xorist | d74eb60d443188ee7e6d32620da2746a2c870c7f8d04390d2cfeb25f07185a7d

Analysis

max time kernel
91s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29/11/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
Size

13KB
MD5

b089042ca0da14d87fb124aed96f74a0
SHA1

bf6fae2e3ffd508af0f9f1a4853cd7c73131c996
SHA256

d74eb60d443188ee7e6d32620da2746a2c870c7f8d04390d2cfeb25f07185a7d
SHA512

51cdc5e754f19efbfd42339025765c3502c581cd4214a5074242a3f5b93ea94e62d95cfc059407e41fc8caad3e38860bc266e8c3f33a8f7ec375c4af4031ef97
SSDEEP

192:4zdrr1FG1WDCgmjPZg5NYpwSgMa27OYYaOCIX5jj2J/e8drXOUA:4prr1gkDCgSampFgVg48DrXOB

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/2744-8879-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/2744-8880-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/2744-9056-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/2744-9057-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/2744-9058-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2209) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\78ldJ46l75Z3Cdn.exe"	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMail.bmp	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\synth3dvsc.inf_amd64_neutral_bccbc5fb46a05558\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Reserved_Words.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_History.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmntt1.inf_amd64_neutral_ecf5cff2236b273a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc0.inf_amd64_neutral_c24bcc939e6dfc23\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_environment_variables.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_For.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ks.inf_amd64_neutral_2b583ce4a6a029a1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_debuggers.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00x.inf_amd64_neutral_808baf4e08594a59\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_pipelines.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\xcbdav.inf_amd64_neutral_cf80e4da1c95e6e2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Language_Keywords.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Windows_PowerShell_ISE.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_neutral_4ca64d28e1be8fa9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_neutral_7a5f47d3150cc0eb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netxfx64.inf_amd64_neutral_3336ecb2950fdc45\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_neutral_0b3d0d1942ab684b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc303.inf_amd64_ja-jp_b0dcc6693f67451a\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_methods.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Command_Syntax.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_eventlogs.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_neutral_86bb50f34c49ae71\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Break.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_types.ps1xml.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00a.inf_amd64_neutral_92a4c727cdf4c2f7\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdlsbuscbs.inf_amd64_neutral_351e56205fd4c200\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\imekr8\applets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_job_details.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zh-TW\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbw561.inf_amd64_neutral_fe42c0ff14d5562b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_escape_characters.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_preference_variables.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_script_blocks.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrm\0409\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nettun.inf_amd64_neutral_bd24fb174fabec97\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwifibus.inf_amd64_neutral_9d0740f32ce81d24\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Continue.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl009.inf_amd64_neutral_bed6224f27f5c478\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\Failure.gif	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_CommonParameters.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbushid.inf_amd64_neutral_6708ad28050a6765\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_join.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Core_Commands.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPSViewer\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2744-0-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2744-8879-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2744-8880-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2744-9056-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2744-9057-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2744-9058-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous_partly-cloudy.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03014_.GIF	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_off.gif	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21300_.GIF	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_hov.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.PPT	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\flyout.html	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\THMBNAIL.PNG	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14844_.GIF	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_ON.GIF	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageSlice.gif	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a2a11eb372246469\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_image-frame-backglow.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Battery Low.wav	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnrc00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_25aca87d57204fcd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_vhdmp.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e8e047bcc59e0184\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-devicecenter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_fc3e8ef154c20882\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..n-playapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ff325000a68d0e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..atibility.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2094082834165c80\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1cd8423c61339c71\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-memories_31bf3856ad364e35_6.1.7600.16385_none_51190840a935f980\background.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..ied-chinese-zhengma_31bf3856ad364e35_6.1.7600.16385_none_bf4b6db34317721d\TableTextServiceSimplifiedZhengMa.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bdadfd83b0b6c2d9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..tional-codepage-864_31bf3856ad364e35_6.1.7600.16385_none_2addd390b4e226f5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.1.7600.16385_none_48aef4ef4511d002\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.connmgr.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2d0a8eccdd4b2925\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_CommonParameters.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_en-us_f04371ec21c4626e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_ds-ui-ext_31bf3856ad364e35_6.1.7601.17514_none_ce73310d1634318a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-12.htm	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Windows Navigation Start.wav	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-scheduleui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2e13a6d8da3c0da7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmusrk1.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a1d2e2d9caf6cfa9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-diagnostic-module_31bf3856ad364e35_6.1.7600.16385_none_501611cee0eb67c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..confg-rll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b7ececafb7115d51\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..s-service.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0b87e3eafadb992f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-http-api_31bf3856ad364e35_6.1.7601.17514_none_53d2426eb3eb6414\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ipconfig_31bf3856ad364e35_6.1.7600.16385_none_a82ee2a7319fa8f8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-smbserver-v1.resources_31bf3856ad364e35_6.1.7600.16385_en-us_242b7f207b3f852d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wlanui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b1c047fbb97d6dc6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft.powershel..ershell.composition_31bf3856ad364e35_6.1.7600.16385_none_ba655d23c4e8149d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_mmcfxcommon.resources_31bf3856ad364e35_6.1.7601.17514_es-es_54e81c58c964bc09\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Engine\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\alertIcon.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_gray_snow.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\NavigationLeft_ButtonGraphic.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnky007.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bd86dfd1c4d5e0e8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.data.services.design.resources_b77a5c561934e089_6.1.7601.17514_de-de_eb0bf420116bd564\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.resources\3.5.0.0_es_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_averfx2hbtv_x64.inf_31bf3856ad364e35_6.1.7600.16385_none_2973b7e011e9c731\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..ation-api.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0878a76ae05990b8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-zipfldr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6f6cab1d97fd59a1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnrc007.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7ced3be0bfd4760e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_sv-se_a38cd28420bd9947\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..networkconfigwizard_31bf3856ad364e35_6.1.7601.17514_none_3712ac6ce5bea376\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f77bed28d763294e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-kerberos.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7d2a6bcd29d3f281\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..up-notify.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_be60478668a10bbe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..pbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_db9c255fd4880b2c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmcm28.inf_31bf3856ad364e35_6.1.7600.16385_none_d130a4ccfd6ae450\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehdrop.resources_31bf3856ad364e35_6.1.7600.16385_de-de_259677fdbc3d1d62\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\1047x576black.png	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bd5d3f940c611446\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.workflow.activities_31bf3856ad364e35_6.1.7601.17514_none_2aa8f972b1acd31e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_functions.help.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..diafoundationplugin_31bf3856ad364e35_6.1.7601.17514_none_7a6b897811df690c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_en_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..providers.resources_31bf3856ad364e35_6.1.7601.17514_de-de_2637f1a2904d46a6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f738b35ae7fc9409\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-fde.resources_31bf3856ad364e35_6.1.7601.17514_es-es_905a42a357358868\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_8.0.7601.17514_none_055d8a4166e66f09\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..ooler-ppc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_faa03e0f3146e084\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dsquery.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b2cf5a1182312160\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPHTLBAPSNHDKWE\ = "CRYPTED!"	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPHTLBAPSNHDKWE\shell	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.KAAAPEC	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.KAAAPEC\ = "OPHTLBAPSNHDKWE"	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPHTLBAPSNHDKWE	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPHTLBAPSNHDKWE\shell\open	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPHTLBAPSNHDKWE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\78ldJ46l75Z3Cdn.exe"	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPHTLBAPSNHDKWE\DefaultIcon	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OPHTLBAPSNHDKWE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\78ldJ46l75Z3Cdn.exe,0"	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OPHTLBAPSNHDKWE\shell\open\command	b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b089042ca0da14d87fb124aed96f74a0_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
667B

MD5
a70e7c90f6f2ea9b2bfbf81a9f624db1

SHA1
c82bd170aab5b1782ebf4b99e6f0ad7865ab2d6d

SHA256
4d4cfa8661dce61ad768dd23c81c70bc9b4c3d4698412f3a5cca8416aa826814

SHA512
e129b3b50743db0e8a45ed79e77b7204ee79bed78787a38ea827d4caeeabea4be060a4a59e77ee10ae9aa3233fe4caf89159c81f53e13c8c6a936501358cf4ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
51377760a08c50d752d2b3900293d32a

SHA1
2019e524b8ee34f52c41ae6d7e9ea4672fa11432

SHA256
289028e32bb52a434654381c11925be18871a73d3e547b618e91240de4b74ee6

SHA512
c0b5a219a5e5a48a93a884959a6ad346481639011bf5781f5dadc4307ca5280c9e602569071f3235101943fadb65e24ab43e9bc6ca7b0ad03b233c2bf3a53ef5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
d0f2236494496066fec58cbe57dfc9d8

SHA1
b684385503af7b771e6226304b4eb9a217d70d71

SHA256
36930f9de26d8aab5ac8a2f575d5a0105d47441cfeec9a542cb3151af97d51f0

SHA512
3859c65ff1a8f046889a132862f121ff3d6ef1febadf9b11737698f25505794e3b321a779d05d77a28d31d3755b1b00db5389de8513f8d5eaac2936225b75862

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
d2b1dcd1c48820504ab623d1f6ae8599

SHA1
01de5896f2be97f0d55b88aff281b0f2ca3067fd

SHA256
191aaa0b39a0f44f0bcb02ede93079efe53514f23fbaed543cb2faf645f7685d

SHA512
40cbdf9150458f97a6bd5ac59a9382656abe46e35062b9e29235f5acf669dbb4a3ce0936e649de43552473181841ac8c2b578610f47ead0b4298b50af4849bce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
15a63ad6b3f279ec7d459d2efc3794d3

SHA1
6482595fa6b42e687eb142f85a2fc305e7bacae8

SHA256
0ea61dff859d6fa4a98589929700b3eae1248aeb2adece6a5b82138c1ac1d0a2

SHA512
efcb28abc77bae558449546628d80b88e553642c984a0ff43ecf0713ac12bc15c46f51f3630c0204a2cc4bf84396a7a0c8078148702c38078c34119f41ac78bd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
12f037b527dbe6b4810d398dae75d34b

SHA1
d6602beb80bcf48d946cdf46505eaac4fa4d427b

SHA256
4d99430a082d69d1bfcb607612d83802a0586d00efb846971b9efe9490b7950e

SHA512
de1b273e81a3ddc745a5ba3bd922a19b31ae2ec032a54c988dc95606a80a107c5cfb71465beeeb672aa51905d42938d8eebeff79f46cca9b82f3b9419efde9dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
a0a049111afc2e75a005b0e27fd71ff5

SHA1
358d38b1876c25516b5c3f939c5aad2b89426e53

SHA256
881fe44b09a1bbc1f84d8f88fa54904bff14a4e0c0cac9eb73abadc16c8da6c3

SHA512
3eddb18928167cee68348b38539a0fa75e1a7e83eac2136868d5a69b3cbf188c7500368e4be87030ac81fb4865d65c19575a176f7e9d33dc293894304b27e458

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
80b9a14830617c130d698ee0b83735ca

SHA1
6f25ab0bca134a33986a713762d3297f0380eb8c

SHA256
119cea335e7a2c05b9cb275413fadce216fc1a91a29359b5d3f9ff936c54b9f7

SHA512
9cbbba13c622ee056dcbba95f66eca8a4356558d2c9b1022d853c1985f17920ff6e83c57d9017bab1d51eabe64e953d500b09e87a63a0ca540840609541f9d0a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
649652eddbbfe82b2bd335037b841584

SHA1
88fe58f4c4168bde9274490e9cc8610fbaeead4f

SHA256
a47335fbb84bfa89869d3d75c0fbc99bf82fbee5d214f67b6c5da5185b01b749

SHA512
4f873444e6cd0f5a0ca439d2de3d68362f19be7e5f229cd9e0d2c9349cd62dc534a401254f292b0f900e3ec11409b33a477371cb38c85f1185d26bd383e9d6a3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
400e43256b21bed1e513aa29e7244dfd

SHA1
4b8e23fe2c645f8a0d76f63aacbfff52e6ac0c09

SHA256
8a92210fb17bdbd1d41c8e5953417bcd46718b0a57ab50cc9d63bb757e691564

SHA512
a09ded0b3bbec840325347f2b3206560bdd0059fc9dbe561be8dab569d2abd896994bec188a71743acd2fd1d54ea945dd52c238cf2dea4883b62cc6e87bfdf7f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
05a0ee7a8cc51bac7acc5074220a7b29

SHA1
ef6267d8683131efa513d6bcbe2ef8806ef162e8

SHA256
813c1b77399ee1b0841354997c79bb44d13214e4670f7c608f0990c5ee557e49

SHA512
de37bf452c882bd166d99dcdc084c9ee66eb3cd11131f5d24faf93a7af00f8bb6dda8ca194a327d3fd7beec8386d836f733db44cc53e6b74e420707ac8f4bf20

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
ab4778b40ff42a406b0415c825c1e2af

SHA1
2a58a646f0a6a4606bd518255d23fa1d6736bbcb

SHA256
d247f05b48a2f1c46d35ab9d452da41f232987b7a1e38c0e60677e5cda03e16e

SHA512
3d8dd53263d245fc984d5e16046a29febd4799b83a29b322e8b62e804440eda33a1a1bcbe568edbfc5dfef397e1fc50d76d48efedd1f35ae8bf8c4395d5377cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
1a26af6b5b86db4fe571ff8f36f9ed0f

SHA1
6061266b8117f92d209e547f49baa2358aab6b7d

SHA256
520b8287e588e02fbfc88a973983990bc327de4bc3c11ceb53f78e386d56eeef

SHA512
17d33251e46c3e62fbd224c9769ab832e4ed055d26b6d1d3953fe08179985780a05fd12b7b06cad5f5a64d865aba5231dbb8a72bfa9fb6edbc30d2e457dc6d66

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
de04c56e47d413ffd79ad48a2d83045d

SHA1
d79bfcef016d78f187234a1744313f6d721eeec9

SHA256
935743656f86fa9423c8bdaed36a214d4cf5fff466cb91d43ac7b126ff6af312

SHA512
97c0dc3b980eeedbfa5a5f13b0b5fce0524818d52bac764e44466cae7f9dc532e20e9df0c895d36c97695d02e6ce1984b970f2a3b194f2ea4c8e93333936224f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
38f1989a9403c480480b790e84d253d0

SHA1
50c0ff533d4eb51cc5df93b87833997bb8f882f6

SHA256
9f3078facfdde093fdea8c5e7f7847ec63d5fea5ba5d852b752bfbd59ff805fd

SHA512
f4490fc065ecf76c5a0794315cc5400c24b0b9099addf824213c7d31cdb37467445bbe3e0a85a033136db80492d4c719c1384f65e705614a851fe37968f29fa1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
76f607926cc83134bd8767466a9e99a4

SHA1
4a71831836d6fdeb7bd8e753357abec12797d2b3

SHA256
b64b9e67de00176a413fe01a48b29764476bae48bc322ff04ac867d3c349ef36

SHA512
423001226db29074c46e85d39d81b721c13d2cd193b2511369221ee1316e21a021fde8ce0909136a7007f5b80d1f876728b53a13cc6bb9d048d5ce78194d425f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
2befc9de8c94276479870e0b92def38d

SHA1
f01a41cc67d4bafb3c80b4b066141ca1c534774a

SHA256
9ff53c2e11679fbe032627f7cfa0d0b5a414d15e2f2ea6ed74b749a34856ee08

SHA512
cf665a5e08e8f25e39b1e96c9c9555946afa763371e849a1412cb7c2380725d90b5edfa8e0b2eeb12951b8c97ae68fccbe2b490cc0aa35bafdd992e51e851109

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
f18a5e63b2b6c51ad496d28ed50ad797

SHA1
4c8882ee63874ed0d22cb79a67ad0ff16519a3ab

SHA256
e80eecdb051a9bc4a3bb718974f7dd470241b2317015a7457b6c5d125c25842b

SHA512
ae176c0165b917446f5fcb1843e0ee315b422d26801c88af3ec6908a0a349056e2fd6d43f63c069cf4f6a2ab4eb765dcc4b08dc6cbbf689ffe236f46f6d937b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
5b99ee0fdc7c9f70b98bf29b2ee41384

SHA1
f42a3382a99c01887551e060568cc0fe868105d7

SHA256
b909ddef7630bfdbde2152ea32001de9ac033f790d6b8e2f52bb1b7ed0cc5ba1

SHA512
49b58853524e13790afbc7f8cdaabbe81b79a3432841d3ee6398ac5f0a466c638699e1a450bcb862fb64019fa20f55dbcd44d029c109d98ff95e3a235a719c31

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
6548552b7f386dd3836dd8a80a8cd10a

SHA1
71e8918d2a4808f11150d3531ca53ca1155742df

SHA256
cfb43d3371267f7a9875beed3fa4535cdb5e92d4993a801cdeb00c9772dc3594

SHA512
da282ebb2bc2fab95fe62f1ce7ca7600cd5ce29c22189db3497d6fce94956941a365a7f511499284465389c0da32b04ea8aa6a1f25c3b5247e8d467aee84d8e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
9db133fc8befd469731612581803155f

SHA1
e9aa5afe0766ebb27449fda85db88c278e5b227c

SHA256
58e855c5072d6bcbf0f2719ebae83503082d8ea0b2a23e512b4a252d846545bd

SHA512
92ee6295d63bae2125a6b3989fcd81caad7b7e4c017f62a147bbff1dc9ee7bf7573b2fd5cb0116d16d5a0bd1b00f1634293c9fa2e7ff7b56772c11f729f53cd7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
99fb6bc839024cb38f4020bed581a158

SHA1
b9591f7c5e9046220201c0dc5cb93764a88eb7b6

SHA256
94c345ca126eebf901eabbd028c2e97427a5acaece7f1605a5c38430ed3f7694

SHA512
e2d2e35a0c91cb1ac4cad87c6da60a9502103667d6fc81044dd8a29bee4cfcb40931409e1d2df53a816acde6a50e529df04acb16d83e82ad29749f1bb9448d41

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
0d6a4ca515bbe462ebf753c58fd2f4d0

SHA1
349d6703246b2d547ccacf67aa2d7ca283a05eae

SHA256
fba1d8cccdae846bd28a8f0990f3cf0e83d2c852001a975bf3c53dec20849dcd

SHA512
b7e02f494eb4a31ef48c283c11ceeb0d1640287b8df942914f2c7a45c35974cf7a82de157606b03c63ce28d6faa390b8219a086b75e769bb1190bdd5283b3f64

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
42b4ee000617b607ea19006ad7553072

SHA1
eddabd5a573048f30cb23e988b862021959db70b

SHA256
8b078cc2fb8434a8c36e48775854e97aab68b285f471e2c12e0bb743d3559c41

SHA512
68eba4f625daf75a81681c6a7ec54fe4cf7cc86e1dd5837a3c376a0d4a27ca12210311f369c684ded2851dd69cf60bbc6bbe6ec160bc4ed02310ee4e1cd448eb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
4b3b6d103df306ec7179f940fcc126dc

SHA1
700b39e01177fa92dc9d2a947615b7b8c909c26f

SHA256
22867329d16fe3fa71e588fbc8b79f5cfb228e5a7cf897ec292beecf71598516

SHA512
78f172097586868f455d3c4b65bbbcd50bbab3a3408e8b367db411c5ef6cea2b67400d389e93e507486535f9f93a0754fa4ea5573dda27b518a10b469039cc85

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
3e095b6ed74b60d156f9b5341b824042

SHA1
bf9c4f5571ad90494ffb6a414e89783627ffb7e3

SHA256
b409d7b184eda850613c0117cd141f7068010ba1c796bcdc92185e09d222b97d

SHA512
8511578ebdf926d54ad75144abd1229642068fea9e5371b2044fd778addd4b4ce8453a375c6ff2c50cc64beaf0f0aec1afbc63b289ad49e6803ee1f601e0dd11

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
1f989bb687014fdb9ec06e8da4489499

SHA1
31b0e25b84130744c79fb54ed1c119312381f4ee

SHA256
eb9469bf17198ee1b2f7e20cf0f3906faae50af562895c96e96508f751fc7ef2

SHA512
8efa0d9437488b3bf19c27411c1d735535cb998be839a6e662b19abcaa1be3fa2ee0ce6e3d56746678fe0378a3315a3fe2fe546d5a13bc6dab83a511f65b274d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
8f983e6faad632df6717d80c3847bbfb

SHA1
dadea857ba8e6a7296c945565623f2c531085b15

SHA256
e7b8ea2309bd93904248dbfdb19534773deca89fd2fb799b72f484ebf4b976dc

SHA512
91c5328720c4d31867127685a17574318cd917014096a40a3ba3aaaff32af56ba418e865024fd810fce8fca0ea47f28d41f6f3d99ec452686b427fc2a3841d87

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
28be84be51056abf39f895d6aa7f3eb4

SHA1
3a3bb9345897a0dd96402a25a4da9be33767137c

SHA256
0323f76fe18b891cab366a576a4e8661e7221ab99f3fe9bdf17af20389cd3109

SHA512
f0729e5b990653aed300e03313c7b6766c77f0a8b76ba847a6ca6086af4dea5a710005e8c3ba6c413279f319fa88c39958731861cfba6d120034d340adfc43e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
339c95ad37ec1049b6f620a0aaf22086

SHA1
33b650f67d90af614efa50facd5ba032bf211abb

SHA256
a7b93c8cf3272ae5cd54dae7ce18794eb3abb1b02f73c5c2e6871d902366fae9

SHA512
57a521e4236fc4c7e31eb7ff365f93af3077952a031522010ca679bebcdc6644cadfb2557fed520c11f83b59170e8067e069a7be06d3ebb3b5e5947459369915

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
b25213b2a0e134c46074c5e2784ff465

SHA1
979c0f5c29e1e59af7329c14c90673198809e694

SHA256
e48a69313b847b0eaa6422de4864fcd41134bfa2597c44daf87ac449e627b245

SHA512
53bc6e70611f5c9f0a56cf0cb7dacced46c877bb49312ab6fc182efc8fa156f6df2eecd96e589923fa8c48efccfc98e8661561ff766f3f8e922d66ba42b39139

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
31b9b43c3fb5c0ac9f0710449a08a1e8

SHA1
3e70917c644222ae1a9d83cb36be492bca8b73f0

SHA256
380abd744c7a1dc2e1d8174eebc9df1103cd4559d86f4497f179bc396293b8af

SHA512
164290307599e05e903c75dd58eae344ee7e82fe80e7da620f801cfaa56ab9ed4b03d2e8fcdd1245ddec291328664b6b8551c014246ea4729bf942cc3af311db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
33229217f469477c2c48e236cca3c01f

SHA1
2ca2ba7032ec98d2f3e445a0f67d83d4dc71770f

SHA256
fe7a42596f34d4c72c87c0155557118fbaa49a532a04c8cc9a642827c868a103

SHA512
484771d85ae71445f620f9c36acf3a98a9ca834cdffd827ce22c7bc4b3c63b09a0dfe3481ee97a8a7d23501dc7a8ba969bfb8dda3d86fe011d54c8feb8cc8595

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
d591aed24aa639933c2069c0e43bb3a9

SHA1
57da66a406c3cf7af92e5577d408665e6b4b5b58

SHA256
2f8353767bf69a496563f68c113e2e36dbac3477db7b00fe35b1a250aa8e7fc2

SHA512
e6c6601eff64e1138b71151c19d34c13786a1d1b258d4e740231fc692a1e4125717a7146ba1a0249991dc63a428adba1b6933eed9642f824bfbeff3206c918e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
fd4fd87f827943b7d0d6bb90d7eb345b

SHA1
e09d8b3e930d40bc303d4048f32161fa2f2c1781

SHA256
7b943adf37ed785b9c81c34365adb65c768acf91f3eb1986c148d6f1f1b344ff

SHA512
f7a2937e954e060ad0c2aba4d3e3962678d2426374c84f803436fd8e2ac915311fea9281896a6217eb171f87060146064ee1b60486f7c0edc212c79788ffee1e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
5628c35b5ef0716dd3e1d6f6b733df2c

SHA1
9e2a9a32f759a85497bd6c0b8f2721eff84592fe

SHA256
142ed267af30b26778be1d5f3763f3ada877efab0009d33877aa98a9b71aaa53

SHA512
c222aa7a9c9587dd5a0de36f6addd05652ee412d7a44a2440c3a4af16101c34a759b669a713c889be65db60561387e12c365a104bea51870e002ba84300917ac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
fd2ed7592d2ca503f22cd220c0f03774

SHA1
3ab7e877a1756640385916988a0a87aae56573c6

SHA256
bf9217c0f0126362b1eb619d27a1746368c5383b68aa974b2dcb03a0d7444bcf

SHA512
6ff65608aba518a83d2730a4a1324ee4b3857791e317257307fb894f6646b079058ecfeff81650068e5900b7019b064cf5e5e505578f12b6348905257657305e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
7f61a3169feabfcda8cf0fe7688a174f

SHA1
3dee0d1f32eb031b4924f7e2885180c399668f3c

SHA256
22123bfb3f31fd24f75e0eeea46527b6d7d7a4ad160702911f17c619bd6db390

SHA512
9f8cbd826f9ad56d10c90438519efcc76bf276299328775fbf1aa23dc9bcd3bda102056a4717f6b0ddf80b325167a717d95051111fdbafb318954adf9f6676c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
f22fad525d56084d9ca4fce5cdec59b4

SHA1
e4acaa1e193439745f29a50522c3ecf28ee8dbcc

SHA256
deceae1f4e0583384f05554378e27b27f936b5f2039509945ff516fcce626bd5

SHA512
468cc66ac68361f201ca88352c48b5e847e0aaa9427c10ef33902818218a95ecb55a81f3cb51edbc907ba82eacd46ec5b29515646bca84dd86df22a358073103

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
4ee6fd5343dc19cc04cc3890e57b7f6c

SHA1
a04a2eadbf8b5bb114158bde9b8a6ae464fad252

SHA256
c5a1c1e0d738b52ae5df37c93f04cbfc05119ee4325450245a0bd4ae8bc8a800

SHA512
b8ee512be348b68ba844a4bea690bddadb73a70377a9b37d1fd9dc6365f02e18314a723713dfce1522f90f7611bbd78cc58209abd949f4283a13a18cf34222be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
909c80f0e3c6038c96e92bca188b09d3

SHA1
0d3ae5d28811a7ba99d8d0bbae53dc18a4d664bd

SHA256
03fd53bebc88a5ea8aba7589dbebb85b45d6c3e8d9cf32b3cf69a4f0c169cb6d

SHA512
13bf89d584484731f314eed96c41590e27ddeebf8d6c7789359a9e3ee43920b84b1520339cb010ca34fd35bfd740f663442cf2bc64e86dcb9dde5152b22c14d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
c667a798bf0e6058b65b49a624517b7e

SHA1
7710fe5a5e35716d91ec8297eaa7771eb035c17a

SHA256
79a9342445f7ff7ffb20d6793507d57b206357ce06c3b2313212f9eb4ff6711b

SHA512
f491a6c6920b44b203b1c9f893182c33fc4992fa0a01683f9328422920a2cbbda8e63f841afe9dcf0e7b32d2589db0ef58349245e3684efef09b0471af18f6d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
b2a79b34aeef328c684b0004b85c9dba

SHA1
48206d58aae5197aaf2e30c235afd066a0e26e92

SHA256
009af815081006c78d2aa86952843b8265598a23e2415d993994b3f19819dcb1

SHA512
d7dae84488430c355b5fae41acdf20a9bbe82133b2b98a496c16cf98936d5dc933d0cd154dc9e5c4429eef07f292938e603e084fddda474dc7d118c0e14c5f7f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
fdf7c0290ff0de7d23e5d12180f73814

SHA1
3514553e352a0e1a86e4f5819c2c6837a7d24e9c

SHA256
aacda162512dffb98745d32883bcb97e2ac12b48231c036a431dd1060f97a0fc

SHA512
648299035d0ce67301e74d8cefb33d04e41dd96448045a890983f1f0a019b8df5e9af6378d89c86df1c49ab14a0b435b254617fbf23e10abb05a03513ec4efe7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
560a4334739539684275e0b25bfd7c19

SHA1
0d3d0996b0ccbaf4b59b099f159ee2f9bd5e37ae

SHA256
7a0db6d80be75236540ca5517f2084041d7649fcf7996247d4030cbad2517486

SHA512
8bd92f6e546ad688a3527cd6a0085861e69ec4e3b6b7efa2d479c7f4e81b66c7d59a7c61f1451a30d4df0149ff56fb35207de78fbc1fbd9572e832a8bdc8f2a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
573eead69c7b0b2f3e61c2e67d6a8fc5

SHA1
c59cad4c543113f7c5b62767e6a2a2740c4c77aa

SHA256
921eab9b1ff8047bb30ffdf2dc0aa8053e1a757a38fffcb6dcbe695929a5c842

SHA512
b06bcf05f73fb57612089e8620a8ec70aa7a28708f9664b6e578dad424db2335ba84a4ca0b4954e42858ce0777cd9bfd4a9ecb07819815473e9b42da74113c39

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
99ad7eb6fce459ac0d3a9fa5f7bfb3a0

SHA1
580d50ff7796ca1d4d2c3e21e46c80c09afcbe15

SHA256
ebf1a5d3dcb929d96fb53ab41bb0f8e354462405f4c55ade5c83d6c9ad6e8562

SHA512
50eb12a18a860a145d1b904a98a5af6ac1b835e012244d92d0cce8257c74c9d2bdcbc18bbb3626440ee5f2a6c65b945e24f00826654099f02b1583621354503c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
1fddb3ae9d39d7acdf7438a9cacc11a7

SHA1
09c5d8a547059c3260f1e497b84e66b505a9cff4

SHA256
2b08028be1457b8c3dad0f0dd341460cdd1d5379990e8bb5fd5ba36e9e87933d

SHA512
9db9f29a5afd51ce57b617e3be93cd3c97453a544e11c7207f65186031271a1ead815124c0aaf63875435805bc503dbba53580d7f49500e99c67f79ca498c3f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
36369e1455422fcd61422c1cae61105e

SHA1
3159e637e37ac90d7d1f33ed0aceba97187232c2

SHA256
78c06ba7defc0c8dfe183a94839ed48f22bf9a5e753c5211e38068bb1335fb62

SHA512
ca39712a4acbb6df96448cca302e7a4ba43215eed6d88434d100ff9e14d6cfbc62a0055bf24325e4bce95d612299464bac51dfdd6e59a9d61d7ca9caa56a7ba4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
c6942d29c2b29476bc59caca33ff6663

SHA1
58f121f0b2f50d29d5b9b4f58a32dc9f891ffa41

SHA256
c01c97b229e4ec8e9453fe78dab52a7de7af480725a3b2d473dc996cc116c933

SHA512
a3df0e49d581de324cde2697b7bd5782559ec6415d582923298fd588e7ed00fd4457c678afb7c295c3833b874f8b15e77215adcc53997349b6f12a1d174b4d59

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
3a9aec5b83abcf6161b92d52b831375e

SHA1
f6da0ec59557530dfe39572487709db9a638a60c

SHA256
a3d256e179ab835f7d80681cc0f9f77b1c78e50a005717effdf93dbd50c070a9

SHA512
3592afc00deb81f1e8a930233bc196829ba6121872f2a7067a803487eb4ebdfb803e8900b16a46929c6a13bd85ae17f81ff25c6108357487176ff2e1f02e9bcf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
50d2659c224eda40ae79bd589b4efee6

SHA1
539c1004399e2c8520410a6c4d0d6069a5119896

SHA256
34663d5332d00b262d507c3f8b2123a7f0efb8eaba572ef906ae27a65875d1aa

SHA512
88b8ffbda2e1748963d1f020bf388ba259cea412a430c8a2cdac807b287f1885fbcc92f9ba4b9da98170a424ec831d737be7705fdefb27fa066c0008d2c9746c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
3477c6dd2036acb623c24c9f2ec28634

SHA1
ad61b430ff428b1af7dea2e01c75dff1ba8d68a7

SHA256
13eb441f06cbf804baaa88fe31ee78314079381a0f4814ba047d0d7d19b21fa7

SHA512
86212f9733545ced2105651dab3c4903db7eb2ec1399cb258ef4ab65b0aad0e46d5bf0fa86e800667c04ae3bc5cc172a20bfd9c4d12bd121c423b29d8e58c613

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
f96453d913c0aa11d0c8da46f243937c

SHA1
0b40e30905dcc3e2a82c3f80c0f91b968acd5af9

SHA256
052ba2653105dcdf07cc4bf563d4791b3ada8740f953a398e3922796333c9c6c

SHA512
e14fe3e4a1f897e3b1676add39768e03df963247e3e6f2b7173169e8bcb2d82ebe541fb09ad9dc4c1a8453697eb1919633a05749fb6d071d78f13f0fe885ccab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
8e835f8577a9f28d90ffba3eacb1b020

SHA1
9583f54f5f4a9f57a6c8a5114b5b6da038376983

SHA256
953af0396e30fc2749158956135e03539e6a5d0f491d668a02654f916903245e

SHA512
a279a0fbf94a142d5d6367467f964dae80a6a29d760606d77f150cc61e45694473c74b3bbdafef3ade764dac1f3f131252f0b542b3d15864f3ac79c8ef438ae3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
47b4cc0ad51436a51ba6848af7d86059

SHA1
0f1b12cbd17aba20158518d0afe3ba7e3066562f

SHA256
fba1fff8489a24e41eefc0010452f85968354f3e7da0d08b2db4ddb3dff1b455

SHA512
5f993ae6d72fdd32340a44fd551133fcc7e27bce95d6762edcd9a4cc546a2e076e66797ee446c95e321941f5fc1896d80f9ed0e93dcc16ef9e7e95f431518f92

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
6b196f94d37a6837dac8a1a077a06f7c

SHA1
790c45d3327d96594f3ba9da349d0c8a6fd44a31

SHA256
4ca13550c442a08b7057aaea02a85b3d1edce06d151cff6b818197c751f5fdc0

SHA512
160646513ce918a863c5c0757a5f7d7844a22c87a3de4fcbe59d232402c09ee362b3942bb51f08d929b48362f63e0c0429fe3ace67094dccbde0596c4a7faa39

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
d18cac0ee987e427d97e16faba9148ae

SHA1
0109b5d503143a26033f34e44ccecfacf3b4627a

SHA256
9909375d29251c41b0e283405fe4ee32ad1e4ce924d598d88d03e008503dbb86

SHA512
e8a2cd99a2790b3ce24975c1e817ca55be950481ad9047f504aca321330c772298bb579912db97d402c8eed97da731af9753e06feca6140f4a520441117c4b1e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
0a3be4569b122c8963fbe96fac27f368

SHA1
8b086cd6ee8b43692e07e43e802faef686e3a751

SHA256
b6e41a8bab85d2e3b7d61e675a9f1371cd3e0ea537bd8bfb808ac4fe4f5a3429

SHA512
8c5b0f50ec1c4d14a22277f13c36ff0cc93d1607d3390c4e2778a76fba2d5e9b28bfe7cca3e45092d3f89ef3ad82b09e834e6ab7720939539d5a321a9e5c8ff8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.KAAAPEC

Filesize
12KB

MD5
9e48aa7413d180e9b5ba7185c84a5b94

SHA1
2a6b7dadd58859ae6542ce679a104bd087cccf0d

SHA256
e03d93eadc6bdb7b6d68891c2c1edf4ed41b5dbc0279cd8b3c0de376a1129b20

SHA512
07122e3cc865a7eee87a50f0fec911da846e467adcc3c4413486cefd933acf4d877110a7658fc4be0c3d9d3ed4c058ad30a80fe7a6855eb8e396a34da658b97a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
ee9710d1587011b39edf496ace75a836

SHA1
113b721b261086022c08eea6f529ccaef1f905a6

SHA256
23cd87d42562f9fb75f14cd0e39041543dffea8d1c92a2cb686c1fc61ec23b72

SHA512
ff7dfd53c886b21b1e6cccfb9a77e9f161130a5f365eac014a4c3cbb9fb8e5760d8be8c5ac2440c1d9f8dc34f2850353dc46f74ea8d2fb2102b77b686684c3b7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e105658a1f74fd88ad0f8edbbbd554b3

SHA1
8631c76ccd4cf1f1fd9d374959e3ea517e814b4a

SHA256
78a1379d087d6aba03630e79b665817651e737b89217ab55fa63fa43406c5a9a

SHA512
05560053f5dc49141a5ee82595cb84b212bb508d99cb90b51916b6b1b21d9e8a67efe85ae1b0f41298947e4a85670dc395fcb5dd4c955a3a7f3195331802bf10

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
c9c43a0fe4dd6c66ceedbd6458f17698

SHA1
d5f3da4a2ed251c243a74aa1b17bc18ff519e2ac

SHA256
f4b69a33dda0cb8665c5f61970212a4e49f708473abf45f1f245eb9c203bbbe1

SHA512
ad51ba03d02bb128b0623236f9b27cb0463f623d2e261733d397a444ae1f14ff1fb71dfffeb62aba455183693f935dd895b84379d727e57339bdd015c5eaf6ee

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
d7f8f1f7f7cb59afb9da28d81da70df6

SHA1
45d1b7e6fcb2c430f099b84c98e352e735ef633a

SHA256
a9f593b81745821cda5c05010432b60a7ede634769bf66d8f7542c29550ab709

SHA512
c182b40cb1f84fb16c17aad52eea2755adffe3fec8f908d43fd1c1436c84f10f26f6da7e5e37c0a50aa72338e4c55cab64d3cfa56261ad3c7eedefc99605e970

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
2e807570091704a9e7244b362d2cb446

SHA1
37aeddf63077f10465bece50173e274d8aab5486

SHA256
8c5d3ea4c236110a1ba660a2fcd69a9e8a017057a0dd2337bc78c30424d82ad6

SHA512
f1a63e93c5eee65bd9fd13b2c9a522a64e2a02e4ce06031d56bce85b50d48a62407b145d6cb419f3d257fe1ba8af34f13829bb394a85b9bf6b58b89d9fb404aa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
cc7a8ce0b1e27b9210bfda5b29c3f636

SHA1
7ef87422e44bc26aec46ed74cd54501801a4541f

SHA256
93f201daa50c5b5dd959e54e11839c2730fa41b55497108153cd91c86b23962e

SHA512
e25910ef6087d693e755142fa0c4fb6f1ae18323f66718acb4ea2a817daf22fca9a5934a9f5e8be013f98c0793c549883208e7c8c3eaa62efe8430f64fe7f264

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
90fe25a5fd05443e98b1a4b7ce04475a

SHA1
e74de92dae374dc8f01def4cbbe08b114d5bfe5c

SHA256
56da39f715356ab30a0c18d30cdf3abd5334707cf7b53216e741b8bbdae99a00

SHA512
003b9110f0f94ed3b7b3e77c3084502ed6236cc739874d12744669f2650b9bce518afe7d8d07a3ddb5188c9e1a2029b449d069b43e47160e0cfd23cf98f3d665

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
837659b2c43603c0faeef7c8b57c4743

SHA1
1d87ecdb61c16eb38b56923f16a3f780ae21f6d2

SHA256
2475c7b7915e1ded6109e43cae4276b9e70e404385dd96e9fdd7750d74c925e7

SHA512
e07fc5782826255742d06772bf4b9c483ce5238e8d8925ca39cbf1afc6078e25c6c151137e1b6f46b91e6819cb430157ee645fe5abfa501b83413db7663a8be2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
b6e3aeff0d47e9cc8a64c22f8170ee52

SHA1
2cb01eb6d51fd5bbc003b10547b58e6d7e77adf8

SHA256
dd5e7527b57e09cb7d53b7314daaefbff087f294d7261c713a497b2f4162827d

SHA512
66d0fdcd08bfea3915c3610a9cf0420eec581d62541f63cd40dd2b83e0aea30f8ba192aabc648b437264e64a81706582e33d65d2ba559a20e810eea503ec614c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
b30e23255d3a3e97d1a9846bfcaecf14

SHA1
98703b7940173fc92429cc0d5d2ad7298384ff74

SHA256
882a711eb0d196cc7b1f0a4976f70b27c40f49fb50fe9347b365de198d885989

SHA512
0745584774fa27612eaa58ade6aa7dc8fbf1d3736ebe9c061d0886613b5a47b8b9ecbe8eaa8db6bec38c001f4086d58ac93dbb4b35777ad255d0e3bf5a5341fb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
3d3cff968fb42d99e0e2f0722cccda5a

SHA1
79b2afdf16a814ba36bcf6ee7c700980f45fc06a

SHA256
6d900608afe49ae736fcd8923c7b059c0b95639f7d0a375e357ca3ff7e2a41ed

SHA512
f357017c9c01af21f9878ac9096e53c6e3e61e06005e938028c2a917a9e9010fbde4530eeab24fdc9b0669593b0a6a121f9fe7d9a033a066f14e533f97cea0e1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
8a32c44f51bf0785f34e1b340bd6b672

SHA1
da5a49203b5e34585ea533e9b1eb6c29909aaf9c

SHA256
e989417720f37aad798d8db23941fd8c89d297597a63e753a5dc42e9e9837a7f

SHA512
1e423bb605e3bcbda2309eefbaeb321ec11fd218df031b170b7f3325b9749c03ff790849c7df8b08a284417cd75f53fefcf8f84aa149d56df5ba93f1337db5b1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
c927455acbee9f5e712368221b240273

SHA1
e6de40a549d1fe3eff81d5fde1e3ca73baa8132e

SHA256
4db06342c6c756dbecc4cf27a64a156df4dcd7a4c5ff8f57276eb54706f53b34

SHA512
c2251e04f9a5b0c838a3cd22b3e7d752294776279a25f83f635cf6fd75b0bcafb8d386552f1a1713ad583c64391ea863e6fe21df1c35f99082d61e9fa9537905

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
32f75ac729732295e3aa07d15b1e6354

SHA1
02587d66e7b05bde296764117ed19f54427c1190

SHA256
05b39cb296fe4b260193b429be3ae1af291301dabad9e34224321c62352f7758

SHA512
a9e555efce5bc367dd314f8de26f5ebc97fcdeb5c85a9640841b4140c2c7b059683ed7fe68d5d03297f81f386a8947ac23102da51e847d2b1261f352abdaf623

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
0f6e528e9ff722defc16cad172f42557

SHA1
58142387a3e77119f84c0629164b94f64b7b66f4

SHA256
aff632c1f63eba0452a4503c0d9644d4736aa35ae2b3342049ac57ebe47cf4e9

SHA512
d334422268cdc36216f72815299643eb377f95087463703f95622f7be0f00a6ebb92e3c3eec28e7f748fa4cc0eeebca291f78a2f40e9da386e7f5ab8c672d8c9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
718720b48fbd265314249c4f401b2acb

SHA1
2f9a669d7430210784d01f13180686f8f14cc404

SHA256
cd281ce59b3d934a8490f2426b69f7d2f217a7f781d7e7a467bf50209d323649

SHA512
0b26ff670ea87a612f11128c7be566db4111c553cb4381f46c9e5afcdd862c45496855a4d4e3e8da1195d252b5e096bd36eb605bbf5ec249358746f6c41a1cf2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
d01558ba077850c496416171df9ed11d

SHA1
8c86b1f53c065989f41eaab7141ac0a200989584

SHA256
d3ffd42876d79f3198824c0c373cdacf62bb0ef14a8a6576b47f0bc69165a18b

SHA512
c2c24e45e46a317cb60d15a215a9ad8a7f42c79fea89064c98dea5dbde70d5c53e87415b03ffddb556df11f87eb6724af0d5734d84436e9bc0d4350a7e69f539

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
efc30b62617319fe70c9addf1c432679

SHA1
85f5fd2ac6a332e995f67e4587d5ed5164d2faa0

SHA256
3e1294c53d795cd521b4f515ba259cdb42d2b88e97074a6cf879a2c1e71b8ca6

SHA512
c6ff229f1de0c14a0f476c2f4ec99da30270815fa2acafbea90760040d5061395f40de35cad6ffc346b57cf36cbf749d98ee7853b93633a720317f516a756305

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
e068a7f021249dfb9085f9b7f79b520d

SHA1
72d72934fef75fcc35e6f1826792ed27bc427e04

SHA256
2d2e91b9f3174f88778c81f68e29691e237eba9a9a95b0f3611fb0964e280db6

SHA512
e9fa02aae1f2c71e3fa1e24919327b97f231fdef8d2ba77b8d3570cca8ed69b51dc50ac4bc618a5bbcd4ded19ada3d1f29a8324b93815c9f5491694630894f88

Download Submit
memory/2744-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2744-8879-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2744-8880-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2744-9056-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2744-9057-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2744-9058-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads