xorist | 7d4df4a459ac14bdb81cd85ef4b11cf9de4a56eb062bd9e21fbf769e72709bd9

Analysis

max time kernel
32s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
Size

7KB
MD5

b3aa1f331e9be757cdb400d278dd8891
SHA1

c1b5956632dbf7e961e51330e53dd4ecdffacee7
SHA256

7d4df4a459ac14bdb81cd85ef4b11cf9de4a56eb062bd9e21fbf769e72709bd9
SHA512

ea316b5a9e6aae42ae16e8eb3dce6a085dc15fa422ad0966a6085cf81a1607844cc4665ebb4fb08e53b730422c22a43519e29e7519b0f3266ba06f7f3dcd12db
SSDEEP

96:leZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihExjS1XqJTSsfs/+GeZUeP:kzdrr1FG1WDCgmjPZjzThE/5eRGMUA

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/2400-8787-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2400-8786-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2400-9019-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2400-9020-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2400-9021-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2205) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QLUm8OR6vUIE1wP.exe"	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Windows_PowerShell_2.0.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmntt1.inf_amd64_neutral_ecf5cff2236b273a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_properties.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_escape_characters.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_neutral_49212f5920298e45\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ts_wpdmtp.inf_amd64_neutral_daa64ca27846aa23\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\oobe\background.bmp	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tpm.inf_amd64_neutral_d5bb6575cf91cd73\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Assignment_Operators.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wialx004.inf_amd64_neutral_0a3a62ae6ed43127\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Switch.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dot4.inf_amd64_neutral_b89cfac15ccb2fba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpsion.inf_amd64_neutral_6e65ea91a16f922a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00b.inf_amd64_neutral_1aaa057d3d52ea43\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-shmig-DL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Path_Syntax.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdcm6.inf_amd64_neutral_b1db427ce3d2a1b4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_neutral_839e9ee1a8736613\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpenr.inf_amd64_neutral_34624840c3163a38\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\megasas.inf_amd64_neutral_395276dd9b7a7448\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_scopes.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_transactions.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_neutral_f91980f20f3112ed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sk-SK\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\unknown.inf_amd64_neutral_5eb6ac70dd1a3ad0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_format.ps1xml.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced_parameters.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmrock5.inf_amd64_neutral_cadd97421d121ebb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_parameters.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_command_precedence.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmags64.inf_amd64_neutral_e68956e24e287714\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj6.inf_amd64_neutral_8087946c82068597\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\AppInstalled.gif	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msclmd.inf_amd64_neutral_413d17c790177eef\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NDIS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\synth3dvsc.inf_amd64_neutral_bccbc5fb46a05558\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-shmig\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_execution_policies.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_data_sections.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhayes.inf_amd64_neutral_507db5d34d7acddc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtexas.inf_amd64_neutral_7572473d88d69307\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2400-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2400-8787-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2400-8786-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2400-9019-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2400-9020-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2400-9021-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21327_.GIF	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14539_.GIF	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR23F.GIF	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\SUCTION.WAV	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\ado\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15057_.GIF	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_mid.gif	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_mid_over.gif	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00092_.GIF	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\PREVIEW.GIF	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\zi\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR41F.GIF	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_functions_advanced_methods.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnms002.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fd3c628d4c8fe883\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_usbvideo.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ff02be6f0eea6bc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.management.resources_b03f5f7f11d50a3a_6.1.7600.16385_de-de_7da74beb436e47b4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationUI\d7c71f43e6d6e92221717345e6156044\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\settings_box_divider_right.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..bilityanalysisrules_31bf3856ad364e35_6.1.7601.17514_none_85194071b6440c78\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_narrator-nonmsil_31bf3856ad364e35_6.1.7601.17514_none_8b63c5e0db87fde8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.workflow.componentmodel_31bf3856ad364e35_6.1.7601.17514_none_ea7fd6352ea9de2d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\inf\aspnet_state\0816\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnlx003.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_23540713725efb15\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_transfercable.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1d937da73521876d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_it-it_dd4d05a3a853c1cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Special_Characters.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mail-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_86596fc9e37f42ce\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.ComponentModel\v4.0_4.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_9800c896d59e2ea8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_try_catch_finally.help.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b60543bd2d988807\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..nspection.resources_31bf3856ad364e35_11.2.9600.16428_en-us_6e3f17ef8f5a4df0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-data_perf_ini_b03f5f7f11d50a3a_6.1.7600.16385_none_4ec86b7dcdcbb974\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-recover.resources_31bf3856ad364e35_6.1.7600.16385_it-it_efc42da1d580cfbf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmgen.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_05a824ea7447f385\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..rtup-core.resources_31bf3856ad364e35_6.1.7600.16385_de-de_082571c4586ec24d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00010437_31bf3856ad364e35_6.1.7600.16385_none_f352eb09a3250772\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f11b6ff0e4527299\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..o5-codecs.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ff29b0518391dafe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-locatep.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_54016078a970a3f0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Drawing.resources\2.0.0.0_es_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..-truetype-levenimmt_31bf3856ad364e35_6.1.7600.16385_none_e0843b84595f479b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fb1e4ffaf54e9f8e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..w-devenum.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9b3f12be380546b6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-secinit.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7c6ca7f2f717b8e0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.resources\8.0.0.0_it_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..lientcore.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_386c00971060a77c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wd.inf_31bf3856ad364e35_6.1.7600.16385_none_6fa340547abb81e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx-fusion_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_d758b247c6e65f96\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-4.htm	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..lientcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3b94663cb7696138\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\Temp\PendingDeletes\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Services.resources\2.0.0.0_es_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_46762abe7c82b9e8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-sniptoo.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f5fb618fd264b811\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..-optional.resources_31bf3856ad364e35_8.0.7601.17514_de-de_6252687e84367fb4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.1.7601.17514_none_b6fce3b112cd3657\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_msports.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_92d1a7c00a2dc68a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..plus-runtime-txflog_31bf3856ad364e35_6.1.7600.16385_none_3b0b3a581d24859c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_6.1.7601.17514_none_f73c142da6e47daa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..workspace.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9d6cb355bcbe0fdd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp5.jpg	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.1.7600.16385_none_1f7373be61daf614\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\drag.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_c3b9072b536514f6\delete_up.png	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-tw_bb9f7a833cb8946b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_acpipmi.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_db43fafcb97b6e75\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-clip.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f7e05482e7498fc3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-printing-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d465fcd71d6172d1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-stobject.resources_31bf3856ad364e35_6.1.7601.17514_en-us_f3729ef4613a25fa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ic-module.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e84325a814020a94\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-scripto.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c9c3a700a67ca0cb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-where.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fca32a72c675729c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Speech.resources\3.0.0.0_ja_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TMBTQNPXFMFSJFV\ = "CRYPTED!"	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TMBTQNPXFMFSJFV\DefaultIcon	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TMBTQNPXFMFSJFV\shell\open\command	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TMBTQNPXFMFSJFV	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TMBTQNPXFMFSJFV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QLUm8OR6vUIE1wP.exe,0"	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TMBTQNPXFMFSJFV\shell	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TMBTQNPXFMFSJFV\shell\open	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TMBTQNPXFMFSJFV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QLUm8OR6vUIE1wP.exe"	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "TMBTQNPXFMFSJFV"	b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3aa1f331e9be757cdb400d278dd8891_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
282B

MD5
69a98ef655778f1cb3764a923acbae80

SHA1
22683321e95c9a631039d15fc49ac5d3e639ac54

SHA256
2ff127d5bc4c7333c8f522aa4b456684eca97c06d452bf7d00b6a99b49b11b0e

SHA512
610fc09f40124e1a74ff303ddd95ad5809679be9e0c381e5d367ecf8e1e137c3da188142de7a2c5fe2b1225e12482245f2b5c417d43d73618108bfb1c32a5ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
7794682d14c6bf299f92ab6c07d232c1

SHA1
6f924399d7967364aa3f405b17cf167c6fd599e2

SHA256
07abcef92a16433d94637f3416ada2b958df9e463eeaa25b952555547cc15d17

SHA512
4575e4a0d7416ba41bfbe5e06cfcf1c6f75a70d62a35e4d881e44be356f44e6f27b8d14d6d9006571b66ef20e313a3524ed021ba65ef4d19962b266867234dc5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
a23fed8efd162524f1591881547a2059

SHA1
761ea1bd1658242a67797a1bb95d47753aa9eb33

SHA256
6cbfe72a43dbda48e1d66a02ddaedda28f4a5412dd7fbb46ecdec29d3b32812b

SHA512
74efe5cfed57015465de1596c1c41eee4da2ab5f66f41ca3ca1a9eae39c5946bbf88a2a25ae9de760ded79fd222d0635b1811bd9f67931b526fe09da8a495d79

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
c985b8195b0c2d7712ffbc58b54a109f

SHA1
c806c54a4ae7cc466cae0ff495605c577f9d25eb

SHA256
77f50836dca60573265181f80b5fa5b3e75a702ce4249005df730314a4633067

SHA512
4877e250762e621dcbfc923e580e965256d89b16dc9065b2c64b25c06df2bcf002860457f69143e92844ec23c7ae89a9f46d60fcdd3a5fc86ee2d7095a2c02d8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
106853847c48204230f499e1a88242f0

SHA1
b756d458886d0d0a9932b64463da5f379206396e

SHA256
1798005ff017db4f7bcd701a968c957d0a009231627f7c4a44eaf27abf43ac86

SHA512
65bbd99d58cd58e1cf21d74ca7f6a6d16aaa1ca2ad453aef355d7067586eefd9c770c444c35426666272dbc3216e701db2a5759b8561ac0563730f8c6f7d0a4c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
ea84b2d7b8d314f6ba080d4eb4ddc218

SHA1
078314378d8d32e21ee38aab247a6d15c278e73e

SHA256
684fa0e11ec40d1b4bd266547df8d5e7010b9d186826ddeabda8ee5f8ab462d2

SHA512
712783a75977964b508e1e82a106d06fede571c5fd4ecdd119ac20d8ae9f0cbfa8888385fe384279e8d1a5289408731d4c6fb58168a3ca624246a82365653dfb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
c79800488a58bf15bac7a8899ccfd680

SHA1
b0986246213734cdf039822f847007d734d5e350

SHA256
735940f1d0cb5bc893e6bd519a0bec62047befe6ac5409bc1605a11d081c28b5

SHA512
7b8b4235e808777c25d6e05c9c19f06f2f294c6dd5c35d92328dc11d6959a6a883850bc090a2fb182f4da378e04a55a15218d8a56ac1b0ca57c487d645cc0122

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
8ae9bc107cdd3f9c4274e2924c2c537d

SHA1
7b25c39705955b3653c9abaa62fee829d680a042

SHA256
4bf0e4521522a4a1c7034e22c84ceae083c6fa52d464f408a54bf10166bf6fda

SHA512
abfce3f318b177a32963c101792cef2eb482a5249c99a451cb0f4d60e4c27dec432850bf7707c3918f60ed4bf23b8d56950552fd44271aafa194cd4cac70d7a1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
a14f96c6540f60421fb8d643b47f00cd

SHA1
a7b7fedf8567aaa48fe84d7e9c9ba97fcf4ca1ad

SHA256
73214496bbd0e55bf5bde74219fb0f86efb0a8d9814bb36c7ffea443ff0690f5

SHA512
bf03086d7e4ac072dac44ee6a95d40de251ee045f4a47061ca8ccac6e765b97171ba3ea7a5f250ea5fe45247f60f36c2f0480c889816ea689769c9931f6c1124

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
b0d96f6e1841e6fc1c653292774ec6c0

SHA1
c81d651e9f042d802e9feccc121ac0757e1b86e8

SHA256
e1e044ac614de5a8a424ff70cc7ff1ae9f62753479865edb5d0e7580764c7295

SHA512
34ae2d309360b8ed73ffa6e26970ab85bb93845f70ecdf3ed87b97c9691309c63550289d32aaed74568aec90d1b277a599eb1b6d7125e2f5fa3759e2f206ce04

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
0b9ed4b77f156d439014c80ee5e76681

SHA1
7eb250ab07bf4cf6b25d8cf327dd386d6e852f8f

SHA256
e7228596f7b162320947d357534178c360d210b0f67dd5f4fef84ba61cd2756d

SHA512
7bed71ae937f6d857483cdbab14257fbb9f653c4bc61b9f1dd5f1948c30665761365e620c48e47a90d93db2b881ba576fe21b930943cdb42b2fa1b9e36038d23

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
8b83a32f89d0f0847a529a2177326dd8

SHA1
bedc79a71e9a99302b41dc84533613891d1bca20

SHA256
6e4cc2af5e37e2e4a2c29a34af83aef6e2a107459ed41e8b2884f1b2a528be54

SHA512
72a68cf1a82813686a6398b35212826c05378b8c281fa65e75259f4e19724fd2c1f558fc854da3fb0d76cbc4345e37decd72787798c7a483408d5ea3e7f57e3a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
3777999d0f4cdad3bf98b09e5af5838f

SHA1
6e3bc8c871a463bf274c0d289a53d811d7ff8bb6

SHA256
be0c50252a2bd2c4a0afa63b1253a57643f05749908ab636927ba7e39ae7eafe

SHA512
4d95806815fcd3d4647e5577bf7b685204325dff348d6920cfa267b5e3d4367260170bb1e99c0706933648bb17322b2844c1f42f6312e7f995d4cb998dbf2f0e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
db399f5d2e4a97aa19beb8d8fe30ad0c

SHA1
d2cf0596858d58d3678fc80a6741f5c779493db5

SHA256
c71978b2b2debe10c51fbb7c23f5475971fccd4457b5fa4a3fae9354c5849fc1

SHA512
136cd65fdf5fcb06935f99ebb7e5fc2f5c4db05235261138b0a25cf15bd696f65a4b8e6b0e6148430f0d4f75e48aff960ed3219ab727cd19e627f15e9bbe4e31

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
f32dae7e2101aa637f930d58f2ceedd3

SHA1
031efcf036f7d51166c4e22e11d3a3aaf35060b6

SHA256
42591363e5a186465b6a4d65b97a04ea07148066d84fb56d0f6188e2ee001292

SHA512
61ff9bd229c60d87f99e340c99d8df1df0b181bab3be0496ff7aad465e853f0549a0c0bd8104071b3809349481ea3ae637aec18a964b0241b88cda6a3e463821

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
f07dfa599ddb9a7f9a2ce6e3ce248934

SHA1
d1f03de5655eb7bb9cd4cb7ceac178fc5d069295

SHA256
1e1a57b1a335cafe019fa7a387be6c49ca67dedf42654f14c32d386d5f34d1f3

SHA512
3b69cbc3d77b9f578c0986a4e19ab18bc64524fd6748b9da708be41f3c58b7f5de57e50caa207f0169aa27f959e1a8637b93327acf6d513f1683a4d6885ca453

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
75c9d4ff2579cd3a8a03402846045ba2

SHA1
46a63545f1241d15f5663e6dfda0e97093ec24c3

SHA256
6dbfb185e6a2e40db5ff236dc9890a6bbfdc7393a73e04abe9ed0b1099ccf392

SHA512
58ba5f050d5dcafe05b1b678cdb9cf8b2a669c035b9ff595e7d8a51e370b1b242da205c55b009c93b82354c0d4b676c276f1e0cf317b998074b7e08207c50520

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
1a3ec5b8af9961a68682e274b0ca347c

SHA1
f2830614c47cffb5fec7b64b1be765193b202412

SHA256
d2786485d71b42baaec726b0ad42ef23284e19e130fede897056dff52360d547

SHA512
d66d21f6aae7e54aabcab6ec111db6c9c333761689628bdd82e9cb04143b9aa01f80fccbc89b5ba19ed9e3a38c685dce151f3881246e5ba7b12f721480c197bb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
2ebb2704368d3dea7c794401c34ff1ef

SHA1
29b9fee49601842f4c538b4546f11becf05d38e5

SHA256
c8c0fe65acad4ab09e8ce7bbdae7db6618f598b2dfe1f8fe35ae1acfc5da6fcb

SHA512
99cdcf1ce5ae485db82ebf91d10a42d59a07ebae66060b684fd3956e1888e852247dbf851d6b89e8e09bc0016a7cba19e9d4894ab5ed2a92363c0a62dd3c8963

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
d67c91abdb89904cd1ba443b1e23173b

SHA1
f0acd371fd850584a758fabf39d4a927bc0f4af9

SHA256
7dd0ae3c9f7cfa88a151d15bbc79b2c48c2b4d59fb2a8216e306e7d14f9ea0f0

SHA512
0c820469ad5ba834a38a029c8333f63393730cc8c34425d6550617c7c887a8cdc86fe4e4d0fbb411485b59151609813ce0173aa4b48242e302d4a7d18bdb85d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
9220c5e9e4453d5f86ca337d6d96fae1

SHA1
ee922e3a5d93813899ed8db7cae5208b8bde97de

SHA256
067f5d23def766ab0a668313a7da4ff1337abae185cd6fbe4a704e4c6104077f

SHA512
d4f547dd35f800c7c1611228658eab545d254b7b70c1d1206244635f15e8ee0545e7cb5f1f44cbd32fe48a49939a57dd95ebdac1ce498b5f995c424ec94655a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
f1c7d8566d15b373840d3c4a30d0f728

SHA1
3e319fc14e4d928e8fc8a079886926a2c263079d

SHA256
4fdedd061d3dc5ecbacb9eacf11f8d324e5aea3132f6f46ffc585e9d822a94fb

SHA512
7354252394c9094d6cf45c6f90841a47f8cc12827c620bdeb562fc529047b664daff76e9f142cb27777c4ec73b3bd04ef6ac96fa247736c9c8267284d3c94a9d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
61e9e9defa3e4b9e4ce4b558d4275880

SHA1
efbe515b2823f68089bc984c346962227736294a

SHA256
eb461bdd362b2c3a9073eb3e19db18db05c46295e9c1a7d7ac90b14b6881d771

SHA512
7d3435a6e6307e0e2dbf7999140ca6d383ff23f8aa5046f230c77e6cd4be31c44168163cfb2ae2050312b0cf5b3d8fd51415a6b45bc22a83fc3c009240a1ff67

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
722e3e32e3954d7687fd1c10e8f8491d

SHA1
d072c7ec03377b512213c30e794c222bd1bcf3bd

SHA256
2873af817ea7289f332ef7dbef339478181ae1f2e80d344d54af37820a0fc82a

SHA512
135db45adc8d7b9fcbf4afd682aaf0f0eec1c28b892015b74532d9c72c134f41bcaa5a1851dafb15d9bb62de1088303be01aa56e507bff849cd804e08f9a6ffc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
7fbae95f28eb60954e9b74f6eaf2008b

SHA1
fc5face059f01d2a216639eaf236b2de4271cc07

SHA256
d0efab412f5ec0f0bbbb176104afac639a7b211ff7767fd53f9c6f1a39b29590

SHA512
59b5f812e2d32585ce81ab271c603839b868e67c93ff7ae26387a8da157794074f8eb51100b50d5c257994c8ff716364c81df60df4a693a71d5bcb8bc58cb997

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
398d16be63903765991f03090b28ea19

SHA1
4b097b93568ec90a17ef7351570e2c59c28c8fa7

SHA256
c2975e5c0e88c5cc8c607d1add96bff47e9900e97c5bf1dd3d4e777b2c2890cb

SHA512
49c1b226cab4dee5b4c738b402cb2a412fa4ca60c580e5d2d3edbcdcf41a05272513f92c09cebbe179d426a686ce7c40daae1a9233b13061cf772f95e7d0e5e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
394b8bf63369f6215b031d23b887a12d

SHA1
16b1bf59a2d3ee94569746a27a1a01db95096daa

SHA256
5567004418db78def8a96c71675df9083a4211774c2ed9c0bf904bad9f01e94a

SHA512
6aee54b5284440a0ecf67da54df2a0fef39be9ba35ba00ff43d1b64d8c9d6fc2cfdc284b44fa36b286ccc7faf77e73975acf4ee0b3e8e5b1fdaef836f8cbed9d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
abdd8158ab131469d744c1c45850d09d

SHA1
e6b9d673092e9ea3cba15ef0ea2ad0c8cc5cf3c2

SHA256
bb28042bb01c8133585abe674132375e3288e7ec71bdfa14638e7b22c4838860

SHA512
b1097f84c545ccd66cf4efc55b8917c8093d55a3d5f24ce38e58feae14fa5a943ca85300d1e378ff24c7a04d6f2447e70a8569e33e0d2faf3dfcc37f12b4d0f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
18571a4962f3088ccee1e2517a9d7f91

SHA1
628408e7d69c4051b08278e2fb09a6e351251627

SHA256
b39e9b370eded7fb386320507930843406fadfd1bcdd993e4294fac8a0060b77

SHA512
b192d0cdf7cbd573f71c952b501b65b27f87b2f55b57890d270a4628875ad080c3cfe481300f1d02b136fa39a42291890e297375f42cdf3d830fc0b2d3de8470

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
fb0181c2dad146377dd61beed77b548b

SHA1
f81a9c299ff72396eb3f311f1adfac275e4d33fc

SHA256
1dfe56698ebbb16f95fc6f32616f49b6b5fcdb65c7cd6574864d1f01b33cbdd2

SHA512
f4782c08f68c2c56962fa8470eb38eddc9a68464c298e7903485adcc99872b71b30a2678b6a7e31f4ee2d14c64ac65adee8c568317ef4ca574d0bbe4b13ea6e7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
baee5649604484a0239a42c4348b0905

SHA1
f06d58828cba9ee044f0fc275829b0d057407720

SHA256
9be8b900a22ebf9ffb25919d96c0635f361ae7c9f3e683634d61bd37acd2a352

SHA512
89f5dfb0ce213b3903155d0e4ff55de92053cfc6468e0047fa188cb8811f2ba6d54bc8984a655ad0067acb57309a775cc6ce1ca9a6888c6f887a6e2b70d1d0cc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
6d22df39c22a72143c83295496c49b18

SHA1
26e51d41610a2a4ee7a1405215bf7af8920277a7

SHA256
02a274165fc2014628309012927f34f1fda0b87bd5d531d12e3cf0ea1d98e48b

SHA512
458da0eaae778eab5b430e05f34f46c5d1a6121d1c25e95cc5a019289e2c6bff64cb8a63bd544fc7c9bb09e3c277eaabbed0158b1d40e8f876232b1fef308073

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
1359cb5e63f1d65a00d487cb4091ec67

SHA1
e9cff75349b4fa70c94a78de1151d0d579b33150

SHA256
596c3eec8f476ae10f99c2ad035286a6da9820d1ef167e8d3e6d471d174d080a

SHA512
0658dde53c8f4d570b9c72c6c2ed06434252b7e1e59342c37cf9e65d89baff0ebd865751547f12a700d0bad5182edb31afbfb2c492417663708fa1916a12b1a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
ec94a4698f28f3355ec2f47bcfcee613

SHA1
6185e708f74c1c242a577a8c98a2cf803719b566

SHA256
236967c23b31edf5431701aabd612a2cfcdc977ebc2e6bc94afee0044ead2a7b

SHA512
b5ac1f7306abd153fa0f048469cee49808c20ff43a9c8c2a524973316b2f8ee185e288ddcbb77a91ffbc3f7349e890f65f2ded3d5d76186dfe6cbe31b1bf180a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
2a477e38b47622c2020b2bd5a47403c5

SHA1
2f62abd60d0e8ed828feb212a3190749417ef098

SHA256
e3f22b0e95b9010d29e4ac57eda85ec744c5c1d42fd28326fdf6ed84cbe93153

SHA512
7fbb02a47e204af497b5cb235ebe5ee9bed7b27f0060bdfa42fd3e638259947e07327e2a22dfeddf0e70e1fc5f2bb9be0cb65ba36809839150fba84392dfe637

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
147387eb2c075a22410c3e59911b3281

SHA1
5aa1d4c25fc2ebb6c99b43fbd7447b305b67f569

SHA256
3101916eb5bc5dcae0a8cf57cc73b4839c92fe68c947baaf810a6bc19cb057da

SHA512
613956372978ec6dd9246f88216b183dbd3058234d1c001ae87e74c2423b0f8f8f45ce75b2a3b032ece268ab26a28ac32ecfabd4b6973ade8425f3a808768de4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
065bf22e1f25c82b1d5d4717daebbbb8

SHA1
964c023fb4d3e01ef560fca75f9a3f23c38ad177

SHA256
d0ea4e63c5e600c266f13836a93bf762bccb5ae179c635f1e049f88b36e60f29

SHA512
496dad91272e908c57628384603aa79b68e0fcef584aa4b6524c879f5e130bacea882baf0bed1253f43d395e6a177b5c3a1aacc12913fdb173353ec4dd0a8aad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
fa3c28bdfc5e9e7c3479be309d8b9321

SHA1
cf427f8399a01c92a8a2049928f12964c752c345

SHA256
966ed9419afd40b323773c1f3525861c612f1e18285b62f5cb92906f2e5613d7

SHA512
e83e9f293c7cc081ccea06abd9d0c884c6f05d20fc3fce7940e3a2fb012c7d4b9a560eaa784f544178ecf37717c724a8fa3b6445618192802efc1d9d0fbe66cc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
e99eb7aa56f0f4f8bfabf5e717bbbc93

SHA1
9fc9ac54a2ec3e6d4032fd4f67ac43c67a72eabf

SHA256
f96f0bd34302693fde9185cfb59f28e5e8a2be1333caca0983726d155e04f8fc

SHA512
8e3d60496cf5a27248de87728a01d4a5402df85415f136cf02d1d2692879d6effc298c698931e6234b76bf7d6d31fd3115c3c430a7e48528d13812aa5e779649

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
d81df009f7c8d7512ab1b2c191c8a5e5

SHA1
999ce829e6b9226162781f2a1800021369a7b1e9

SHA256
839a71b3fc1609cfbb4e0ca5ab9b5aea772d9a2a4c2b2935507cb0c1fa4e5d86

SHA512
5dd88a2626a891f30e6fd537199e8ac9cf8b98cf5d2b629555aba1d3ec16eafb2acffadb23b7eacea47ff23ee245b681eaea223137b80ed41231d4874c210a3a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
0ff4e7465917b222b758118f8fd69c05

SHA1
1f10cc1f17c6ff8ca782cdb48d3352c564542ba0

SHA256
9ec680148faba4e87929234f1e3ca3f0ff59d237befbc0d4e7e425c16c0beafb

SHA512
fa81de71d8875da635eeac13d3e0130abc12e05eaed4e549e2acb7d713a8d493c84ee01e33e6d2d76773bba796067f41e8d69505c487a776a1431954f6759066

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
a33d22a4fbe0aa2fd218f0734b06dacf

SHA1
89ef5c1845e6e8421648357b02dd2c95020e1dd4

SHA256
df8276c43bf8508b232ab4383a86105f8f9e52582514bb00cad286b3d45a9aa0

SHA512
c808ed16a1e651c7d45c4d9da8ac5225675b84e4cc289a20cab9249e10fae6e8bea5db66d6bd1937dace86fe1f7b79caa68a14bf6d8d16a4bddeaa3f3680422a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
b189cafe189ba608504174113bb1c1b6

SHA1
77d76f49cf564d99f62dd52cf1f09f25e5c8b27f

SHA256
35eeefb2991af943f03c75a9df13da04cbaaf62434ecf73a3fb42ed1976799e8

SHA512
49a9c4657d1f5e27d21c18607af43b57d0fbd9df8ce422ae6db9be7f56a745939ab267e01a0ccb9f8f0185d834e6519569d5eeddc2d07bc98c789462b95fc15c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
7689415e7a1a69fc01d16988a06ed338

SHA1
432605b913696690aef88ceed0a3755bc79824a2

SHA256
afe4a8457d58636d2e9920a0dc12cf273987aff0061568ac80a7012e3ebfc122

SHA512
696d668aea33fc24bd8284b74d3d9555054acbb3aac8a96d090217d4b78d8d276863584fb255df408d397ff44f5c6831b13944b643b8dbb81551bedd3ef2ec85

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
98670c3d5a646bc986e6da48b81419a8

SHA1
dda593765866a638db3d1c3abb8f06ce1dfe8576

SHA256
1269b7930c190497b51a1ccc72d49d946d7a6fc0601f55602c0251e509a96984

SHA512
6a2fd08d334971c05f644a4138760eac176c6c61961125a7b3f88f425b9a76206a918cf4813e0a03c683d0f8a379053f866d59017d6e04d9709e2d1539190bbb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
7f168997d1537796ff8597de507a213e

SHA1
e50bdcb9545e4e821d10f54bb2ba517ac8a17f1a

SHA256
ae45329250bf93ae9a590369a61ee33def5047a1b7cc37e12b0e87629c2e6b3c

SHA512
8ad6d87927024c0cf352381b1fc6fba6b79e20451e0e070239df07a529b9c0938d111cf00a44d0c40c0eac1664d3e6ef11bdef6268c7245d8ef18a89c319bc48

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
5ab331a908e7f50397fb194ed2144050

SHA1
f42c06ebd649b54af447ff6822dabf41bef3101c

SHA256
728a1783da4b02e0db76c0d086ad740d06e7c74bf150784d4d831127e7d27dd3

SHA512
96adabec63a19955e173b6d573cbd6b355c925f463b9649ec1a1c43a9c72aa666d22ff18c6a1a6c0da7a673fb03e7d7794b75331335d3230418f60fe4f72d378

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
326c53c61b1ad3d044b52af95ed99e23

SHA1
ab535f3225c19da14d014b7678a7fe94e535656b

SHA256
f8f4df2bdc34db3790bb174a690733c40c5159d2bc1b98187a18b8c90dfd3a48

SHA512
bbf85d2c82b2b1e628e14947207ed9590f5addfe93dc3f3182b0393e4b913d3a0938940663e0aea5fc687d33582b829afd5330449033916feb6b915254049f01

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
6292f6e7b39b2315e8237e79272c7683

SHA1
06edaa445e8e68a377f80ae03190b0476d6e2724

SHA256
9cafd8033ea2cf5f9354cdf211c6977807dcd387f769a873cf1f6cce8f1e275c

SHA512
8e6c32197e09fd742e83e96cbe505e438d08ff42ab306f6dc1d2c14c1641fd0614d12e5e116371bb8034662a22117fa2517bef8e4afdea2ac1b5f9fef095d040

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
e1096c88a612a8d324f32b2b127c61aa

SHA1
8891dfca06d040e36643485bfbc63e8d3dc6fc6c

SHA256
6b8a6535b6d6a13e985943bee014903b03e7a05a1a9fae96e3f44d32ae8b9c72

SHA512
1d6c5e9f6079ee70666c2f6ed91d3d68bae773a8d686cae577cf468ebe8370f81e7c57815beb13f276e99a92231b884ef98d16b46e816ed4b72d81e812bdcdd6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
5774fd85a2c93ea3535f31fcd48c1d7e

SHA1
d16ab3ade58606ada1cc037ce3c30a1630be37d2

SHA256
83c5ec2440b806b8dafabf90a4db96aa864ac77a31fc67bc55ee449316e974e2

SHA512
ffd057a8ef1eedf4be1a7a69b50310214edc927d846749666b88e3061c91de7df587f9a8e10ea9903d5316c323a9b9d5bf822552ff159a82eb313f7719eb17ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
f054f67edd494c2143c89018030f4ee8

SHA1
d60e24dc4c96390d289c5e94a62dafa48c16c1b6

SHA256
5ab5800be6b2b8530c3a2362fb36b604b83fb0eafe70cc7b348e9bbb39112fa9

SHA512
59cc08238b89e90f41cfd482ccb8a249863c60df19f9b1e6ee3e678dcf1d5860aa1a0377c0822f375b8d824670b508f91751dd7f8ea363ac5ec9f677a6609b55

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
c79ef8b06c1100dafcc1c4f5ad2cc32c

SHA1
7731a3441eeac075228fdbfb4a7dbbb2c559f3bd

SHA256
bf2fb77cd3859f3f14e31325891e1199458b8d9dc8e6197b5adec1ea5675aea4

SHA512
90b21d363d4c0ddc9349fc344f454e7be2b84c7a8656844e0f95e3bdddc676f9fe0518b2e0e198bfade4a61a925667a4e995f2d9e34f175b525e9528c33464af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
ac9f73a947d6c5fd49d7837c16c7020e

SHA1
0a55d4125f2791f7ac4c20a40f527ffae8c772bb

SHA256
dad9f770ba84b22826766990661ceab1ce6f01e9e2551f571f80c5ad1b835425

SHA512
1411a11fad90f52c463dae90f906bc43f6174b0e481c4990e1a6db06eb585f87f2df383337896d1200c97f0a8e3fe7f257750b634bfbb07708047b24f1b9efa9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
b5e606dfdd088b5ce6692e68c7fbd8a9

SHA1
e03364452a2f18be06441c04336ddba5fe506d06

SHA256
16faa09b618d3bff8bcbf0bb8ea08a8dabf45c017d504a67fc2f36f219e1d79d

SHA512
0033891fd2ec5681fcb06479efd17faec4a2fcd623d1a430b6fbcf2b9e9001e92ffb6ea18bef9025cd7c726962d62edafadd8daf53a0b8702def39577b77469d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
bc51237b8e418c36c41655a13b2f6435

SHA1
c23232d172e9258a111eb2791effb37167d908b8

SHA256
4e164e4acae0e3399c65cfde2567b489f203080b9bad426b027f9be549dff274

SHA512
b1e055c13f20798ab890d92152703b33f2a3f6f31af725dda5e47890fd5f05285d556f1f1af07c64c374ab2f5ba19fafd8c22ee79c1579ff36a848c01ccd20ce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
310e03828e5fa41d2475d6813401fbbf

SHA1
9a4d816580116b3b19ea75e2ef11dc6c3162edcf

SHA256
ec913ca6f46c198c31333c06d6a23c1927d2ed614a9ac73eeeff0098056244f3

SHA512
ba4e346f80e2de2c82abd2ec14f984fe8bf1fc9134c4780e2e6d0aae4f56d8ca91231d31fcb95fa65b291a42109806adb9b68c335f8f85577adec99dcc4c830a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
968099b9226b5ebaefd8c6d9793a4fd2

SHA1
140a21c5e511f653d6e3f6cbf37d269bd96ba28f

SHA256
8828713f5c950e3e62d9a899ff2ed04ee284a2e09671c22736cf9ec29bd62317

SHA512
0c97b1676f623d2dc390963dfcf29207878b8a72bbca765b2a00613b493a4cba16bca5fe709760d8a68f23e3267ca56f55b86ad98a45184d3d25c47e4f675579

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
e82a9f576d6f164c86d975194bf98c53

SHA1
eccfa932789541dd41482753fcd5d3d51dcd44b3

SHA256
4f29ba8c8d0bfc1fad50f6381c50506850ff6cefbe53144edbe56815eeefd34c

SHA512
607064621abad7cbb6f9c9d609f9f5d831264df1acd7b3f6c8598a50f0f1bd788469c42f393c335c7347c0defddfb80594b859641569f3a04fa56b1af950cf8e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
3be22e87e91c5e8ebe3b619db4f5b41e

SHA1
143c54ee04e5ebb2cfb30685132d0118c647fa48

SHA256
dbdd0b4d38d823d439f961b706dd6b6c0a5874dce8b6dcd73fa372cb0b3c083a

SHA512
769eab2c48d32ead5f0d9e29b4bf1d3c96aa8c843f7841eda6d7e97293ffdb635b9207f7a7027ec10c3c39e8d1c036557d2279b71944a23a02974ffec3e0369e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
c6518ebb694c8edef765c8ba026d3d3b

SHA1
4f3b3d3798a2fa00692d3e4aa20584aa09eb8663

SHA256
ba1cbd8dd7a0dbd3e7f123ed4e58e5dfa62626cda6512e5335dae056aa4c369e

SHA512
81d5871b79ec4bf541046c2041cb900a64afdc53995bb4588070f116df9e8b968b62a23ca25b4ea465e9488ac713c27c4c5e89b8f6dbb2ac454f9a55e0254356

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
d81529a4e3551c304148c6bae1556be3

SHA1
e798d006c0e891e243024b48f871ebfec90dfd12

SHA256
d61e8d1e9343b4327511936753e9417feef12edda874f687b72ca97950195899

SHA512
37ed095bfdd2a56b57b21330ed1a4acb63fc1f3939603b50a2995201f5175020ce1481155bb0b57887c6287f08edfcb9df31b54b8e2680cb4ee5673ca2e36eea

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
8f2343e80436fac6eeae9a8d0578196a

SHA1
196fb90ea6f4ced70efd8f298ab38f39aa876db3

SHA256
f9d901da19d07cfdf0bd74e049092067b921cebcfebacd2aa5e9118efd160e53

SHA512
392b5497f5b9825092527d89fda731a63fb064d779ffb505c2070b2a18a30c917e078fa2d8990b6271592933c43f560eef85a5ea88ec838bc0d67ce1caccaf24

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
c04907fc9dde039a7f70acb679d882d1

SHA1
c9e61e048a80a8bf74b6d6b218f26de5dcaae818

SHA256
06919ab188fe08deb0c00d505b321af2cc9b2f94314c062d6c5337dfbd4c7a34

SHA512
b738bf974759dc60a1d726e35274684ae425868e3da08c46e80579377cf8cfb0d27c19bcac68ffb140017d5aadb7407c75929a404f18cf881d584d7d27814697

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
f307c3073f350c9a9826f3f3a72eff9d

SHA1
8947636c3bd0732ff5a3a066a4b488d41fd50744

SHA256
6dde82ffe91509ca35e0bbfc0cb00d985b8977317426f147edaaadf8e02de737

SHA512
6d1250551550c5865d6e3a634528f3ba1bbbe1a560f19c06caa64dbd8e32af4addad4fe54cd87900c0999b704c3a8fe62d8dbac4f61dbb952452920c343ca332

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
42402693115b751131be13ccd773ad03

SHA1
65becc33596bbbcbb2ec404f50406abc2b793afe

SHA256
597a54c0c8a23870092fb0688c07184db5187fb96a2efa44c2d809f9065f172e

SHA512
974f6fe683cb52782dd269d7be3e2c3f71ffd3a95658bdc901294a1e23dcf6c3334fa272ef4f95a7cf9641533685800e613058dd5cd8da7ca745fd8e2c96e712

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
23880d9afb42cb65c5f963066cb854a9

SHA1
6a4c82e6ee3b123ce410fa2d4f2078149c9f2247

SHA256
38ac15ad68f79f9c141391dd6c18f63f0c0878752cafbf32497c64f266db3bb0

SHA512
d0e05711a364738367304cfbd4bec14260a902ff3b9a928275bc819ea19cf99920176ca701c166c1f444d43d2f4ecfc4039ff87b5dfd9f498a095a67519ecb1e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
929bc86cc6e8178678e6a56fd530297e

SHA1
7a1f71f12a84e471c12143dd697c3c9af4ec83c2

SHA256
a2c174d695b50bc58888e9dbd999229faa935b186380b598ac0d0eace26d5345

SHA512
002a5580794e0063843283c8096f29b5ead50b7268e541dfaafe3e8fce4c0bde65aa5b14480b92f6dd98919bfbcdbe5ed126cf2c30f892a08bcb96dda13c24fd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
93a1b8d4d17763eb1ff1b796b3f82383

SHA1
1a04994d4b4ee6fd72b7add91cccbba02e8e6997

SHA256
4d87ed016e2f7c0750c1168d1f2e683c41f4b378fde87e31a5594aea64818ccd

SHA512
8a60e03bc1e22dc8f6b2eb7756b10275820dba55b8462c2e6d6e565a69e637813a357608844f397aff96bd78eaf2669935c91b7932559cc43a25143a84fff7c5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
ef3e4c44a818f92790e4fe6391e29d4e

SHA1
f4167795ad8eb3989dc7561fdac4f78e7b676192

SHA256
373cf40ead5c04ebe7c217f64b7c3c68f378f770541115c3ce653ace9c398714

SHA512
b20e8607b0a5ea1d4d1a06ddbe2cadbbb0f0ae7ccec2f323b47c4285e662cdc88f60524d01be5012d71047facc9f89b673f841bb9d10fa10a6c8611ad2eb025f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
48d0367d4af5e7b60d60af682f711348

SHA1
b88528859c1a838bf290f4620e404fb175fcfdaa

SHA256
7ee317dfb3ac09b0fcae91e6057089e92117a53104a0991460de2e2dc939ce96

SHA512
7100c7432f64d0b876448a2d123aeba12fd622bd803e98b58ce3bcd88b5a3303d2e713ba23d8538fed71c8372910cb6aa20c70266da1e5ffb317c5b6284f6953

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
407b8bc62a269d23107a46e96657ecd0

SHA1
7bea199d056bff812e8f401f5af9fe25a18880a3

SHA256
290adcbc1ad51df18af9fb26956df4daa1a8eb003d2638bd804057c638115fb3

SHA512
125c021d6043e47d85fa345a7dd6ba2c45a9fe858ef7887a6ddb9c2d15199bb0da91047c0e6260e381bb60cb3012795a4bbb7af1ce211dd574575ea011384e68

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
5f644b26521f58149e92eb9448b4726b

SHA1
895b350af56865ee56e0ae5d52da6aa39b7c8372

SHA256
ccfa8c4ae0748a0339e5e3c9fc45d80d5fe1a9e2000128f9a732019f432c68e8

SHA512
0bcc1bdf9dfee943cbaf446fbd1844b163d9a0610eae4cee42ff352e88bcbd6edb830a430fd172cc21815b1bda77bed13d4f9d2ea68e8a98a19dc9c16cf65a2a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
4284921a686976667d1985d042382352

SHA1
45d218f06c6ed1400676555cf07010f9f81e81c8

SHA256
c06f5439c72862de812057eac62e42f140c481240cf817bab61d5b1d513c9fe7

SHA512
1eba7db82ab9ff66325f2cba50dd1365c047d94c424ce45b8a767d050962980faeadc7a0fea3111477a12f5fc057f3c9c7505b834eecfb66450ae6e43c610d20

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
1228ab7012b5e55c7a966c5eb47a4d5c

SHA1
c2de48931ce524a03fa8017d38fbf8b9954a73ab

SHA256
9501e97370b467b0598694c791f85dd37d5fc53067c56526caaff4e56b2cc8cc

SHA512
3aad787531db87dcba6aec481029ec33a49d661ea62e774faa6445218e3c7c7b80b764486301d32e8a9d99974bef64971abd354184b5f2c55085a60d5c1d4b99

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
6d12d9d39d1f99797e9eb96b8be022c9

SHA1
0011af6d258be6fed653858d13696d08a473a22e

SHA256
ea0cfca8da98b0517fae562365e400a0ad1ede1fdcb94d0e11fdcd2c1ba72a52

SHA512
9635e681f66e6c0f8bd7b766336cf51a8816cc292c455997a09420416b2773756c138d20f0490414c26bbd4c74a7a9bdaa1d24ba4861c5e920dec8ed369ee46a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
a9e5b24bd2b36ce57bb7d91b87557dd0

SHA1
b5b612653e8fc616f8834f7a6d6ce8a91076e770

SHA256
2157e5f24c5b82a78941df31bf4aaca2103102ccf1a6346b5bd0456387570113

SHA512
e9b5e0903ca5451106919c7ed5b76613f2ecdbd9e95085d1b0a09f0ec06cf7f5f878f9eef2519067fcd2fbb22ac3925522ac84cdd469e8a79a4e226e44a5a434

Download Submit
memory/2400-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2400-8787-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2400-8786-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2400-9019-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2400-9020-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2400-9021-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads