xorist | 1293a6ef273eb551dc2a634ff8bb6723fd4fdcf4a0c8d88a9825bf65405b448d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
Size

7KB
MD5

b639ed6b63209bf0ab2a5b144f3fcd30
SHA1

cb5b7f4e3be0d8f9078845dd4b3cfef17e252432
SHA256

1293a6ef273eb551dc2a634ff8bb6723fd4fdcf4a0c8d88a9825bf65405b448d
SHA512

c4efd3478f7ad2cc4db4457bd0a92d2186ee875bd61ee80547b6ed990ed3f50b988fe058320c7a17c9a058f1d427fa5e23ca5b54886112050be9efce8a59d7d5
SSDEEP

96:1AZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihExAQbodG7GqqKZMUA:uzdrr1FG1WDCgmjPZA2ZpZMUA

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 6 IoCs

resource	yara_rule
behavioral1/memory/1988-7429-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1988-7430-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1988-9075-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1988-9076-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1988-9077-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1988-9078-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2198) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KYiWj5yFXd01P6p.exe"	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ksfilter.inf_amd64_neutral_86311fdf78a07678\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_amd64_neutral_668286aa35d55928\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00d.inf_amd64_neutral_0600b2ba575729f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_neutral_423894ded0ba8fdf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_jobs.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Comparison_Operators.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_cmdletbindingattribute.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00e.inf_amd64_neutral_0a4797d9b127d3a7\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_cmdletbindingattribute.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_eventlogs.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_neutral_f77725472d91b1d1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbusvideo.inf_amd64_neutral_8f9a8242d3699a44\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnfx002.inf_amd64_neutral_b6dd354531184f64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Automatic_Variables.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPSViewer\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlasat.inf_amd64_neutral_bc1469ba40fe2114\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_environment_variables.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\xnacc.inf_amd64_neutral_13c4e272a96185a1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ko-KR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxfalpal_ibv64.inf_amd64_neutral_4c42ac5f00413365\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmminij.inf_amd64_neutral_7c300346e830b2dc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnttd2.inf_amd64_neutral_9dcd97ab7a913b7a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_logical_operators.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced_methods.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Throw.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WMI_Cmdlets.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_neutral_0b3d0d1942ab684b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lt-LT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_do.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prncs302.inf_amd64_ja-jp_96eca15be06b1482\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx004.inf_amd64_neutral_2cf95f307381e481\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\faxcn001.inf_amd64_neutral_d23021a1eb548156\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Quoting_Rules.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_execution_policies.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_neutral_ae5de2e1bf2793c3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Bluetooth-Config\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1988-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1988-7429-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1988-7430-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1988-9075-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1988-9076-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1988-9077-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1988-9078-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10300_.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21324_.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR20F.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\PREVIEW.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\whitemask1047.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746G.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10358_.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\BUZZ.WAV	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\README.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR40F.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR23F.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseout.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR19F.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21305_.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_OFF.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14711_.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\settings.html	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_ON.GIF	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-fdeploy.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0c122cfc48d72590\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..centercpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_771a5388e183d666\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_sisraid4.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a287bbeaaa72af42\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.windows.d..gprogress.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a3c603c86d812f2f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Language_Keywords.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msports_31bf3856ad364e35_6.1.7600.16385_none_8cf3709c50984f07\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..spp-tools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b5694087aa5a965f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationUI\3.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..relevated.resources_31bf3856ad364e35_6.1.7600.16385_es-es_83dbde299525c2eb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ribbons.resources_31bf3856ad364e35_6.1.7600.16385_es-es_572ab74fa10dd77c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1c05266de8a7a982\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-winhstb.resources_31bf3856ad364e35_6.1.7600.16385_de-de_294057caa0539950\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..component.resources_31bf3856ad364e35_6.1.7601.17514_it-it_d7009ddd600aad0c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Windows Critical Stop.wav	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a644c2d1bf9c0b5f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_nulhpopr.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ca8c999228c91ccc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-eudcedit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_faad07b2e5533b64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\inf\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_faxcn002.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b8facc39af572619\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_megasas2.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0ebece47fd7a265c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..keyboard-korean_103_31bf3856ad364e35_6.1.7600.16385_none_1339db6bbca0b453\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2d85a3923c5c7157\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\TravelIntroToMain.wmv	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-transactionmanagerapi_31bf3856ad364e35_6.1.7600.16385_none_56ada62f354bb10e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.NetworkInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b661d7abc4d159c8\epgtos.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eudcedit.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a23f4c127f87c066\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-18.htm	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ender-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2c687fbc1fed1fb4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_sffdisk.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ce490098e4623ca8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wiaep003.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_38b653653c7d630e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\MiguiControls.Resources\1.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-networkexplorer_31bf3856ad364e35_6.1.7601.17514_none_4259cafda42274a4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.1.7600.16385_none_77bb8934c5837c8b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-diantz_31bf3856ad364e35_6.1.7600.16385_none_02bb0612dc529329\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-ux.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1c6d88b93efd739f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_prompts.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-o..lfeatures.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bf22eedb3ce0890e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx-dw_b03f5f7f11d50a3a_6.1.7600.16385_none_a223bd3dd785391a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.Linq\b357f35e860204c5b74e1388f97db058\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-artcon2.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f68f2f3f7ab4a846\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msidntld.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9967206457159152\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_6.1.7600.16385_none_27a7f7694b388c01\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l2na.resources_31bf3856ad364e35_6.1.7600.16385_es-es_020b6045f219803a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_caspol.resources_b03f5f7f11d50a3a_6.1.7600.16385_es-es_8249688aa2ba4484\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l2gpstore_31bf3856ad364e35_6.1.7601.17514_none_7be61e8338badb67\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\inf\.NET Data Provider for SqlServer\0411\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..favorites.resources_31bf3856ad364e35_11.2.9600.16428_en-us_735452c879aa5274\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4a7fbba98600197c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..siondynamicbinaries_31bf3856ad364e35_6.1.7601.17514_none_f08b571e7ac4826e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\inf\.NET CLR Data\0407\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1040\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-advpack.resources_31bf3856ad364e35_8.0.7600.16385_it-it_3a81cf2d637ac8be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000463_31bf3856ad364e35_6.1.7600.16385_none_4e6e45f0b1b82500\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..ng-common.resources_31bf3856ad364e35_6.1.7600.16385_de-de_220827922584dc2d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mfreadwrite_31bf3856ad364e35_6.1.7601.17514_none_177bed732ea3f85f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnrc00c.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_203b96cbe00583bf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_debuggers.help.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\43.png	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9335f7a3da9ee7a7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6e1192e8ef37eb59\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lz32_31bf3856ad364e35_6.1.7600.16385_none_ee846ee2431a083c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "EGPKZMQGRDBQZSH"	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EGPKZMQGRDBQZSH\ = "CRYPTED!"	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EGPKZMQGRDBQZSH\DefaultIcon	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EGPKZMQGRDBQZSH\shell\open	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EGPKZMQGRDBQZSH	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EGPKZMQGRDBQZSH\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KYiWj5yFXd01P6p.exe,0"	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EGPKZMQGRDBQZSH\shell\open\command	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EGPKZMQGRDBQZSH\shell	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EGPKZMQGRDBQZSH\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KYiWj5yFXd01P6p.exe"	b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b639ed6b63209bf0ab2a5b144f3fcd30_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
299B

MD5
b28829aa51a24c0452689df2364c7430

SHA1
1765a7cdd572757ec40616946ec022e75ca77c7e

SHA256
b0ab3473bb61bf150b9112814c51895be2cdc6284a1a0f9e8c04ab62367755a6

SHA512
57e6c8f60dbe1c0e2124f918bff16c5b9809be0163cc646f86336f612fc087e70f300e3c80bc3ce2f81c00037cf1bf47ac24f2172110e1b20cb104a645f1caff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
ffe019e61ab357c4891f85abb5676488

SHA1
3eab2453f5bb691e1c99d30f54d83712cf8e7404

SHA256
3fcfe3237ec26e104bcdc61af3d46051ad3a91387c1ca9e2da4aed8821e2524a

SHA512
edfef15274e0081d69bd78ee42a15763c6f134cbd28e4b81a0ad9b4c3073130dac238c86bb1fc07863e04b0524a4e8859c7e27f6a43d85abb9774098b0e49df2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
908de2bc98a57f745f483aa2e0931bd7

SHA1
3fef5eca962a2a654e05cf6bf7fb3f0104311a74

SHA256
f9f59447b925112e172c3075a4f4ea6b737b5fdf05cf33159f1fb725d44fe366

SHA512
32b7b8e797ac5853029f81905d767f8533a60bbca37660718b8ab76529c881eee543e425ea5278c4dd37c3c2d0a01d1638fe00fffbe00d4d0872c2741d3adf3d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
11033caeb9577a569cd716450ff9cdff

SHA1
5c7e7455e805c5db3e6b72f5bc5d24c2c629f5fd

SHA256
2097e26eee03a26a857fdfdf1c528159e5a9249284aac059d86dd92bd1843b96

SHA512
8fe218f09bc9929c715a21ad2483fc5c457426de390bd0e8f140b46e49e3482782b8b1e39eb2414484b83390397a25064170273fd3bec2d480b949030bddd0b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
8f40e69c0d24b16e431f746d18c2d15e

SHA1
c6ad22ce548ad6316c0fa4bff654cc57f0d4cbf9

SHA256
7db52bb36766aba3b5ca795ac956a31e064a06322be5861f40cd99692cc270d0

SHA512
8e94d9773e4dcab5c6a0c6ba406ebea0effe97a3a74bb7aafa89455b0ea0fcb862c68bfb78c1be53603614b360a334a439356537f3c9755437a649605bb8c42c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
738d5e8f3f54d5f699e78abef78ecd74

SHA1
a752ec36a39109fcc183d0574c95874872af1303

SHA256
3ecb95c1af724c801cb2f3d914fa7fc0dcdd909fd304fbb70d131bd9210dc1d3

SHA512
062188f829aed7279f14fe9ed41b6a3af5b3472446f559f90da7941e8f9a6eb951b4e22147a9dc069486e9f95e37ee35f45817430301916edb235beafcda5d0e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
ace2fc946c21c16003ff5fcb1d0ac1cb

SHA1
ddb3b2d78b7dceffae2b8b6d24243f5c4d58ada6

SHA256
57414850ca9d258f4eaa034557838dd9134bce2016c7f7847049b0bd53cfc11e

SHA512
06e50d42c3c96ae23420921ebbdf9eaeb0ea135f68422aa4c8886c0011e4c037a30e9cd776ba18afdb79848c7ba781ffba128a576950c8d408943fd7cf6bcdef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
7525b625f68016d05220d2022ee1bed2

SHA1
aa3956cd35c99bfe6dee5cb90576dbbaa24683cd

SHA256
c8a862e8f459e70d92ba1a9fd45a1f8f17917a450dcba7059be486c14b51e984

SHA512
067a05129cb886abbf39a644811b484fbf33a341f7c8acddfc3aac1e869f8f09b9e1eb055d20e61b7e3c129e31259ecf3e02b239f0bcf05207a08974a9418743

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
a0d0d21bf0b05f1133220df787f77cd1

SHA1
3ae916d954ca9e9edb8b3b1877cb320caa50b06e

SHA256
2fb4ff2239c9d4b142c2b66c632d88a41e9554cb5bc8f1a245882c4686989578

SHA512
b4922ed8af82459542d5ac83c7e264af361ba7990fa44d4642f6562500f5208c059bad9730668f2be8032f57fcadc851eff1116061ba4db5117b370678297bae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
01902b822231643ca127fa6fab68e7b4

SHA1
02ba0697e1278238ea88f21948daf4100423c534

SHA256
f84536d5b6d4496b52a4a3f647bd5b313e7a213d39e3266ddb562827579cba2e

SHA512
2f21cf81897468643dda1aba658240ba13a3d858ca5b412a6f6068107dad8717afdbe91c1a053e12c037e172b83e4b1b56888c1e30c157651b26f873f1e5f954

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
208de0b3a7c2b121f7d08c02e26f0b49

SHA1
b0102d0c973fb3ee7048c96193a26c1c5ef2acf1

SHA256
09888624af65a29fe9e319a630c5991b47f005f959868cccda67344e76ed2835

SHA512
bafa72a42097cb24b9c590cc156b1907e548861612521273254959bc2830ce4747ebbe5f8b53b2a97821b566e30ee98a672d404d494eb867bc1c8fdc3675218e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
48940896ba43b2e557343a6fc32318a6

SHA1
bf8a88d1c3e2fa4c882c299a9424fdff41ef9b9d

SHA256
e8441e88e3e33d8dbfaa6f8e718d58253e32f88c83c649de19c1bc3d36152021

SHA512
94ab53b16e22c3bd82e015fadc31d1f4877612559552fa04b87f473c7937cf819bab120dc12d6d2848d4597822c49b4a4586adc15ae1bee29e161552d4e1a2e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
5a732b5b44adb74fdf4f020e17b32c57

SHA1
7823dc316f3cf1a85fa5d56ef7ce07fa22e1d71c

SHA256
8b3cfb4c0b9ef59e0e53b7d961e8117c2aae22206f43b06d5dd59a6c8adf7346

SHA512
fa982670c0bd23a15e6ff670d26ecf984ea6a04bdce4d05fb0ce7c455ff3abe9f738ae21e43ce272168351c9c0295415cc0e842b3c303a6a61915b18dc5d72b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
736d9277ab02a3a8c099c44f7e0e03e6

SHA1
1eb0fe2f0b1c949b73c14e4ab401d1a13690327b

SHA256
8ad2df4912ba4fec336b41ae644e7fb1ec010e95a720d98a8cb6aacda2aaaf77

SHA512
57d31cb297207d47981f23f324eb4c8d6a1beb3c1d5732538ed9a0e90babed96eb6b67938d2dee5f0a52d03f6f877b151e623ab5c588af9a0dacb3e808ac45c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
2ac9363472b820a74e66a0fdc8013066

SHA1
1a3fb44feb1170986b8cc996ab55ce873e895732

SHA256
c8c2c037e024dfdd4e4dd34212bd623cd41404c6d27041b2b691324db59787ef

SHA512
c2db9547bf6e638372c0accc460daa8345066843e8c81e913b4fb123747c7437d20189755ad93ce8d5e1fe870ffe36a99e520d5dbe03ed64f123149f58f391a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
57f0c1d2e9dffcd42b77ed5330312c25

SHA1
8aafaf27d3d9601860fc8d8f89583e48373318b6

SHA256
c68c6965f21d5fdd3bbd418a2b002486877a2b30162a9995cd6c0fbdf6ef7a61

SHA512
ec63c5a09341cf3d936a64a31736e135c81c3878f0bca8a301e08719a85795003e85168337ce4e2ca6a3ac3c63f8e58493f6fe7d5fa40cc861a3b9f91b2a2ffd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
b669a7157d1c3241a67822adbb0039dc

SHA1
f599f9ae2ced4eea61116bc91c84c0daa18f935c

SHA256
24bed6699ac41603bf45b3b863a1960c65e01b0f4a23b7a5f65a7e0287e02b93

SHA512
46fccc7cda32b2f91ea0c05790109791e817530d2b98214574d690f6e16f638cd528186af56fb3a1e1146b6cede03030dd4bb6d3919e4300a6467f52a6fa42e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
ef6ca8e5c7c86f11d1d47f6ca8604185

SHA1
97e771ed85ec28312c8e6c6628382c802b79d9f3

SHA256
5299b6216059d817dbe3b35aa0223bd4f26580921ff648ff061cb4826f7a3772

SHA512
c6b4d310c9d4696c15cf8191c19c20f35c243d85a3e82251bcc4a117f9404ae94b6ad110ecc1518d952617a04b9575fc910e54d4d1a902baff93cd8ff9f22a77

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
fe2b4dfe7bf65532e8c232294dbf4b41

SHA1
cdbdc86ad4e5e8faf62516d6a51828258331a7a7

SHA256
17e47dfb83f8839db355d4edc725b3ba793a0f93efa0da0546af3ee53b11dcd6

SHA512
a22b5f1e834d1c7589c6d0e8b449f41c53e87954075be3003251d7a7e4d20e1d3dc23570cb846e4b02e983a62bb2970fce9863e556c7836caa7eecc6edfdfd7e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
afe0d1582f9c59ca55edfb32735e4cce

SHA1
626f8b4d8ca1dbea3625d213d430d21003e49a40

SHA256
b0ea40603667802505ff49702a2f9565864ddf976f5c6a7a9a98e29260ed90b8

SHA512
12bb44f83817cfd3e488520e7a290607b4b694febebe0885ad555d8fe5a4183322b2374b1907c4bcf94546b7f0305087d11fcca74878bc07fd005b72a4338861

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
50796f7db170be8c7228ad9afe86c4e6

SHA1
d299887be98233fb49d29560904b2fc9bc9e0f41

SHA256
441baccf55b265cda3b1890d80710e4d5f164db366f763929cab14e5ce18fa79

SHA512
dca7b95c1e4feeb51bdea09b2ed3bfc1c36d0a24942531043e9eb7e0eb9892aef13e1e554b7e9af79ece194d033bfa2965a2cc0f3b4f16fd9e257659580c6939

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
0475d3a01c163cb6fd6f6d6d2bae944b

SHA1
94d3862836362225c2c1aee0bdaa59c94bd39a25

SHA256
6b4340553e1a9070f94a4becdebeb3016ee7aa0a74db30bc46acc2da7ba55466

SHA512
78c8437f76abb7531debbfc634dc119aa532162eb10efa06c567287fb84246867eeadc892b148a6a1bea06de2117f7c37c4a77c8e31df5c8340927157169e4ce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
995cb25640d37f92b8c3606bfaa3b5e8

SHA1
a6fc80678446b15a62128269067962b1f6de57ee

SHA256
9634ce4feb46711164e5576a3c1d6381e6385799b75e254e0a4ac62d0ffda091

SHA512
7f39a94eb3d5bbc8e17c1ab8bd94924cbff13685a827c48a625d685a8e150b9f08cf3b320786f7efd67b3a4c979a1f75c5844c3366bf781612317522b03bd874

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
94f23cd41518b85b451e30f573cb2877

SHA1
60442f5667a9ac10a87ac2d5526608f3af7fcccb

SHA256
d1860940f2672f8ee9df1526247dbef8eb58b7ab2c3489b438fb8225971c0e64

SHA512
35c9e2eaf5a3fd420b0f5a85262a92b40717a0b4f3d5e1b6083fb9da8f77fe1b0f3ba1017fb6bcacbeb80b435098afda82d176e3367d99ac106417e2523abfa1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
0327cde4692178cb9ea747b71564a4fd

SHA1
329ea497453277535451bcafeaa399fc0da595bb

SHA256
d7b55732121abf6b7602e85bd50b74ba3641a76a768b1215010bc62552e0ecd1

SHA512
8a6c39ead090bac619ff5a7b511841301ffd0d97b64e54f7ef24e2fe4f61e0470dddc7ac984da68b7ab20c6831ca225d30513a606072e6249c0819dd8baf759f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
44130a125e3cf7efa7572831bc0946bc

SHA1
455d0833bacea948592fd0bd1a05b2b2d3f6e4fb

SHA256
3fe90f27a2f44cd7d9dd96d35c68204757cb496fd76bc90f3b0290cf40f3e2d0

SHA512
9dfa6a37bf367177fe2cf6383281ce8115f19d44806fe4e578f8be4e7d85e4ff91b8198151edaf564f316623d430b5259fd53027a1c0a98f45b56aa47b70d9e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
f08bc94fd429fdf68e7745a28bca344f

SHA1
bb999041afa2aa254d9197f2643ef47056f1b531

SHA256
7439ff9252ac211805769290e2e674f69016cf71f0f10c6a3e8865c42e517db1

SHA512
8c25a9de7d697e85cc1b2aadf9ad7ab8297c169d29c6a7949c6249da5d8ef9e05253497ceafeaa42432272f86e70f11a6e46737f60f41474b7a38be4b0fccf13

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
87545ff0f541ccff91dbaffbb35b41d0

SHA1
3f1053c860ea5d5e3c2f6a4d7ee99074d2c0bcab

SHA256
8ce773dd8cfd0cf2952088cd295dd1444734deaeb1f537d69b15a6f1e744f580

SHA512
6d07f7914230638b6f9aa6c4283f54d5f0073ec377042727d04901e25542393d070dc7ab8bc7c53f2140179662674a2fb5929bbe308bb8ac94e4e699fd82d637

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
c54e6516d60774c41bf33632d856785d

SHA1
6e8e7ca0cbc7d04de2da757916c2fd30d275ef6d

SHA256
bedf996371059475314609fcfaa204b7a3c04948ef23fc10068afb3f05b4b65b

SHA512
f194070a4798703b46b89472d3ba5180e170e54fa3bf5f6e9fb9efbf7838c3bc38deb691041771b555b543a81c37f39f4e6f5a2d902d7ee4e20e252787892772

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
ff914c132a9765885a9e02fd90b931ff

SHA1
83ca3993b16d708be226965730c7b27d269d88e8

SHA256
3f9f5b4f8a25ac8ec65cb2840b37db4ec47be54a377f197ea4d64576ca6bd8ca

SHA512
6d489256ec936734f117d47fd2fb9cbe108a8613502b521f34c5f5c2b3eccf3e0f3fc884235037dd2cfbf3ff27f59b266cb23ea3777d0c16affee3ed1fa0f035

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
26bad873faf1b871c033bc9a96ee11e4

SHA1
e34ed73d06b874b1cbd43285dfb01765c68419c6

SHA256
7a70e2e3c717bca7a8500a486faff2bd037bfc00b3af9f960bddd938c191e0b4

SHA512
a948342625dfc0944c59a936cb743493e7028da557e3f8263a81c6e32d63d1dee124294c202afe924562f68216cbf40a73802c29f75a46b76b4ba86c4a00a281

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
b54f773e4444d7c9169947ede8750a4a

SHA1
191ef35642aa870ade3bfdb122509e4cbe66702f

SHA256
dab1dfd88e39fae75c40c6c08fbb06ec001b2ad91a3ea06741659ba1858cacbf

SHA512
f62da12d288dfe3a326d4e6e099f4fa564e827f4a527ea1796128a77fc91f5c0792a2f6bac2c21e033f0f976817a05e779374093f33bf7a7412278fc088bd3e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
d7e7a719a8e24f172dbeffa06a190c30

SHA1
14192f875a04bc2453e4ce89b04710076810fea5

SHA256
f18a20671986b7448e82c69504d67ff80c2d24b39effffdd1547913f72247888

SHA512
90d45d67904bf8aa67d77eee718711ecfc90afc5b9ea91f744c59a800a073ef114f8dba41edbb3e5dcf40d7e8efe176d780ddd8857a82a687ddbb865eeed0d1c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
d7b83fbb366ddb9f74602a00a3d0cc6a

SHA1
7921a966f9ac06275f94606c72c0aa9477ee5d9e

SHA256
77e9ff49264b0122605f991feb005bb76adcc29814c5377d9ad8c58d1a660e90

SHA512
e0bad0cdd667d7202077026b8ae6405a2b799c8b315d694e469d8198199b8d19b6b300426de6c1af8d45fb11d7367ee10c302ab889a252029bf3e0e233ed276e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
26d4dedaee75438fb2d2fe1d247e9345

SHA1
3b741dc207a6c46a699a8745c67d034ca2a28a51

SHA256
f6f96f412a6d8ddb03b82d0caa84747b8b777cda968c2e4b2d1915cd81eaf5b4

SHA512
ba84ff061283df7eaf4648dded6007fa4324d80cdded465feb6aa42fbfa15c7992307327cc961ea6f502133b5bbd99c7ca7bf92d43d311cbc43e00605a29745b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
d8d036fa9ef16752c713e35f5e5871a0

SHA1
9ea852179888ab56f97c2ee849d32d312053bce6

SHA256
dbc438ca67d262360bfc8712b7cd69150494ca21408b8ab15fa879b86af48200

SHA512
406009b492ecef65f07b1d9722cccd9fed3d23ceb3ac61463cc98143bdac7f0c154035e6bd5ade4d55c960a3fa63fae9c42c6705fc5639cb66da08b1c80c8899

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
f6fda4cb190f4ac4ab2b5525bb1d94bf

SHA1
af32d2c897f4cf6c6718b889d090eb620c441654

SHA256
dbfe259772dd54e31e97b79d2a7db9d7b41f8605016077dcfa2ce162ccf67423

SHA512
39efc74f12a243b92441c896b52a8b68802dfd220d6a067d054f62f6c145050f0e753e47fa982a88d2a217a626db53978c3ea0bc0e0ae4f189509c2950a96284

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
1600a40472815d6dd83242a6c65808f4

SHA1
43a6960e29e7eee0cfc50d992f9d0e22d4f93609

SHA256
2e7fe4ebeaa07479cf6f5cd8ae7e8d668a660929a60c12dbf74dd8fc9150cb71

SHA512
860590433a76422af37849276755016a3cc5528e86ed2c8552fd66380c754f3791c59c732a5fbfb74e43fac632f23f82973d7a0bdf759e0e3762d3446b8a1c49

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
e4186daaba22bfa478dc51a9a160b5a5

SHA1
e5962f35adad84da9c3bf7237e635c72af6b6e4c

SHA256
49ec688c48c3ef28bed9660de39f64c3663fb62af7a849a40e78762b86ed0e09

SHA512
449150afb19871f2ad7524933e7d28cbdecab6bfcfbe1743d73a9ffd20fefa130031d591b7aa845519f7e48cc125ef95dd40ee7cbc4b7de923d902fbc0a2d373

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
a6926840f590a909b084a1a8d02b9256

SHA1
e4c097d72d51202eceb414a344644c8d90d966d9

SHA256
db77731fffe53a2961e976a8b9a463b29998c243648da8349ce098bdd8635625

SHA512
da80893e100798ef51a07ab3f3a8455508d9ee7ecf59b729cd945ec0aa82931a8b0227d6eb3437721b84225fd3354bc56ea989748313f6b15a45dbcaecaacb47

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
69b6d2ad6c4daa2ed21198224a37be5b

SHA1
2326f4be3af23e3503dd056d5e866c1adeca768e

SHA256
e039a34aaab9194050b4828e9a5f2713a4b078bffed66a56a09663ee9e1d5544

SHA512
20baba0abbb8e390576dec02b74d464f28ebf7a0382c929dddf43b6a0a1b09ef586802a0258517b185a75f5cfe89cfcf604cebf7cc504d9573a9ce3e30897848

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
503e7746d715ad64ef1f8c02685de687

SHA1
018a39ec07a995e5aab9c6aaf2d2a547f7f96a80

SHA256
b3cde8261a8b1144dfba62a13b53db75706927f0c8543c765ec6372954ae444a

SHA512
579a0450a7b380d32c072e7cad88613c913068274495ccb34a316210f7e3131e480c2541b0487ade42793a6665da0a6514a759fbb5ec06db44857910d43523f2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
fd16bfdfc3f011ff41455d9fe6723732

SHA1
ac437bb579263a60f010b57b891481aca864023d

SHA256
513c5af4a335e5f40dc46df8a8db403cb7b958f9800156ee870d00d2ce9da2df

SHA512
a67e5ca3e32bf6a1492b863eb53795e64b2501d64cde9e9f54e19bc1705ad97d0ff04538b03246c40dbd4bbb32917d5fd3523257be0ac5940721fae891c47e10

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
6ca3041ed3e7f4e2ea1ff32dc13f0e16

SHA1
3ad6c72bc7410657983bdd036545ef705419d765

SHA256
1f5132c8886aa9dd43f1fce7a9aec89d117ae1077010df52b3adc43ae94091d7

SHA512
8361ca578c404796bb676e3b905a83efbf8bf596e102df17d3de13a6c379e309cbe788b7e03d5702d46d5ff507a25be21c9e521902d666be5d8d89e77fac7f0b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
d92321254ccdba68458180940c8bd3cd

SHA1
8d26fe3829ec31c00ce2a09d9a9a3e85f8a3b3eb

SHA256
a98a6375b9f5f1593ab590cc7d20c55453ecab8fc08fdf5ad4b240a2856dda5b

SHA512
9bf9d1684bda3baa0bd9848d0466a7c505a606c7552f7a5e4fe14331c954a2593614c6e3dd8119d93bcf837f129b56c947a602dff8472d43bd5a47abadff1e7b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
1715b76a1f99acc23638924078a25f37

SHA1
bbae72b14eea92a66870428d0c6cacb2872ad1c9

SHA256
f17ae9b09c89b493034d02aaad4726834efdb91c14e8582f2950bd7a2c17b056

SHA512
a6a5cb7a53cd1e394a7b324909f21ef663e9282be6f533449a7766136abe33791696d6838985c8445d8ca48bdc5ed3563b612cf20bb0c372e47f3b2aaa30d4ca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
19cb483fa74c8d56e0ee06c8b8379d59

SHA1
fd444693c5766aaa8e1fd04da78dfea691dc55e2

SHA256
55b86800dfcdb8a458ceec95ce92f2c633e45282dd0dba81c2716ad7b24b6dd3

SHA512
9840feccd5885d84c6eb23d3c30a69a62c422d5cb6e5ed12ffd88030fb753b2563d355fc92a02b32aaaa492ffc65afc3e9d8bfe18412301472dc1abb831d1ff0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
ff9d48a5852dc7119047d5463058911f

SHA1
a66711e67e693d5ac8d9faa56f028a0b71aff100

SHA256
cdc388bafee9575c6441046d276ea009ad5899235a8505b1a8d87dc4b86d88ff

SHA512
9a4f2eab06a3b4511d8f6000ecf560d903a221c822b08a719305598b5e5b8b779ea195d85370d1058653a2af3f35e05363d1231f9a2e6ba95594f04c627db0ee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
660dfce18e3553d4eb0fe9a9c742b8c7

SHA1
0541bcc091e513bf63f66d22f1138a01c8923ee9

SHA256
69503202b210f7d17625ad2149d6a355169dc484cc984f07bd226ad89cc8c6fa

SHA512
fe25639d25ab84ec4e90d30439a28c3105b1b5d6c75f0344c7409324e247901d95e1f13d1ca5eb9436e4c794dd7330334de1e5de666e1d82c880ad2e963328b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
fab24f0196b783052b835cfac43467e4

SHA1
653f6ebfa2a91065971c52c2840d11cc1e438398

SHA256
ec3e386fb2a85ac7257e05c60f8d3ce84d9a30b2dc4789c2e6631b9e81fc0339

SHA512
67601d1d56728ec1927c6dcfd27a387bbb88fef3f41addfca1336049dd3714328aeb3820d650d9844a29393fb064cedda2d2ab009d97bc748951fb841f80d068

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
0640d2f3ef7cf477eacb4235cfc8c6fb

SHA1
79f0eb28fc40a0bd73e787843604d11beda1cb7b

SHA256
e739a77b184d82b16517ce2538e63f4864922c5157840a4b2af5f5bbcd163e2c

SHA512
cb1b01bf8071d199aff34b05837ee723906c56e48afefa86622a8a5f5899ada5257e1e1ec5f80ec6038910d5ed86af4ba3b7c3f2b7730660eb1f62e5de46a95b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
0bb6eefa3954c4ab5d9c7996923dd970

SHA1
4a3c88791c7f38f9e8f8af618df48f426c8e8d5b

SHA256
27cec81cd638fb47fac81fccbf21ae4e22ad616d04a96c9870db8d3685cdf105

SHA512
3fabc5fd9f17de06dc6e33212f41ceb1329c46937eac7a22b17f8ccb12940c0d3ecd0ff8bdaa402f0da487333bf558bf2acb356f1eb9da021753e39fff7d964b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
f225ddc9638a2d1b11a53e9e98021448

SHA1
b73906332a22763085fb4bb15dddf5d74586b595

SHA256
aa25b8b874b0c1bdcf854592d82fae4469809d20a8e61db490fff1ced0bab912

SHA512
ae93ee0bec8a4d607009f1e33ea79c7684387fea481566787f64623d4cb082e0a4aed87dfc820ec2be3c6ba44a1e89d6c79fdd942e924e76012d009e8ce32734

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
0f1965d16a525b3e8d944181917296ee

SHA1
ed17a1be61349f36fb0a163a0538a04fc914aea2

SHA256
997bd3d613a978ea70bd9bcd155ba68afaedc1605eb5f8facb6b2e3eb49fee82

SHA512
6e111e13ea4ad321e230df174930fa997876a5541e610d7863ddca0c9549a3204e96ce15bc8623135e7abde789497b2e8c8b9779d239d1eea378e4737dbd2d9b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
b0150f58ac7302df844f5adace0e701f

SHA1
baed9bf1c8a7422b539dfc26148bc4c1ec6b02df

SHA256
69af0f20971a938bc479a93278a00d2032053ebcea78d8236e784a12f4cb97f0

SHA512
08cb20a4b010f6abab23a21056ca74007f95f15e78aac959b292dea5556504991088862523f8478ceb73c2ecfd6fe9cc1d733de438f86b1f38bc2e92b3405659

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
4dbb5a129a0e5065c435415b8f6b92ae

SHA1
7d85a63151e3d0bcd52bfdf91fb318c2e1f2aa81

SHA256
0a93380b9e06aa5bba122345213afd6a4732361827450ec5edee221cb2945f3b

SHA512
88f9e02437b8c2784b36d0bd25ecbc4dec7ff4908296e29114b7d27de5b924852dd172172a1dbd637a39caa8ab56a416789de7483a8426a2e219e837c8ac4c11

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
392dde70a6a2f09030a1b157c1b58896

SHA1
20dce5a5a993bd094ead12005824eb2fa87b958f

SHA256
0af42ce7f7f212535db72956833f076bef63482321f4a9c03b965594e0ab23b8

SHA512
0108ffc34450a8ef27fb3e1711ba9d123c3cd056e7951fb30a7e58d6d26bc2fdc5432c8037732e7d70da9f95adadb3d1b4dd461e8fed2a742c6fc24e1e7ef61d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
a69c53ff5b46f4a774e4b1abcf3b5c2f

SHA1
d6cd5b92e0ea256fbe9443db7577001a63189944

SHA256
99b9e0b47301203215de76531b67bac8f0555a2c4d60346d4c80bfac189c602b

SHA512
df3a07109ddd9c921e94fb22a7410b3163aa0cc74207d14ae8d0d39ba98406ae8525c46990701b04b69259835eb7f6babcd20922858cc0a203b07dc963031389

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
a98afb980e56b2a55d58dc8d13d83af5

SHA1
8fc9e2b80a5254ce0bf191c29e394d770586d4f4

SHA256
d13bb032c4cfc14225804e142f649e8827c7259f1bccaecc2939088c9aceeed2

SHA512
030d83f02e5bcd1ba231bdffd7456c5e6bf743b7683816d5813940df979c452053f45509d5f8330d54fa675c10f6a6c92cc33d5b90c547fe14158e8f156a0764

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
c41678dd684bf06e53a6245b53968128

SHA1
2a027bf562fec840a1254e9ba4c48029ac7879ba

SHA256
8b46f27c26058882537eb34553d3d54c7a8c31c960286c16c95b6d90fa81aeee

SHA512
31016a9419edd42cc14d1f4e002380ac65c6d686e62ded7ad1e61dd507ef81930ccd2946f3bb54d0b2de16722e6b707043cc7fa8cc4f7b9aba93ad0f6c92de9d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
3b1403c22bd7611593a032024d74ec50

SHA1
b09751bdf0a8ef6c32428a20483530db5a429830

SHA256
920b424fdd13306ac01ce4b7aaa9f11501958737650771b4cadb90e9d69772be

SHA512
d6c34859346b6ba3aaec2719ed6cd12b3b98be2cc8a67d539868453cecbd9ff2a9f30c750e7bd18948d9850ba6d5e32d20cdd58efc2db35fa9a34866ba0128fc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
0e0e5839556df9e904504b261ca5e5be

SHA1
27ea17a924900e8ef680e0f81508a8fd87b456a8

SHA256
04bac402879bac13719d12e992eb8c877455089db1ddd5186d356b1712f6b2ff

SHA512
6ef95a1ad5664a77edafd25df0f021657963267477573d05b27f8bb03df320f3f90d2ea686492798962641d29c0e9c73de2299220bd66eb25a2ded2c560eb9c9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
cc302202b2c12a88b06b97f151a226a5

SHA1
76a7d71200a0eb54d0ba3c0d77106436da863b98

SHA256
eb9ce9d755191c3d605f4eba3226270fd05d053d5a1483fa01200c4019571771

SHA512
8b9913b719ac2e610341ae0c4f1343ce2b0162e7ce42a69e99afe27140f1afc1485142ba43101dd7359916cc42f516ea7542b0495a19748b4f4d4e9947936309

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
8cbd3f245d63ba98961f0c62e7b3c109

SHA1
b8bc3d81a0444e217a027ea8fd96e068c110d790

SHA256
e3463ed21321e58fdb158594a6c59dfeadd030992e5acc11fa2dd16dee5be4d3

SHA512
5a788eddbc8adaea37afcca036ff282b68d0335aefa4fc975ce72164a19eb1a3af2be461e7c8beea9cf1dc6b6d38a6c270f5b575a34a2bf3c99a4c03a99ab7cc

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
53cb5133c51d10a2591bed7d459131ba

SHA1
441787b95798ac59c84a24d8fe3a623961b18ddc

SHA256
d1b92ad38ac64e056cbb672d070bbf0848214510cdc4a3764624344278056604

SHA512
a23942d8479d82eab58b0f0cd403db586094cb4c52b5b9b6f5a2c4c00f53dfa435db7905ac0c759813f062296c6fe1b2fcb70e52133d480d739b51194c3a88a5

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
1f6610718bb7c4c12208478af70b8313

SHA1
7469149a60f41fb362d4b06d136be6f06e3b077b

SHA256
c763525e208cea91cd8cc8803ee0756b51455c2648f4a19dd11bfc20ceaf6e94

SHA512
666bed9ea6c8fe7e783b77aa26cccc957b61ab0728fb11992e625d79e3f5a9fdb3fe9aea67d43ea55c31c08bdb7461761cb62fd18620e6c44059c66db64b3595

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
215a0341a30a24fe9212d079a9b771f6

SHA1
9f3b1f436d9dec24586ea21eb8104d4619107e64

SHA256
abb6067afa90ff3508cabd61f9ca121d0f9c90507fab1b76d10f6331999d5e12

SHA512
dacd58c8c6736618e535e38d2e7161ffa010263fc1431626abab931623a5b203a1a0540afb0ef30bec06d88d3693d5602fe6f798b77100c24c0a80495e4a19ef

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
7601755b5dc9a5fdd884aaf45b1153d5

SHA1
98cda7b989d5807347f654ad8cea8761531b5b7d

SHA256
0c05e957dd1849724941a1e1e19b200de91dffae39a65eac2ee5a2da648646fd

SHA512
29504f0c4cfd106625367d401ebce2238b2e7083546e667627dac42bc3b41ed326f5389ad2137821a62fe02fcffeccf856515cfeb6f4eabd05196c36393db477

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
958ea0e3c3e4d9d1d0b14347588ad087

SHA1
3cac504e31e2873705bdf0ce0d2a037a3f842195

SHA256
7b834141748e5b88b22e7481b2a02058875a3e784e20f773e04c676ac88223cb

SHA512
84cad66f93a1fe6464b40afd3f6a5be62342e123e43e85cda773a8362594a7c6d0395eaed80fe3ef9c7e2aa807d4bb9539c273ea2aafb2266239e3ef97dd982d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
a5b2a9795e86ed6a3d1e0609abd402af

SHA1
c4c26660daf86eb2fa74af68fde94acefcac13cc

SHA256
a7c8a59ea1a7b08496b9214a33c28177f6f7c7e9749fbf0660527f72382f443c

SHA512
45d8c2f92a62eabc76f5bb30da5b36ada7ad2374aa0971ec38b87488e9fa986ee1b61c18998015775df88048bf673e94fe74dca3a1cefa8e4ca6a9817a79c513

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
5cf7971f5124a38214350c465cd3aace

SHA1
cd4e0f6ff4e19d2475b303d8f9c5a186237b8af4

SHA256
076acf7238d73824dbe55ab10e2ff8916a4e03c5205f46e59905524fa1650641

SHA512
735fe04c4e0d436e36255b5f399f66db807d280d627e55ec931da7f022136b3f6cc8ea56102e46a674baf0d2b6844409bc06edb092128cc43f91bc4ddf89ef1f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
9a21d6541be97f6ae6b0ddbf5a39fe88

SHA1
500855f31b919d5f10b46b2a3807c022e147b9ef

SHA256
5b6af7e20b6b90c44413900234e9ebb461679e9017c2b52f2f063c416bfbb96d

SHA512
eda142a3042cec239453f653f92d3a9131ef1de39a6fcca641a6480c92e1a056f2fd47d3c89ca2892fdbf3558425917b3746b25056cb77bad71eb80c547e5c07

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
722240bab399566bc270306f9df8600b

SHA1
9132894ed87ceda4a1f66e6d89ee502d57bdfb08

SHA256
2c2636a6c3c53631a37e5aee914478ac6a224187ac6d48be5a9b9baa7c6e5fcd

SHA512
fe79a9826ded6be6ed8d848884dbe46b7402567794159b8112a549ff6a59869afd5ea19d7cf5a39b8423bc3ca57d31ad6f2a5ca4f72acaac7dfb60b8f9e627de

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
435a7d0a8ffb995138b68ae1b83b0103

SHA1
6d58d94d2588688f35c0eb74c4f5ba7efc50c091

SHA256
eb363739f1a3552750c219cce7c3412ab5f437ae1ed6cac3b53adf5b0620a232

SHA512
1921f0b80bbcc5019cfc4993072bc7878d9399e84cb20614f807e18f45221c7d44d21fdbee1e30df8cceb0d0f68f0091e49bf1865eebb575ed757d820326757d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
a4858bdfc6a8c2f77c7666b9cba76f0c

SHA1
3d6bc50e18d155c41261435546c028e9bfac5d9d

SHA256
524d28a45b8635deaef0e96cbeb656e30e3c2a3089519d3c0b87ebfe1960c4de

SHA512
92d56756f47453801b0645769a4590fcf2e03847f054f65d875c2c6e891c34b7b379719e8096a804a41bb5e9697fa19dd7e2af79ec1430430db5ae9214140b66

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
15d544996cb9c3a47615f5de052ed8ff

SHA1
33e535373ccd36515bf12e566df82c477e413db7

SHA256
b4e2bcce0b715f490ad5977f0bcffafebc9c1558c42a6577d2baa074498ffdcf

SHA512
4a66a869ca1fac68aab8730f2bc559468db138204a4dfdc1be760960fe5d5a1fb755ffdde9510f748820b9878ddbe54be3c56365191a3cd7d4e374ba5cf4c846

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
fb15ada5b4f7cd0bcc8d0af4d0d7ef7b

SHA1
253aaf914b4c6a5219e7ba6575731d6358cad098

SHA256
c43e561058463f7264a3859e4a700bedef54dec862ac1d264082736d6327d933

SHA512
fe1c7ebe96a5d65cc25c3fd2ae4ab311115c076c770cad3cd9cc25e9f7b294fc4ca4b2d7481f4516cc6b76be0b7ed71059be07694a4506f9665ef7dd41ee1867

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
567ba6759c00c7773e2a2423da61089e

SHA1
cf4272372a4c1337abd399f17f051f9b6e20d846

SHA256
83a5ca5ac43f9ccd9c705802d8134cdb31f6095a903d4b7b03381279c0c542ba

SHA512
cd13dbbb01b5468a0634f1bd406fe65643dde862259d7008433894275d64da1985c9bea6f69656611a17e5cba0694e336be84bf43ede1ea1a38ee0f78454aca2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
fd41b5253c55d14fd75253b1e2639e88

SHA1
9fe76ee44322b2ab4908ba50a286fa3baf2b27fc

SHA256
03d00a628dbbe8a63f9948ecc618928cdc37fe818b9b2208fafc6cee31e191d7

SHA512
4a8d49245bb7dc3b86ee52bb0ec9fd4435150d44700e94d650f574a77857a91f4af95d734ccb3bbbfc54fadd0c0bd76960599213441bbb3e57daeb3cc26794b4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
171a23b90edbbbc9781182967397e2c6

SHA1
5b0f85aa42410d06e375888ede0c335deb8f2c7b

SHA256
7bc1e27c44ed401fddf1b63799e45107c830ba8bf39d0eb953614a0c4991b47e

SHA512
16fa5d38732019292a329ced8b136f30b482c449fd2c28b8519dbd848d12bef66cc5abf6e8f30c1c65f9fa86447a41a92e10d6c6e04ac7631e8997f1acadbf68

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
80fd59f8c4eea72d54b11547efc6fd88

SHA1
21149de9c5e9b6187de1a66b7de1c8670ad0904c

SHA256
7094c18efe63460741857977ee74b454a0d7eb7238d9f1761a9880f9313cabd0

SHA512
dab9abebae58b1e55e6b083cc0d471cf07e57fbad7f033a5bf62796d5921c1fa0d8d3ca863c12983c7fdbd00a4681eed6b9dd08de79bbf9e914cc2d8b49fc300

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
699f2fe8a792fa2ab89e49233d47875c

SHA1
ddb5d48ccfca7b02203038c68db3e3e50d66d655

SHA256
9477a12bc94c0e94a243db6d5de6328d3112759ce45b10ff7ac34ab0fb67441f

SHA512
3e2d15ec534cf8e1e4ce2c7a4ee01b0e7c18b6f6ce0901e59aaef3ff9bcdc70516f25672007e919464c7285a47efbe2c8a25bf3538f9ce0645ad53233a4e8804

Download Submit
memory/1988-7429-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1988-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1988-7430-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1988-9075-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1988-9076-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1988-9077-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1988-9078-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads