xorist | 888e8c884608c66d3b71bd2440ee643f6fc8b416d63e4d3a79a614c6203abc58

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
Size

7KB
MD5

c777c39aa89562d749c232c53baa5b47
SHA1

45861a873bf82a97ed122680a33d80d17437f51b
SHA256

888e8c884608c66d3b71bd2440ee643f6fc8b416d63e4d3a79a614c6203abc58
SHA512

bf51be15f0d8c36011af9ce834f22b3682401ece3d637c57f8983ee1c9bd535ec4bc20f0f7cc7724f7e92be12cbc28843c0f4e6fff1ce72116617ec23305b936
SSDEEP

96:WdZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihEx1kUqhx/qMUA:Ezdrr1FG1WDCgmjPZSx/qMUA

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 6 IoCs

resource	yara_rule
behavioral1/memory/1968-5-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1968-7130-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1968-7132-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1968-9052-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1968-9053-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1968-9054-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2193) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvu40GibjG6QKIo.exe"	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\multiprt.inf_amd64_neutral_988a34fc912eab54\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_eventlogs.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_CommonParameters.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_environment_variables.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_neutral_11bbf54c8508434e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_regular_expressions.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_neutral_4ca64d28e1be8fa9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_troubleshooting.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMETC10\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\slmgr\0409\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_jobs.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_PSSnapins.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_environment_variables.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Arithmetic_Operators.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0013\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pl-PL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Comparison_Operators.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_neutral_59c2a018fe2cf0b4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep304.inf_amd64_ja-jp_27c560b15d9928c0\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr009.inf_amd64_neutral_2d7b3edfda95df40\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scripts.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ksfilter.inf_amd64_neutral_86311fdf78a07678\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsPhotoGallery.bmp	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_neutral_d834e48846616289\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_format.ps1xml.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Sxs\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Switch.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMail.bmp	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\LogFiles\AIT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMESC5\applets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-audio-mmecore-other\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ru-RU\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wdi\perftrack\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Automatic_Variables.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnfx002.inf_amd64_neutral_b6dd354531184f64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_pssessions.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Break.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_objects.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_neutral_856142fd87f1c21a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00c.inf_amd64_neutral_27f4ad26fea72eb1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbusvideo.inf_amd64_neutral_8f9a8242d3699a44\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oobe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_execution_policies.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1968-5-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1968-7130-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1968-7132-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1968-9052-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1968-9053-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1968-9054-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\lib\security\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36B.GIF	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\back.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21323_.GIF	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.PPT	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR10F.GIF	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00142_.GIF	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14794_.GIF	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21435_.GIF	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_justify.gif	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\settings.html	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_left.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14871_.GIF	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_docked.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.JPG	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_nl-nl_5e53e6dbfe67ef44\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\CA-wp2.jpg	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..idmanager.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d74bb9dc4ea86b7f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-taskmgr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bf7bcd2342ef18a6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wiabr00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d9998152b75d7469\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-healthcenter.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_1ff5acc81262cef7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-eventviewer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_247c61a2cb1cb1a6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..otmailapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a4dfe49faa448258\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-console.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d507029ab4c54834\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\c9c1aec84139cedbfe3731aa316c0ad1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..rtuimedia.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dc6047163dbae5f1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bae2a13a05218d0f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Security.#\33f2c8336e497fc65c9d414c2a7061d8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_miguicontrols.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c51db569c5ac8b9d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_miguicontrols.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c4e9124dc5d37d42\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_msbuild.resources_b03f5f7f11d50a3a_3.5.7600.16385_de-de_80aebca910ef4374\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2b166002b7f51771\settings.html	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msident.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ae359dda7e9e5141\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9200888cfd93d5aa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Comment_Based_Help.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-scripting_31bf3856ad364e35_6.1.7600.16385_none_bd062a3e0c6e3ed4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-webdavbinaries_31bf3856ad364e35_6.1.7601.17514_none_d2cc23097b35ec78\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..an-plugin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_752d0cbaec4d2602\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-v..eocontrol.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b54c2fe3cb59c96e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.7601.17514_none_bdb13999062e3561\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msident.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_50ed13d9717067a3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..ctivation.resources_31bf3856ad364e35_6.1.7600.16385_en-us_581f4464e637a2c6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx35linq-msbuild..montypes_schema_v35_31bf3856ad364e35_6.1.7600.16385_none_7b7b199d7af559e0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\back.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_zh-tw_08ca9d4159f2a9bf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netxfx64.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_41c1919687d9c0bc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wialx004.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cfe4b321af4846fe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-mmsys_31bf3856ad364e35_6.1.7601.17514_none_c6ea7a022a2b6909\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8ba155016eda35d6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-whhelper_31bf3856ad364e35_6.1.7600.16385_none_7127322d9ea5ce6a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..shell-exe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9c855a7f0ed94550\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.authfw.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c7f8e2e93c94a4e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.file_srv.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c13c2ce8a9b420a6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_servicemodelreg.resources_b03f5f7f11d50a3a_6.1.7601.17514_ja-jp_d0554bb590ada165\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mfdvdec_31bf3856ad364e35_6.1.7600.16385_none_64a6ece3617cfb74\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-remoteregistry-service_31bf3856ad364e35_6.1.7600.16385_none_e55af7609d2857a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9b5fe635ea4f5d2f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.mediacenter.itv.hosting_31bf3856ad364e35_6.1.7600.16385_none_7a03adb13e2d6ab7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_PSSnapins.help.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..randprintui-asyncui_31bf3856ad364e35_6.1.7600.16385_none_7bb7a83f5379babe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..ortingapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_87804a7eddecd4d1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msieftp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_677827f68b7f969b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-capisp-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6fb1e40ce10a6478\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.7600.16385_none_a61138e7aab17fed\Windows Navigation Start.wav	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_sensorsalsdriver.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dbec687ba4094dc4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.directoryservices.resources_b03f5f7f11d50a3a_6.1.7600.16385_it-it_c387b66f07a54356\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.web.regularexpressions_b03f5f7f11d50a3a_6.1.7600.16385_none_22121c08dacc1998\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-tw_50803feab2c2b869\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_it-it_290f5012f306f00f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-http.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_116d1d4fe2efa561\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..orage-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bec113c5d540c4cf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..ingwizard.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0f1d141626d4168f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_ql40xx.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0272c26ce89b1b67\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-scripting-jscript_31bf3856ad364e35_11.2.9600.16428_none_6f8ba5f740934aae\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-comm-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6009136d7657cd10\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_et-ee_7fa4216b784f1383\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\diner_m.png	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..in-native.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0770496cdfab5688\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TQEUHEWFJVXEXDL\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvu40GibjG6QKIo.exe,0"	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TQEUHEWFJVXEXDL\shell	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TQEUHEWFJVXEXDL\shell\open	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "TQEUHEWFJVXEXDL"	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TQEUHEWFJVXEXDL\ = "CRYPTED!"	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TQEUHEWFJVXEXDL\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvu40GibjG6QKIo.exe"	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TQEUHEWFJVXEXDL	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TQEUHEWFJVXEXDL\DefaultIcon	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TQEUHEWFJVXEXDL\shell\open\command	c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c777c39aa89562d749c232c53baa5b47_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
71B

MD5
2ff931b756ac45e6ff5f76137d70008e

SHA1
076c72b895648b9fc524b4c954057ae60597f54f

SHA256
e6cd0ec310309f6ed7e5e79eb2bd6a7a4db56e9f5680272d2793e74ef31f35aa

SHA512
f32745b84909309d178fa46b14000e1c8922bd87e087e16ba5f84df35ec3b4c45724c7ddefcfaf6238a42eaf1c83de4b4404c35ebe6823f3b471e03dd377a2ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
0afd35c14f5d5ca32bca3458cc3501b0

SHA1
3bda4b6992176c7061b63713868ec1a2ac518365

SHA256
03d3c17160f5fda44b711d2242dea1ffb146e840c4fcb870227b44e30614cbfa

SHA512
feee48fd0f98a9f004d1e69c8f6812d94f34e2cd043f79a677a72855a718431b0557c3af67d329c8d89365b31da402c6d23a38a351f4b874859b4a6b21a030f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
a117f5d23e1e420cd2e00065d0a37f6c

SHA1
371d963daac71cfd59b2937b2979fc966b3bc543

SHA256
784284adc481579b9197bfbcdaf67b9d9ab8a8490b060ce9c9194da3d75a445d

SHA512
43677ffdf541a7320d5be5d780d07e495aeba15961cd71574db1a3263ecd0d1c8ed45eb59ff76cb3c93484361eba2e97d7e9053da92fe76305c5a20502821e83

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
3d3d20597b37c3c05d1bdb723265771a

SHA1
e205ce6aa255e87e55c56f4a82274634da45e416

SHA256
204a0376acb82c2dcd98bd73b0d7b7cc3db90438c1c10be26618fc0c3e608915

SHA512
5b435cac32849b8c53726237efde9f7442d50eb2d858a0da191e31432681369b09ef03df9a1b3b1e400bc063e98e259030796e3653b2fa5ba18d6f6f4c24d11f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
b41473174f2bf665d4143ee74fd20ddf

SHA1
6421ae626f2dc8e73aee18252e28c22abcfd27d8

SHA256
5bbacc24e1c69bad7465b4e88fd4cafd2f3efb534e0e19dc5305943479834ea1

SHA512
f8f7d07f651bfef1fe44fc9db3a0e150dd2046e6aa7e813bfbe27a73e53f4d47f61f2051c11fda4eb936b7244e9c0749c17115eb80bc362ebe40bbada6c5d820

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
92fae5d83196912e1b0fe6da950980d7

SHA1
218bb9c74a827f807f857e8419aa37faa9f6abc0

SHA256
036096333db46906ecdcf54719f2a20a38d6abf968d2a67f95725e50ae537568

SHA512
64a2a3395c769202d10377a47aa0492ed1d150129389d49df53cfd74d3c97222832ddf69234ab6f1875af36fe29103ae15d200a39035d97bd80fb6a93d12ded2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
66b375206e4b28cbd00c010f87913257

SHA1
ea09dc7446d23b5ff790a180ffa929c25fd8af57

SHA256
eab18a05c2a9296f90bc9739bb1e9be79e921e37a4ee4577b8e07782bdc3a96d

SHA512
a2f5fd62441cd373a97345c6ce6f604f6bd546e8e24f22fb638daf7cda8118671c987e99f87117471a5cddd6a4ee502d92f807385e8118c7acd5d4fcc2bccf6d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
774537dc17e29fb00225637059f74145

SHA1
5cf03a60639338eda34b1a53f9b00cdaa5ce3e84

SHA256
c0481b9224404fa9e33eb6dca83e163e4f8b7ee9e6e82360e06fce5f760ae33c

SHA512
c57692bdc8884db7919a91d061439cbee94b397ec8cceca59669798eb65b1667a2ad40af863d01f2b2daaed00581a7d7d0b1d20c66fbbd3b3d1654672d36874c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
f954ec48a5b53bbd0f47d07b34e34775

SHA1
bfdda052dd1cef63134bbbe76b577ac562fadff7

SHA256
b3d1a6db3ed3694cd4bcd34b00d868926bc9ef1c36b5effbc754ecee97ce2b49

SHA512
74701035445f01b7e7121696ce93bb09bdd64401a915e43394246d9c9b97450986bc0bd76b45c56611036142d67b8afe9bd986dd23db394d1edac8465d74844d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
9d2ae9c3a7ebd781c0e20721af656a3d

SHA1
e3f04ee0698358dac2b9529b88144633103a8c67

SHA256
61aa4c4a02cf25703474c1e4245ceb388f6f9ef4f1a4abb12526a1742e8c4d09

SHA512
14600426f43e6366779c34db5029339e48f0b9336c7aaa6b53b680c5a22bf662d1eb9fc45264d000fc1df36c3c05b17b0a507a54e494373e387e374a843e88e9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
0feaaaabc2611069495d92c5cb1e1140

SHA1
1f3875143012c219c0985fc8b4999fd2430e3cd2

SHA256
3a3faf75d8973e0e5747933f49fc8db4506ea5b631eaec1a84701f56e529e4ce

SHA512
d70cd2f77b3ef8f62276873d940b7a6648c5f6b5239a7abb43d21ab1cd29ec5a9461f01d1538271053fe333a59378c1ef48759e8404af9231e4439c5581892a4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
b776145f701b31dd98464f08dc58b4d7

SHA1
0755ed07a4b289bb441d521c5b1b95837288416e

SHA256
4e3959a047864ec6bd7567390e38dd21271f7183d2bcd0698e48331f8da7ef3e

SHA512
05247e464cdca97d1dd222047a88a9e34f3a6bfe867e093a2f1b2823289de69f8cc618fbd11eded0c82be1e4bf31335d8c0c19c8883edb370b077230dac53566

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
ecab79c3e6b0863d92a824b111ee7250

SHA1
21fdc54cfc4e9e774fc7bf9100f1e8c7c026d122

SHA256
f3462835712019dbb491f4559343641946647c46bfb6bd66ec279eb34b3cbd85

SHA512
de42473f7ab57a839b5bd60429be4e93135f1b13fdd4bc64204f8281cd37d4d1e104af092a368a7e1ef3562a178cd4edf37410f81f82d914a1d458cc0d3e7e78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
4b270c31ce63ed963d9600de9db3c256

SHA1
f86205087216b22addb33cdb4e9a6e7f530f0212

SHA256
568bdd9cd54f0f21980da1d0155ef6a19e2667242858efda5c10fd9d1cb36e6b

SHA512
5494174ec7b33a6e0616597e4e5d15f04555c7eaa40176dc434df83ec35c58c0a0e3811e2c263dc9afdd08147bcfad3a7f9987318cabdc3663c734735a90e15f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
c84f7e7b733e947fa1f8124c5ae4bb1d

SHA1
f094e8039c798a82bd11dded19bf3b987a1a07a4

SHA256
05884c2231d8ab5330fdd43aacde163b045d183c8d679e8da3816df6b91ebb48

SHA512
7ff3ae3d4a43c844e4afd4670781d9feef0f880809c539274608ff327c01106c39a30a87026d47ba3e859db97150de383eb91ccc6cf37e92f327734f45abef68

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
88c7a2432c104237df4ddf832f59ba40

SHA1
a7bf50b54f5991fffbb0229a77721e598f543306

SHA256
1a40d49753ae9f23deb93c71ba210afdb1146528cef9d088134e370ca28ecbe4

SHA512
44fa0678ad7137d113ff46cb06cdc7e7b1e3da296b3069c0149cf3b694393180b4e37449b2d9f08f750faaa8c5aad62988d954f8ce851adf81893c9be9f4c3f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
5e81083a08084b96c761930023de2739

SHA1
35d85ec858753cd7e3c17b6ed1362c7f19aa6070

SHA256
19726ec07450592603e16ac4cc9fa1617d3aa9de29ba9d246dfb8794816e8331

SHA512
d09d06158aea5bbe69862ed2dd80db28dab969f9ea1e8b5851d0a7c62e85e7286ffe5fcb2a1efd6af7023e22589248c213abc7ef5d1dbdcbf1bc305e46af147f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
d2e19cdcca6a24ea290083e9126f48b3

SHA1
bc5853b55f2a3fd81147f2e6ddcca2b5c1385d8b

SHA256
6084a85e13f9fa472edff6185d881029eef345a3ea138aaa8f597b18085cdd5c

SHA512
c06fb4baf9e52776e9fab6548e402c9086ccf0a1f2bcd5281f0972516c9bbe79a3312745bcb47a7c5879bfdc01e8c09f1d91c57a169160e275a36b25a3827545

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
16a21a157cd96c9377b2f41ba65caca2

SHA1
b366ddb7862b59be466401ac1a1f710bfa004c44

SHA256
dd824421294e444e1682527000d0eae915bcde394245105854ffecffe0937e06

SHA512
22ba7f9855313d7622f7427543eae83a6e51cfb789d3c3ccfcef226481b6d59b8a8557b43bdda6d23d17b08d6c0eef7e152194ba03bfcb7842289e7225a3da5f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
d86ab0e164e2ab9d5b7e6b78c06c15a2

SHA1
33258726d8e072ae3a2493a1ca31909474f05026

SHA256
487b88336600686b20e581763ba1b782c2afd55dea36b4d12078498ca468ad25

SHA512
b091260386dfd7db9f79b50359878bd629e6bcfc33ee03fdf4499dd2bb7988628c03cfe30259cc3c66e599c5d4d4664bd426dc9e31d4391dd1bfdca621ea21c3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
c57d22ee089c712099f9bcd380a49baf

SHA1
f7d0a1f2832f171e47fe9de5a284c3e5b9fcdd8f

SHA256
7733d65b45b18c1ffff27234eb2c4e70ea03ab7f37dbd9deb43ad06cf621d247

SHA512
e8400b141fffed2abb734d2c2263f83d894f50c823cb14312562649676de262fd5a68229f563c397a3ce4e082a64695235d1acbdbd8c8353c0c9f8e7a26983ca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
78c1bcb57910ff4b6ced432155a9abe8

SHA1
0dd17e48e4b43218961f0edf3a86f9e968a00acb

SHA256
95f8408d60f0b4cb5db4e2f6f1fe97b0538d7499ec60ea9022ebd664469fc9f3

SHA512
8679498cb190e74d87e51e21c3cb82aacef080c737db84619593a955168ab1bea0e4f57f0619320ea89566e6d857fe09fa8709673006e84b1dd40f0899f90cf4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
2b9e4ef9cfc7b3c1446a1342830d333f

SHA1
bc2821edf001f0bbc38765b1e51bf083e2e51ede

SHA256
e2da8866205b9049a0687f3f6bc4f432ba695605be464c03e95c9aec7621d2f4

SHA512
6e5e969d3ebf7e53463c219e7b878232b7d8a8b72d8add49f4e4be8025cfe7b3986be70fc9282fe1829e000f398c53188dbdf88f62b70a506e9fe353c8137ee6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
ebdd0bc1fd4ec4184c781637b30a544d

SHA1
f34ba9a99252bc9258f195d3a7e1a7d6ee4f0311

SHA256
eada0bb7de231e5dd6575b8e92ce490b6d0f86be36203067e6ce7dffdc924d64

SHA512
d88d000b933fbf917ed51190b611750b94847e3dc4aa48f0ea9c035315eac63cc88dfeb9534e09489fe33d09a192fde4bc9bbfaaa1a82dca5ef921006212b9cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
f24397ecc74ed36cc9aa347e695e99c8

SHA1
401bce779a87a3509643d68c6cba9de1b6a8d0d4

SHA256
854f48970ad82c1a93817fbbffa83a6f53a94abc063e7948f4080eff93c85837

SHA512
fa94e5690400331eff6375aa102c640fe543796eb2efc8a6644b42188fc9a38d1f0741281cf5ad7de940e5328f0e3cab865681a0f58947b93f3b3a2754d963e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
8ba2539f6724f27d79e3ff89ff4a1351

SHA1
ab7ea147017297c3af68e77766dc5f09a570cc8b

SHA256
c8ff0085acbe0f2c5d17718f15bf92998ada0d607d9d7d65add0075758978ffc

SHA512
1541850f24dae250195dc7f52f646c1a34ae5dba938525fd53c9fcb5a25fe2549e37ed8765b5d55990c41c172a03b5010365bad8d10ef9c28b92dcfbfb9bde54

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
32fe44285a404de5141356572afc36c8

SHA1
8f58db298e51abe378bb58b7fea41110377d6e3f

SHA256
00ccf62046abbd8dbe6260dff598587a68044f77d8670c818b5b3b80b6e5b758

SHA512
2fd0d99a75187195af56d87101e7644a5c9e70e0e38aa2f92652073185d8ba980f41d4152af41cb2463656e8906bf43c8f0875b93b4629a3b2f818b438beeadb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
c58e8fc435c43a5aad3b7726b233c503

SHA1
86120cfde31e10c8454e28f4141f3bbf1ea08631

SHA256
b9bf5ce6cd39258f5c38d9b445177518ab5a4e0a06a9816604716ba16bee6421

SHA512
9cc8e2a6ee576c6b2f3bca25da7f507913bfcdd31d3a97ff50ec226628169ed78e8e94a67ff2783becb8ff94e6c73908a3bfe826da55a2ec6bfc4bfe18645f1e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
01b97c877f11bcc4b41f0769be46afc6

SHA1
e0775396638e82991f4dfa6bc998d2483b1d504c

SHA256
c871112b5f495675660eaba44c324224cb30cf66d712c6b7b530320069067bfe

SHA512
f515a81f4372bb591225a03537c3c55097c964a839bae79c39c2efcea0cafd2317a96ed881ef2f701e0324d50d1307aa33a1a14d6dc03e64fe33b58fab52b121

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
5fcb56017c9936ceb4053a5ed7a851dd

SHA1
c79d8482d24e2975392ea9f3095bb67a42d2fd76

SHA256
a12b98372b25467d1458cc0131f6bc41926ff8c0a276404c63783c88fc2fe9e4

SHA512
4586bf4dc1c0c58040e53a7b9250b20e6ca352cf77dace83f804e512fba7e298fbf1d0e9ebf8b1121ba2a9600b8a82d17c2116e123347703dec9bfd191efe81d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
d2268c7e3bd7ee880fdbfbcbd23a0011

SHA1
5ee5fb24cd4654af1a1c03e32b236697fbdf9541

SHA256
d1eb2091017ea41e8d21ca2fbf74dbec0a44db362910e0d01560e62bd787182a

SHA512
b743db5be94765ea08412390cd9eed83fc640a4866657de471e318b9c71782a698455f74114493ad1167c10f2d734c64474cc85b11ecbabc2517afcfed55811e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
5541a77b2570c15edb5f0e158d083d53

SHA1
b16369ccea1f112d984e197cb380dafd4289d58d

SHA256
41dd7c1a78cf58ed82e963b28d5e8be1df942040e34c358cfe9777c2022e00c0

SHA512
a530de0e7164acb35d6717d3e2d26ff38d61d788f1ad3272888b627debe468448ff366961256dd92a91934d61e22ffd8272ef862c7b4d9948901259e0a821f36

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
48bb3b19e0eb7c7d76e234cfc7d098e4

SHA1
0a38d25464bf877114cf69b02fe72579919cbb7f

SHA256
faa47f78ec1f4d00f8ad0781d70fef89fe7a7a9d7e90b8803d96683c5615ee27

SHA512
225da66240a69e17287f17d8c27fe0be6baa1ae1e9ae238a01b9630b6f0dd40805f19f410b5a7eff6ca85170507bee8a03c722dbef62ad58bfd8243c3424a2be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
bccf83e2454583dc9486694088fa04e4

SHA1
cab54ecb4352737ce10abdbce72aee443c7d70cf

SHA256
3862ab44d5225230e499d3b3aabcde09d2ee08cfef841b5a72c71cd16cc697a7

SHA512
54f0cc233cd9616bf37f3bf71f16a8dd43861b63d19c8d44a501290ae03d09f187cce7421035abf9b492ab90f5d3c3d22252a06efaf714cb7c234b8cc5106cc4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
133b9f441b638c24319f997f469b7a91

SHA1
1777c622904247ec93dc9869ccdc9ab350a5faf5

SHA256
d2d832917fd886f3ebbe1768e630b33065aa8115bfaab8305ec696a31538cf1c

SHA512
6d12d901a14253d9c2051ac6fc6b39a63e274a294e61107536f77c2e1e368e622b26f2e4c9c670aebe6bcb8668c07c63052d9a3f32181ef85da535cbe65d4edc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
f84fd5cf6984b26f21b91765048baac0

SHA1
802845d117899bb81e8b09c4b5f3ad5f4c9ff6f5

SHA256
f49e0b25ec6acc63a1e7c564519d1a4f9327d60cc0ff291a6d8be2ac88bd0b70

SHA512
986975469fbcc181b4cab718aad3c5e4ff03da57d602d743a713efdbb3521c296808b977b601f84d73f75744ff4c2e2c2bc96a284bed5fc00e5f3e9a1362abbb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
d8c66f6725632d7c47487b8306f398ab

SHA1
1078fe964b4448a382cb4567a396c6e20a0c6ef3

SHA256
75a500b3b0521786c63b1dab41c29024a32d9883520fffcfc6ba92641faa17e7

SHA512
332f8d2770e96f8e99f5ec95284707543d4fff36888a660bf77be76a6fe4e6ba7b4bbaa58ba8318508e5f39eec05d6978a4e4de3c8ac021b1a773e584f056314

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
9d2fa8b6159039511996b8bf46941e1a

SHA1
7bbd89a281e086100bc10b8d53fe61dde5f53b48

SHA256
51532a084cf6128fd851a7264d21dc09595503bc18efc9770e31ff77096fd5ff

SHA512
3bed7c813f7649bc99591220b68809d1e80573b0ab02e88260f8edad5e1e7178eb8954c2dca7e10a28dd762590847fe6a73d233c8867a650d62d231fa07aefd7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
b7fcb535d29043c4c1e9339a41f86230

SHA1
9b58c1d6de5c3adc2c6fdea07b2944fa3ab23f4c

SHA256
ed49028df3c63d6fac5bff5d5230c024eccbb31f1bc64d0c9813f110121cec2f

SHA512
c47c6be3558f645916b28bae66fc90b8c6f011888db19d4db5e3583d6b6067c4c69fde48c9d8a121bba4e34fbb841c78a5c9588227c51b15e30604615bd0665b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
6424921ff78b555f6799e103deb31d7e

SHA1
db44758675f2eadc31610a844737d3a504b16b4a

SHA256
3c2b8058b1c40c2d80609719d11ad0436cfbf80b904d30de10341e1c7b240deb

SHA512
13ee919e9d0a69bccdd325aac3dc07c824a9fc24abad3b48340d9bbcd7051a3cb9474168be1ef523f4b9b70003bf5124bec1e30804807a64e829ae17277690a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
de1e30394e9bb7b5c9390171e2edf08e

SHA1
be88bda4dfc5389d3c226057ef0a5020b283874b

SHA256
13a4bdff0e5a9099244ae0dd02a460676fc75357f22836ab2eaff6a58e41f35c

SHA512
e228c68c1eb0726e804a755d285b8613a2e0f79ebf9012e68556473249b7886a141ae070a9bb4d7491ef85712b66f148f0fb1e083ecb7e85b853eb6c828cedd5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
2d7a73fdf07ed69e553041e56ef54db5

SHA1
42568d12be7ec21ad3acf9b4199ce1eeeb243125

SHA256
e4f23bad197d607204c8645925c8f62d6a804f7d5fedadc416d7ad4faa964511

SHA512
8a33467e6dab3e13a7eb2acd0812963bc5386c9fca94c7775c6f504edf21142bde753f4b65fc3c98b334c163faf138716aaaab13034a2a55b0c6a837899d3f75

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
8d7a4b521acca81678fc11861b765e16

SHA1
ca7a1265fb34e33162ec89abf01017811065a7f3

SHA256
7562dac9fddb74da177d4de90471b8c12d535d43745fbc221b3b5e53fd1cd811

SHA512
2b7a38328c28a86d5a9da4c9defa4f2ace7fb9b44cb97203b6e0f36e4c3d8243f16592b257b2f2137fe89284be6d4d2beaf4a40163b00f1e501d6f98984223ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
410e64be2fdfd5fee0860e1288dc9d89

SHA1
fb5c3aba9327020310dc3f7ebda773e90519f5df

SHA256
3dd4160c82d884d719158959fb3dbc9179cac4cf392f77434e4c18050e6caf60

SHA512
547a21dc5c713fe6f7253bc5b3c3e3bbf4413d5d119d52c4c6c6fc8bdae2c784afd2de075f3d06a6011d0c668747e2f16d3cc7aaa4d199717cb847c1d6161f28

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
f3a05a3598ef2f82ecd73e7a13e56a06

SHA1
6276a8638119048d7c8b8461e6e0d0a87bd4e1ae

SHA256
0d9c064233193afa47f71d8037d10153ef2ce30cbb4cb005a14edc289ebefaa3

SHA512
8418ac2361bbac05e8c6c877acf641df4a8e10d32bde2d712f8407e8a2bae106e877877f08372ddcc93b050e72a7a1089fab331608595983f1ee9f6ac36080f4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
6e95480f9384730c13d8285134a75c9a

SHA1
fe0952904ede42035bab9153c28dcf42b3d7822b

SHA256
ba5bfd88e42137a5d2610175b87fa57b094edbd304cc94deb6dc668e2b94a91a

SHA512
5919d5d2a1877aceeba7527d1ef93f44bd08e7d8843dcd1c918f30e6018178cd93242d8d72fd0df5135fbf07e979aa8fc92ec4175475ffeaf047b4c210b284de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
d46d1aa54cbad2c3303a29e6d9e0c3fa

SHA1
1daaa820197dcfacfaa1af24e1791b4c9b99eb0f

SHA256
e992702dd1a59753694d533a145fc8c11ce5eea376e155f5a6835c4431d7ef19

SHA512
0d9588afaca78e28c1b2224673d6ce87c5391b901434ceb8c1f1150457069a35ec81408e91332f715ef5b7fb6609588df215ac0132f946021a2952ab43e41ac5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
ede5c1711e585584e7ff773698579847

SHA1
ec4f9e92a39cd66f44c87d02fc5f35992be52edd

SHA256
96bd15cb30ceb64a151daa980c2620b3ed532425ebd6e523be3b1a6b7c11044f

SHA512
e6b45992b715cd6b87728f66d9d5561ba1fa7214226bb7ad16b0c042131f7b5b3ded9e7cb618c18347a44e29a65f7b61cbd2d06f36e28ced5f2ae832241075c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
9657814cb68a14e9db9ed00fa2efc981

SHA1
5db3fd02576ac4f353b17c9a5ccead8a68d8b95f

SHA256
bd945031f66cc3ce157b30c62416c4d9d9234ebdc18576cc96cd96fd9a33a3df

SHA512
ae886d79a0ed73558c53b661d2b00eca95ec2889eb15a833feb71f619938c3bf960ae2ad10cb3ba20ed4a493448f1d3f241894b8e80af91374d0a26eca2151fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
e268d3f7e16de9a494bfdcbaaba7ebe7

SHA1
0e97642db0f2829e899d905f88ca544dec46efdf

SHA256
ba7e7f04cc58e9d4564b0a0d5014fb9f5981d4b0d3996a572522fafe2ec6e743

SHA512
4f40072f83ea332c7aba20635303ee56c2a9fd8195b1cc605907304093f9d7071807b75c27ad320cff532ff3b27268054a12f6a136850150786678320ff71b37

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
114ec7c3af47fc89c8ff13c60effb077

SHA1
b438597fa4e6f0bbfce483b07b0855398b4936c5

SHA256
85e71e9c461e6ffcd3dbfa841aa35f26021208f51ca66e86f042cfd5373ece18

SHA512
6b50a263d455160c2e8d365225554bdd3c6d1e5659dc33954cc21b27d4b2c574c040c7d3a19aa798ad1802850bddc1cbb26b1f98d6a9ec6dd4d4db8d0be00051

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
ff0acfd77652a2a2c753d03706cc7112

SHA1
9a449fc12ec339f57da4655213d68a404532b6e2

SHA256
1be8cc8cfc1a6c37ea424b10fde89ed37c324f3cbb2ba4c31651d3755e37b55d

SHA512
5cc1c09acf97ef899aaca929a3c2d2a5effe7b9b6d718fa01ca328a746b0b248054fb62a9193b9cffa6aba1fc7d606b7c40644e3c6cdb3a6263b370e122bc5d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
7217dd6634805837c5dbf54fdc8123fd

SHA1
918867cfc7fbbbede446b0ced3b9c1192d2f0424

SHA256
773bc437bbe41a809aeb09bade49c563cf6744c1195b048ec6433552f8773690

SHA512
72aac8e68df582904242f06726b74030c295c4b5da629b4d8d7e05ff74dbcf68b9079452254af6eee3ff67c5d5f1120216bb1a956747fd66ca31a6be4169cb64

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
174b1f5af94dd46f910d5b83748dab04

SHA1
3ed6fff0c13679dbbe660094272bc04a7fa7ecca

SHA256
0ca146497c3eef92028b113e28adc9bd2768a3dbd2d551ef637d24acc638f04e

SHA512
bf05632caf4229155d28932aec395bcb07c789ac6c08be822ce73d837a22c14fb3b2f77d745390cf9911ec467add8bcf8bfa52c326a95963284950a7965d5f20

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
15c1fdaf45b4367a3b8b8462be64b8e1

SHA1
30a10bad5b7a2466b032eb1742893a3373733739

SHA256
8b8de23d0b12084812419d5183beac35c30c2f962e2d1e43dfbb2f1c204ba0b1

SHA512
39e531991df5eeb0ad34e52415ca2ff2fd6b48d6c0bd39aa3d22484a2deac069313934de36cabc944fa0e57920b51fe9279f0be024d40f405b25818cfa845872

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
9c86f2c98bdf3c32c120eb2a8be372a0

SHA1
dcb3c895062bc96e7841082d85d15b8444aab9c0

SHA256
0886ca4b255d9cd3301bb2b9798cf3a572f96ed75d07510bf0d9d735cac4f309

SHA512
5267afde828d73394d13b61e6ea95b30d60524d30f4377174844d285a4253fb1eb92124973155508b403a6064cf4fd5e82b7e2c8fcbef8de17062b7025702234

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
5c92528e7955b5df58f4333858997523

SHA1
af5a74de0578db13c512bab4aca3574806d018e2

SHA256
2cfa4d2b425a836c7279da14fcbfcd61d4ced3f48f9faf37fa59c2fc2ed5410d

SHA512
3b406750c1e6c6e6e9a035850ba75c101ebc10f98acef2860a76d9fbcad90e1659479c1688c577c482c096738c6772647529d64abac394ba25c1a5c07fab87ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
d0f760025a9b83ee2593ed604df89890

SHA1
302840d3c3319653f100c6f32859e2371077f30f

SHA256
4fba4d5acd782caed0aa6dea3751ad90619abc033a353d6af9e9b4be6081e938

SHA512
99afb31bcc8f7321a5cbd6b3c2c8d704d315aac7dafbb0e20d45251120cb9b0ac23c3a89d1dd9e2a0511f74af63bbf3f63d654cb60bd08e7555ff3ad2c340040

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
173d17ab79f07b18c932bcf8d50cfc6f

SHA1
8cd17b54657938f9d9627a4c4f47b76252c4381e

SHA256
f03970ac16cb97bd13c07364075abc54695ff2e3f643ada7638339ba46f1451d

SHA512
a9b6d649cced25ba4d030d46972fee18e3b9bc5f6fce4d1f2c15b126762dd8f94338acb2e890f13997743409301658a020663a946295f9bc81137c989286ac9a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
308196d000a45c48a3610bd27938821c

SHA1
345416e7a9e8fbf48b2efed546131d134febd825

SHA256
aea1aeac9a746dff68eac418536ccf03cdf5745a9f43d2329679aa303169d568

SHA512
246763902cd7aeb8f410be89e43be536bbd7470d8fd68ca0eacb7c03481814597d5a2eaae91e28a1ee1398786900e612a1c6644ddac5fcbafc8200f4aaee1736

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
6ce2f5ec082a3465c7dca28da77765c3

SHA1
df7f3f12f8807fc0d6de380cba159c0be5c98e6f

SHA256
a3765511707d631b87e69db1a92c22ff39311bdac7592c86456ab32f13eb608b

SHA512
dfb60b2d8798cdb54e4e39efd787337eb590ce4f16bb1948a653f841ddd09427eb7d34528e759c1620673329e7be0bfa81f814aee87ad2d4fb35dcf73b1d5226

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
a4113be0628a2b13655140284b967e62

SHA1
475d9a356512a54fe71c006d290ff7b51fe9692e

SHA256
0a2aa7cb01c27b9d8583146c40cd98801ace60bd56db4d42bf40cd4d72a622de

SHA512
d35f672a78073363a628961f75c7960bb2ce513dc43a97823101d484ed5a65089618fc6087fcd8719f9c11599c09b7eb8adb245189d66b57a80944a1944edb1f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
5af36daab13a5ddf7c868d2eb5bff321

SHA1
91889c90daef8652ad888b420c095f9954848fca

SHA256
9e3f963cdd0ab371ec8a0f50a1c5329ef39985ce7ea4070d0abea70d90eb5bf3

SHA512
2fee2f6152f6282dec433a5fa34ec6c26b38bc8dae05bef65c8f7aaf15c0fa8d1ab5040e9b6c42229bb8f2f98716d6e9dcab027e3778d4fba4d3e4afaacfd9a1

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
568153425d5dcb325fc24d6b90550042

SHA1
bc3bc67dd2fd58a68dfdaab42964fc38582437e2

SHA256
3a4b35679f58ab63964b00d0be4d2db08cc8a4a520e0bc8b767424dc4d49244b

SHA512
eed32c211df149afc292665ee8c97a14f8e5549b0fe48fc9b132f0dcff800fac72fc9c705e5242f44fc929b45786ca78b2b33834670d9725e65e32e426129dc2

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
c446dc793ab6eafac20e6c8c3c43f98a

SHA1
dd71a0d14c47e1c7956d6d9e360b0d48f465da8d

SHA256
88e8826bbad018379310814435749230cf78a218f1807a99d12b754618f550c5

SHA512
8ab2abff2c0dc54a8ff250ba1f3f75bbd16c9255c5436f9537f9b6dfcd68deac77766b5463af6a18ba89794adf77a9e73d9117ebc74a36a265a49ec32134f84f

Download Submit
C:\Users\Admin\Documents\CloseDismount.xlsx

Filesize
12KB

MD5
bf163def3c130c541183eb097825d8bf

SHA1
ea0caa36ec88dfcbe0b3537a008337e2518bc506

SHA256
ed02fc14376166e7e0ca2074e2b0f0829b32152bd54d90099269c07b6ba1f6a1

SHA512
214640013e5046e80946da127617bff5a8804ed01ad21d69d1d0e940b075aa342b9ec24113a61fbc211c92635d488c3eda8b4a8af3c5873345cedb5a5b6ee95c

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
e423bc3dfb65b3bee708b2dac9becd46

SHA1
935705c26e4fd21dec74790eb610d4aa36e560a7

SHA256
05c45d58d347eca6e8284128b178c1ea44843d192d308c4ee3b28877a8ac3672

SHA512
462b71f3fef30c5d10d42c681690aa5e1f535face4702e61dcc78d3a345ffad0b36ce502af01af8b05ad7fdbd6719de0469523a63ba77bd0b6683d8dc4b90c20

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
9db841ae6ecc42d80327706c557de779

SHA1
5fe066dac83461b3acf3e1c7148d54b6c3788adb

SHA256
b6d5dc21b793b9261270d10d31796bfe92abd9e8c5aad494f721e5e95adf8033

SHA512
d7d51fa282750e43d22071f8e7e9c73b8f3b7e1aefef5d6ab10fa663911c6f79416578dca59d08e1922e7504ed496fb9d204c835c25d438c4dd26775a9060272

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
2ac7f97a61c52d664f0295b12f1e4612

SHA1
8efc8eb971e41be2d6886bcba1a5e9093fa8e26b

SHA256
3ae13e70f3481d974122504d70acb6889427c71181b680307490079171003b4e

SHA512
cab0fa2ff31f1ed50515965c5b41b6be53915b32466aeca7a96c5fa2d42e957d6fc58cf6d76e1d14eb74f222198b0bb669dcd5844ca0a20730649db773b32fa4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
56c30d8f838174add62475e9218dd956

SHA1
440bc59a423da8fbdd368182678e9406d617a3f1

SHA256
2587da7712753843e036cda181e6bfc5c3f92fbb2b2c5e827ac4f42bf19edb15

SHA512
268f67b76407dd1c7fe70499fec2fcb4b07fd719f403414588cde53fba879f484b13bc3899fbee0f3bad5ddbab5ee9335b06d9ff3e3d5b342cd35229c1f6f999

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
eb2de057b857811517d3aa6bfaaa50a1

SHA1
489e3fd7ac9a56a18296f786082be67156fabd7e

SHA256
0ea5d7d24bb5f7d06757372e1978ffa1f6910e1633e35d9be755e8f2f9d196ff

SHA512
4b439af49b91228a8a5670f3ab5213d851b69189313f5af5bf4796b4623f21de53313f0601fa1ffb547d0f68c81abba86987cfe221a96b38186407208076e94a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
d28d4439762289384f84df31844d3c7f

SHA1
06595fcae3992dd070b6e8b3b01f7ecca4c274cc

SHA256
f6b8141c391037333757ef0a09ead0a686c083f737d621c37f7fe9dc42d9d059

SHA512
b9f726eefb18d28bb6145cb5b44f389c4ff0f29f7745e76055a1b151417cc68d31db592866c9c0762e2a612f0fa8658d95545eb71e75815ec9cf41f7a5e1ed2f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
e790e800e0d231443c09231f98cabcd0

SHA1
71db28074616f71714511ecb45b97c9c95d17557

SHA256
841607e808e9dbc3b8002918d1c2a1b6b1198efc6cc097e46ffb466bc79315f2

SHA512
f2eb7b7993845fa3b38a9a8bc46e5c5eeae01154679314b04641bd6b476f312cfe4593dea8f4579d28e6194fe0dedc36e417da5d9f547efde2cad0e81e6468b0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
058e87aee6607fc8551ad62d3e82f6cd

SHA1
0c7009965b154da5d724bda8b2e418e7ca7d58c3

SHA256
c51acaecaaa67bc6873eb75fcc1c7e8862aa4ad96f894ce1d5c094589fccc4bb

SHA512
e38c6444c299be43c90feb5e4ee524501c8e81bc91adec5dabc0e3d5f3a8a2ce295bc2a9480cc5ed528c876f0081c59f085e6065fdfd3261b7aaef15eac742c1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
9dfcda4ae06e6fc277da3de6e60ab091

SHA1
00dd086850789e542ab9b3829340db434ce7521d

SHA256
325e085cbd5cfe05e95299a824e4c0ac9b0a38cb59885a85c030162b375fc2d4

SHA512
6352fb3dd9e69758d470580aae87441d59fdf30d1ee40e7d6ff30d624ab627b5178ef5e307f481c94d32335f3a34785d5ab16535bf1545c497affd705ad4fd5f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
6c41c04d6b8cb360401875ce57603a6d

SHA1
2f460effe6410e809948e3741ddc94e740b88f98

SHA256
624a502a968febaffaeeed711ccb390773d64be7d99ec395f6ef2da88ffaf151

SHA512
319a3ced4d0ac1a72bcc842da520d7c9498a23aeb84c13f477191ce7874209767cb96af34d1d72941cbe3e55d57f1f0107ac48e2d3413c9397a3970464b40eb9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
a2e48459de55af07530f8a31911b6596

SHA1
c5dd7d39cc509a6c15f77e3a9e904b87463c1191

SHA256
e48fc5e9a76ecf80f24985248b1c198f2416253c7ddf000c64af7594aed7fe36

SHA512
f604c9592dd77eb14a32fad59670c1e81ac9f07924e3b0040972c82e72935d51f0302f94b9b025c94250f0106fc335f0212f73c26f2f25f517d39f3d3b9fa9c3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
aa03b4f759516273885fa0b4cbd8fcd1

SHA1
c9af30a40eeae1dba53b4dececb32f32409a070a

SHA256
9cc25b779a124e98c3967a6a6052f8a5dbae9e2dd0364f563cc306e7676f8998

SHA512
22217fde0720a287865818f2c82f49601a29f2576a55e15cc0ab72dce94b5a66b9b0d91130fd7ec45aa5d407bd74073445f6393202299903f57a93e78bf44e19

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
cb7a7931f428df709956f6bd09f08517

SHA1
b25afc44dd87767735dc96dd20c64ed993ee3bab

SHA256
f2f516ba455afc9f4a12bbb03396d6cff7a3636a5f0b1384ccd7ef074d9ef9cf

SHA512
7454ddc6305bfc15fe059e81adb40cb1868270c8b0ad79e2774c1acfc87f036e22e313fd9adb3675b2891dc2d0dadc77a56c82fc29bd771396e123bf8761022d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
d427affa7f97fe2f30a1d32cf1753181

SHA1
78f5c1eb2a3064bfa34ca646bb534c586de35f50

SHA256
16491f5ca7c99835eebd2d6cd857635d39436a730669322e90ef201fa7731ebb

SHA512
4bca2df04932b27b70002f8925ed89611f70b3f9d2054b998a05a1e1996cb175de2a1a0ba0b8b70da467db43ab27f8f70d34498693a14de010d132d46e57598d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
83c5bafd0de674e89d0c38bb7f19f4b0

SHA1
c5e94a9f82ce4468532ce37b7d4c2344d1ad4791

SHA256
27e9bc80e1a63e1859d0cd757beaf93eab00ba45baebd7f703fa26debe43ef55

SHA512
1eb33f33cf5319d37aae7e477e0848e38046bccd71298c17f5d312732a2061c8c9cdf2959cf9b6bf42b06c15fb9e970ae9eed6989d9927a50f49e0f0ef0d7046

Download Submit
memory/1968-7132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1968-7130-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1968-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1968-9052-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1968-9053-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1968-9054-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads