xorist | 46e084c0aa41bde6122bc181754da29c52dbef8e3a3164f01ec3387b959cfb9c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
Size

455KB
MD5

bdbbd93c60160000acf078611fc847d0
SHA1

8dc08bcb2540e9f3e75ca8d0d3934d145e15df04
SHA256

46e084c0aa41bde6122bc181754da29c52dbef8e3a3164f01ec3387b959cfb9c
SHA512

9a3bec14b4e05f05e3b88ff35e993472750bbee30cdcc1cd97c31ad3b1f8c8c40df8e9523c7f801e06f9c05871e01bf3a3c9a6caa5f35a88cf119c241860d40d
SSDEEP

12288:CuLJEVTLKZorUNufUgsT5HNUZWhaaLacQWFE+U1Q:EBWZorSufUgEND4C+WFE+7

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/592-8841-0x0000000000400000-0x0000000000482000-memory.dmp	family_xorist
behavioral1/memory/592-8840-0x0000000000400000-0x0000000000482000-memory.dmp	family_xorist
behavioral1/memory/592-9073-0x0000000000400000-0x0000000000482000-memory.dmp	family_xorist
behavioral1/memory/592-9074-0x0000000000400000-0x0000000000482000-memory.dmp	family_xorist
behavioral1/memory/592-9077-0x0000000000400000-0x0000000000482000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2207) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\m8m0ECBq5Amw3n7.exe"	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pt-BR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsOutlookExpress.bmp	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_modules.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_operators.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netirda.inf_amd64_neutral_93a886f96cea2847\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\icsxml\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_objects.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_command_precedence.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Redirection.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Session_Configurations.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc1.inf_amd64_neutral_662220c3016bb4d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\imekr8\dicts\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tr-TR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_parameters.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_neutral_0684fdc43059f486\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_requirements.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_properties.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\v_mscdsc.inf_amd64_neutral_8b1e6b55729c3283\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_data_sections.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sk-SK\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Windows_PowerShell_ISE.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iirsp.inf_amd64_neutral_25c14d33af7f54f1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr009.inf_amd64_neutral_2d7b3edfda95df40\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_internationalization.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcxpv6.inf_amd64_neutral_f62ac4bd04e653d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-iis-rm\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00e.inf_amd64_neutral_5a376e6a7cb007d5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_format.ps1xml.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmags64.inf_amd64_neutral_e68956e24e287714\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Continue.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_locations.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WMI_Cmdlets.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wstorvsc.inf_amd64_neutral_d7bf942e99bb1d41\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_try_catch_finally.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr004.inf_amd64_neutral_ccf1bc353e588fe1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1c64.inf_amd64_neutral_30b0b06f47cab8cf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netxfx64.inf_amd64_neutral_3336ecb2950fdc45\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsusbhubfilter.inf_amd64_neutral_d0615d6fd67bad03\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cehjjmppbehhjmmo.bmp"	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/592-5-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/592-8841-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/592-8840-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/592-9073-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/592-9074-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/592-9077-0x0000000000400000-0x0000000000482000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosecolor.gif	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576_91n92.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.GIF	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR34B.GIF	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\BackupProtect.htm	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_up.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\PREVIEW.GIF	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143745.GIF	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.GIF	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\THMBNAIL.PNG	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-packagemanager_31bf3856ad364e35_6.1.7601.17514_none_4afdc98b09e3cfe8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 04.wma	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnca00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d6450cf8b08b7a68\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_58540e1cff71559d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.1.7601.17514_none_43170c92f5e2a749\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_32d323ec6e85d609\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mydocs.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_df522a4ba5f37da0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mp4sdecd.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4a30ff5056d9253\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-iehost_b03f5f7f11d50a3a_6.1.7600.16385_none_7dd203ef359dfcfb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_ntprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_63f8160e2b58338a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..converter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e68c9d3fc84d6309\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..engineres.resources_31bf3856ad364e35_6.1.7600.16385_de-de_371099b276226761\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sysclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f2990dde4ccc5f50\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile16.bmp	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnca00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39efcd50f173b20d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-20866_31bf3856ad364e35_6.1.7600.16385_none_53e1c8c7465becbb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rpc-netsh.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1fb0f7ff098ace80\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.web.manag..ftpclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1280e4a474676b56\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\cronometer_h.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..qlxml-rll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4aa5acd77477ce22\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\inf\ServiceModelService 3.0.0.0\0407\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..nttoolapi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e51f384e54ef7022\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_eventlogs.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..rk-ctfmon.resources_31bf3856ad364e35_6.1.7600.16385_es-es_961b4830979f02f2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..unddriver.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c9fe3cf3abb22c38\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ea861cba678daf97\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.security.resources_b03f5f7f11d50a3a_6.1.7600.16385_fr-fr_81e7293b44ded8e3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\pause_hov.png	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-usermodepowerservice_31bf3856ad364e35_6.1.7600.16385_none_b9ff78b166245993\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winrsplugins.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6ca26fcdeb38671c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-u..lsettings.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3fc4fe6fb4bdaec2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..mcore-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d76191178b56954a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4d5f11bb83b0ad5f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..ntconsole.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8de57552324e4cf7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mail-core_31bf3856ad364e35_6.1.7601.17514_none_eb2fd71ce868a93e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..ty-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ccd6dd6cd4234820\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.Bu#\fcf5142785d58bbd7833d24cf9461961\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cmitrustinfoinstallers_1122334455667788_6.1.7600.16385_none_edf9e9f8d0b878f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Special_Characters.help.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Delta\Windows Hardware Remove.wav	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mshdc.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f937983ee45e0e81\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_12c9f045ef7b5d20\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..ction-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d69edde14c81daa9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-whoami.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c61956f2819ae1cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Outlook\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000044b_31bf3856ad364e35_6.1.7601.17514_none_5b22ae686cdf8826\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-uiribbon_31bf3856ad364e35_6.1.7601.17514_none_d102e18929d497cb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-o..ion-legacy-stdole32_31bf3856ad364e35_6.1.7600.16385_none_481a4b41660aa9fb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msi-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1999bdf21cdafb8a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\img20.jpg	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..engineres.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e0016fab65007326\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0fe518f678bc24fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ore-other.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e9e04fcc9fefe1f5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..re-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_984866fcef320945\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-speechengine.resources_31bf3856ad364e35_6.1.7600.16385_es-es_749668c4f00c1753\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_49b8f030ce87f986\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-userinit.resources_31bf3856ad364e35_6.1.7600.16385_it-it_789060fcb62e86f2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_4c936d19ce8f71ba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sysdmremote.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0743e6fa5b05a465\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.Bu#\dc575bdefe4a3442f165f8418535d9af\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JYGLMMUTCQQBZQW\DefaultIcon	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JYGLMMUTCQQBZQW\shell\open\command	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JYGLMMUTCQQBZQW\shell\open	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JYGLMMUTCQQBZQW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\m8m0ECBq5Amw3n7.exe"	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "JYGLMMUTCQQBZQW"	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JYGLMMUTCQQBZQW	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JYGLMMUTCQQBZQW\ = "CRYPTED!"	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JYGLMMUTCQQBZQW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\m8m0ECBq5Amw3n7.exe,0"	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JYGLMMUTCQQBZQW\shell	bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdbbd93c60160000acf078611fc847d0_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
395B

MD5
4758c66db1e43a0b8f5a2e591308a651

SHA1
c8787918309d6c7324399694119e795857550a10

SHA256
159143bdbc43c5a72693a8ce37cf29532828dd18f7684044910671e8cb78dc1a

SHA512
ffd5ae7ccff4161778680e4092ec7ec1ade7633bfb6e2b7b992ec4adaa3b8baa2bd166499721fe9475812338229232aa58ccc56103e37d67471143df30a9809d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
f6fac7da162f2441b5fb8fb9dd8a9f92

SHA1
2f0856f4d0e3e63b36c3e57877df8d7552a34844

SHA256
00f06b211d03390a77d1761ffa0235db32b2b8ddb09063a2823533cb6b3c1e17

SHA512
1c76b98a0e252fdbd35c49a0a7babe967aa5809ba689d9110ee14cffdb5bb918d08c22082cea04b40e96a949302fd3743a79864a410b5791900625558b4b3830

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
5314e4c0a668e5c099f8f7851376b4b3

SHA1
a46340c40a4892b7e5d4719b7c1f71ed8e347d7b

SHA256
56977c8a255246fd096b494ef2043f11561f33ae3e56389e0b499547f4fe1fbb

SHA512
10f557f8cc56a8fc1a408a66f4ed42cd5fd07c618b9b35cd7f14913a8b83593b0e76894ac809106a676140f3aeaef4a06b137d9413b9ae6fa351b079be17f38e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
8d968d2db119ee5814bdaa6ebe6f0836

SHA1
79b38bf711ba206b611af5ff0671848f645bb4fa

SHA256
7be3ad5ec0ddaffff80f81b755a46845d0b1f5b5432e5458509d52bb19c5bf5a

SHA512
5e4dd9aedf6fe1803eeb01e74a7e18fd6e160e8ad0272141bea396bb582e6f35fafcbcf8a31d2b369e9ed5f3e7a0aee5e1d307acd097ff11f40919165f1dc860

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
5b534563a945e0f4c887d7ba5ba25891

SHA1
10d2de2bc63e6a578e6dc43a640fa97e749ea3c0

SHA256
e258c979257785a4d7145f722f26586b1a4900d0e735ac01c5efe86a6f917e5d

SHA512
02cc60c52fcf6f5324e938cd161ed46dd4cf950a06628804fb51e2c891819bef2129105fe2b5248708a9081b29c383a68753ba51ee23b79831c695afeb5a9882

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
b0fc287edf19ff1dcd83b6c0efec1708

SHA1
4c3aa6af6579e20affdc041c63743819c8327346

SHA256
712a2810608fa094262ee99305617895e8624051711162c777ed0cad84547f23

SHA512
361064ed4223cb022b54fd40b2063cda7452a76363246b0f85794a8061b754a4162edd2220e5403cbd29e06d167ac0f4d965e4a3045fc73077f009d99dff7d8e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
db988b8fb3b4c1d1764fc922dc6dd126

SHA1
20007b788d500db53d5b828275c90213de20a167

SHA256
4da98f429222c0f4bd2ff7ba9f5906cd82c35882a4868d14759204fbe10f20c2

SHA512
f5c438daf662519c5c51693242ccd3578891e87ee2ee19607a82cf951133bc7437b266a1c32ecb874d623d34ad6aff18e3590eccf581b17d5804ae42125e71f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
98b213950cec23ffd507219a34542f1b

SHA1
fe547b34be6fbaffd9f2fa61aaad3290da7cf3ed

SHA256
f43349553157b50af0a84cd23ef49bd82c689161c0a6967b5d420e3bac4cdfaf

SHA512
81cc21032c084a69b1c440458b7361aa384d960ff9afe5535d39c1861360609de7b2b3e8fc592acd68a1a5dac94fe09aa47ccb8383fb4b18e2c7b67748af8c22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
c06b72919212392f06a5b79e0b9932ab

SHA1
bc090cc1c4308041e342aa7493703c99bc99fd6f

SHA256
6d6d576962a694857c290a2af3e1631cd44a7e7809ad35c3c74212a16f107a14

SHA512
fe1e01f5e0072eefbde85798ec622fd042c5d546579255b9bdc614b64c5e0cf62ac35fa43850354b6f98571662bcc63b519b7b3f96419e563b9d6bcb1455fde5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
b9606ad1338d9a9684d3eb5e93e5d6da

SHA1
6c197388e5eff5595206f16a4af7c404aa70a670

SHA256
41f147fa895b723a349cfc31a431071b68a8cfc6ca3138b8a911208c60ca96dc

SHA512
3c4e2dae1e482b8e3e8a6a4f353bcb34a0d6a7c66fde30e1d80a434746a5ac286a72b823549b06feac26a27f086e2606dcdfc93927ef99fadb433bd65f055900

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
484bf33725671997a2867bcc4746b531

SHA1
d7589908bcf21131f84553364687e4f046e6d07e

SHA256
0f9017ed81faad20e8c6211eb83c82f134d62a210ba6af0d1b8dbacab09a2334

SHA512
63bb4f06a48f80c342370b5745dbebe72010f709d676403dfe9b3982d88acf5a01dc809f1063f6f71620dfd817ec8581ce1e8291478876f0a7aa0e6dc8bc571b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
2b54341d6df011ab7f69d0894070ebe1

SHA1
86ba6d51436231ea3770c6e010a7e63c49ea2ec1

SHA256
1614eb3a59e1e66d1f94f725090c7fa14829d5735e169ceabce0cb7b03b3b892

SHA512
3a9a591591696edfb2541d287e71bbff61f5ccd241fca8785ed14c053b2c81117302f4695efd29992205afb97e08f941289acb477415d9bde64afe3437158b53

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
e718ea7c03c70f27a642cdd91f2e6c48

SHA1
f705b6133c0c0886de5ff58d3728eb47a8521504

SHA256
7fd104225d753b2c0cecd71fccfc3f423ff637de417557c59c9f431b1259273c

SHA512
4b68b6e474dac633eec67d56bcbb23917e0130a9ca1c7b6948a1259ae69b79987bb8a74e2eed17c1730cbc85ffb1c1c2747c62f7fc9cf63fa3fac2a9894c85e2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
17b2a8d7947616b4c84e03a618948227

SHA1
2933334be0635fa7095d1a0619ae6c56cfabb73e

SHA256
aa9706fbf1478d85f081a84bbc73aa84ea30f83babc069046fee5d66a8100d9c

SHA512
3c806633401364743136f53b531bf23ea41b4e7c49f2ad9f85015daa475e7a545ed44e93366ec0b62a661374901ab438aaeda86536a0483439732586dd81a0b3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
ce293aa73ace50eacd0074c8c25fe817

SHA1
3063325681b9f6f818e5b41618976c27df3b0a2a

SHA256
168c427ae77b1d099bb00a4786e11b7fb1ffb86bd12d9ee4046470612487dd61

SHA512
c43a4e7e6830f73d42fc2b8187b9140f4419f802e3d314fbb1f93e87fa8edb493620b3350c4c177482b7f48a59ce55aa3cc157805ca4a86156ba58ef3f2de9f4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
9f3be65344929f717abf9d9827bac8a3

SHA1
9b7bc50311ed9628f9d013337bf84d4088418dac

SHA256
0e40e0293b7b4efe1931123a1c7d1982c74d73869f78c55d0d95ff3da1730255

SHA512
effc5e775266d9e6d78f4aac30326ba8c07669677a4a30d8ab165307a7abcb2116f794279f60d580dc11ceceeaa652561c8a77281993d4ea6c4c5a4f91897e57

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
2978eba29efab367a2844b93596f56ea

SHA1
717effb62611894ca8016da08d7282c7c274f8f3

SHA256
6cbd7d61b255fce47992a8becb63a9249321e93132a5f1c13782c580fd44d83d

SHA512
17f4ab9ff0e279e659f0dc8d7f703408f2fa720d27c258a69d93855b28669a82a5ef5ede8a2cc74f2efa515e0cca3d3360e44b013e70a3a3ecee9aa22d92282e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
e4057f9ee97aa94986509e63c26493a3

SHA1
4c66f4da8c755d395161b259b2eb24c256c1511a

SHA256
0370021f8414a14f7ab4cac1fee969c125abd34936d289e0a3cf2d6aedb0f821

SHA512
cdf4de4ba8a46d423553928983ac1718f1654cb847552d585d6cdfdf7f09e6c5e4de5bf640ad9abce3bbe944651247c6c917f9a8f26ec61df74baec03c0005ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
667b5c49a9af6ef82ac24b29b5b23e0b

SHA1
90ebcd557db3769ef0e0049ae6c50996c3ba8609

SHA256
e6953b257cc79b8f672f45c2b30ff1104e7784587dcf520ea5628783a84443df

SHA512
6097f23e466ec21c20472434a37feef79a7394071d71c9a9a7a3e4d537267ba018a0297400415341dac7df3020ec852fe9fa7fe1bad4de4e0cc0a931314416bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
e2cf80037ec7e6e428893ea7d16b730d

SHA1
a2f8f09a074217dd3b5e4ca58f354f3ac2af79ce

SHA256
a1ff76eef0f59aff112ba4ac214b7e187fba81e365b9f05bb4f5e22fae2208af

SHA512
4a15be4f78c76fdc6e21a33f7a66f42e78b15e69f2e04dfbdbc2ff0c63ad6a3d0a142c4a7d73c6885b954e8e34b724081d3a9ae8745f3830a4aac14518e74e16

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
1d7d1050bbf689ebbf33604f6697b6d0

SHA1
67dbc1bb3673a23b3b8c78867d430b10125ab6d9

SHA256
1c05dd039604a1bc8d1bbe669ba0a642ae1fdfd51e6ab9dffb033e0dbb079919

SHA512
97bd82f18d40f5fc3da2e6e2888db703cfb46f955c1541980c5ef4c0c872d3f7f27589e0b7da1a2d9a43fb67b053f2122cf2da98aa4fdeddad4c71ba0728ff31

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
38f388c98e5686baa33d781e1f377c6f

SHA1
e48e9821d13401a59e6c32b4fa7419c865eb153e

SHA256
b80b0e6b444adadeb7369015c5fabdd22d5ebaa4857d539a8fa7cc5dcea43d0d

SHA512
0632ae8f6f88d30897e60628f17bb4c0ff7f35bd963ba7d96dbcf10e6c726276d84633d7511765678bd0add08a82f37fcccbaf9dfe8fa999c3336ca455f7c360

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
a4b9c7f6a35091371bdd8483f3cc274a

SHA1
6b47939276dc7f585258f890d1b5e28fdc582ede

SHA256
e8c8895ddd84783b5bea56a6eb15e4b20a08c2243ef313b6f010553a1d0b8a25

SHA512
33bb67a63e22c072256b4a4de899541e08fa22adb501a463df5e5557679bd20b6f47b471f661f7e09fb832f726ef8f0f2864b76e09796e920bf2e025f20d972c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
ef1fc2935f2527cf0ebe2dfc8fd50122

SHA1
0e5acfc33a967ecd4550c842ec82b7d2bc49f36e

SHA256
8c067ee7d3d703349c12bf18789af88ffbe7f2c1d538a7c625d450d24943d7f5

SHA512
4dea3e13cf177a40b93d9c550cfd27c1e86d72b5fe9a7b94f45796d5e2bf03c46112158dbeda835c1f3a8adc6fe915fc8f3a3293c587e0e00e308cd3d3eb1e9a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
66aed873ee9fb04661c7a7ff44a00d85

SHA1
024d4a748c2ada2654cf57161e3c392f1187992d

SHA256
ce5abca543b052d64624c2ca5606efc9c16831f2e70fdad45d0bb3cc59c3c670

SHA512
1697b2ea9d5ffb716fa3c70b5a41bd5be58ad06b6e930f7c12aa3094d0e8b2f424695af64912326d60f5d8842743dc9902615b59b4e2195e0be33e676615e339

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
117de2ce98d50a424ff37d14b3b28733

SHA1
85931b333f8a38aaf7271859fa703af56d455c5f

SHA256
84f7006faf2abbdf70ea79702726e58f5b1e0130f1f71876639bd94df5817714

SHA512
95a23f3ac79a0a32072a49891f0e266447008f1bb94e19eba8cfb47aa4efef20766d828b4c5ff31d204861e3bb3c95c8555a813b0c219dbed581d35850f0565a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
00265e2a8de2322e43360116bb72baae

SHA1
dba06b5691c1799e1f3a12cc234493a5638270bc

SHA256
9a171aeedfc990a5752f3a5d663907e2a476f2722a0f35a0833f587dc4cc670f

SHA512
930850d78d92533128b24ca6fd058ae141e59f79dbeaaf0399bb6a14ea3af68650c950f0e9e80809029512ede554688e6591e18107978b1b1d875403a2798d9c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
fdd4e4f23806e3befe8d044eb678e254

SHA1
a4ca55f39f5a1c5d1332af7ae15047ac8d61d5a7

SHA256
ab583093286bc2c4d95071c9351f6e607057f4d8a1344050ad3d3c4ff3713cc6

SHA512
02eb0e2a18e7391effbe74a31286c2ef154b167fb0d4030cb5ea09d0ded4c20167f11fd6cd172cd61bad8efa955efabb5f33aa11a2688f558bd0aa6e9f8df18a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
ee5fa9e67ff575dc6f16abe17290a6d8

SHA1
8addbbe84a6ce8178fc26b83627fc75c4175de08

SHA256
38624eb116cc8d1d6852267b553b269d877342596cfdb8ad65b4da02aa175731

SHA512
fc54c769077cd5c0cdb83889e5bf2ec37ab5285e9d5cfbbbec46562c1610650ecbf97065cfaa6f439651f332399e30706e3c778c4e2224a43bfd9113bff3ac63

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
8f34f0ac216397cad7d4df3304efdd5d

SHA1
5491c95ca561b8effa7483bf5fce14ae6d02df40

SHA256
a6385e43f392d8eab324fb145b768f777b1135778f54cdb0a799cee231492cf2

SHA512
f83819a5474bac0567f5bce6c7efd435058afe329bde23942d5f00e44e1149caf889524c621334188b2d37a3881bbb81391dc308d6361f9aaedd4e7129d4cd29

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
ee2ce3d82be9047b147cbaa0ca23b0e7

SHA1
d52e594f34514886ee14377a29b2416e94b0e00a

SHA256
bc0b275797b070714503b449c38f322b70d8ce49860c0fd9e0cc704248bea86b

SHA512
f2892caac3cf90265ab588186041b1e1f7b532aa14938a252e500ee6c16581a789f04154f4fb0d01981030fbb42d9fd67b17d45b476a7819c37eb2d667215da7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
2b1b1287a1ceaf01dc6ff871f359e0ae

SHA1
9aa72edce8124abc34a091c3880ba8598df2c8bc

SHA256
a8a39a0aa07244942f698d8f9fd44c67b32d61532a93397ef493c14e4341f25e

SHA512
d5817ebf14df75f23539c17510602cd29993a857964e46c7e93309b128ecdcaa151d3446377758a98fdc3a90d3dde5dcddab763a1a6135addbdbf6473a4f053c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
58a04969af0394af33d208d0a2ea8be4

SHA1
59669e53eb8d85a7a457046262d2b1921fd8a147

SHA256
c63c9c32881a88a9747e11d4d20a37c3b76968c42599c2e9ab4071c68fb97c3b

SHA512
773968d29c7674ad3e4ae97d65d3f75c3e1a243fb933bb0bb3f613dc55899d22a80da8eb0755a77777cd987ff0cfe7e6e08523b889cd9fb2633d01929ac387ea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
503273554fd6533295bc0c5dd5de6958

SHA1
2945fecd6f2c3716125430db57d9d976151b7589

SHA256
87a29b44c46077723e119b9a4921ffa3c0fc841839921998babda81fed286a48

SHA512
c2cb7e05e0c34c446ac054cf25ef59cafe9f9bffcaf62f095040398ffcb9dd47f08825b14ad87370d7bbd1692ca83ea1dde029dce16aa3be6708c93af5b72242

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
ea0e654474762390e810ec370463349b

SHA1
138ba9656ba188047ec75e1f00bc80a77ebd1edc

SHA256
4aa48359fceaaf875c2ef48afbe0ec671bb11b179508191ab3488b00cd407679

SHA512
979d4aebe7db0c309b1632d81eeab06657cd1ff590405b0bd76b4e321dcb75f3b6f9fd9076de7ca3e5ad97e85056a69cee0378973030217c2959e3444daa5dc9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
b10ebb8b57fcdf4b29a5acdf16ff017f

SHA1
3c62b90ac5bb51420aef3a1d0129d5ad50101a33

SHA256
1a794d05f690174f7d75f72931c7a58b395fce9894793669cae649b9fc600dfd

SHA512
8c00bd608701668ec2c97feb2f248bab7e9b53e8417b5cf255ef2adf15dec91f95e9dcc3be491442737b22169427ccdd18096eb03ad47dd498350d139aa1d929

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
331a076d4151b3612e31755253cffd5b

SHA1
739bf386adf0b88d518423cce0abef045687b056

SHA256
a63619dab1a099db3bfd63f87bc1a973d7bce97615ac7984e74f74902685c644

SHA512
f562ed11e612393a494a7bf5f55a17e52e29de4097f48cf59eabd09704496f7d81f379ee4780297625ec937a42112288470f9ad7f94a1569b93bac1b5cb0ab02

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
eaf37ddf11bf554284026ab46e828d85

SHA1
206c3adc474f3477ae1e46daa3c483ebafdd7054

SHA256
444350cddec4fe25393429b8b05862129f343b7d95fe24c7f7febef35566bf24

SHA512
9b4eb1a2086e15ee39c92325a9f41c80ed9ec6d16d9f56430129903951ea3abc870545b6d66bd0789041d4fad15fa65be625436827bf45acbd1bd88938313b9e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
2557257ad75dd4c4cc24ae58b54f74fc

SHA1
d04d6c9e031f852e2cfde9fe7d38d90882b65086

SHA256
813fd181e5b4f3d908df03ddbc4d41ec661eef2d77d7ca13184eb08533931a2c

SHA512
2c8e60acd8a4d4c60c2dc367f0bb993df3e814353514aef52ae2a978a22cfecc2a0951936eae28808b772cff31b79a594d9b38622dbf23fa8c9a456f79a106d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
854e7b9cd7e4902cb3f2c56557c2e047

SHA1
bcdd8d2c7ab5c95b8c60af4d90f00ccba67ea264

SHA256
eca4d0b61a85dfbd51970cb122346f586c941683db4d31d9b540337cef3edcbb

SHA512
3d3134d59a82a3d638a56f0b7159371791625e38d7ec4f732883aaaa0018c2a154d0f54701acac5a529bf24d2d3dd2b12e4eb54084eae1abe34592ac56a8b05a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
99a311e7eacc14e12c2fbf8166fc27b7

SHA1
c7ab696c6d9c58c1ef3abafb2cae8df7f6539ed5

SHA256
aa9dd7b384b63d9cc518bb5237b1d794ea055acba5756d3a2dabfdffb79d3456

SHA512
ce76f4fcc0336a5c5145ea2ec33a23a95c1a439b2a60e515503eee80fe21123b2f5b1001c327485e10addadd68267b1c8c058297c3655e4ea32ed2a435a372ac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
4c3a8fb312acab1f0f80f493ca32eb73

SHA1
dd565ff4320aea512a0d425843035a1a1130fe79

SHA256
17d456c213a0a03c43abc4ab6a1968b84d1ba1e8ac5e0553a48a1756b0360cd2

SHA512
897ea573583c07cb042b22d01bb24e03cde8d9b555f7540ce85f7a6157570d01277e0133613fab48b803d65ff28948e8199f8a8e73121e283b0d25716a05d544

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
960310e4e560a8013582617bdd0672b3

SHA1
1255baf3ca9960ee0cfc6f81dbbfe4651f276505

SHA256
c892583f2dd2d61c3e8acd8d39ab3b6755b11a07ce32b1a7089211fcd1ec0ea2

SHA512
11c3cdb0e4926d395fe2a37423968126ad9d70f93bc63afd5f8bc95257ddca2bb9701473a190cdf6a644ad1ee960ed2254612d489c6ccff2d7f868dce16db3ce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
ac1579091574b98a86ed6b79d7657ec3

SHA1
c74eac9e2f7d2281a23fc0d406a6859d90e53f1a

SHA256
b7489c0521f2c1434b223436665d01ffed0c3b4aa80beb1070289300ee479ad1

SHA512
d7d5da84dd366bbac7b3530db868f56eb1aa656fc30be76bf2b8d65fa2ecdf3c19d98d933b017cd437e985c2bdf803c120a83c807f50dd9d96eb2bdc750b5400

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
688f25b179bb7ae2c082cbec95fbe7a8

SHA1
b08afae230b7c54e6c05c748055c0eff01f53a47

SHA256
b3788982321eee232a52206fe40a8d870b12fe612885dde899b6f7a130b79b39

SHA512
c667ed7cd8be2fbab6454052d4d528490415f5c8a70381b656c9f54b165b4058bfebfab6204b7525d19e2915e8b4befc547a4edd9248f1c71554b40b06203eb1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
7582a2097a93ca06dab32758f6cfff2f

SHA1
a01a119249b4ef872f598d1b71379602768e230d

SHA256
3cfc07e3639df5311e371e502aa3bae3a62208b59eebb4111f85b6fa412fb9a9

SHA512
c234ba057a75ade979846f1668e6ee5e4e83c1d61442ed00119f175c159140e64c5b68bf1a2169971a6108d36032112796df325234b9aaeed54f78630c84f7f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
edf36cdd8ad8f90ff4207d3c7f3773b9

SHA1
9a710379729679092a7148fa3a943c1aea3e2d88

SHA256
d2d02953815cd73998afe62b28dbf6eaf6ebcaab64d1b226c7a106607d6cc6fe

SHA512
f8d90c5d5544d6cb4d6a7a8ec59d277ea6e96f31365284fc3bb26ab9c6ddcc4c9f45f43a68b2d9e05e69857a375ddbbacf6acc80cef691744066b8dd13c129ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
e6507d158253b616f0bde1d8ecbfcf92

SHA1
1776b908eeec120dcb62792591cbf617f61eb2d4

SHA256
913c9f2bfe1d81f8048f60fef7d2abbddcf385f33f47ba2d854cd5464de5a464

SHA512
4476a8ad93cbc4a0b97f568aff59b95f29c40a9a68b8414f1dcc0b1d48dbe94145813b012f01e1f1c56452f69b70f3d0b32f55ca5777c6084f427abbde883c34

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
1ad7cdd79df85e94b28e9fb84127ed73

SHA1
5e348a86331074f6bc178d58c58774f3cbeed0af

SHA256
3d421eb5c828a77606c27b527696f0be331f87317a8ab6637af8895721d81411

SHA512
60ea90aed81fa4cb62caa01fbb09ce20e6eeb4113fb15231f4b467561bd6b667b5354df16e872b4f4d3a69d99154d4717089e233187d0ee30b31d53e251b8f38

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
8b7ddd18ab97c0031a2a8032b0dc7c8e

SHA1
84d8321cedf96a1dda997a935f24e9751c8a29e8

SHA256
56bbb00c1023b426ae466c512599dc646dfa6f5494415ad74b575f164c4a6d20

SHA512
cf29626ad4fffd7e06b8030a51385bb7cdd6d273710a823ef35fdc433fe070283a3115163f53567c5b832979d73ae390fe2979ba8f5534a34e26900a48d77cb1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
a201ec769cd948a282a9f803c42129f0

SHA1
f5788c01b8826b15d222c5d59536534802f84a91

SHA256
cc3af13223fe6d289d60e43511bce0bdf70a914e594ea9122003cc07bedefd02

SHA512
9ad50da242c3b39f329346f08190595fa95cd9f1942af88de62d15fdf7a3adb2238fba887e458e367e8016df91a38a241b18e8685d1580ddd3b67848c07cef76

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
6f9c5a624385761d08bb3ae69b93b679

SHA1
95a3e2431ed8523698f2290378ce4c2332741f67

SHA256
90bf0148a9f5763e7be9ca4257337495c30f9e487f6f7db0a8baa0452fc0ed9b

SHA512
e1173f1b0170f936bbe0babfd45464fee59a7310a4ed4b55d987a9c86e9d3367cd2ca7d443fd513b961d7f2db72e8147bcbe678c72d0225b67ca9a68edc5a066

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
f8ec549b4fda0b669c964c70a97f813e

SHA1
5b16b057e7218573204006321468772c90768ff7

SHA256
77a214d0ea36a6b035cc3b89e356c5a0052b363da764c258466664ad27ac9fc9

SHA512
a14776f4232cde30c4ddbb9ef074e169a217a35e62fc4855afea69bceb0e34678400627ea15ddef5ef8061f5b49ebc16087edc42ec90670ae7e4acb35cf60868

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
413c7d8f5c83d39ca70fc9af6517637f

SHA1
804c2ec20d9a1ea0925047c823c3ad2c2bcd348a

SHA256
7ef6eb4d1f65c67146d7071ff68272a9a7086e3718787098f4ac9b9cd8eed717

SHA512
837338715698f266a23475d0e9d014f199cef3e8755208d083305aa51d8ef81b488043f49df600af5a511376ddb326f5f7c14743ac7c365cf48330ed3ce2e789

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
c616f62e2c3f6aa03b131efc4a7750f0

SHA1
f993d677820ac1df4e5e10b608ab0f659975a95f

SHA256
9fbf78e0764b461e4ce83599862bcc2148249e1ae111105963e6a1f9dab6624e

SHA512
0fdfa4ca4070fcee63b8bd96acbf9d704c171dfbb8800c1bab517dfbaea39ef7e60eb610292b5a540b75f94494e8a94001678f4b78b8e0247fb400794aa4d282

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
30171f46ff55f9e5e8b960692718af3e

SHA1
8a73fddddba981361fba16d0c3b736c0b0f35453

SHA256
91344697898b5f1c908f46b048f98aa8aae70b93a2121e44fcace52df184de31

SHA512
f565e6018060835adceaed8a6fad0b2129d09e81fa56cfc0941b98d4a1f5b6903b1d2f156c739c0712b32503d4878982c4c0d854f6bdd6a42451e5c8fe7a84bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
1719a75e473014f4ffbf12ece21ab508

SHA1
09471c362f67119a384a3aa2a015bc4bba5550f9

SHA256
e5235d30acaa3a0aa6e3883b1af3df169e74a56945b29a4c7693cca0766e15da

SHA512
172ebdcfbe79126cbbb29fccb7a1c76fe25ce76f546cc50c69ef3be3e00e730c42767e736eba378ef6ae20445bf9002da9dacb222f8c09c2a2f55632da163897

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
47819ef1e432b9d362a78b671671b402

SHA1
b8fdd5e8c5b46a3b56f561acdb90dc6e9317f6e1

SHA256
1a0c69edd41290f09990783ed4a5e73e3c92b1c2b4613b33fbc77905296b9652

SHA512
a3522186f1b8ac647dc893078094cc89e9c20cd9a7437f5e437d4e50d7ed12765398617afbe06650f53282faf9660abaa040f8a13f655f7c8a84888bee09f95b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
405395bcfe6451b9d9859326a2a3139f

SHA1
253b1adba8a9dff5679a4f6a6d70336065db07f7

SHA256
1cdd0d9c8c0886a39e796cead5411529f6a8029fac13ab6e3c1afae65f010613

SHA512
55a2ed44127d20c74cbab8659dfe55e9d68c44b106c697f42cbf8191502d90a229eb08af2e6e7a0ce5bfb5dcfa44d8850c69f5eb2524d0787af20cc209fc28ba

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
8f8dd244e15e04dba90c852355a5a748

SHA1
fc3f2cbc0c614b2479b3b9da243cbd39ba7163b4

SHA256
59e870b32b1a124aa1c408a402a5a7767ee08e29128016ce83cef2673da88040

SHA512
95770e0a7e0c898189f0ef604e34783f4f6abb812f4d9b3165ea2440fb05f4620bd712b85401d317ff25a31d347cb3b7e66126a37278fb969f4674c985075e23

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
4391466b29b1d6271f32066fc3dac956

SHA1
b6f1b2ee6df2a112437f18b1371adb7ebee9616e

SHA256
61688b5d9112aac5ea6ad8fc17301da4384b27650e70a58e2fbc97c7ae42cf72

SHA512
076ac492a1ec6a7a798e272fa7a3034cd2b6187e2daf961587f8aebcfc5795efad55004f12c1168c38d41ef1918bcd5f1211f242542ebeb5728d8d7c36575a49

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
3aa64f0f295459d3bea04cd3f6543160

SHA1
98cd24800055c3566ee9d88a11ce7669a0b20b4f

SHA256
2b8ab35e6a7e3e22b3b7303aab9766191b7e835996d4a5fbb802d3efe3c0ec08

SHA512
ac08d7c770922c21c3eed8fdafdbb06c0772ad9d1d9407477adc0acde7dab2722598c4cc01201a9a02aad973e0412d721edfc6a24e8e9584f39677b20698392b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
c80337caae966c90401f92fd00499c4b

SHA1
98d2088a6cc4344b4507325bedd4f9e11fc350a3

SHA256
295284637272cb892c954723603dac145dbd6306b613e6d47d782d18d505655d

SHA512
9c90b5928dfb4bc70004bc4f1e68bd2d723d22df56ad3604008bc0c70d3646f299428e758efeb6cb18ec4fad4f60e4c57a7bdc494585b8268b2c49cc61c00b2b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
59ac0d902b76235acdb7070a9fcd7f13

SHA1
4929ee780399b3674aab28d3c071a376d5172a78

SHA256
e85d151b769cdddbfa66436e5781d7ef4469ee53864550d9ba40d9cc4f5c10ad

SHA512
2b50f1a67edc261efe2d1a4ee37639d917781762a6578e8ff2820f2bd72aa7250ea150a2f86a2b30007dd8ed955fa8b810cc818a876b2b259e708efba8ad4ef6

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
96594b0d359c86d821771ef31cf737d1

SHA1
7327da609cc85353527175638b0597bd13267956

SHA256
6d241a856d02fc5fd228fcc97506ac6f965a87c247b7d710b59f3a1ae154276e

SHA512
bca1b5d84186c541816dae75214fff7361aa439cc015a5c166276a2591791bf76eab34e102cdb24d66447586f4596f7b584214827877d80283ab18c8772cdb53

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
c38548284b2a2d6f32c6f0cd9c87366c

SHA1
cb05e22910febdf859b1faf05644c926d794d219

SHA256
9c8ff498ccf8d6ca190bc22aeaf9817235e3e78e04405b5798a6a63a0d15fd08

SHA512
11ddd959506c7ac6154012dd5f8f12b279805b371509f0654e6fdae84b88b2c5d55aa05e06c9425fca08719e750c30abf4507715a6001cc02cc0ec92663ec1e0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
c27157c076fad4f598ff08af617e7e27

SHA1
0978d169defdb4dfc8e8b2a90f8dd4e6b9962feb

SHA256
448d029a49331fbaeb0b47ed59f7d43273a8e5a983a8f0a5eb3f227813088521

SHA512
e2e9406e484a3d871d65a53e6d1a44ee239da0774fdf91b1eac8d3875a656cfd2a26d1d8ea5710caf6c87dbbd438bc80ed286277040795df7fb4d8044c32be84

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
9f1f7a113e1a26e2b0c260b8b93d5ec6

SHA1
e4204683b07559e905e15f5d72098fed21814239

SHA256
107c32615812ec213b81864f97e957656c8e62107673e112ef4e0666482bd2c5

SHA512
b4fe1fa5a1bc6a8a408a12647bbdb38516e95944ab7b4b92cb9e297172991dc93c048c2c48d48d27b0ab8e448eb5b0650e72e18f770e6e20c0cc646f548c53a3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
fb613ffeec3caaf381851b5ef2e33089

SHA1
2f55718cf2b1eb5176d450f7233135e562c74611

SHA256
dbc21acad79e02bc27d5bd53924df78aee6bc8f4cf6bc180d49f70d61c7ca1d7

SHA512
f38cba15d78cf40f9ec449c56e2fad086edef1d713299df80e7706a11b777e3a16cbd19a8dea22b9e99f27d414b7e6086236d8225ae21752d046ce830c1c2201

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
bb99e8573bf8bfd4704486c1e08d1bdd

SHA1
76a5f9763ebc88b144b097f65a2e9536f685a1da

SHA256
b8a91743d9fac5c128284bd2b134ce51070e51ab6db665dbb5ec7633e0493921

SHA512
b6ab88f06282c648963105f8b37edab5d28def0a3c40b0d3c01673ca8364256bd660a57877f55eb70144a24af4eda09ced775de4e2f22ad852ec9ec9b150099f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
abdd757d76e61a197968a5827276169a

SHA1
c4f8235e80883653a8e54252275a3bb02b34a974

SHA256
21ef75e9447676c57b8877156e6a9ea2d38f5f6d8eb01513190749f9d166f223

SHA512
2aa7b93a5524aeda98dc90956b15b8be1c8934fdfca608b87e4a3ca500bfaa854be2ecd6cd07df9b770def5d1c661b9e63e28ff462bb5fc8a28403c9e00d807f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
5c69998fda6b523c33499a31a29cd547

SHA1
1db1efdfb57bbac9aa7d908bdf3391fcba13f375

SHA256
4d9352a21ffd990a902afab024c3c4936e70551f19b3e5d1171919bb4af119da

SHA512
d81cc8f4d63f5ce275d5a3c9efe888a27a9bf753e8a5a475cbae185d1c0cd37ec64c3431aa591237d40dff980de16f460a4cdb18d2d1d09a64b09d3c65fc38b8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
b2e2478cb580a806cde29dbc5f4d7e37

SHA1
9004d83bfb9a0dc56d0132ab9c5d57fda935d6bb

SHA256
a6a2811761d4895a17e11c6123db54cbf1686e45c65cebdc2f2b3e4fb36bb862

SHA512
ff9c81c828095d856e2deabb1cba6013645bc137cb38869b9b4e3678b1c34860331f66f8dcadca92f5b6b323162f5185b287546d3ae5da6e8d08b6b1b1ff1f05

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
ffe1d46b0e65c48be85a088b926c41f5

SHA1
e1ab7ce45bd4a2b1c7ff4705dc4d10b76f7c683a

SHA256
cd65e806538d56820affad0d29753846cb16c7957d7a9504475dd60a0ded62ce

SHA512
ca7e164c8af1934d95e0568c1d11194bca0daf573b306c78478a88808e1a5dd9e58145b611930adf88777f4d03cc600e997993f1cba6c42ed08caed6e7ebe497

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
00897d91a19a71caa1d560ff6aebeea9

SHA1
6eb3e74291a95e057f9a95fcf8e5f9631d013ac5

SHA256
b9688d0895ca07de8afefa3017fd8e6e35bd42baff4b9516716597b7127e27fd

SHA512
2c390d361375ed8e8f5f53d6ee9d2b75b34701070d2095d11722836f64c722064eaef84803b40ad729bb634353edb3e82643a21f90aeccab320233f13c750a9b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
df2911d50ac88b24ff26384ea46a9fff

SHA1
f846ed88dfbc29f4421b0b06f6b3718b173f7b6f

SHA256
229be2b7199025ddbe6e12d4d5889268170afc8e7e19389d15769a031f688054

SHA512
c2db0ea199ef9781defc4031174e2d1ffc097fe19b338fa8e53e65507842d04a735f3774bb81457db1cc0d1feaa3aed442389fd65c79da47b71f001d7ad92844

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
c32276c1a4e63ee3c826afabfa9b6a77

SHA1
61680c23f302cb3b4fd667f833851bc3e584b6b5

SHA256
febbb935306679a813820fd2166773436716ae6536814a9a45bb3d49765edffb

SHA512
c2e49142771da689f628724b5d320046a670575126e6dd77beedd0dfa8633b4851dd4c184c330b5897542b2aeb2e67709ac6f51faed0f298ced2379125ee0cc7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
e8d365c4a275febefd83b9209ac9aa5b

SHA1
0455761f661b4ef938b4427421af16678c2a0ef7

SHA256
6d499e97ccf0ec8f4bc4800e6ff068d4cbef4273877405c424cd1ecc945895b4

SHA512
bc3bdb6e70b41dccf0c3a3319396624a619294f9effab5ae8379fa8ff1534fba0b6b6b6713b5a011fbc3e57d453a077dabaae2efcdc1bc96f2c6b5f6a2dbb147

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
e937b2f25d3373aab7af9ce4de580c45

SHA1
f69ea6278acad958871a08e458597d1498030e87

SHA256
0619dbff6191717e67f3219c21a4a2ce49c125953214ff20c5a41505fc651d61

SHA512
478edf9467a6bf075d8af01963931abb771b957b3f1bf7ae8207e9aeca54fef2beeb5938ce967ed7f80b23c109c97a6fbbdbf695f1e5d488a84c1cae539fb192

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
6ed95d525ae028eee1e04834192f0a10

SHA1
b14305bad5017b68697872d4a49cddb91183874b

SHA256
ac6f2bb6f9798bc26e2e854f03b75b2c162d57fae6682ddc4ddd4570c3d934f0

SHA512
3c725eb39bc487918d904ed7c5428f891b97aeef84eaf774198a22b281d062873b742930b4328b3d8b4ded9b81c8f082a610aa79353d2f4fa6db80a6f86e9a09

Download Submit
memory/592-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/592-8841-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/592-8840-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/592-9073-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/592-9074-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/592-9077-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads