xorist | 5103d7f1f440612cc2d47a6eb0623ba6e3ef972e0ed11b4414d447b39aeb9259

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe
Size

1.2MB
MD5

95c9c8a661ecbf7a55c4b7c43cda7ff0
SHA1

aef02da80b9727848838ed2446a22ea86fec8c91
SHA256

5103d7f1f440612cc2d47a6eb0623ba6e3ef972e0ed11b4414d447b39aeb9259
SHA512

23d5ac67183f2971a5ddebf108be7132075531718457ef52e2c3e8b15aaa8eab05cb2b686ad4b7ebd641bb306394155092bc5df3834362be18d266e231aa70ef
SSDEEP

768:k7Dviojm1hAJFeolguCMBadnpGuP16GJtT:k/2U1lHb4ouN6GvT

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/1140-16-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1140-9011-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1140-9012-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1140-9025-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1140-9026-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2188) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	mog.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe

Executes dropped EXE 1 IoCs

pid	Process
1140	mog.exe

Loads dropped DLL 2 IoCs

pid	Process
1672	95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe
1672	95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dms4sut3ZNms53q.exe"	mog.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_neutral_3500779911f7f3ca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_neutral_f91980f20f3112ed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnne30a.inf_amd64_ja-jp_b2245ba886355a9f\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_aliases.help.txt	mog.exe
File created	C:\Windows\SysWOW64\Dism\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwifibus.inf_amd64_neutral_9d0740f32ce81d24\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\ru-RU\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_type_operators.help.txt	mog.exe
File created	C:\Windows\SysWOW64\DriverStore\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Parsing.help.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_preference_variables.help.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_trap.help.txt	mog.exe
File created	C:\Windows\SysWOW64\winrm\040C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angel64.inf_amd64_neutral_6bed16c93db1ccf3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00d.inf_amd64_neutral_0600b2ba575729f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-OfflineFiles-DL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Assignment_Operators.help.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_arrays.help.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\de-DE\about_BITS_Cmdlets.help.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj3.inf_amd64_neutral_7e1053ab483310f6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdmtp.inf_amd64_neutral_28f06ca2e38e8979\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\040c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Language_Keywords.help.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdcm5.inf_amd64_neutral_0bb09f3e5a59f3a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_FAQ.help.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_For.help.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_FAQ.help.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_WS-Management_Cmdlets.help.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmatm2k.inf_amd64_neutral_64a8fb018ead55a7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbtmdm.inf_amd64_neutral_2e4da8629fc5904e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx009.inf_amd64_neutral_d4b76afd08f308fb\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxfalpal_ibv64.inf_amd64_neutral_4c42ac5f00413365\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnova.inf_amd64_neutral_b52d8db82d8c3be9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_requires.help.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Windows_PowerShell_2.0.help.txt	mog.exe
File created	C:\Windows\SysWOW64\DriverStore\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_amd64_neutral_dd659ed032d28a14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0007\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\System32\DriverStore\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scopes.help.txt	mog.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\IME\imekr8\dicts\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_debuggers.help.txt	mog.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0010\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_script_internationalization.help.txt	mog.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015dc3-3.dat	upx
behavioral1/memory/1140-16-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1140-9011-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1140-9012-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1140-9025-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1140-9026-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21318_.GIF	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\UserControl.zip	mog.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png	mog.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	mog.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG	mog.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP	mog.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-docked.png	mog.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png	mog.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	mog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Interface.zip	mog.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp	mog.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png	mog.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	mog.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	mog.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	mog.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Program Files\Windows Mail\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png	mog.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR47F.GIF	mog.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_output\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp	mog.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	mog.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png	mog.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png	mog.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg	mog.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\THMBNAIL.PNG	mog.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html	mog.exe
File created	C:\Program Files\Java\jre7\lib\security\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF	mog.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png	mog.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	mog.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\43.png	mog.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	mog.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15136_.GIF	mog.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png	mog.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv	mog.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_MSIL\System.Core.resources\3.5.0.0_es_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-fax-common.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aff85da884c1c36e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-managementconsole_31bf3856ad364e35_6.1.7600.16385_none_ee1d395a09294464\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-themecpl_31bf3856ad364e35_6.1.7601.17514_none_54f35b041d144465\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ewall-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d6c694821c5618c0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-system.data.services.design_31bf3856ad364e35_6.1.7601.17514_none_57f64808c4ad1ed1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\msil_system.data.services.design.resources_b77a5c561934e089_6.1.7601.17514_ja-jp_c2cd124fbd8fe089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_ab6782291b0ca7be\buttonUp_Off.png	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sysdmremote.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0743e6fa5b05a465\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_es-es_29826b65facd5de8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..rityzones.resources_31bf3856ad364e35_8.0.7600.16385_en-us_89134efab9cef638\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_prnca00c.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1f38a8d85141d004\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasmprddm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d786c9d638c838ad\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1564d79270d6651c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-u..-core-tsp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6e0196326b6718e7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..elsupport.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c8b14f4212bb6712\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f738b35ae7fc9409\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_srpuxnativesnapin_31bf3856ad364e35_6.1.7600.16385_none_447807b31b9d298e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-t..-coreinkrecognition_31bf3856ad364e35_6.1.7600.16385_none_53e1dd9e49047bb6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dssec_31bf3856ad364e35_6.1.7600.16385_none_5a3c2da65ddb680f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..ion-agent.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b84244e51975b866\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-securestartup_31bf3856ad364e35_6.1.7600.16385_none_c922e7c7a7c903d5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\678932d0c6c5ff6417c634eea99931f0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_netfx-shfusion_res_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_32eab9f37400f61e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\da5da08245467818759aa44c4eb948e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\Boot\EFI\fi-FI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dwm-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_19862df907590cd6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ntservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0ed9b0b44700e5cb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-snmp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a2ae934ba06cca16\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1987390f017a5bf9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..tore-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_af15d02a5a7fcb4f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wlangpclient_31bf3856ad364e35_6.1.7600.16385_none_b87b9d5131eccecb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-compact.resources_31bf3856ad364e35_6.1.7600.16385_en-us_29b7d82b94f046f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_rawsilo.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a026d78a5b0b2e88\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.iscsi_init.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3e6d766787efdb75\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\msil_microsoft.windows.d..otingpack.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_5e0447f42bcf99db\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-uiribbon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_33ca509b38470ebb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-mdac-oledb-stub-rb_31bf3856ad364e35_6.1.7600.16385_none_f1293e82d1d4041c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dot3ui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0cf656045fb19cc9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_prnod002.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e49b0017c31c4dbd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-irprops.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1c622e88915b630e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\inf\.NETFramework\0C0A\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmpdmc-ux.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e4b25cd32e356f5d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1172d366ebaa01d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\msil_microsoft.powershell.gpowershell_31bf3856ad364e35_6.1.7600.16385_none_c733b6c1d1d8ad54\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..rolviewer.resources_31bf3856ad364e35_11.2.9600.16428_en-us_28ac906f194ebaac\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\inf\aspnet_state\0404\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-windowsfirewall-adm_31bf3856ad364e35_6.1.7600.16385_none_e6508032a8d2c091\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ck-legacy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a2a13bd60c8180bb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\62765bb26133f581e10bb7c866f35c83\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\settings_left_hover.png	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..trics-sensoradapter_31bf3856ad364e35_6.1.7600.16385_none_6fa6b9c88f2a3ba1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..layer-vis.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2ea33660333d4ea6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\diagnostics\system\Audio\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ardplugin.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f9195b60fdea3e26\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-getmac.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a1aad48480a13372\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_prnep00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_96efb0715b3ab4ec\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_prnlx003.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_812e88067f43e93a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\msil_microsoft.web.manag..nt.aspnet.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8b9e99b408da8463\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ent-accountidentity_31bf3856ad364e35_6.1.7600.16385_none_44d0906fc7b835f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Print complete.wav	mog.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-r..izard-mui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1af6befccca22aeb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel\8.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-stobject.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_2242e72b1e80255a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	mog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mog.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	mog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "CFLABCYXEHTPLCP"	mog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\ = "CRYPTED!"	mog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dms4sut3ZNms53q.exe,0"	mog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell\open\command	mog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dms4sut3ZNms53q.exe"	mog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP	mog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\DefaultIcon	mog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell	mog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CFLABCYXEHTPLCP\shell\open	mog.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1140	1672	95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe	30
PID 1672 wrote to memory of 1140	1672	95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe	30
PID 1672 wrote to memory of 1140	1672	95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe	30
PID 1672 wrote to memory of 1140	1672	95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95c9c8a661ecbf7a55c4b7c43cda7ff0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\mog.exe
  "C:\Users\Admin\AppData\Local\Temp\mog.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
288B

MD5
520c33eb1996d5f944bf2c0c20d22990

SHA1
d0957414458c49b914801432034da925012f0b07

SHA256
414ac5be57488b7cb56b3e9ad509ee2eb73a510bdb3892973a9d42bfdae427e6

SHA512
c689a9b2fa329ac6c02f939ea011187322adc2fc20a9117f872a27ede4e366f8bab23b55145436bf49cc9b4161f49ce442affa31777e694d540dbd3106ba27d6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
eb17a0f559c8c2086014fba9733409c4

SHA1
3e16c9f19790bd2b7bce306c746cbe74d2145f3a

SHA256
ef780e290bbcc56e263a39c123d285decb9bfe9dae8389e91306c0684bfd0795

SHA512
7ef37bf6de98a3515947fef1ff19bd5e339a5fb79ff67557265c7255f724038b84951f0608d6cbd11a65d89cd76c0d4c2ab9225953ded6206db67889afa38e2e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
6668330c550ea58081cb08e90b9a32e4

SHA1
98dc4ad4df7ced54b04cd2dc468f7672db2160ed

SHA256
53929a1b416a50f0569926fcc7f882b5d9054a82c5f351a4d540df0826d9dd80

SHA512
7a7a752eaf4939dffffb47c18fa9b8166460b94216fb71470db013b6c54eb22385760620c909b6dbd44b5b7b6e2fd18e6513be6e2b50c6dfed3cc2d194ec4f95

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
a6a537b66537db9ff229f56a10c2ea67

SHA1
3d87ca7136a3a0fba8a66b6fe2a14a2607709c95

SHA256
11071bba8f898a8b7a4d6bacd37103fb70748bc6ec999fd5a941ec73f4d5212d

SHA512
cb59c37883a646023bbb18fb52487127a04c9cac5bffb2038016adb232cb43e25ff05ae5d18f2cf3c08a8224b3c28c269dd2bcf508e8a6bd686c508829f2585e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
2906b6c171d6d79a84ede2722ba572af

SHA1
640d1374c98be1ada826a3b2bd289d4db4c58643

SHA256
87fed3f5663db6e3d48424f63b903670c2735f2b7cac1dc6e14898c7605995df

SHA512
7a81aca71f2155d88281d1478bfea53f4a1c9acb25186e1d59f399623a9f8b762014937493c64bd72411345d4eebe794f515223fcd3b14212204610a2d2c2b4c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
6c5e259d581f1b07fdf7264395839674

SHA1
4579f1ca1eab8b1898a1c108adf05ee3f2af4b8e

SHA256
221e1fb01fc4d3519fd7f65a9a2c131497a0ab66a83c54aa6b16dc392196554e

SHA512
8532d621d896fffbbe13467a42c1279f41c5cb281e03a549ee2a7153aaa05c6a185d984a6b6c3c41e7caa8fb27af35bd9b78838cae8a773be97482b487e6c467

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
edaa486ba8d524758158502c8db5e60c

SHA1
68f3f3bbb0ffae362994f239b35640dfe4b57f98

SHA256
b5c8ed229e1bcc1c401573276fb2702ade93a7d3cce57cfb92d0b992b1365c9c

SHA512
1b79a8e3fef144ae0f9ae4216d764f7a3ceae6cbea2f5c56b1bd9e2cf9420013efb617ccfb4d06dac0529927ced05b4ba0cebf197a97d75ff27e0c3775128432

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
fe0656fd860eac859a45583829f25f32

SHA1
5811a45547ed34b5d45acd76c43fa604b158ad6b

SHA256
4d0d4852005f5bdb6e981483a6874865356396dfb36da4ddd7d2e1cc775ebb05

SHA512
06cba66af15b36d944bc1dbfed6c2214e32ea5975ad5472c2d251ce110bac2b1d9a25fa306207ea09c63de0faf3f1cc799e68dac62d0e2189010649476d5a7a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
56181148a3435f6f8ed1a5fc0db40438

SHA1
99385be4a17ce9e2c2ca962e7880eb0e4cae5c8c

SHA256
6b3f19cbaf42c427c1d826d75b97e90293de5d2701f6c016be2cfb777958ba56

SHA512
859d7dfe2ebbadbe04516ed3a19833e1c727aed1ca36233b950456561d70f3ee3135535dff934fdd6935256b0236e4f72bea7e1270a66c0849955d5006d9b678

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
1de6d81b3e249393b67b132d6d120172

SHA1
481ab1643b93974014b22907a8263c44104a687d

SHA256
e647e69317a08eebe73016afb69bf6dabef74343ab82f8ca65d8feaa7ce22861

SHA512
4b70233a2ce748f60e1999c49f74937b3ae28747e438f02e06af48b43df5befeb9a7fecdd02fefa0474d756b236bdb891efb96ec32e495b9ae94c6046457e147

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
71ca21a5dbbb9af0d7cb2deac9952928

SHA1
59469717f9df1eaac4667f40d8dc294919fa644a

SHA256
1e008682dbb963c0e190637bf954862924d79b9d7e7b073715abcc94f6806eb0

SHA512
341445350bf9693443b926bd1046411e62e11e133a442a35e8716fa275160cff2695ba990eb9123d12bd0d1aeeb517a2e7fe37bfde810c8694103ff5012f36e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
eede3a8234e00e50d0b877c1860a927e

SHA1
09c2e33cb50639fb7172aeb4e87cc12a65c54c95

SHA256
42d45beb64580942c4c1f9fa5f9209a1af61a32c08144714ca0fdcc951895569

SHA512
4ffc862b9c0e3a25075fded68e8d79aca8ab2604b38611c5c746b0dcb4050082f495f69dc555d0b26effd51345605c56f5064132bb374598f8bb7333002d76c8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
09ac001e75e9cd0d78ae2f039c262ccb

SHA1
c640bb9341770bbc521202fd142a47447581a25b

SHA256
3f2adb2578cdb621cab02e4e7a797107d69b8abf2dc29390c963ca8391e70f3b

SHA512
2856ac2700b0c1bd57d75a8534f149c686bf7b5a30cdc6489f7557cbaeea8d7da49d76113b6562cab9200150a64a06d3695a7519b96d155b72fd4f97fc3ea2da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
5af5900afec66f404404e91f68ac37a5

SHA1
72bdd977397255ef745bb5ebb079ced3e1c166b1

SHA256
aa764802ac716ec4be022c0899aa0c7f2834a7af373500dcb685bfa22db0b7c3

SHA512
8252652c6e6d422c50be6ef529026bc0de99ed8189de95bd68a4e5cb338d3c07709bd19cc7a44648a127643740688677e564d8381ca63e83a71ffd5e5bddc73f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
596277b8a20406ad6362549da2871872

SHA1
98c1be4affb93bf026a3e49816c7bd240bfd204e

SHA256
77d1e2272ee1e9d18dcef22dbff55c8bc476544854ba5ac54ef906bf6f31dc2b

SHA512
5db29a01e5bb8a75ad01da35025cd1bbdf3edf7eb4383455e8d75f45583809a03a8c90eb24505368f02372adf374560084e2a5b2a69aaa7a80c2e3874b555274

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
44cbab13c375f254806264e37fb68cb6

SHA1
8b26641ec22f861b0549fa6654fc45c6afe3d067

SHA256
5942691736e5918f938d20e027c8e2a40950e47cbf5f1e7a453364de47458567

SHA512
32af650e514a4c65b1204ff008c3099d4f5f598322be8cf435132ee6e578174b9bddc0680ff765699bac178b4e02739d44bd923b46581b4ac276b06060eac539

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
9323df19153feae4b7dddfc777ad3173

SHA1
714cab090d1a7ccc6a0e3d402907b1955d6dea30

SHA256
da6a42ab0a9e1441c5f1388b0cab094f296c7b342b7d0c7536b7f487e1095acf

SHA512
55dd2bcd3ee54219ce25c545ad0eb24be380631b60eb42fa0996e6f343256879cda0defeaf4bd815008a50fa0ecee410cdf6dadb67b1a09437c961a5c3f3d9e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
4d216cd7085f21a3e815b278a7a03830

SHA1
8dee49a6288146636b67fccde75829b5acd7222f

SHA256
43ca4e7cb1c459eae3b6c7dd8acc330676e7291d8a05127c9160630fec36a7fe

SHA512
8485113183bbca35e03dc5bb56d44ad5080fc4f30e2d22dd804a1d3be77604f0f020626e350c98e668005733b4ca994feda0c25d0ee46445e446d7319dcb4ff6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
94c2596769ba36ce1d39c010b0bc2a9d

SHA1
ad953100f7c998b44cf4b471498ee26d8de15b13

SHA256
c8090e5e449c523cedea30ce0a022028aae64dc56f12c39948d9c2331a0505ad

SHA512
84d8dfa44816163dccd08dac0cd1dbe4703dc76ad661959c7747e6deb2342f9557b39995e68872b8bc030c6e50b1fbae7fcc2bc2073b39d62328f9e072004c7a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
186ad01f2035eff8180a5a71d1c9e5fd

SHA1
1b8c989701eff2622fe154b20838ed6c2115825a

SHA256
af75b4fc3e87ce12b0350c8aeb6f4f748b3af5124cbff3939968c55ad8721397

SHA512
231f1485f2ec36fba1ad3ac168ca0918d56ac103dc4d307ff86ffea10a6278ac38dc6d3ffb63b8c90a852273eb9a58f366bc576fd987e66e004edf2e47673e43

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
96e43971d423cdd693d27fa5cfda6da4

SHA1
76e90211066658bbeee367b10927658da6e54f84

SHA256
fcb9bb4e6df23dc2e22c4f0043bdc26a37c485f7a0d5bf4da06942ba6eeac6e9

SHA512
6aba665e501aff2f71f1bfe2d37df9226f0b7c25c7370d833b763aa2e2c4bf04401c520e273285c41093228c126c7da4c181a871b38274b5d095dcbb4430a405

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
6a3e2c54251f9d1ce61c4dc121b64ded

SHA1
cc656fa50ac3346c4b7843cc989978df4cadc1f8

SHA256
659971462045053b0bcd35ea506dda2b9ebc4affbd0c916dc8e79a2f810a55f6

SHA512
ce2afd5ab3b9155ffbbfdb975c9cf7e61b421d8e22fc925a1ff452ca7da92d70f6b7b9031ec3f894c11d1578982c187ef178afce6118a07ee8bbed55480c8502

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
7e0ab98f03c56011bb43d17fb74f4d0d

SHA1
e32fda5e0cb83c93abd585b43bec2e9dc93e520a

SHA256
4a75155cafa8b074ae7fe69c2ecca94d1f7e7c6f01a4c2245b9363513ea84016

SHA512
e8902e1af9a12eec749bbe0634b32b4928d3503003c92cad19c0db843b8eb543fbd3f7646bcf3a65b194468496661ba23d0855780536a280a821091ce01785a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
4ac83d0ccf387c99d5a0a99a6cc2c7fc

SHA1
7ede4c8bb1d5a21a9f0c5d58215fa4213b87ea8d

SHA256
f6e0081e3ec5843bdf4370d4ee3c67ee85c8d278b8ce1fa75377e32adf79f909

SHA512
62c9d298dde43ad3a041606b15194f2af4c16861309083061a63b0bff09b334541fce820fd938fbac79a20ef9ada9008b921a82aa1d998d52906409aa6d17365

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
2cef54eadfaea673311519ce7ff5f04f

SHA1
33eea6a9e05ba042acb4943dca24be19879c8f37

SHA256
21177ba5c15c9a0e05652a4f63959e5daadbdfd4e0704171ec71972d1d7bc7c4

SHA512
f94f7063d4a62eb7e00cbe31506e8ada5509e203d5b34ec6027e3597fdb9dd5bf0d2571c473f6bccde9f785345eb8594a0251b2dc7fe6f7d7fb706057e5d57be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
68063fc79030405dbb51a363b7c99206

SHA1
291978385c99a256883f615cf3639bea74d6610c

SHA256
616959cbc4f3c003f4d9ad256e55f968c35b58a0686e31b302b252c679e6d825

SHA512
e17d33cb1d5faa5f8b5e7516f913832b182a21277c2e8d6f750d838e21171826594e08136a1388f34c07f7937c0555c1482a18235a4f56538359226395fdeb1a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
1462f42c1c0f2dc9c0a2ed6e9210b594

SHA1
397a6f126947b392aa53747cdd67b6ae8a1392d5

SHA256
44ca34f058a9044565804c3bf4419f35484ed29cd38acd076ed0e10ba3987b91

SHA512
da752f2bf95fd70f1f0729d556a7a4ed4223462e01a3401db2932c0cb9c741815ad83285a9e3643210b1aa9b086f9067ec144f0cf1ff19e4306b2b058064edfe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
ebb563c0ad6677675b7c16081c74d0d9

SHA1
c5b4636f687c00ebc81a6de44447bd9797d27ae4

SHA256
400b4d93b03bd9e19accfca3ef9bf2882862cc0d954bc9508963f6a574b8d55f

SHA512
24ba7a0ee596c70c2eee1b25d15864c00efb01a93e41273b2d95f99a7dfbd8130d4cce36cfb38e246242ecd612b0b87d1f666478606ab5f904e7239ba350f275

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
8edaa3fc749687540a8a0d2fa93cf0d3

SHA1
bc261e38a4a2221e28f37d20dca26e1a611dc776

SHA256
9a7a75ff1d3f0c06062b60061496f2da809a09493229f96ca95cd04b34e548e9

SHA512
274d6b3cc00eb2ad751d5e69deea8837065575984ba11bc37ca9bcb361aeb7a98023abd024459d8e2b88f580932677208b5f4756fc3abec3d97da2d7701b8952

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
32ac91a43ccd37afbca853a38ecf8201

SHA1
b82a8f7a363624cf5ba324464db8ae069007f3ce

SHA256
3294361f1b798512e6762598af48e06ebfc53d577ef55ab67a48c02d56c36120

SHA512
85e0e32e8d833885a452e46550ba6ba7a188c04ec98ec89d0bf60791e1e48b80a05fc92b97d29f46ff783869cad76e3ca1b573dd885c48151e6dd6d0fe2ca09a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
f71d20d77b85333ec71dfeabfe9830db

SHA1
efdea0ae77fcea19d22dd6840afa54201eb5d96c

SHA256
20a7c8181c38e3b84e96c2a5437f66666f1fbaf0da34c13fe6ef592fa5c97b02

SHA512
fa5906876bcd878bfd04a5071d2fcbc2163720750b665a1d2bf992b960d88df8bdc4b5b9a562f6e9ac8cf6878860acee5f73fa00d2ed7292f8e7bbd9cfff9dfb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
00cb57e2b537589e83316319f8ebee80

SHA1
4adec8f21457770ddf1b9b707082e5dd04c81174

SHA256
846d0d5cf953d8098c49ce80c1493b2ef6cd0cf74145ea7ed29c0b70c25ad5a3

SHA512
d21b04af88c3237baee785e8497f8e13c3fe2167fb505e3f39986e517157757be13e7b4d516bc91e0b7dc9d02f3e8fe8ef44b388068c1ef5c3edd92ec3805c3c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
dd01a0f3e806435eaf3765c89b5a2954

SHA1
fe3fcbffb8308f66cb94150d9977e32486905b2f

SHA256
ab1adba24464efa1d8bf5875eddf2b5cea53a28842d776e3756cd278c91ac88e

SHA512
5bcefaf86d927ecc9d9a536fd8f3477d714dbc59d2ceca22959361399d5e947c489b05715d0decc5741b7d4065d73bdc6e12a19d92550b7330dc4508df1de181

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
368e6c8b4fa629759590c4f32a018329

SHA1
6f6a69697385abacca2ca1cd93a31c460cc32d5d

SHA256
7ac7a52563eda81d40a50acbb8bdea56bcbb291cf91dbb287a2b4c29a114781c

SHA512
f4d1c33fd35c61149398a8b8128b4c23d3ca390ccd4a19e90e129ad9f5e4f7f0db81f864c8e244162c9e5a164baacace56768d6c301d03f246fb7e30f329c7a3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
07b99ae26c5ee5bbd4be8046403a45c6

SHA1
ef5354193d796f5bc5b74d61d0f23a6b95048003

SHA256
35f9e6208512cb13e9ac0fa46359981213b71ddaf0c19678f8f325c8e9dc3097

SHA512
9919bfd69bad142308bc84e0bd97ce7b86aa40bf91e2d6ba2e2eff661f4e11ce5c9f06270613a1aea3c2d3233ce4f968c653d63b7f58cb09d3deb7616c7e1b97

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
15ddca2e7483329ea448164f6d452556

SHA1
7eaaad016297b8bf8677450ea8dae1c420b4800a

SHA256
bf43bc79800bb62914993a722fe7c1deaad8a33d667a4be847a7b3148fa22df1

SHA512
a7ab5c7ec5eee59fe67d9fdc185de84423d708e8de03f1fc0a5237af4039d7bfc5474b816cae141e5a682396f88362cea6c86a8057da9a891de37febacc56db1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
07fd782ddd7e9d1cac4f2c495373767c

SHA1
7ec2babb94e6a855651a689ff5a7d72a13009608

SHA256
f2d48f0d443aaa6c21b77efaf1a6fb8264b56e7f72647db79e6ba31bfe67b549

SHA512
a15b0b7f95e263c868b204314fde5f8e485a62cb9b41557b486c1f22c351009d5d2b4f148f56b50fcd2c1f444f8772077c798b8d3715d74c9506c84cdc216cc5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
99b31220f73102c343137f891d1049f7

SHA1
9664ef974824435debd3ad402f418362b4d96c5b

SHA256
16ce6a7cea925c59950c48cc34de57dbbfb699f44920d58062007a2a35bac756

SHA512
cdb4236e28ef6b18eb5cb31788dabe07bf5136b9b1c443d656dc7c0962a9acadfec998ee6807653c3001bf85b84006b46ebba2fb9cc8bef14c4b0338db165825

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
6e16ec2852badb87a361475b790ec36e

SHA1
804f495f9df5585db56b34c85720034d8ce705bd

SHA256
2a70ab57d98e18344fe3c239b01aa70df28ce118981c7c428be471589db2bdc1

SHA512
a36c02bccf7eb8466a19d6641bd247d68c94eccb34dc4ff961d005c6fcdcce58412c1633f4b4a6db453899e2b3922dec2a3f8c3cbc0237b602dcc42b5322afb4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
e8e29a175a220a6931d95e4b2ac23474

SHA1
02cfacccd257d2fe09285840967a3f122ae58886

SHA256
94b950825ed0362cd3ad501060589bb73eb6d3786737327ff088f7cf2537fbe0

SHA512
d87786cb5186648541a05c071908fa09f2bca15e219150d8ef0ba69adb9505b83bc5f02898728aaf656877c6601908ca48b354a8490a943b9b47d2329f92223c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
da36a3728bf762541ed3582e9727d1d3

SHA1
7b3606a9e705e22bbd0bdfc16e3abcd4977705f3

SHA256
f778ec054269d15e4348a86195a02e4458ee62fa5210eb7c7b713170d03eef10

SHA512
bac82a0c1d6194d209f12b6a9dce104fda5272fa5af72b55e5ba1a43c781f87bb20e965becd25796371261426972c08cd9a44f4a71787f99eda2505280f6f280

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
892637ab0daed76a4f7ed6f696bb2d86

SHA1
f73bafe633572c571d84e4a4c7af842d3e7bae5f

SHA256
9cdc3dff09a1c81b46303dc4121880d4d734c1903be93a8837b8e28291e8455d

SHA512
08b91f0b701edf59c2875548266d9223d8dc9188a39ae74e06d4ea45856dd59f5d63418eb89fa74729130d2b5f973d146e6505bca1d3317869d031963a8048d0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
e32151c02117eda4c1043a5a0413bc72

SHA1
8dfdd7e45c5ed8f6b2a906930d2e1c1c32566e98

SHA256
e8c981b3d6ca34b5fef8de66f7928def91052f5312f85b5e84558efda084ca46

SHA512
b15786c7054dca7530da8a425bbbbb9c05b5d6a972340e95b2e204ebe7f6ce97b6dcec2550204466457ba720e32a2b657d375f529cae19a41e269a4dcfe7b331

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
5e4b98e8b6e016e9bb27b2761a30ddc3

SHA1
53881fe566d5efa057c5b9a10d8a824a1708f8f0

SHA256
dae96b39e95a44df8241f48f82775b6b744c637500034e6114d74b60468efcbd

SHA512
601f38e0333216740168418254d1eeab22f7a25f41dd31708b06e679e87eb3ab255d78e2f8989b575e21bbdb4b2d16a376e140248f79e5b30beadabc3484398a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
4e7bedaebd0a03233e4043fa615b1ecf

SHA1
9a2246ef90c340218c342802e89ee4b67d29b6bb

SHA256
29b6e98eb7d074efa9af0bf0e3422c754b3f49b4a2a7f3719366ff43624777c5

SHA512
fb1a462c78f6a9ee434f13972e9ca9aa89567e4bd239cb10f9fc1fd24f27823d77f2a0d4d758c8600eab4263de4bf02224435da2de301cb359007a3cf4c69876

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
551ec11f5f29ae7d98db5ae6d5a2ad72

SHA1
1bb78814d7c0ccb89a0fe02578f643064c1c362e

SHA256
645ff07541c580cda0a560af90c5a5891e50aed9145c50754e4b26b6ba29f6d8

SHA512
482285602dc281828ea9ffac4fe9d474109f0bd0ff76ce718fed33bfdd1169e59a85b20918eb3491c597b1763dc48daedad82579f24f9d81cb879abcff72be74

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
0a5c044dc28780fc559c029f11cec9fb

SHA1
472203c5d666791cb26596fbb2f1f8cf8bc7ae39

SHA256
3be659a03c67fe1bc8316be7ec85872514d04ac74f8d52b56e717b48517dd537

SHA512
d83fa3191efb474ebcabc66368effcd9b9ab1d3fa9d799386331669cdd0964850718c399f78734b137cfb0f8fc8a3d46b6e7dd9e0eaf43c4693d46a59668a282

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
935fdff437a3608f48da5515f1bc854a

SHA1
612a5f44272bc98c9624d111db9239939a79effd

SHA256
e7fb853770e21563449e380f2c6c21b4d55468be0e364148dd253b5f5b99a660

SHA512
95924b4c952642705850969171cfcccab7b397815236bd3af9a1238589c0a7f04d284a542840a81b2331d4eae37dbe5e3419534cd0bef3a9be9062c030470bce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
0c09e19c73c060bfd63644495af7c96b

SHA1
27e45f98e16c68099fcfc2655e1ca3f61c0dc071

SHA256
63bad24916ec8ed1c1afba3fb5a822440d2b36fe511ee460791ed5d733211b91

SHA512
2fa4768efcdbca841c403022937b46669e7f689cff1b1f3cdca6121136b0586255561ccd1c7d0138e03bf09d83c46663a74b2a8ca27c398d9ad7999240d90f3d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
d1bed6dfc605fbfba3efbacb7225bc2a

SHA1
b34f750fd013d791bda06500bf57aeda637a4814

SHA256
58ba82323824352ef656a0aae91bc1ef31c1201f6a8233c8f0d2fbe7873e1a1e

SHA512
99cde3473616106099881e9f394ebeb6fdad53be33bcde032205bbe1d50838193812882cb6cbfbcc0554bebbb5bc1ce938c9041a6b11f152344f09829bb8b782

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
4539286e32de116702737cb5dde25d75

SHA1
1002afa92b420f1f49f7721dfa12218b43255697

SHA256
b7b2cbcf78a966058b01f844dae6228e8c5e60d3f5a5d87bed55a9669b99d37b

SHA512
f1743cc56c2991855174c5c7bb6e63f086b81163248d98efea4dca7fbf21e1de4ed7e92fe4219c3f66bbcbe34a4d7d7d49e5ebfc996ce55f0f79e64f159797b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
6b951e00a35b54892d3b6f0a23afc5af

SHA1
ac65bdc7994f076227acb077fb1088a9c6f3541d

SHA256
5fd1aa7dc1fab508ceaf57666f5aafef147ae2e2f3f710a34be43e8b81481e53

SHA512
f41c171a311d5e1b22ce1a3252cc6813063ab5e04a62ae30a47645f3f2235f4976e841ec05ce603da977d8c3d4cf653f70a6b52075f2eb308d93173ff7929698

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
5448fec9f16641f14d8243d1cfea7efe

SHA1
90e200b5ab789bf2e3a10020e90d2dde7e9ba5c1

SHA256
b128478025f3d794843d0b68b108a507b07f4924cc13937ab66b765be31ed238

SHA512
577682d3dc308b234d3a4d69b1496888fe9619cb5a139b12ff5290f66ad1d44ac7837294bb26aa5ea0811747086a48308a7e911418a338359a97fb6903ed9f57

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
745a90caf626da6d9ea587773fba4a26

SHA1
8612d249e86d2df71eb153b25dd61aa65531779e

SHA256
fafa3d2d5dcdec3c693dd6b198c67021a114cc2f1f19b0009a57bfc886b669b9

SHA512
6a840bc6f0fcbaa833017e34ab5712ac733f520b0131a9c5bc99426979b6544a25ecac6406b32786751785fd29cf7339ae673eb8bda05eb04564869f25f14173

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
b64b4cf240fbcdfacab4947f9d2b4f6d

SHA1
c339320b456113b686b1aaf8c33955063238efac

SHA256
cda0ee82a3769a733b6900df84d81d063be922a8a63f03befd221ba1d90e2de8

SHA512
5c9dbb2c31f4ac11b4e1b3c42aefb8563a195c460420e76896fb704c6e8c895447cebfa9f61625d6217955e0e2efcc747f2d75c6828939be1797b4a1be91d171

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
3e04af2657bea330c741b48047ebb107

SHA1
17936a33e4b66374cda077dd026932298c7bf447

SHA256
74e6af95c197ac33d843d6cbd4e6c40c253a2c657a6b0d69159204a2137042ae

SHA512
67c0bb76b98e1a782c322d2c34b13357b20b53a62d75e3c9ffc86b093778d576b0d75cc0fdde53f58348a469c64b699ca379f71ba4e8b2f53ce556ffe7702a8c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
fae784e3d83c04a9a8a4adbfd14faf13

SHA1
2f75df0b5ad72a38df86637db83ad7808758d0c0

SHA256
b3535632164183cb975a3aaf96b110cdacf1c037c143c937bd1d94c91783b774

SHA512
83e9c80b9e55b96804cbe4ccc8ec3731ec3f325b6d8eb68f348bd0db0e93d4d56b14f093802b10d6499caf93d82dc388193289739df2dcacc38885c50b60313a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
69e2c4383f8d26500c208d8c82557ce8

SHA1
c05f27073aa2aa0abb128df4bf44d399e64f271c

SHA256
15c2cd1533909bed1f0a98c0edae466e9ec074f4efb9d2ded9700b6637e7d1fa

SHA512
51a5f46a9f1c467af3deec1c5bb086e4094acf8becfa2f008511e4006c744bc84039b48226ed955574aa578989126fb3a6b30a462fe8c18e1a61231969e5c28a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
7213bc191203b23264f0f6496fc14ae7

SHA1
9ea532bbfc2cc7cd1e483a7d93663c8925d0e700

SHA256
9d4b6aaf7a70d54a847878c06a7c33aa147b2a277fcdd5c619192624f86856c0

SHA512
46cac91ec2c9d59d0dd54165ac6f769e1b1569f28413bf20ea0f4495b54d04e65d01ace2efb9d8e745fcbb3e328abb33ab87f58ccd59b08a3027adbc2488a7ce

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
3aa4b3b763d1c3a80cef54a721168ea0

SHA1
b27d9b512e0ef7b6b177f47ba6e1970b3d6b2822

SHA256
38055bd36dad1f1964312b07d4f505144a35f1eae74ccc66a2a4eef62c1aea5d

SHA512
0c2334cb4faa840c8863874c830f7e639d62d3dc50b03fba61599f0c0e6928e84776f5801f23fb01693a0863fd0205d415f8f56b35414ec3a426ec167a1b9f52

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
b7c651531bca846bdad7b5679526a10f

SHA1
3246ddf4ea0670c5bddd5a49655eb9354e5e6f3d

SHA256
7d8c0b690efb30fab200972008ca0f7961e4ba87bceb74481478fad74781f8e2

SHA512
4d67fdf279fd65307326d5e9df3425f77f72e9041b82bf270a7893bffb83424e9a5eb269f3c10fdbf1933b623b6c4cb03f80255fda98bb5494cb4214c143d0ef

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
07852da03d38f45e881cb10f049ba209

SHA1
092b33d3cc7f98fa46b9fdba5a18e2476a5ad3b7

SHA256
d7914731ccb7fa7289cfd0e15fb4ace3144d1c71efa142adc46375483be8d979

SHA512
7ca8c0acd174ec400b34ee0e613dcf80ae9746fcc2af56d16c8e25ff51e5f46d6226be9ae76bbb333245c8c2fe07afc21fe609ec4478ba25c521b5c699638b1f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
45d6acec25d45734455938ecb5794760

SHA1
61b55642f46ca493b9f1cab98ccc16c434334de4

SHA256
f8cdb66af97c27557916f37ecf1d1287a58537312a1cfb1ece03572ed6b51be3

SHA512
c28d62860515c9ab5a19c335a224cbe4a6ca7d788b5c2617d047f0c0bd34606db51d85168f726807d4889b3b9f3db0985964d95b54d535319bb0a1acf6767e9f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
92b8a46271940168f63dbf79d763789d

SHA1
7993b74f92846cc384d9635aca6e5f58de76c9ff

SHA256
540da8f1218b64f7001c2c67f9da022ae9b97bbd4ee357bb983781a121df2219

SHA512
fd69c418f1fb87568ab7a9b2f7d1bbdea2ab8f8a89187f74f8659b547e99f5d1a761317a3b4fc5b1df1b19852ab0c2b358ad4f5b80e2e20bccc4a69844fef02f

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
b61bdc82c4c63f9a04e2ea4f6b7dfca5

SHA1
bc58c8ec0c9f3530c6da9372fc0cbdb2fd19bed9

SHA256
05c6b8ce5cb283d778297f6e7b193da0a18da31e223dd65f050516fda94fac0b

SHA512
1c08a13627c12e7e114d876ad989edb8a083a0c8635d6db727897a91bb43fec31327cd288faafd1242b25a97604dc6dddf919d67b9bb41fdfed2f7804e70cc85

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
4445c7cdca85d7d2dc3a0e23196bddbc

SHA1
986b80848f6c267eb0d1aded62d87a0a90ea068a

SHA256
3f948825553a62620840bddf9e2ef561fe27bc543d7869ba0057af9bead40e35

SHA512
134497802ee9b1174fcd709b1cc9f217d6f083d7180d3297eca45c7225e16802b0600a2d37aa71393126935621291fb0e773caaaa7fc74566e9541d1892b0760

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
c67045249c7d18a71efa6f4ede270a20

SHA1
4a1bfe7e124a56cfd41f75d0e036581825780f85

SHA256
6bcb3516e9ceaca2fd5a46fefbe33119579181c2fd99ada67c7c5b1900f87f9b

SHA512
b56104c78743a0ec35db435ef95af658190f7824da28b9a65e0d6f8c39445309404c4b20586db237d697e9cf3a5c927968041012613490777647a0d97f974fc6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
26132a20cdf2b406398a16c1e520afcf

SHA1
9670d94bce85810476a21a47aa800046a46505bd

SHA256
16c743b2c3de29cba451659b27632cfa3e2c1888b3eaff475eef65f24e44c4ff

SHA512
429684b4e3668ee03e4b45b12074b9ddc440591732cb6010c1164a83fed0c4fd22518488dc8e3154d6600fc4e3b67ed66a7be87d1d265894c860dd81641bd76b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
bc60d114ab69b8788b87dbbafc5f6ebf

SHA1
4b567a2ea842cc00af56e4b1f429b0fff35d2c07

SHA256
7bd64e2c1dff6019282bca56a03456ac11d508fe2d32b7fd8d624d40a90ee738

SHA512
2fd55da2a543702cdd05375b78f6585610bfa15af00e87a69348cd602128f8a095184d5224fdc64452348bc4ac03b483c69457176e0a1f6710496d46ae9e7fcc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
3de1f7380e480193a82526260901967d

SHA1
78046c58d190f78e8f338a777e4afc4dfb3bd6d8

SHA256
9a28337a3f9cd2141e7655e1f27d83983703c418aa90ced9a9b58b0d8ecaa9cd

SHA512
2b69092ee448ae83580621fcbb591aadeb787892db1b10ac812ddeb2cf6e20bcff1b542ce045f6c1e7998be15e03f4dffa557d18d2f0c6ab59bd207984975a33

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
204e8db0d037a24abf4752942e95c06f

SHA1
30d2bc544c18b96217b00a32f016b29054b2e5a0

SHA256
453b1ff0aab5b82f096b8df5c770356da9f44d34f54bf96b6eba2b424261084e

SHA512
2805eea3b767bd7fab0ff47b920a37a49eac4535284c2a6c774374b72243c367bd6b52ef020d8aee306a17909cf7e5e1a66bbb9305fdf0314e0d84ad4a9c417c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
7524a38c82121080b2c336ecc8019b7a

SHA1
83be0a561687c17003eb8f702d3009b82fd884f0

SHA256
b0e49e0bb9055ea1bd204ba3ed561b21fad5a5cc491ffd8f2e96c0534bb9000f

SHA512
23de3c3ff39bc49bb41168fe0660912e9d0f384091dacf1f6756806c06170de8256a54a41b47342689b4c19ae57ecae0ec13ac9442cd505f82afa01ad0e33564

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
74ce574cc58fcefa9fa0efa942b74b18

SHA1
5ff49d78cad41fd75278419ffaa33acea1dbc640

SHA256
b18ef565aad0f7b192c13b3e2ee5d655cc3a349c9008d7f5b80010966c6a4830

SHA512
e98eafe36bfc133a168e8bcb16e0149fe79cb3c02443689dcbd115e9e7272d5fd99f26afc681ea396dc6b3e0e7849a681664c93672c0a91f9b19791d25ecea3c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
1b6345d286568c4654fc75698db2c9a2

SHA1
611bdd40ab072d1a363b8a92e98242c275525ded

SHA256
938a519cd0a27e6612c7ab88c542ca83fa593ab66e926f898a5fb93fb17e6b25

SHA512
8b3995aaf0eb34b86d19c714cfac4ac233ee7f38ea7a6967a3c4b192094abf7510101d0c93b594bde20231faa9d31ba8e01a3f9634f4e99f3f5503f668adf3d6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
f1d8929fedd24827e11e8851f798da5e

SHA1
c843d0b664cb9559d0b82abd4910e27db312c4e8

SHA256
0765ed2bdb01e143ce740406c889220ca570d2c7be92b6bec9ae55494418c163

SHA512
1e3480940ee1df0d7bd051ffbcf30c112809b1e876d708573cd3dfcb0e1183f4182c0116ce93cbdd080a89d5e3279a27adf72436582bd6b87bda69f625285366

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
743693c83a38b55ee24df0f350dea790

SHA1
7e8df727559718e88dc030f98f5c6fa8adb402d8

SHA256
ba3ae0e9aa98a9ab57bb0f683c3f1a87e28a23f2d5b25adc53fb3e122c0aad7a

SHA512
5d86ea75993235860917291b4f6b28d0b4bb7274ce279f71918ea97819297df3bb3d862432d010a300e4be79218cfd6f8b7a54e6d50dedb1ab76b1d7b9264797

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
d02b7220ce90d7c8e3ae38ae149598a4

SHA1
df318bf256425ce3bda38b10def747d53191efca

SHA256
6cb21335331e38eec2b27103ac334247dfec496ef6558453ba3e0369aafa8781

SHA512
7f6240b48497867909c118770621739c30ebc4f0d55b644c42e4d92816516ca0821abaa727adb5b183fda05bbc3ed71201f049970016ffb1763083f072a85e4c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
d0f17bdc7b58ef56d185e8ec3469feb0

SHA1
490e119031c25e11426f146a405e17512cd74c28

SHA256
50ccfd9925ae9a6f5fbc90fe783762f98d3a757b8e2c3512f1e70f92730bee57

SHA512
f557b19d767af172d0ef043f89bcd8f560fb7545791fe5373c8acb42654023a7514ecf712ca3e0b45bdf07f6c41a64e0ff3069ea0e07a266fa79682aaa47701e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
941b94a87f6302ed1726af7b54b008ca

SHA1
bcd232e57e73608929d7d7446d83d339de2b5ab3

SHA256
6174abc23a5d9476a60b596d9e97ec38cf7513e166190ac7393efa207eb7e092

SHA512
8389d2fb5ca57d5eae278be47ad71246c45b256179f51901a11ec03a57ddf3b6e42b9bcdc1dfcb7d0142f8395130e78d0b1ffdc180242fe094cd19de078efea6

Download Submit
\Users\Admin\AppData\Local\Temp\mog.exe

Filesize
7KB

MD5
7ca237df45877c5c2885b323bc311eb8

SHA1
2c09e1d0e5d7cb2eefc193bde8030ef4f978ec41

SHA256
1832ec5aa127ca1549892560088ff1177a872f83a253d4f9b508e6e40ff87c09

SHA512
59fcc6de1828cbe5f4869dca176a1a1edebe2390f9e47178e0f158eb13a7b340392457619d4552869c5c83a08283059dadf721e9144575f5615835fb549ca3c3

Download Submit
memory/1140-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1140-9011-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1140-9012-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1140-9025-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1140-9026-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1672-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1672-10-0x0000000002010000-0x000000000201C000-memory.dmp

Filesize
48KB

Download
memory/1672-7-0x0000000002010000-0x000000000201C000-memory.dmp

Filesize
48KB

Download
memory/1672-3210-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads