xorist | 9103d39318bd1735df2eb88db26011c7d7ab6ba5c62a6703f8c71b6dd3049fbd

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-10-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
Size

7KB
MD5

75191b0312aebc9d5fe6d03e8811a11b
SHA1

1665498c8373958239b5a1d524edca8babcdd203
SHA256

9103d39318bd1735df2eb88db26011c7d7ab6ba5c62a6703f8c71b6dd3049fbd
SHA512

c737fa9d0f659c16beec70cbaab390d09ca66f8a2fc706a366851fca47836af8da1e730ed26d5b969688921b5eaf35d6aa6c06e9965fee34c2f2068904215df6
SSDEEP

96:cSZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihExZ9q8p8SAtV/p97pvpE+:5zdrr1FG1WDCgmjPZZFpkVxj2FMUA

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/2520-8883-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2520-8882-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2520-9111-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2520-9112-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2520-9113-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2207) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BmC2VdM2jaV8BW9.exe"	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\de-DE\erofflps.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnis2u.inf_amd64_neutral_de46607a02fe2552\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj3.inf_amd64_neutral_7e1053ab483310f6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00f.inf_amd64_neutral_f7f7e179d99acc58\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_neutral_77b02fd738dca150\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\oobe\background.bmp	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_wildcards.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_CommonParameters.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_While.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_sas.inf_amd64_neutral_a4d6780f72cbd5b4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnok302.inf_amd64_ja-jp_708c81a8b0ad8846\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomeBasicE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_command_precedence.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nulhpopr.inf_amd64_neutral_e078ec466987bb3b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Signing.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_type_operators.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_troubleshooting.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ramdisk.inf_amd64_neutral_798b5d4dd3f22a07\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\slmgr\0411\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Switch.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Switch.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_neutral_cf52485bed804e02\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Continue.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_properties.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Networking-MPSSVC-Svc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_hash_tables.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx009.inf_amd64_neutral_d4b76afd08f308fb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_split.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssession_details.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnfx002.inf_amd64_neutral_b6dd354531184f64\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_eventlogs.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsun1.inf_amd64_neutral_6184912bd8e5b438\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_operators.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_transactions.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_debuggers.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\fdc.inf_amd64_neutral_bbcfca39fdc02275\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\erofflps.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2520-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2520-8883-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2520-8882-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2520-9111-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2520-9112-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2520-9113-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\COUPLER.WAV	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveAnother.png	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\SearchPush.mp4	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\PREVIEW.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\PREVIEW.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR50B.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10336_.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_OFF.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21520_.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignright.gif	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00011_.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14531_.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143744.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\main.html	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR42F.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48F.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48B.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_wiabr006.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2e5aee62def0dc7a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cttune_31bf3856ad364e35_6.1.7600.16385_none_b35ae2951fd8adbc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\ShadesOfBlue.jpg	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..libraries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0d92fa3d1a6ff94e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlediting_31bf3856ad364e35_11.2.9600.16428_none_34d4a6c78cd3b895\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-k..-plug-ins.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_606b66b01ec579b1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..rkprofile.resources_31bf3856ad364e35_6.1.7600.16385_it-it_39c7224786489550\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-r..-detector.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9ec7947a2ac1be42\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-r..ilityanalysisengine_31bf3856ad364e35_6.1.7601.17514_none_8a744e94f47f8489\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-ra.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a0a1d9207f1a0bee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-full_31bf3856ad364e35_6.1.7600.16385_none_ce3a164d3f0fa152\NavigationRight_ButtonGraphic.png	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Windows_PowerShell_ISE.help.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b12fab6d36e5136e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..ompatibility-client_31bf3856ad364e35_6.1.7601.17514_none_bc2e2d6e7ae461a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_moon-waxing-crescent.png	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.web.routing_31bf3856ad364e35_6.1.7601.17514_none_1a58be6d26032dfe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..g-utility.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_261fc93fdd5e6808\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tapiservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e2cacf3dfb59980b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.powershell.security_31bf3856ad364e35_6.1.7601.17514_none_798013fa5b3040fe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_megasr.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f749ff2ca5956eb0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..-ehchsime.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a8ee3dbfef0d2e09\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dims-keyroam.resources_31bf3856ad364e35_6.1.7600.16385_de-de_108c69d8b234fd85\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp6.jpg	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\720x480blacksquare.png	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-smbserver_31bf3856ad364e35_6.1.7601.17514_none_571aee68017b07d2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eventcreate.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a33b8f989e32776a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_836a83fa126c10f7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnso002.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3dcbe551f9d56b44\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-h..providers.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_729fcacc780f7fbb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\img16.jpg	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_brmfcsto.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bd208823387ca105\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_uiautomationclients..providers.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0407f9f70fbf2698\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-nshhttp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5f14f7c59907b1be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Savanna\Windows Logoff Sound.wav	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1303c8ce18b8ea25\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-time-provider_31bf3856ad364e35_6.1.7600.16385_none_49270c5b422d6986\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_et-ee_51a7fb335c52ac1d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-programs-adm_31bf3856ad364e35_6.1.7600.16385_none_fa083e6c355b8801\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..ager-core.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5294b65e14bee8ee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dssec.resources_31bf3856ad364e35_6.1.7600.16385_de-de_237767279b40558d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netefe3e.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a931ff25c612460c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnsv003.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_23d4c987ce8ec79b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_de-de_d7f59b6f239c3e50\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..age-codec.resources_31bf3856ad364e35_7.1.7601.16492_nb-no_5d6c66c9a0867a80\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dxptasks-ringtone_31bf3856ad364e35_6.1.7601.17514_none_0cb2f60328a1fa24\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a0d8e556dbc33354\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..gement-ui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0dc4af13a4ed282d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..t-service.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d41d213d4ad0cc64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2c9b21077d55e984\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Festival\Windows Logoff Sound.wav	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-fontview.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d3adcb49ef4c5651\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0\9.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-gamesp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_96f3d2049dfb9360\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.web.manag..nt.webdav.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1a6d5b1372ac67d9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..i-printui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_932862e6fd034a60\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_wsdapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1adb73b5c6e50b6a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-consolehost.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_149f66175dfaa2fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..-japanese_nec_win95_31bf3856ad364e35_6.1.7600.16385_none_d44488dccb1e4939\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\401-4.htm	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lanmanserver-adm_31bf3856ad364e35_6.1.7600.16385_none_596faacb0e799514\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..rojection.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_135e1933af1da298\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEUQFSUDNERIDI\DefaultIcon	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEUQFSUDNERIDI\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BmC2VdM2jaV8BW9.exe,0"	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEUQFSUDNERIDI\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BmC2VdM2jaV8BW9.exe"	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "JSEUQFSUDNERIDI"	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEUQFSUDNERIDI	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEUQFSUDNERIDI\ = "CRYPTED!"	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEUQFSUDNERIDI\shell\open\command	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEUQFSUDNERIDI\shell	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEUQFSUDNERIDI\shell\open	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75191b0312aebc9d5fe6d03e8811a11b_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
385B

MD5
354ce52b71e8bda8bc4fe983ce41ec17

SHA1
e10a9007c3110e017609d114aef31fe75795009a

SHA256
cef8415315eb254eb7f2767e356e4fd5ccc334a0af402c794b91d1a0975572d8

SHA512
a412be789ff8dc9052d54b962df559cec1fc48a905be143b31a4e242cb88f6f8e86b4e814712d4506790b69e51aec23fe43ffb32c72c9bf8d7f4bf46ff33a09a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
a69cf8d603f181ce22d9bf0f38fce467

SHA1
6a986956b6a08eeb603c121733ffd329dacc7660

SHA256
df816bd4b4f2c3f07abba13722f92a2e083bfe0eb81cdc0d03f2fbb365fd8fb8

SHA512
d1e4c0bc1d4c771e1f5fe663c74ea91f1d4de0cb0fc040f03b60b944fd6974100703315b8e9fcaecfa468c4316e8514f9f06f6c1bec818a3b416ceca9c85997a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
109fac0adbe7081f657702ba0d0cb0d1

SHA1
cf6a13182327a9fce3bb60e16f440906de2cba4f

SHA256
f880780c4a486f642a6d8edc2cf5913697b75ab8cd6bc109c45c2db82f136d7e

SHA512
ead4656c82dbbc750d6fea5a6512ff3e2086a7acc83151b93220c6585dfcfc83b690044f981cbfaa8beb9ad4d0ba38c16bfff7a464e5932709b7fa207688dd07

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
d91b756e23ec330f59a070e274f2ef8a

SHA1
43471ccd7695e37beb5bc79afaf636b1730b0e38

SHA256
43967bf8ea2fb6dce4605bfbe4ca3daf110782841fae1328842dc5874d733eb7

SHA512
be70f7001393ffb53c4c1e9f511cd6fedd34c31fa350649094a3ca80478cdf5eaa67b4e87b3b9b82eee2764fe6a65a8d6c9ab8bc250cbb05312f7c9184d5c29c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
ad8682fca40a511d611119ea14e82f48

SHA1
49e955001f7621447f17160a588a0ba2f8c1a134

SHA256
2e06a0663cf992a1e9ee9bed21e0adfaa6d9d6fb495c7976744ad76f5bd6cff9

SHA512
343fa2ebff0300ecd1939264743728cdc4bce05880724d2d989740203b949b00e7d72e5edc05bc01eb2e061023522107afdbe5f98e43d22df9ce0799875f6342

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
5de190c2c3339251ef0f4a44bf225632

SHA1
7623da18a62628e30753ab8c54318a71611bd156

SHA256
29b5a66142aab9a478fb97cf395f697fb419f9cceb064e79866073d67d63bae5

SHA512
aacc939b3142267b70a6cb5d2a7c4daa670bc7c017c197531d36a72de79032b46ecaf642347ac30e92c3fdfaddb183983692671e7d794f641665aaa121f78f8c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
d8f7f1b43dcca13e7c2e85c5d77059f4

SHA1
c041edcff4262e42d5fabd924f3c3cdc212af30e

SHA256
986bd78d67b3c74c086af0f8c66a67486f7fc1483e7395195b72aa0f3824f43a

SHA512
901acfb942fa6cb6154f42734b43c5c9a55ece64ed5fff5424377a20d62a2c6446c552d22c9c30910ae60ca89fecf5217b4da0b70af37e08cb4c475f948191d8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
08181b6964998e446e5d46003483f069

SHA1
fc5528ec8beee71347f1326220af28f85f7110cc

SHA256
d8d397b6a04325f2428e361fd53779df8ef3be0bce001cacf74365f1edd418e2

SHA512
b32202405dbadd16fd9970bb475322220df3088d0cfbb7ab1283e60907458482533a9e305ad293f385b069964c74b02864d3621fc2c316fa022c0d60659d8189

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
280e7acfe2dad23ea7a08832212cfe37

SHA1
22dec24117ce872755a4b64a9d96720fa0b9e29f

SHA256
2cdd5323106cc15f254d21a667abba1521418d301e4d47dc46cd4a09350e91af

SHA512
2b69d7ec8a23efb3344be676f9b754ce1788f4f276fbdd41824ea68e4ccc1078bdd2084e5ef3c4817ed9d845b90931418b16b288cfa54aef5ec999dd98bb6eaa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
3b228efb5d498db036521b7a8e5f37c7

SHA1
18296db693c5335cc5472530294b243c7484105b

SHA256
e1e51fb72a2beeb9172f3674fd3aeb73cb5dc327cd6bf74ec8d92eba1791f21a

SHA512
b762695e7c903657009ac601a60ed19dae505e1933b41603cbef034f34665e03b1ebc857da4cf5a907ce2fb8c5eb05ee4c70d46baa3908dfe4f7419de1975c56

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
32b54948a2f7fd944bb49842a21e2547

SHA1
a83780981bd941ceca23f38f66a6ecd49b62313e

SHA256
66acd8bc2cafcee4bc6adeae1883152d220429cd9108a0600ccf15b4b78e1cc3

SHA512
ef86eb26f0fae7b6390b221190567c53224dbc920930c0a6e4c4307bf3d231d7d58350fd565f14f87935ab194bc22bf69c714295e72e0d4a607e2b5ecc8a0250

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
9facbccf1f7d507806106f26a7ad3a2c

SHA1
ae170b0f61efacd56244a9ca7e39b9d0885bc97d

SHA256
ad0c61e63e28e7126d2afd658d0223f21cd7368040388cf06857cb1499b6c3db

SHA512
e8ee4265f7f3073355e9b4c0f8515d7142033cd9a280bf7d6996bcfa118f89b9de83409e18c54e07db0d6b69485ac89b46739d8e66a9542f5adea15aa64fab60

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
b4ac7851b5a1825d90c88c57555c437e

SHA1
550b2964d05aa5d07b89148049eda3b1bb60947e

SHA256
e1ffa4e2a917f5a484a32f193a3f96cc999a639cc95d31f4c40ffc9ae5e1fe28

SHA512
eb1905bdbd9146b7cc69e7b986101f421a85374296b432177a7039d829d4e58fcdefcfb64365d5de41e5f674e06625f9b94b6cc59b8c3e48335859755d0e4a3d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
f5e0fc2c1ac055f7a4d8d8ef79cac253

SHA1
b7d629639dd09bc8c5ad850a7cd1d2aaa96f0fe5

SHA256
42b740ebb89c71ee44bd3ffc7f0db53ebddddfe69d568a9e56bd911124e15561

SHA512
90126d91a080635cde926c91553041868da9e98143c3453d56a56f7d72d3c88074dc63067bbbf513769e90a28974a1e8b0ad018c22b8e8de3d6ac7496de0d4aa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
42275feef2185bc7eaca97d0b3e90f47

SHA1
0af0f5494664e8ceacb2816e4cb88d823182002c

SHA256
458247f57e300681751440d9462b0e9c2dc989b302cd58608446ae8f3b4d6a41

SHA512
6b696760d8071512e494c198be8766d9736233e0a4b2b746ba2e0ee875c21505672c48c5e4246f1b801baa135eb0bfd529a5b37692d062e49b2651763d82c370

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
75579ae283d848f63a9640380c5d7441

SHA1
5b47b79847f0bd5454d2c116b6f33fbc3208a7a3

SHA256
7ce2f7a8058cc0eee1ae12a659de6ed5cc2fd6fd04c6e9b75566a51a5f3bc1fb

SHA512
19cbac1d746d8bb8c3abbfd12621af2aaa699ce2f8dc3cb07e92d557b9503eb6044287b29ebb6e0a3545f9ad82ece1a0ea87b396c00af6a5c53cf0caa972e736

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
eccadcf43807eb25aab9f36c8c8906c0

SHA1
7056dc4539bd7c404cad0691af8105e370ab0325

SHA256
789d2fd2afdc747367b49c9ee7aab24531d7cc2b0d8dc916584a5b061d853b48

SHA512
0caa1d8fe74cb50c72a8b3403bcca207819351793c96e862805a54f02cd7acaa8499beb55d904fd77f72304c865a0243fdf81b3209214c0a3f5e959b6a143abc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
5f36b1d7637dfea02cd470d68cb79813

SHA1
a24974a537dcd4f248f409ada5d2208b0ac5c022

SHA256
e9e041d5a3dc80c793b5225588648befc769545e1c82f3b2845dd2c173916379

SHA512
9f3395cf08811b58e5483c5849c5b383faa0d0a432a4e6fe98c43fda41f74805cc6c73ce93c577db403266822ad0473a511d784879aa7d27413fabf032a49e29

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
1f1a27870cbbd32e31e9122ce45f3d8e

SHA1
8af7397792c9a71212208ff5cbb18fad8f2c3716

SHA256
9847a984f19cbb247ef00615427703530190f674ad273cd3518d82aa880fcce4

SHA512
58e3e2658c99f0977944b9af0238e27730e3d55a04d8726300d50e5d0f50ab530800a5304644c134c464fc0cac13b23adbfcf5171ae34a01904de8e0a40d5a1e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
b907b5bab387a2998a5576c67544f047

SHA1
ebe67b379e1a4bdee7429409e92e292e87df18ad

SHA256
5e3aafa356a75b7a7466672395841017981ad486ad416d52476b8bef580155a8

SHA512
8bf296b8989516680c2a3297789fd23713c069386ec1d6f15e37df3a617709d7fffdfe4abd51f8f74f28c3f650e6de75b0a3fe30da2b57787e50dd47340674d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
59d36faf70f79f9546ceed8c92eea5dd

SHA1
a6cf05cde5d6853cc6c7de1d9f7ad9ad5acf61cb

SHA256
aa7433e90d1f152119c374d69f07036d6854c55694003e9f3f94fb040f625dcb

SHA512
9be5f57640a403bdab8d739d5ba40329be26e9442268499b4ac24d0635a5a96967a029786bddee5096a930a651f3cdbdaa5a53eb93f38ca919857de9c6556cab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
59f9a9ce265c05d39800a9955cfcdfc3

SHA1
688ca001b1be85412639a5315b9471458bc4db3c

SHA256
7e96b914d25bc900b411543dc1f5d7c353dc7e7a36c7d216afc5c8efbcfa852d

SHA512
906e024a08fe8db50778ee4f4d169e7dcff8632736e621d9740eba6a301acb458a29a09a2ae1eed26bfd38cd6b973aa959968dc4ce0d7be2d564e0631c08cef0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
61b7b514e646c847673522c96785d93b

SHA1
680faac3dbe8f8d0be487e04bab7daf36f99d6e7

SHA256
6d2b7ecef67ac0ac227089779d36180c396cbffda640fe6f7051e424396a37a2

SHA512
47081b2ea634397897261511840f8c207a7a3705e5714c84e2305d7c78cf073ca964c039fda32550a1cc2ece90120c8184b806c2764537d690b1a40af061c27a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
e403bba315bc9244317209ad45b19cc0

SHA1
aa9ff31233660b2a8633798d9baa1f515baafe64

SHA256
4b98e221b8b94615dfc6ff7dd01a154aaf3ef0cd335f86e61967bf38f286157f

SHA512
82e66f47d0a0b6a249c3c0e6e54597fdcd9d3921838ef91173c1829908135c44b6770988a9e1fddc6615e148ebf3461bfba717e0a63591406319ed51ba2f045d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
3ed44a4c0a38e9d617695bf6f132c845

SHA1
53150de08ec9b4f384fc8690d445876e3f866632

SHA256
c409931e4525dfdefb6bad8603ffd9694501b2b4f4ae7df4a8f018df4a6aaeb4

SHA512
2bde323bf8c91e9a08a44013c968e9af254aaee340353c34161f24899e521910e1eb74331d596f064bd4903c7fd14cdf8f4a2626d5c01b379836c1890079a6cc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
56a4baa9bdcfb2fced9b53e69d2dcee7

SHA1
f7454236d99e0a517d0602bf7aee47d5f1e9a0f7

SHA256
af1515bc28f0476450b421ce81dd38895ce414d8cafe19b59f5eb4f8b4e75338

SHA512
fd095ee9474cd29861ee57e0fbf8dd9cee922ff326924784b0b17da838c0213369cd9da0dd8ec8af02b8b868c0d97ed8b7150ff63072f5ff4040f2e008727839

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
67fd0b499ecd4b845749ba80986d7ba7

SHA1
10bedae33c2b0337f1fe3112e07ba3d33c36f9fe

SHA256
62bf309f5bdd803241f1d188f4f2ba6841c71f80f5083a0242dd0c5e0b71d676

SHA512
8c62b1099ecc2961127c2a13025a371d332f5c69f2be758d58e3c4c329875cf1375d4ec6be353314307884f19b091e6f18736d561ac9e9d777e826219cd61986

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
a59f791bd8c11ba3fc58d3d21761f2ce

SHA1
ea91fe34545ff18114595e3b7e08c2692fedb40b

SHA256
f02ddbc18fc4569b609234e0ecf2fcbd19877714e26cc6ed690e4ca2036db55d

SHA512
19558e372d10ee6d3845bbcd04d8841bc1576ed93a1d4ca8feee560125d08849763c517b216dd2795df5703d4270cbe27c97801de6c950f1b7b43045ca487f2a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
1c70ceb34efc6395483343250043fbc0

SHA1
bc0a4c211c11ce16c56fe752e378f4e3fe5de81d

SHA256
035300f10d356b30b44351bde1d82e9b3f24019b9fa0d8bbb846cd98c555f053

SHA512
d291f0d37c7c112335a728dddad271a876c8fec1a1c72cc2d5b60d41e696852fa1d0eba5fbe0771927e732e876ff51d856ebf0fd4df9f520d5a3aae6033f1dd9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
b51714a7fd76109bcc0b118824833948

SHA1
1fae7237028fa84c85c290e35c37f7fc4d15a341

SHA256
cf32c88b12818d992e904b7f77b5b3e895e994ce82e6bf6c3ffb852fd4d1bec2

SHA512
0d895bbad90b39d287d2c2d0defbd45ffef50df514021a2115c5cc5e222d76af1c4aa5867b9c1bd162a8004f8aff683a3265a04a1ff9cc7f1ba065deabe6ff53

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
a0de3535dc6fbc775e5e8c54fd478eff

SHA1
6d4eaf49630222a837efeb71a3862e0b5f80deae

SHA256
a2c28391d22c08960c1e99634a69a33c605c17a098a9e476acb07841ec4e534c

SHA512
7b99196a898ecb62b8ff03beb297973e1aa2691bd7c4e596f68e881544ad8d488adcc386c04db68c64d69be33bd1deeb496e7de743e5d75c91e5894f28122b0f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
9f18916a3dc82a3467037a74815f7688

SHA1
7e84ed43406b839e043584621a85d3e22fb05d38

SHA256
b636dbdcad50297fdadcb851df3da23961b8f9cd1b78e218f828dd5e228b25e3

SHA512
f079d312515f27b3b0f2d01760a7701526bdba02948f386f44408c5d9cc42d091a038adb32e7c294444ce57e1eb7d763a938d8c54ddcc66ac1481190cbb5edf0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
2d4fae57fcc0ceef3d24cfa42a73ad54

SHA1
2c573110031c0d5025f20e4e678b31b44908fbd9

SHA256
c197e871f1083ecaf1ff2c13b23a16790379dd931628baef2810f31477986db2

SHA512
0a1a01a55821ed92f6e568d25ab4289d71cf9f6d2841f2e4b1556989399048376a79ae70e223a71034e17c528d28ec28a7f558adbbdaf5c5b6f76b2e4e516d9b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
5de21c65d05217f549ecbe06387d33c9

SHA1
77e76f6090534a8d0189f63bff12081a439bbf56

SHA256
676bd1353a405eebb57c9309ae92abd43e708523567620cc0e2e78c5f8e469f0

SHA512
99db5d519e3726939b5dddc06b28d6499aef53bc6dffd4a0ca019868256b593a153044b79142f2bf1fc0fe9195f10f8f58d03398905b0dfee249443a4ed4a025

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
29af28f9ab47cc8e7fa558a48cfa6193

SHA1
d3ba0b8cbf0c30bf260c7ce55ee8fe5b6e5da388

SHA256
4a50d73d74ce002fa4e3453c03142c9844e26c6f136f26949c4e219aa4b3aab0

SHA512
4ff2a506b87a7b8a0cd8350761fc3b797e3c449f3130918edf27238d0ffc1f65e74a357fd9db4e2695b7018da7aa3623bcbfbc213e7bd98f6e1c20997d52431f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
1a076dea6291b97590f0e683fbef96bf

SHA1
4c66ad4364f39e43cdbec7197a0ec18dea708d92

SHA256
ee499a19804f2198eda9f76e5d79c448f0e29b70cbb538a3dd75699565ae735d

SHA512
bf1b7676b44f3610fd0b78dc00c73ec180d211d142c4a2440b608c71de9e7cc685b5c6b32ccf56412c453dd79c41c6dbfc169b4424eb590f4058a7a58d7c0591

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
8f43fe56880481a41f0628ccef491e42

SHA1
1d95af93d88d27375bec24fc8f3572493761a580

SHA256
4c80f9fa0e64e800d7b7e7fd67db527a24270b27b4f838451ecdf422122e711a

SHA512
6f810c8940a2d74feda6e73face4b604e601f8133663ac9552740a6fc1561248ed579ff88d9834cf768d585271ba6396f70fb195f8c6a902c2522421885bfe1e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
d9056b5966bde42af5112ac322f8095b

SHA1
e0c809bfd7d300db9c7bd67cb6c1b8abb8f8fb53

SHA256
cf424506fdad4b7953f82cb52645a699113e3f4682dcad696b80fb641381af19

SHA512
fc080b81de134b16a47f57f8de00a5ee9e99d6ccc05404146783b2b239b14f3da6a83c1865b51467cd9841fa3d41624798ec1510d83167df6d04e0dd2284d0a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
1fd3b0a0561905265cba456a6d0323ee

SHA1
6bf9f1b845ab2bfb7d3b5bc8988a7d7ff290649e

SHA256
e24a1bc36f5cd4afc96b8a647c48a40ce1c56d1cd73537ada6f45e7197cc3392

SHA512
84575381330ca11fabd34fe520ab15130c0f3371b7fa63875d68fc750f264e608bee39e249f2301fa23a32bd5175ed492dae47b0e6af10267cce37d60f632d38

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
a6a1637ecb7612e41f717c520e4f73ce

SHA1
25bb183b35a7cc5a137036599e3d9e71d30319c9

SHA256
650441d90d6b4aa563eab4b15b63bd4606f170f8403142d851b8fcdfcf113651

SHA512
60637d031f3b38838fd12f076b23be862ecb7397270846c5e13ced0fae3f13f29ffbb67988c15ee8ba35c6048f87baa8089d39cd66c0180c34d0e23d7c084aeb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
077784c29ce168b2c265a993753ceaab

SHA1
65d780047173d2568f880dfc98cd8c886c660e70

SHA256
e19b1f0d77a0875d2488acd8d0ecbebc1adb15e6194acf6cf9cd0bcb9b75a938

SHA512
0a8c8ded513508f9cd05ca1d71dfcbe7b76e172d095d27ab0e56ca7ab08da52582008233994139eebc3d9acc3b4051f2940a1f921cb59fb27f093167ddfd6e79

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
c389b34a7a72918ef2b540fdfbfa6b96

SHA1
3661a63c85ae21a8d7e00eb62b80c1c34523dade

SHA256
ec82625d457ad7d3a0a9d25ac10fd6c91bf001f3cb965a6572b5ea18f681d9ea

SHA512
1983aa6d1d9b4b4feb507c2b0980d8867b79f834e39bc41aad77fb6fcbb101e85d47cbaca522ba33bc5c4f1329924740051898daf819fd08bd2d5534114616fc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
8f654c8f076159195fdf45582fb49555

SHA1
d98535fb5bdf73920491c612a0a05f1dad8b707d

SHA256
53ab6dea34352584bb3c8cc41d39104f1a5fd97167b009d58b82280477da8175

SHA512
b97cf75f955f9e5f687a3943e496430db747c7509aec9a0ba1050ece151987e16795e1494ff2bc8427826e601cb08d89f7dc3ff9968e2f658ab4774db9cc4b6f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
8784f4e41d0b4cc0dea6daa1ef1b2b21

SHA1
1fe436805d377fc0ec8467650cc535629af74564

SHA256
a902203ca9b2391313c725e5115da6be663195afa727d125ee698f8c5796cd20

SHA512
eb442c29870d4375dc8daf7c0fe109caf051d70ecb7af8e85e508b342943fe8a10ec3905a34f2bd53b6940b85299ad4abfd77360db4ab90e4b6a3b3b65b2ab5f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
349c0f22befaedbb2cc0ad1946c69867

SHA1
c83ab7ddbf77abca979210aa33016129e31ee781

SHA256
a54fdeb3a844ad95194347e44c238e6622e8f6f146f7f74c0e6c0dfdf26b78e8

SHA512
59086f5f6b094f4f6ac18a93d5e4991717754da1a5369dec52e917dca726663cae1ebb8d4eae11c348e9dd27f20dab5a8dce80c36641e48df4bee8275eb3f880

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
67259c23f413067fb906d8f4cd0d439f

SHA1
193290c5dd8677384a884e134445a69b00fa1ac8

SHA256
ce7be9c2e690d0a4f5cb3881c67be1f3e66b334a4f6c9a424c5d89b46e778206

SHA512
c400cae14494daa661807122f6e21c0301e023d252fa48921b15868e3fe25c82b7cdd27e1bd2fb97897c10771e63fbb024626670ccc32439ce54b8ca26ad580b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
b79157988ddc123575c875fc2fe6cb39

SHA1
5798c0ab9d7cfef7e008ae1b44bbca070848e028

SHA256
1374f3e75a18879e0f485812a1706d761c64d982a5906d0a8adb590314ec8f65

SHA512
ce1f0c03ffc02667acb43112490882d9ba9186147521f0d1024a96b87cfc041216467dee58278934abbd25a3fe0e242e5e208ad2665181713fc9be6f111fd588

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
5b348660222e0edef2e8aa4bc3cdf5c2

SHA1
5145b2098e5c5ed367109725fdba5b8a0b35b357

SHA256
c8d076bd4342e9e524a13b13bb4dbac76af5d991defe8b46c33452475b661bed

SHA512
5681e3c1cf5c7856bfe123431fca62c1c844987e85b0076f8c973065718b601fe794355a9d0d350c68eaf02f4caf67fa05b235ae308b98d226148e2aed01eff7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
cadea97cdfb3e575db0165eea299304f

SHA1
0a79ef7a0d9a34a27e039c559f602c2af15b3ee3

SHA256
32dbc0da2979fce2ea041a7a7529fef7adc6582eb13bd664e428ef2d69e1b8b1

SHA512
2b269998cc281a729909ec84c7103a0d7c4f724a6c874390d1d5e9d4ed84c66debaaad813d6b4791196c51366ef9e58d6b380ddbe0d0c431cd8244af2564a465

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
bbf088b9d580c8a7e163f2c2948d3e7d

SHA1
582703be21cfb2e548a0122873f1d46b8db7b735

SHA256
60e43e1529c1ca4debe5ca6fa14dd573763cda3715c4212df994c359b6b25075

SHA512
b46714d891e0197702285d0d2fae7058b896df2bb26e5dd0a60472cd37985a80bcaa0f1cc9086451649ae059f959bc2ba11b67342e8acc16a5309990ab8b0296

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
21118987827ee279efdeafc4899a2098

SHA1
45c0779e734390eb947294ea9ae07e6dfd2f6b8f

SHA256
87bfd7b4558987ce7afdeafc8e861e6d45f2e3156bc8b1d9053d7b54152d9178

SHA512
7778f83f23682bb796690a98af06494277421d345f47ca69db97ef071aee3dbd230d2e1e21f2df9f19c0d1217120f2b49ceb4f766db050b05801dfac5e780e96

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
9444b628398b97e58fc6926cbbe144c1

SHA1
465714927ca70163de4b4078fbd278a869b9f6dc

SHA256
f14161766699111eb5354d95c2078587aa9868d77f0fcc3637d3e84cc32d182d

SHA512
eb28c546b58c86280e326dbebf1ff064f931d815ec770919b38a7c3f9ead4691a8d86df237539a29a3c9d046711d5da8ba4fd14dac051f21c675a89e5b2bf4a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
1e9884906ebe670564ea52aa0fa3c0fa

SHA1
284ec463ca73c4b32469f6134e80dc78152fefa1

SHA256
e6fe114cfe065dcf855b621db2b5db390e4e2d611c219b2c87da3dd114f36182

SHA512
c3108e9ddb9876b8b170a3aed2b3ef2850087c94ec0fccd4590cedffaa2b3612aa5cd567f087ee250dc83bdf43cd1d0723c34b0dc42acc80865fe31c37593657

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
2d5ee90679e27e75ddcc3d29ea8d9b8d

SHA1
c58b851629b8236da2c39097eba3c35cf7ca417b

SHA256
801afb0a7a076e42cb1733cdb18a709c374db9885faa56e5ce7f9b39b6f9d1e5

SHA512
3c45f28b00b8ebd7467a83f4dec956f979cb49024e25e87e86401bb41173d45818c3d3c692d9b50806932444cdd561b1e7f21a04668bd12fd102d311f090eb42

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
e18d29d45f3a54ed6783e10a27fea9f5

SHA1
cc7e939f6bb89794b001b4da584cc7a04af66865

SHA256
80394fbc5a4975f7a3776af00c3372315d1f3f2f90415582d3b2c0bb630c2d10

SHA512
5e9e1fa0c99c6799ca08b63a1c1f691af137d0927e88b4c37c4067e79172122130c6aeacb2429bf2b2b5da208364346a08dde595132f2547781739cb9b1f685c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
10c730674e3cb861b1f890d89cbe7dff

SHA1
e8a2ba1151b1077bb145a74cd75d1e5030bf8524

SHA256
75876535b683d6ea61ec09a5aac7948197a77f08c22bcd747da3be98842fdba9

SHA512
b3cce5cc8ceb88df3eb6582021dd06db65e1132e0a579af9247bc0f8c177e4480d5dc8feeb8fe9ee783a558400e4f0a255e574959e2c139be7af4ae2428e6f4e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
ec44d6edeb9fc35f60314c9ec2e76d86

SHA1
2de98b6ae7b5e58e6fd2b5ec8e471e4e2bb30e9f

SHA256
f5847a6b476a6ac9f6b47304cf876be9e55d56885e6fe55c31daebd2d701094c

SHA512
bee8249b79ebc27a1a36cfafdc9e678c6936ec58b28c5ba37b2d20e5be0e18a1283b3787da7cc62eb562c494a68c033f2beb34fafce6831be703337204a90062

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
b666f832de3ce5a4863c1e5c4d9529fb

SHA1
d2b2131b1b802cddf72e2a79cd446ee82e028417

SHA256
b7d6649f66b5ae60d9403b94361bceeaafc93023395f8497dc33156f3cc866d3

SHA512
22e41278d5a2adc0de0f74d8685863c3d928924ce606c34b5e793931e73a338c43606e71dc776ed94ea9a7c65616cfb1d68d07a9595015b0596bb097abd8abd2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
889d365126f9bf49294e176366f0ddc1

SHA1
d62ffd9e0662a5c5c752a723128a638a8ac97829

SHA256
54839debf8663562d100cabe3615cd4355db5ad79db06a155d32876e21cea01e

SHA512
7e51c5a45bf558b76d4589f2154ac317c2818aef062813367179874850d73b21826447e8bb928ee417b1524f8b1d0a767a45e10b4104e81f66ec9ac3f2b28729

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
794e3cfdbbaefd465ec7126c8c5830aa

SHA1
a0e343409dea6d9a4de42075d7442f3c9c988e47

SHA256
9e6217410afc3e159a9b2264f4ddb96d7c0128f5f689dbe93469e4cfe57fa951

SHA512
f39e00e9c842bdc24f83f7c8bf09b29127ea7dbee922327eacc9c6fca16115b98d606d665cbb900a50077b00290293b63f1a8b8e88a9c49ff83cd5750865353b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
958382f1b8682415cfa3c684e477297c

SHA1
66fe6e8b2e447f6740a99ca3b93f2fd80498caa2

SHA256
c338ea3925336afec5f8813469dc597a7353012bb8ab5f645eca605c2a12e621

SHA512
964a3dbd5f8ebe90150fb9f3b8805d80d1d5b581ac1811c16783b4a8c950b4d80ce3dcd9582ad11703334bd5f68e95fd7b3249efa8ec0f9893a40e831c349ca6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
36442848cbfe22dbb334e942dcb3c2c5

SHA1
9d63acb3bd7b0d0262cc4a2092893eaf8329e94a

SHA256
276fde1a484d2cd2b729c197be78355e5db45ae072795ddcc63d2bab513a9daa

SHA512
56d1cbea6ebda0c11c812852e5943440adfc4eb570d60f389e85c2cbae51a9fea64f8db67d0e15fb32c79a101190211eade659e7d9fe7bce8b3e9b926a46fb17

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
ac46fc45e0b07ec0724d0d9a6dcda9c9

SHA1
5dce99d503639e020ad1e91bdff0e7126cd317db

SHA256
d42de75f30e02c73654530dec3a3ed2122e22bb8ee12408fbcd75d1c20a6c5ae

SHA512
a93b144337f7d30589c846d0a8cff3b18fad81e58b7b12077e60b3419051853c6e82522f329945eb2c992307688c200231b14be0050fa8997be848fce0ccc73e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9bf65002fb7ad17332e2057ab658cfe3

SHA1
4095706d25c509150d5b32337d44a0fdcc494c49

SHA256
52eea01a990bd26ca07d9973d07d00059f62f6bcf6fdc494f14378d7c1c2aa33

SHA512
ec6b5a9bad7170fd228754aa497f63b6761de77f2fa960d1d871fa6e953beb1b123f41623e867194e74f14079fa894b48432d527f8264af87e0019580d0c4b03

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
86de0beb89431de11789813a018c6265

SHA1
dd5818805230894fb98b1bdddb4519949f3049e3

SHA256
a1738fb64fca8680ba05d664e6ae2d8b515b3b131ba219e445fa93318139534a

SHA512
83f1b3fda4712b47e5b77dac42e8980d879239e01e57925e5b3c3c381d13d4e4bc009d715ca60f3682013688c78504d10ecd4b056a0822e78432a6b8428c75d1

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
1ec7720aa8df8b1ccc34d0e7d5c81317

SHA1
48575ee1738a6baabb915692de56ab789f9b5bb5

SHA256
969e4dcccb7246bfbbf53703bb8b0a5df3fa194cabfa54ca0e0726be65beb923

SHA512
65776f9db7c479bfbcd9b009995ee58da50c8ffb30c75dd2298870f08819a3bb494e71e933a34e887dadbc07b5028661b0cce74ffee2a00c959c8d3cce0d61e1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
696a2e4682f5d31c62193b9558fd35c8

SHA1
a08ead3fc04fff046fbd93f4f81b60ab05bd7c4a

SHA256
dbdabe9bafb1f547a3265b7b072e6881efbfcf4862f4ea4914a86d49ab14ee1a

SHA512
2087a8160be43d29beda8d71db7a94ffcb5b9eaf443ea486048c76bcb88f1171506973f07b65dfe2a72edcde0f1b1734329c4c6a03dfd9f03e3500041da0215c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
d3bb9bf59060285ac0b37269d65fe587

SHA1
a62fb2b3dcdf1b8c244c4f6dea1b7229d00f3f88

SHA256
b7e306d1494469d0e80777ff675d7668cbfbb871fdb129df529ac69bd772c22a

SHA512
89873ead0025fff3c9cc704bc0a44210fe59082d3895c08ac95175fb12da58acb188412246d5376c9b547395866e0f0123e44d816a32b2920d37788928b24b56

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
a1fe0ebc289aed0e1b8b55a5a315e25e

SHA1
49b3189b80c2c74b0d6d77549916f9a900045b45

SHA256
3274f37f05facd148084e0fe6cb754083a6d1d0c4e6f50ffc301ae63f2724324

SHA512
f2847bbb42024e3a61c4143992003bd7fd609e52a34eddea52b6060405e39ba5c4f44e182f720a919c85cf7e07470359833a1a9a82ac7184ccaf4138f46ec436

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
9efa2168f48f4595241f4633809a4aba

SHA1
23c641fbdaea11e0a07ce119efe0583d57df1797

SHA256
dfe78b8e9c5fb8c320afcba47d05008497f4b8762738d739850f70800785b79f

SHA512
11884a114706a53b972b9221367dd0461fdf433cb04871534149cb7b01c5f88aca71fe1ba49622999dcbf343c8ba0e33ca2f146a6273ecf794fa9174bb43393b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
e2c8afab75bfdc6f04e5c1ee3f88aac6

SHA1
426cecd3392145fbc52daf1b8e2150b56a155624

SHA256
3fa3fbc704a9f722525a8bbca2aa65c0e4dffeb639f10e734cf2370b1ce8758b

SHA512
ef891f64c440a6b1205e6ab564b583cfbecbb303e23164c244a321cd37a66cb802fba797877e89ed83ee032940eef24556903bf5d831ebd49479fca4981ec923

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
24a58c4cdb9075b5fe629da1d485dbad

SHA1
10a2d4db197095a8db90378d98bf3e0ebf2a7c8b

SHA256
eb811fbb55e54193db0a8ef9438545dd09c126f470216420b9bc01682933db08

SHA512
25daaf2214afe3a29f84dd3bd9bebf7a222a6dad1623c5aa46b6c198f4d59a1b11a650ced6b073c8e50340c32768c264cfb0fe667b2bd99b39795e90c6eac715

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
6a3e41b437c7d36fa312e1ef8bb1031f

SHA1
510cf5866f9857e793acb6e713237668d5edeaa5

SHA256
5bd6449a9fecca3cb068b518abb2023524c5aaa19fde898e098e67f5dd19d40b

SHA512
be27d80a2c76386ccb745df718d529fdaa3a6dd51e12dab9bb98d2d0a487711de91883b08f535415bc9ac7eadda953007916c0314d438813bc695d5bee3a7e70

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
eeefd2109a72adbac4b1ee55c4848426

SHA1
89574d483896d3974a8b8c1827093b1034123193

SHA256
ab67fd1cd041602bb9018b0013f215d0e3fa97fcc978aa154b7ea5e4c6d09e53

SHA512
870e363d83e6745e27fc6d7cf68eea1d0234a803e87ffb35b05b081c11764c01f9f9d540407a25ac2eaf8f2bb0d13a0bb22425fd4e8e85107f972d69d620706f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
f2a6c2f1b473c0a8ed4475c2fb2a1626

SHA1
9183827e5c624048fe6811aed957a9e4861b18cf

SHA256
8b0a9b26132f12d58f53a70b549f66b0da94e4c22373b6b83cc38798391409c9

SHA512
fd6d4b09cf32be44b4ca1a7eb95b8f437ed9089eaf2570dbc2e0050cb0fc960db967961713158bbd6d00349344c25aeb3bdfbfe278c906d3577210a484b5d83b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
20ce47b67ae6c80decbfc735caa4520a

SHA1
868f791a22e14436fec25a304c7c2a3b651ce507

SHA256
5543f80ee05158eaef3fa3bc5acf70a13c374e53a4126249d963606546a9b022

SHA512
7d6a7c69cac99427446898ab915baa118f3289bff9728b05f5a945deb7cc6f7cdcfcedecab7c6f2c3d10fc6f0b72eabd7fe7d37acb3255c2f8145c4fa903048e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
a08c6ec4e542427ac1d6e5e56eec62b4

SHA1
b67e18dcadbb70671ddfe82cf83a22d09cf1e8ba

SHA256
851817efd454f78bea5a2d48838a0567687645b784ef6b27b69ee652876050b7

SHA512
98b3e5e8a72076abc38910cc2dbc43102cd53b6b4b36a50f290364de4e56f9ffb20c9306274d3df00417d7ee1b5ae12ed5a1cb5c28c0d19476f2c2b72351193e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
9bf63a8421cbfe4d69342ee9dd66a25c

SHA1
e8b229ac6e6bc86b7abdab5bc6ab9c5459822481

SHA256
2c2cdb6c7aa3b869c60286edca5e333a3b5b0c302f67c0bca27934a5378d6180

SHA512
d174d199a824302d5561d4d1cb3bec16eb2b2da5448d66775f69abac61dd9f78b2f1eddfbebaa77292c2c364fca8bf557b9d175b371d13af64dca19376d0f305

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
b4fb27305948b2a2d38da18af1a4ea54

SHA1
2d7cf7a3b794b03edf88624bf8bced05e8e8c2f8

SHA256
716e122d7e771cda7351cc98141a2a809baeed5d3a9efdbb27aa93f569cdf25a

SHA512
c74c0f024046495e5ca864d851e5d7896b214bfca80bf64d114dd81c4e36b5a1734f7a1a531b368585192e8f55ef9d8fbae902ca7f5c8190de5ff4cc8bced60f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
56b5bed2479d77e8ac0d900cff674ee6

SHA1
f04ba203a3d99062e26574ce00916a6221cff6dd

SHA256
90a3d0bbc840b5bc146b82f24db797f53bda54d8a94245450de85cc0c3f48abb

SHA512
c1f943084a7ea401df870d2e5075bd9d0ab8085de0af9751fc4a99a3cc36a97f7b5fe9f2a92876d8ce8cd8543178bc73d53c2c44c557ae1b09ce92941241445a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
77e33241c12c95522afadb3f931a4288

SHA1
80996dc931cba7c512598774c30b78422d72d6f7

SHA256
7ec8a7aa7d851df01dd5cfacec192f10e663b03a3ebc7798fae095d480c4f8b5

SHA512
f0808ba5895b573bc71a0f80ec4882891906bc4c9bdd58f1ed4cd48d33157b0702feab31f30065784a58d500ccb9157ee87d11a39fda83d1d6eae66883f3d7ff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
bf46e9bda396be6f1aa9550049bb2446

SHA1
947caa537ac9633a123220e424029fb3a786eb40

SHA256
6fecb0dd8c9d7b54fb0843535ec81eb1b3ac59992ff1b9b231c6f10f4199a69b

SHA512
c38543feaec92b0a4f83c0753e02dcad681c30c40aa3b3e05122fb6dd70ee7727c2095914f06cc99088ef0e883ddd0304bc1ade0f7952b387231d1589ebe8ab4

Download Submit
memory/2520-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2520-8883-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2520-8882-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2520-9111-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2520-9112-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2520-9113-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads