee2e52bb5ee40dcc26e01a1f75c9c5335592f0072c01140d174e08500723fc74872108a421847f2bf8d272db408a57e933307c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
4557b3e134b549f5c7064a0b88eb3963

SHA1
f392df32cc9ae11d1bb7750976a61757f5133bff

SHA256
724bf8a667a2f59116ea4587ba2c7a7b3b614a7ac00b70e918c5ef8c8a1dc7fe

SHA512
0e560c4d1e39b709012112618c780000aa1630cbd45fa33c844399389c0dbfb668a3882b5690b7c09a7123a2497ebfd0ce6872282d63c9dc425ec44d696041d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
3ab6961a658b9c77eb199a1b02de0da5

SHA1
9c1e35f16466f117672cd9aefa1c2e3b3605653c

SHA256
120154ee663f29d62c3b4cb86093bf8429d7db4169ed89f98d520b3f9ccb8170

SHA512
148a9227c6b6044674ac97973ecc8a3ecdac7704972991c112013e753384a25d756ca9543f1927261171c9a5e5147675c88231974288ff36a82821b2384494c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
456aba96b436d2f30e81e11c6d84e2f5

SHA1
2024b287ca58b2b8ecfeccad98b0db6bb09988e4

SHA256
2ba9b376eb69446760a81431dc3485642ffa5feea7e7976a047ccc620abb3476

SHA512
9070cdb7d3473671a006330b73b18b36b4cf12357d00c0c1b1d336fb02663537c90445565da619be759987da4a60a94c7c496db52b57cc088f6821ecb8b2d881

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
aa21232521951cf9bc515c604147a344

SHA1
a3e6eba34062c3012170848d28ea5605249a0b7f

SHA256
3959f37ce20ccab7cc7e818efdedbec3196afc2b6eab87d7409dee0d5d4992d3

SHA512
b222ebf3eaef6702bb10f56f888e225ee139410482ca5e21fb50c1b4b33075a58d9fe762745a34c8cead0fe1af9a6ae71f3750db3eb31bbd3f034965261ae207

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
8c701da955cdf3a7500b81157ea20c8a

SHA1
40d40abee5ccdd9f3429f160230060edc5717021

SHA256
9d47746709fbde4befde1e4d21e16bb1c1718cbb3ac6bcbd64409705fa63cdc1

SHA512
81d25848eae63d4e5538d362b1bfbcc9cdcf13e087879811f86c853930254bc98fff599e5877afecaf22447b6b8aa977e5ae7469002d5e425821c9c420514bf1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
50917f1b77160d2e2eb43cd2704ddffa

SHA1
d0e5e8a27dbfc23d9c9cce3465995b05a444214f

SHA256
7dab5034ad5c3e94ff3023af0bb988ef4572383a3ea8ae954fc12531c5a3db42

SHA512
640a95a64bae6a351e33bc2da54d836269470600a28f60fb2945501786494bbd454c4ab109008ef5c7c6ba6bf7333f6dd16c6bc5e9638fe56ae70443ad7d13d7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
f9f6c9bfa95e2a113baad5ed9fbf8ec4

SHA1
2e7c1cb69f73a99efecc1ac63fd828af3174c807

SHA256
c3231021cb04ef64349560a33e1cee7b378dce95f71ea148f0192e975bc12c6f

SHA512
5732245de3e0292237fc9f361da8e09ed2e6647b2629fcec136fe1f10997d8fe727fd31c063c639a0279334dc1261b27acfab4ac7054fd9bc8fb2155149eda2b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
0e99221993470b380c90a2a8003ecd9c

SHA1
1f84543700ceec74af88347408841eb2ac3eaac8

SHA256
6d3e008e35b049de7a04f5cbaf23fe6bb114d8b68651ca75a7a38219d4c46aa9

SHA512
728fa7a7785b172d4407d5e79a78268337785cb0af3a93fba8754054104162f9490b8dc961101533c8a5699bfc0be578e94ea03596ac517b1c9dfa7f5f5834b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
d77244b41ea6e8895084174cbade206e

SHA1
fbc779e4482b23201d105a85c738dee2c224f5f0

SHA256
8e3955d2783f9789687c4cf72e5fdf16ed2a4677c7ac842dac8d99c6314e9516

SHA512
c6ee538891c12a75f790fd9f606cc8faff91bc180694757a949d2f0429c3fbde550b0631e41410ea36cc6d1d74c29758ca42f15e8a0d6cb7089a7b4ea8ab60da

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
096744293a2d3e221a2554b63971bec6

SHA1
f0ab7f7459bfabb499f4dd8cdd234746656cffba

SHA256
f179ca47b3eaef26d2a68202edf9d476fac051cd1b5f71a4b30fb96dd8bf9923

SHA512
a7168cf7ce42b57b08afc4852ca07cd88efe5ff42cf4d4c86bf7eedfe3e29c40b08a4125c553d5ec7dd60ec05007eaf8c8a5c22aa15ce4b069e6b91694e6ad04

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
529acbe4b9da123f352f065bca0ffa14

SHA1
80341ba7ed6703c317f5e481c36047940ee4fa18

SHA256
e72d99b97492fe3ccbb1e91fd5e93cd5193f8e295192e96909a02eb1549e0dfd

SHA512
703322918e1d8d082342cbd08d16b1ac02daac9b932542b1d829cf88aaf404efff2a47c13e58cadd623faa75fd3f2234a064ab8fe35eccc8970df5ca70e8cb4d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
c52147e1b373bf1ab49d0d6e631d4c19

SHA1
840e50a6e13fccc17aa46082a80b633a90e6b880

SHA256
01490332f616c0a478eb4958ff9c6fb6a6572a3290103f22f1050e0788c2a4ba

SHA512
1c4c99d4c1920912d0d7fe175a69d0855e48911a058b14351ad31ef0402aaa903387f776a944716ccc675d4e0a728853fb99b416391c30739e6cbd326c606bf3

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
530671297f10dcd11689ee301dbe62c8

SHA1
4875fe8272979b8d503dd7c5662c98d0b0301824

SHA256
d131a03733bd08b121fdd8894e186365c15c662e8f8437cdbe00c949081e85f5

SHA512
cbc4a651860d0e3f0445d1a4896d40c83bec5fcd34817eb6e6fade5bacd56d5f729a72d704749e7efe60674b964726acd0626db1332aa57b95a94f032bff85ef

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
58e0658ef04bdf9cdc7b7e0ce0ee92b2

SHA1
7031adaee254884ba3b9470ca52425939c5d3b94

SHA256
cb39a85d3f1655ab9a6364ebe3f93da7d4c9ccc922902e6227757ebff559f287

SHA512
1022b3d9498eb105ecb6eed08b691ac8649511d35c0be84ea6cb162d535ca3ff0d935c9fcf7d90815dc17b938ce3ee6508785a97050de9a85e665a44f940a4ec

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
2e008dd09779f81d85fa782a2d3de703

SHA1
7a0790f9dc1df6ae52ccc60f0f40e07165db03eb

SHA256
7d15c8d71b5170d3a305ab321aa4982e5d248abdf74afa0ed303cf759a866750

SHA512
83fb971be5318871fd280b44c33ded63d2dd498e3d8712db23af54fbbf9170469b3d445640155c7be04ec11601d3ad93d6803f33196642a7fcf2489b91fdaa75

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
5246efb2e362f7ad660643c155e59531

SHA1
2911a3d1ea2cdb977c62614790229a98da6f8c7c

SHA256
1444ead971d3b040f2508a382770e8c2adfd07c0281d1bb52f0cf44f70bba9af

SHA512
86fa681708249a5e5f856838ff2dd929793d18b98a1f2fd81d6403f3ad53b2b9e6112d4c93cf9f266aeed46cdaec020e703a16fb11aef77e06da507b44199dcd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
83901e0fcb58772438edef1d4ed95f20

SHA1
e2e39f1a7fd7ea0eaa72b37657cc67ba026f31fd

SHA256
001c69fc8662bb1a3f86197518aafe9a82073169c72c79577007083de257ad0a

SHA512
0877accab39270820da7ac3ee368440e4ada1e84067329e174269f0aaf245e191534a51b1773ac78df6857b47c46e58dd9f110e93e222f146c38858968766269

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
8237e7345e793febfc71527cc2f11465

SHA1
030c72e365d784ba53780dade12ac77c355ead38

SHA256
2e056b75b4652f53123098fc5aac0beded6ca91b180d9daaf6d07afa165df350

SHA512
0f984e504a4c454f2ff0bd37218aa2d986dca50af15a1ee01ea202157a7d679af7e6872403b51e27eeb81efda9cfeec42109969f24272d13dc667dd3b1c95f15

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
2c04e59a3040b223c8080248fc3c4d1a

SHA1
8ac50f1645c72fe32e73ab249c6b89e7ba65fc53

SHA256
8caac80053827d235b5e5a5bf3ecc6253cb4a93375685de8e142b5d369972f31

SHA512
aff984cc51e73b3d8e500d8dc16e7e50ed269b05b1319d253fd9c3c67749fd08246018fa99767775e0fe20ebe9b29d65191103e598cdbcd65e6afc21e3ad07ac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
739eca3528258690bacbcdcd20cec3d0

SHA1
ccc4c9673b4825e3000730eb2a45c33138014b9f

SHA256
317f363c5282e6bb2d3cae2ad94d561771da11472e5f5468867293c10664bc3f

SHA512
585e8bbf3577649c17a32e1a4591b7b70c01dc41fd6a5a1828c11ff1e93ceb8327aaab756de65b8255baeb612ce2803f2a8b825addc0732eddedaf7c3a41715e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
435a7d0a8ffb995138b68ae1b83b0103

SHA1
6d58d94d2588688f35c0eb74c4f5ba7efc50c091

SHA256
eb363739f1a3552750c219cce7c3412ab5f437ae1ed6cac3b53adf5b0620a232

SHA512
1921f0b80bbcc5019cfc4993072bc7878d9399e84cb20614f807e18f45221c7d44d21fdbee1e30df8cceb0d0f68f0091e49bf1865eebb575ed757d820326757d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
a4858bdfc6a8c2f77c7666b9cba76f0c

SHA1
3d6bc50e18d155c41261435546c028e9bfac5d9d

SHA256
524d28a45b8635deaef0e96cbeb656e30e3c2a3089519d3c0b87ebfe1960c4de

SHA512
92d56756f47453801b0645769a4590fcf2e03847f054f65d875c2c6e891c34b7b379719e8096a804a41bb5e9697fa19dd7e2af79ec1430430db5ae9214140b66

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
2a579493b50d3232891d751ab198b113

SHA1
27650bed8bbce3d8c2b79b4fc92280cfa7947bc2

SHA256
6cdb5078b0773039d5f1735a2730c14447343ba077da58783dd813ea42e98967

SHA512
7e4d914de42ce67fabff9468971372a9e1b5870a77d4eb73ee7947312c3cdb87f1fe7462c85944e7d95db3a3570a1557a9b84e96ba3ed2109b73a34e473344ce

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
1d05806b41054bcd3d6472fe6f821090

SHA1
8c6d51ef20509d3867043f3b788bbd7c051c7d09

SHA256
081339e7041f7c0ecc6499dc14a7b92c0d8286692569d704df6563da388125c9

SHA512
1732624e1e878ca45e76f8c573776d2c536a1bf449eabcf7620f39aaffd31b6069b1ed0a2967a2ffb2a309adadff7bfdefe09f176c46cf11e5827e356866d934

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
42ab0a080a9423afa6499e84068bbdd8

SHA1
df73670f4fbc13c48cfc4d3c6254ef6f71a91efe

SHA256
91cfe2abe0e4c71d8f9069a23a1923874a61d1ec252806dab395b9376b150b79

SHA512
d0a397f4a6362d1e8d869f9618407399e8401994aafb824ba3c664e8cc54e7d5bd5af7c463198124f9d66d4c25afa89ba4d7d75b939afe284f1bca6efea25066

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
8ab0e44ce34b923c1379063db48c008c

SHA1
80c9d685c18d43b8c5417030b33edf49ec5c9651

SHA256
c710dc3e970787f6fdbdbbc8f4523efbbf48ee0ec9eda969271baf4ab5c4b11d

SHA512
027102191619f2486dac1e7cda14850a8cafd20d168309ac4ee3dab44f3fd4122a1812e3fd4bfeb9c344d9e7cfe5015b587b92a9b6d2d1162b7db058a93fbbb2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
35cc7c37dd3d3c13c60ab5946e79be8d

SHA1
7ae8725e7fc56fe79a37c97bc49225fe9c66cf06

SHA256
c31c505683ae458a592b58225d2670b1544b448f5dcfa9ede2177414b6318f1d

SHA512
15bcf2b06bd81bc87bfb1f9084ed3004d9b07c6ac9113fe3326098cc6f0371ca86257b9f705eacff877485718e3bcc0c2a1ddf201a7772fca133658b06c3cde8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
8a3af5c8b24a87b73324089c159029fe

SHA1
b875493cfeca669fab395469d8478af2628d3ddd

SHA256
b6f91234d9f4636415e92f0dc6dfaf44a72e2e44816bfa06230127118b2453a8

SHA512
4d866e621401ea4517348c922e70206e530cbf023854cb96ed07083d37517a15a4a63ff288226390bd4655caae37a4c226a77f401e66d7386790691d915d6952

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
bcc3b6c03ebe33a84d205897e3be4a95

SHA1
9eeea28105a1ecb3de8fe8a10c7343aaa03c5162

SHA256
0ae7a5498903310ef3e4298e4469eae5f5369080ad930298e4d7d376ef315eea

SHA512
04fb85b418a5e5b9f1101f9638f4fe6c77fdeb73936967f1e975e8de04f3760a1917e83f700e7de04b8763cfd4d401715e9fda9094f4e8f4dfa6d0113d191ddc

Download Submit
memory/2316-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-7975-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-7976-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-9073-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-9074-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-9075-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads