3b0a71ace290b700b9c77b6df1cbb8ac8ec0d2445bbc6bf2680bd4a578277c9b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
Size

12KB
MD5

d80afaaeb842ded0c6fa15143d909ccd
SHA1

592d790d0dc21a4f1148147dbae160a253607acb
SHA256

3b0a71ace290b700b9c77b6df1cbb8ac8ec0d2445bbc6bf2680bd4a578277c9b
SHA512

24cb2953c96a0aba9291e5cec18a9d6fecae79e2b161b9b6812862bd0a7b7d728a7a530910dc35c0296b18a676bee46bc3b670f98bac7cef1fb24cb354433d60
SSDEEP

192:G/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjvu2q9C/YpXnAITZfPtRMtvM:GebFNw4Pk1itKkpAjjI2Ypdmtv

Score

9^/10

discovery persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (2179) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8k93yDRf12N2G9W.exe"	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_preference_variables.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Switch.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa3.inf_amd64_neutral_77e515342bd572cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_locations.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Core_Commands.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_operators.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpp.inf_amd64_neutral_a9cb77fe1985cd2c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vsmraid.inf_amd64_neutral_be11b7aaa746e92d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdvgwddm.inf_amd64_neutral_dd691eae66f3032d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\LogFiles\WMI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_execution_policies.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl009.inf_amd64_neutral_bed6224f27f5c478\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\LogFiles\AIT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\af9035bda.inf_amd64_neutral_aa11aa34552d1d4d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_neutral_4c56d83f6e4d75b0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tr-TR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Foreach.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_do.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\v_mscdsc.inf_amd64_neutral_8b1e6b55729c3283\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssession_details.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DriverStore\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dot4.inf_amd64_neutral_b89cfac15ccb2fba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl010.inf_amd64_neutral_46f466c9e68abb4a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Path_Syntax.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl002.inf_amd64_neutral_e204d4267d752eb7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdk.inf_amd64_neutral_e567adb271831b5d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidserv.inf_amd64_neutral_f2223e39f37c69f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsupr3.inf_amd64_neutral_8416bd6e64a8e858\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mf.inf_amd64_neutral_b263d46928b97a9b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_neutral_4b99fffee061ff26\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdgitn.inf_amd64_neutral_09132735f1063a47\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_trap.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPSViewer\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rawsilo.inf_amd64_neutral_8eb7e6403ddbb7a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\scrawpdo.inf_amd64_neutral_4c228493af8567bb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0416\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_FAQ.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mpio.inf_amd64_neutral_0c74c0f95001b61c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hu-HU\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\APPLETS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ADD.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\PREVIEW.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\drag.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_OFF.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\HICCUP.WAV	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\splash.gif	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21338_.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\HEADER.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\icon.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14516_.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_TexturedBlue.gif	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ERROR.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_italic.gif	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ERROR.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\SignedComponents.cer	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\BG_ADOBE.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-tvencdec.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_32160da138c0b18e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-v..r-windows.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7554e1450e725513\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netl260a.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_da58296f5fa441c1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Windows User Account Control.wav	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lpksetup.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_60b92b2fc697922c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..xe-common.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_5c6b5be6eca6db4d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..llaboration-drivers_31bf3856ad364e35_6.1.7601.17514_none_64f550c5ec60bb1d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_presentationcore.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8e2c8c3cc660a879\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-keymgr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ee31a958a16bbbad\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3f0725fa3b0fc19e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-dvdupgrd.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1fb5b01120db22e2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\trad_h.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_CommonParameters.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Hardware Fail.wav	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..edirector.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2a1869870264573d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..roxy-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0ce7c1c7ed016c9a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-powercpl_31bf3856ad364e35_6.1.7601.17514_none_63e85ce6d27a5cd9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-20290_31bf3856ad364e35_6.1.7600.16385_none_5577c689454fb8e4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ntdll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c45501a075f9ebe5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sud.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3e4b8e05493f78ed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Command_Syntax.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ntrol-rll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ff6934859444b77e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-optionalfeatures_31bf3856ad364e35_6.1.7600.16385_none_663d506d4f028574\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d2d.resources_31bf3856ad364e35_7.1.7601.16492_es-es_e6816cc6ecca4c22\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\drag.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..egacyshim.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7f347e0532ea7c64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ntalcontrolsservice_31bf3856ad364e35_6.1.7600.16385_none_14417ec0bbed2d1b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_it-it_0393b1f423164fc2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Windows Battery Low.wav	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx-eventlogmessages_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_a3ebab27af457126\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_be0701531dbe7588\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\diagnostics\system\AERO\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-opengl-mf_31bf3856ad364e35_6.1.7600.16385_none_27505f112f7632da\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..-provider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4abcb5ecc3280fcc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_usbstor.inf_31bf3856ad364e35_6.1.7601.17514_none_a6ac5425ae72a584\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_de_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Mcx2Dvcs\53fddfded025faba07fdd8b69fef6bd6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..face-winnt-provider_31bf3856ad364e35_6.1.7600.16385_none_96978ae7806d8215\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..p-support.resources_31bf3856ad364e35_8.0.7600.16385_en-us_15c06431e26d1b99\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_script_blocks.help.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ender-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b8b5f50fea3a170d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ctionflow.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6a13b934287994ff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Data.Entity.resources\3.5.0.0_fr_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Sonata\Windows Balloon.wav	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ity-vault.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7d5504b4e13c8ab5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\inf\ServiceModelOperation 3.0.0.0\0C0A\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\diagnostics\system\WindowsMediaPlayerMediaLibrary\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Quirky\Windows Notify.wav	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-artcon6.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0cc273f0ec6d7082\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rastls.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97da1cb10c56338e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_609ccbfc3879b51b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_networking-mpssvc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c8609145475c0c59\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\7a64cac99250742a5f555e238496ff78\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-pnpinstaller_31bf3856ad364e35_6.1.7600.16385_none_eeafc93df5d83e81\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netr7364.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_af061d62029f3394\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..k-softkbd.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7a71deba7f23fe38\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-crashdump_31bf3856ad364e35_6.1.7600.16385_none_01824f663087096a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Raga\Windows Default.wav	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Uti#\97d05b893a063bbb5b56c7b3d20c5245\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_815d27dbb889ba17\next_rest.png	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..tions-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aca7b5b92568c873\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ucrt_31bf3856ad364e35_6.1.7601.23175_none_ae1225b1910fa4d9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_amdsata.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3ea4ad375858b344\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Ejei\ = "ICJIUERSVAVCLJG"	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ICJIUERSVAVCLJG	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ICJIUERSVAVCLJG\ = "CRYPTED!"	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ICJIUERSVAVCLJG\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8k93yDRf12N2G9W.exe,0"	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ICJIUERSVAVCLJG\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8k93yDRf12N2G9W.exe"	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Ejei	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ICJIUERSVAVCLJG\DefaultIcon	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ICJIUERSVAVCLJG\shell\open\command	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ICJIUERSVAVCLJG\shell	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ICJIUERSVAVCLJG\shell\open	d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d80afaaeb842ded0c6fa15143d909ccd_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
332B

MD5
7da46930a9ba3433e4d933160f7e9720

SHA1
339817403e05c061ff9213c13c6d673f443210f7

SHA256
b0708ad36fc59038bcf50179f0d2c19b4838b1fd6e9bd80a21ad0e1ed8723eb8

SHA512
cad4231f925fe41d34d4bac345ec810e180f872401ee3b8b9fdf3ae8d8fdcaa22f8b1208e9380ef4e0b87e133f4c5a5a8278b5f4de7466d681a84007f5bba63e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
06efe1c1941a2b75c88b4d3ac87da627

SHA1
b61f3bbba4a3eaea4d30f8fe356f5479355f080f

SHA256
e69b332112bff86ca4b3798d2615157eacc0a38e3e51550f86af0294f207b983

SHA512
39b0f86790195466654750280431d0173f71a4f42dbb5c9310d74df8c447b7eb0bdd030f541a396847964843d3e16dea9282dc69fc82b985333de22234a91064

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
8ad54b008060b50119813385ce36d7ef

SHA1
21c171d61c94315f668f9e479dd90916d4ee2944

SHA256
821bd6ea7d447ff4b212448307e8c72c0af9e579584519ff34faadb1f54417e7

SHA512
28c8d0269103c5ade431de1fba8c825fa0aa284f833cb7461426056ac0b195a6973eaf369438b906e9a7ad613a21211f2056a746f8c2259e9abcde54a67cd464

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
1c5a6052450bf04be0d588e2f7fb08e1

SHA1
ba95e7bfc2d0fcf809423c966affef4f440520cf

SHA256
54449b76f5a8afebbc8aa9958bea057a92c2813e7c55e10bf14fd2a6873e7801

SHA512
9f45f282b74b9212f6636f11b5bb74e790a3c1dab7d8d83dbd85bd0a36e5b4479615838a4b1ab8a97cfbfc8257d4f8a9545d862f5f41a06790a44e4701fc473a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
dd897c747a9fbc406dce07009a096f13

SHA1
12a397ef9d02ec933f30fd62e989b725f2cd9566

SHA256
a84f1502795c1556e40148989f9e5a5cc8fab74e826a485f88490d0050871022

SHA512
1bdb44ad5a4c142701fd8800eb9af7d82ffe8134bd351f786a1aabe6f882e41dc062f6bb37f255d945be67d336152dc4a5274d5b12703988c30053f30bfdee5f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
4d485a5e9b15a4a802f6585406a2257c

SHA1
6c8e9fafe204f5c0a09de516d4bc345fe4dca759

SHA256
f61f0fb68a13a5b2556d265a5f9fd256e5ec95364b19efa80c4f002289f694a7

SHA512
c071c2bb8565d2f1206700f2b0c101e21c50b421e89822df1f39ffbe4e1cc138a470c126c53f2f12903034610b81b7e19520cad879c5867f49598d2bde29d00d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
d2caf7d2385c71993e76eb41f793c1ca

SHA1
bb500784f80d16f36d9fd22ba3aab53078909dcd

SHA256
928ae791b6fdbefd4ca819e980149f29a640d342ba3c6861de05d16b1ed445fa

SHA512
6bf4c03eeed46a0ee959b3de9358a0ce794a5d620cd7950cd11f5d8c205eaa54c35ec0284b456e865b1f7406fc06026241fa7346994ce922e086feee7d28ea01

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
68b0cf011d50fb01c5db0c997be32dfe

SHA1
c150b0f6da1a01c2d12d26618dcf4410b3451ace

SHA256
107f5239f605bfcadc4c6832369cada1f7f75102d83ce123e3aa0204c19920cc

SHA512
afd9a5ca329526d6c1e22f4e54a8314975b6b8cf1febcb50743e071b57839e4036ae2353dbdc3004384cde6035f685cbe45c66d6eabfeb6836a9b4a223192259

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
3a492dd10eae971a19ab66fb7ae091f9

SHA1
f2096cb84da7a26a1ca0d47f5c597d379fe7d8d3

SHA256
494e15a18ae6751ed2da2d674ecd524cd43f58c3c88f62d518e1d8605c2f6ca7

SHA512
123c71123facb999bc1f6041eeb6835d36d7811dd6917c1a467b6308f7f3c2cd0182b586c09ff943cda93455c68085738f7f4caa921918f65fa7427dde6e45cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
72eeffe7a1e662beee7399af6b166afa

SHA1
d89771282429e46441aacd03bec6f3cc5735ed3a

SHA256
9895f3b90d26b3925933f62b02779d1b906ab1847a0a9388c37440994aba7a7e

SHA512
125e5252fa98fe7b90c9bd822608f277c6446b6905f1ae3ab0f96d5463feb7c7eac0a6f54e08c525a839d2af04e76b9521df2732ab8d3a2d59ee73ee44653163

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
b59afcf373bd108cd5e24ef8e3501e28

SHA1
9ae97cee1e276d03de1dd1c2d3dfeb761984b724

SHA256
7d02a293e2d617f2ed7c7589b34c98f7b40548198dce8f3bb25df2389e107895

SHA512
a18777d51cd27c4dc81253caa2475b2611792b29732207c63ff30ce1cc115befd7f0b72db89df757ddab71c6f0c7f7780dba1e4f7e5fad90f9937e35d31e8a87

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
8e53c9bcbef9b040a254dffeeb170cd6

SHA1
5f954d31187c3f61d0130bcd130f608a26cb45f4

SHA256
0433d08c49ad8e1b5898a124a589b8ebc05939a478e9da036f945b4f2aee2c51

SHA512
c811a640b092f64eb39b7c970fb6a6ec775673cb5351653ab851e5e660b8d1fdd22d06f1ef54e17975e9d0fafe1c35b1f77d5d594c0bde5db9300b18503e0094

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
9eb96dbcd029765967d7f4cbc82eaaff

SHA1
41b3602bbbd397e6c20b83f491948b4d5d07e901

SHA256
7a181bc919872ce280907754042d84b2620ca48e052bef4d437b763b25225695

SHA512
06ddb373ed3fb83c3834fa7bbe32e910dfbb0b3fc9e865d9479861132f8f98681b7966d24d6b8fce39c7e8d82b518d1c2a4649dccbb16fbd2b7b8782aa397151

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
5405cb474449d2b8bb851ed5c458eed5

SHA1
20561c5b8570fddf97c5c1b603750436cef2c0c1

SHA256
5ff14aa27df12727c2c227c2dd756e40526ad218dc5d8435276d9e9f1055cec5

SHA512
79e0ccc74a4b51049bb10b012a518690d8388254aa199ce4815eb0318776607f94abd9cd8e60c45b0773c1f4a7888eaa5280146f6031ca9f64a19a95177ce558

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
591bffe7da913daec7783a3469173cfb

SHA1
73526c5fa4770c2814353aa60ea36020a7fd16bc

SHA256
d47d44ff5eb2ee8ce378abdeee1edf99f53e93f0c066119c515a0b5209581570

SHA512
04832192af3fbd490cea48e7246822be3a78891e4cc7805ff5b6241fcad883c67166d977f6ec1ab4f6897fab3d89a05806f2de7ac2bba8b257dc23e19c0ec406

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
a9bbf060212e56de5ad7a400ac3dfa6d

SHA1
e58b9abaf4e8942eadbca888c38879acd055457e

SHA256
3cfedbfe8d6a6e19515da31a7e460b78705fc63dd5a889d7a940047799675c53

SHA512
d18e81ab157c9612d38ab605a19940c6d676c85e235ba3d77cb9a8d1cf3a848ec22b782be721c187c3cb94e99d37895738bc93500dcea8edb2894de8643889f4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
acd865d2f49c5484654a042449ce7078

SHA1
2cc5f2ba8fef41157bcaf811516d3684c3fc0a39

SHA256
7bfe57f8ab2d60326c0e3b6779f56dab2749193cf69e648743709f7d260264a8

SHA512
e70a731b2ae31cdd71d2f66bce9589c3f23aca2d2f707acca565e39976199f3514eb1dcc793cd2484dc86686d100d43083177d058f0074454f3484460b0db75a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
754f6e8a0c8cd6996ff615f7c57842c4

SHA1
6196a96b05bff0147c036d4b7f39d09b27765114

SHA256
e6edc81b1871deb1ca29b52312e2f4fbe3e16d75551b030573b6803b392598fd

SHA512
9b53a321f8d769c7889f755c9cdcaf13d2099f69e05e2e9baa0023e75a32a952f52d6f10e6d1e36a5d64942f598ee81ba453cc729c6cf5962ecf6ce911c967d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
1322bb7584a60b23bb0d18f76acc2635

SHA1
cb36ccfda406a0004c80991c5f3dcbc8318e57e2

SHA256
cccf9c120467f61d013eb0088acb103fba6aa567577566932ca1edc890e35d8c

SHA512
792d5e1448cc69d144f453a6566c85ec1f071e5d8a3fe4e94c18c0c39fbce08d830098b8b8eed6c3b4e6ab9decb58c432eb7bd95a310a86f056f4e5ba6299a78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
f3c4a5c853bd356bb99fa94a7ea0ac58

SHA1
8c459e35187ab4840c5acf47f1f94634b7544032

SHA256
5dbea28244dfd39cb5fe52821df25885bcf77651aa5103722bee195c4f1c6e6a

SHA512
e87a8a65ce1f8f7bd0b626cd286c749d4568c6ffdc2db031404e13ffcd3e215ba68cbf3ba9d127ad2b9b03b37abbf4e890d99d18bb66be5c507e5a987f171462

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
1107d8ed330984b357cb1d1e4fc897e9

SHA1
7a9357765e6c714950ec22e05877baf0a779ce05

SHA256
8af8e2e6b14e6d00b488e92e27d887b441de81b8fbf19367b870a138a2638883

SHA512
364941e0c0970fa90ce14d44f82edf8b7c6e1ded049ecea862ad4250d0956f823206745114220db59fde2ba50cda6803db435fe5fdd8640c00864f5fcf9ed391

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
bda9eb06c89dbbb69af8946191bca2c9

SHA1
d31eb7dfb748b4f9c5cad75da4fc27342cb31513

SHA256
49d5f2d828a597780184051c57a504e373d744309a6fc2820c87c20bb609d865

SHA512
2d68c220bf20e59deafca4ac0a21a020bc3ca89358a1928cee0493df6d1310fa7ae32e39a7064e287e219040b28b9be81468c0a1ab235e33901a6f5000838134

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
4d324ce9126588320818a77b23fd6c5b

SHA1
b044aeb78c93831185cf3553bb2394059df3066f

SHA256
7cf073cd14fe152105931ff19fd1ad9b0d8c140815f0364d8897dc4a9ff53bd2

SHA512
cf94a10fe985456d95f3704bc16a3fcca326c8f2df3bf1b685e0dc70941c8915238fc486b392ce9f09114f291bfb08aa938dafc9afe37ce728bfb43770d779bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
6255d0f490b7153e8ffc9bb014a8c4c4

SHA1
54df5d20e11e501cd9c48b5994feb25decc17c10

SHA256
08927b492dd19fac5e333f5a9584059bec00bf554f83555f5fabd9ceb3f9f913

SHA512
3cd43a9340a3ccde1f58c33ecdbdb22e2b26fe6816f163f98ae0105a4fb0ca8681a2184038a5af8fb4551f4255d4e15ccb15453a666708c132c7df30c3d13d1b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
4361357314f27aaa34501a87e52555df

SHA1
9092a71835239875e8181b3978a76db8beb62c30

SHA256
96031ed59ae8e3eac5920c4a11d4611aeea463f1fc9b949fc9d2a122fe876469

SHA512
4d50388ebedb6b6fd6fe21bea2f67dfd49d9bf5b13a1240affafbaa86184234f41820739b7abc407a622d69b62c0d7305215eb9d9dbbd81f9afb9d2174997df3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
93c7b07988935cfacc055eecfdfd3fac

SHA1
0a16844390e701e5353d318b3abefd9d5b1e3053

SHA256
161ee9619d3e5731feab24c09c657e7258e3b9353c8d72045d1eca886983d4bb

SHA512
be19adda96be0346b630e2219c7e57b4cb5d819aca104338fae2e95c931687d4bea8e1258d70d1d3c00ac41f7f052659b3576d33c0d777c758637787570adf72

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
ac45a0c08b0410cd4e108129c72873c0

SHA1
a5d05f4cc260540d4666ddd626d2cb8e5ab4e6ef

SHA256
e354cda6d8c46976707afa60b5d15bbc71724b2bcf0fad8dee25cf16974c4d97

SHA512
f70b8682b9de7ded3cb9f0e31c1a961ce33f77f69aaf5f755dbd875480c1579c844225694117e021ae60cee4051ac5d53280f631a62d36b530b49b53b6e73795

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
aa3e8c4e562d7dba1c1fd1fe51e9e764

SHA1
6309b4710c488c0cd9ea35dfa91d21e5ae69833f

SHA256
7ee12e024fba81edcbdce9f48d22ba7f6949baaacc1a859580e69cc0eae0cfed

SHA512
cbddb9b6ed3dc2538316c82602053d8588efabf2e05814628856e8ace32f7a6196cbfb317eec227863acadc4588109d1aec58e63549ec5210359cda817e4c646

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
e563ade2cfe17e8297bb6bba89149881

SHA1
ad4cc505f556daf5d6adc9ec6b31bb84a734bb8b

SHA256
31033aa961a9421eeeeb095d631cd6ae6f4c6efd55a928011e03ecca6a89e4d0

SHA512
74fbeee68aca6b7e972b2fb39c4eff317edf636013d994b87736159f60ddb33cf9d0c6d45ddb8e625b65872ddde748de2f131ac66be6d58ac206253ed72f89a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
fb50fbe12f29fc94ba2c2a6939511aff

SHA1
dbc1c0f5ac6d46aee24abe64ba66663535b05e80

SHA256
072705ea7de55c285ab3a4843cc19f6361273acaf6fd93263462562906952bc7

SHA512
31ddd1e50287ea2fb5c661cd0f3202a8e205a3a1c05b9389d432ffcbb5c623257084f8fd0f507195be686d9ee417698371ab9d16550be148d7d7c4791292fe13

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
f10e9d4b019c1d00b72f39bca383e307

SHA1
8dd27cd2fc77620879a055435fc5df39010c9e23

SHA256
bde1e5fa4cd7025cd784c0ca6e5b617545e18e9420d7ebeec4829f1fcde08c3a

SHA512
b997df4db709e4923aaa577842861ecc00d8cf43a3df012b8408c6601dbf92484318466128896575d533ad2852e498c446a5d6a2ab492da137b44c0bd3b0d44c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
fe95bbcab334d1ae363b02f7b42b3dc9

SHA1
484094a9b1e940d4e4ac09cf043d1939c904c963

SHA256
49c313a838a3b9a3274e7b6afa05d40d00464ed32a63ac9aaa5b70549861ba38

SHA512
cb7a0d5c3e2be4c53627b53bd74d616065b760ebd134a582c61f7128bbf92d30d1867df696df34b07cb444e87f44f8523cda21cf04825c33f0943582dbb1e540

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
595566ca321674cfbae07aa5266e284a

SHA1
01c2ec565d439efe0353421fe8a0cbd04e398a49

SHA256
3f5cf525caea21fe674840aaa1d20ec80c34c7639c8399d8fb684888ec093624

SHA512
18b51169c4c69c7c3307e2497830e64661ceaf9c0c20ab03893094b7d0bf30a045067634aefad319e7f2e62396b018329f7ec957965aef4bcaeca2fc85e11e24

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
5b172b9402fd9530a798003b6c91283b

SHA1
206b0e61089178e799ca4753f88284bd717984c4

SHA256
2c5c0eff48dce27c0676a4dce6bb2a35cc40128c709147b5ff34ecc7f95ee8b5

SHA512
f0ee587fd128bf317740c3d82abdc33152c40fda57937a0982c55228d3bbdc225a245b19da0d2f86e1e2fe25e163733b99cf706294f8e7a2c4a7fda29fa5fc7e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
cb8555cd7ddcf6ae4440a43c26e7f8b6

SHA1
1d762e72905153dd7e43575228469d6824ec6b7e

SHA256
3083e18b1d5ea8e86e6533a353ea0ed4cff484ec10bb50c2295a59fd4c9120a2

SHA512
e0d1a740b3b73b165f17c32150b4cc571ec27566f39bca66cdbbf21d2716f19917d50449d8126eb780b753b52b647ac9571f3e3f2531a47f525f7f4dea4a3136

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
741c931ccff216594e039278c6f270d0

SHA1
27b0149f2d4e2b147832f123e15bf3c585e77564

SHA256
31abd596c26d408f75bedfbadff4ff23881c4446abe255ff1c7f2b8545764a01

SHA512
9c41f03afcba29a839f49a2bf950ba1770a457199426bb0af07c1d17696cbb202c6db13fa8c42d92e7e0c4d52d4c64510fa1d0305346a50f859654a27b22a32e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
569eb50a1fd2bb00358da37f27f66681

SHA1
62cc380fef19c5e50160655dccd401d60fac6c8d

SHA256
6651565aa1f611278ba4623cf380a40042cd88af4534d7d6fe1ff996bf6d2af7

SHA512
aff00bb12e7e7a1f68220b154575090d2698fce81d9f684dfeed9aa349ce53a99fe7fb48f21a59655e70bd07a8d695e9dbce6e68dc43f94226081e3181044c14

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
457f029717412f659b9307662c1e5ae0

SHA1
2528c2cca5b17d06b394d46a64d2ec4f6615bee8

SHA256
1ca99dad849b72ec1a654381a5c262d025a79bf616e2b6453131801428a9b3f7

SHA512
18f5361a7ebb64ce89b20e4527bf7af811f0120007218df2b123581ce46c813d39d8dd19b9fbe14023e0572ccceac4326500f5c7346f2297d1159f280ad6730a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
00c55c25da15de0244690d27e46af18c

SHA1
cb2cfb670f6c09a5a7e4e84fbdc3a4f9089a24bc

SHA256
c0fce52784bb83e3464fec1d92090eff55efc1a5bd2f1a3aa042c02c7cf02fea

SHA512
6f9bf0551e27b6307f12052e869484da25d7cdebf991acf9d82f43ee6778252a447f82f7f1ccb354e5167e75949a6727cfc10dd6aeca811ee8d3c4eac5832238

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
ab32ceb46784cd84e1d7f8c7c8dd74be

SHA1
60eea85d4f9c1cfd40b2c76e424a72973ee8b3dc

SHA256
a0a7019aef65d5cdd3f9a8c40352d712096427f95f5d93c101b3d4861a8ca5b4

SHA512
78647d7c8d1b618d370d14c413446ae84ee4cd6342f3f4c78921558c7fe895a44692adf3cb5437aefcc41b4fdce81adef4f6c6dd0f43690c963eae69e0e9b0ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
5460e5362f08a49eb0ab2dca56a7c2d7

SHA1
5c4201f3341e5ece67c14ad39e55e53eb565634f

SHA256
97dad2c5f6a99e0407e40ac4564bfca0a275501c25339439fe5e5fc26046875c

SHA512
4437f2ee517c91315cd98835dfabd1c4a0cc44ce5bb98d5bf5596861640827d588126130f6b822bacacc61b2f9b9039fcbcef29e190030c59495c2f95e59e4c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
809bc56d2ed7cf4f18d81a6f675e41b5

SHA1
4a75f6f3baf0f7472ded222d4eaa73a306634b9f

SHA256
59e6291f435654d4a7fea0ae801f50839c0c80d920278699a065c91a2ccf02d9

SHA512
0fabd11e97cc2b73a705d02bf584d5c640ede23d42f79179e2bfd999347d7aa0849635a5bdad9e4e43520efec6c5bfb80260481efc3a2c3e147204b4bc63ffd4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
7d1215a45eba5c0798a485a3d48cff87

SHA1
ad44273e542bc277d8059d30fdcdb164a520531a

SHA256
d7358b10846875cb18057e1138070aaf1f2aef8fcb37370458e55ec52ff94707

SHA512
7d0a08e45f038977adb5c3a82d3c27bfe82b9a7d88639d96cfcc04d2b04499e095e78a20ae851918b62280361e10c80176d328eebd395a602c5a3e0bdd786a1b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
b96652ce8c7af24b1c0d0878a0dd3714

SHA1
c60fc67c3906073161a2c6072620c085b8007bdc

SHA256
3747d68e1ec08a77effe380553ef4e81e2d28b6c588fa20260bf2de797c8b8e5

SHA512
1fd0ff45ca635ff928710c7edd93b16a97fce28f42c7283293962ddcc1848df75d052b348ec2c99230e8eba3bca4a877cb0192ee5524b31f0096f0b45323aea2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
7c1653fb98fcfd4789a5e463b7d92375

SHA1
234eaf831b81a5f26d563be1182f8611a376f883

SHA256
824ab82a2a4bc3f3dc0a0d33a7a2a8efdf52bde0e518ef0793f2f69913e461e6

SHA512
091f2e9d3b8e459d5034ac6fc131adb11e411b3b440f38baf631eaf7d5f8000db01923f45c49088540db28077ae4f9f8053bbdeb9f737974e5fb9a5d0e36766b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
e038a25fe3fd45436a2ae4f12be55d05

SHA1
b11b0080ec9763a2618251ba647fe3a9d26b6ed5

SHA256
f510931d1e440aeb9a59a370b9b2b95c09ad22e646075c152a037a70fffbedb3

SHA512
c238a7b85cd0425c7e173f02c027078e2aa9fba17a3ea07d164cb839e8ebc9bb9ffcac31e861c094f4eca40751608775cbf72f6ffea1b68f890f85204e8d1a21

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
f4668f806cdff4d2da78b503e7d275de

SHA1
1be908c6fa8298c0b8a07f8f669583c2aa565f64

SHA256
ed5166421ed70056610dd05ac5cce36783a94b2cad5addea2c10d81ca78de302

SHA512
7bfa6a349381b7099ca0f2fce2b09976c6f5a3225363be0a6661b1f37a3b22343ea4a4448eaec5467b39b7f6cfd9a058ed14840f9f60825aba7b67b09150ef4d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
82a561e0fee23fee0b70b383503001e3

SHA1
eea63d0f05b9c8e2f2dac5460299066255648046

SHA256
94bcff8b5ccb5f2ce168a8a6f7c268fb3d214cc7d4aa2beefede6b088233e1f7

SHA512
07d7b0903dc5f1a3d181ff554d275388f12318f958643ff681e463da30a4ff086f11c9c0cf8281b08605d3d1a26270e4d3288129e49acc39273df6f80389dbe4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
0eaf48d6aed040662e57fef70d0d8707

SHA1
cf52b7a5bb624db52f4e483f23969dec7a2d5da8

SHA256
7f515916f8ec811ced9cccacc095009f8ac2d13700a12d5ebba6227c9cc60285

SHA512
180f698cea3d46cd0ef55a52289f7945e77753e23638007208b1e3879d9fa38f14a7a0a57696304fb9c5444259decfc2e90c2395be76a7401bcd17fa3d0cbb41

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
600d996410219f2ce0555aadff9d37fb

SHA1
524c11d4f3ac92d444e2f4ad89559f0755e47adf

SHA256
364a58e84c468808723c163c5f583b0f83b8f0c042dd46e0a15204f0cef88821

SHA512
6efe24d2b2686444a08e437f17618edee2642be36cc9cf147f4bbe9cd85992d3f01afa2386cbdd606edfa337b6626841964ea774dfec7903000dce6d2e93edad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
619aca7c83a39bd64f1c3890a9c5b675

SHA1
e98ec8475b47bd3d9fc0c7e3e9fc7f669f4778ed

SHA256
e4df019dbd8dde99586e06c1343f09f6c4f611e79b0091d3890f8d69f51d9c19

SHA512
2d4506976a427ec5e9799766fd550ecb358defb01b0a8ecae34def81dafdc88f3aa7a698237d173fe082041fe146e2d00999a0d192241db687e690684da6f81a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
cde4bd45bafcaeb640e9b4ac835065f1

SHA1
e2f4d25391bcba2daa1d387182a49a56aefeea76

SHA256
3b76ce0e69f52a5041cff3302d07b3810206205ae1e5f277d4377cec5227b2b1

SHA512
4f19a0a25e9cc94d62ac03580e3c962043fc123f0e4000f5e3edf806ccaae896023795fbab86dcd2d10dc1350dffffed9c9b232664c5de42253199f5ed300b06

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
9a727222abd87209e138e32bc40a9ca1

SHA1
08a7c1019669cbd63ea79f293bc7267b6583f84d

SHA256
985d6cc4d70726f8e5cec0c672c3db620d5cb8e4dd825615a2e4930caa5235bf

SHA512
7bd6c63cfb71270d7099299b2680204b43d8c605eeb2bc5ab017940717f39a19daf62d19cfa44372d848adfa9401768f64500ef5c24c915705a01050b43f48d6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
42306ebfc64065899b7b91cd50fc9e92

SHA1
2615c71f530d59e7778c8bb08d50b81a87d4c0da

SHA256
4961ae85149e982ee24481d649c8ebdf52fa152fe2c95404fae272e613503c7b

SHA512
3e610fcc9f644182691b5da36d3d69dc8a2a38974094c277119f8907821c216d91fa1223673697f6a0ed21b8ac4c7666b6063c53289f8d0ea8ffb00d98f3b734

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
140e7480cf34c294b7c3219b3975cb37

SHA1
21b237f9fc24ddcb04652b84b7940bea5f664f70

SHA256
857f040f35f014888166928ed2a79cbf0a4a0f5bcc69e01a5d15e63909122afd

SHA512
3b1a98be9fb0642f9b12fef07eaab0f588c4373fae55ebb17ba49453e626efa2efe40fac8b88f64e73503b8f78f54b9195ffa632a004af4aee3af59d99f88a12

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
62f99fbd36706a11ddee32a3af35e21a

SHA1
c717faf3d3b7c6bc854389677a17a4e1af36745a

SHA256
2f147c5bc11b1832b6517800be950cfdc445507431151e471fb9d5d360cad292

SHA512
6f835c9bc386277885effad817c2fea1b53b3a005fbe4cb2a7bb5b1bbf0b6adea120cb03e0ff4222eff7d8838bfe1bcab862692f44572c06c8217a5ff34a3aba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
afcd076fc9270ec481682abc22078d97

SHA1
ea655bce2df51a8a979e8926bf6c9c21aac40b15

SHA256
265be809f92ed9f68e4ca155682a7d86474ef0789ce7cee21f49296c97f64f79

SHA512
a46bb332fd272d81a48ffd82188dfa15e4a1bc5721e8e8887f5f32ec5db806797a4d0801816b852a67183440766a449b687f3cdbc3ae5b01b647f1846ae5db4f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
171a097fed96047c903dfb28cd4bf24a

SHA1
c3d0f4d1254d92af69612484166c1152ff8843cc

SHA256
bfdea9e3da22fda9467f3bdfe66c13cbc071a0dbc1d8fe2e80a0a1056cc6ae15

SHA512
55012632def3e3c189fa2a98dd9d0519289fc4f84e4301075d2857218b9fd3736da1391aec74e61fee72136a5becce5fdbe02bbaad14ea05f2df9a0d1f63c640

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
6263dd008991523f6215a6e40cf251dd

SHA1
306606a91fae6ddb1fb964a72527fe219c3642e3

SHA256
4d59e03e036ee975df920334c0c9b3950e14c36244bc10d35a06c9931146bf6a

SHA512
3fc507f5148b9b5084e5917d755308459ce47283a487ee674e1c3d16f9a38eade7adbb2ae8055fd3ce230ee72c8db3acd749ebf40bc00dd2bcc9790849e6eace

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8c3b3e6213a8fd766fbebc4ae94db066

SHA1
cacf010bd23b910a771f8687f43565643588b218

SHA256
1765167fee5a12f1780712792f6426c7c89369545e8350b8652db28d437b8eeb

SHA512
c3e4efb54be59ed73f2edcc2a67be9c68f6ea6f18d578932cac04f0bfb5186571d1c1e04bc6fbd617c02330a6ef3e2c2305e383977c482e3cbc3fc562ea0e411

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
134868895be630ff1601557e119f3b96

SHA1
c89b6c37c6a114d551620dcf1db46bdbcea9c52d

SHA256
aa7f5abc2c5f5511ea7ab649d10a76ebb3e1317875a6dc9426f9aba4a6e502b9

SHA512
cdd02ecd15759648f63196dfd6778947fb260d7aea0199c0aaa9c6ffc7f1b62cbb3b29d26b27d06cca1abc922e2de9d130c7290a792fbaaf219870968c58ebe3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
7472bfc286a80c4d1668eda1fa85d972

SHA1
b7faf72b4060a6b9b0450e1ed17852c56b2603d8

SHA256
488752d77365d95ee43d5aa30f40d700bcadb1cebc74b94eda2228540698db83

SHA512
6867d7a9acd886b04101dabe66e4dd3d16e68a5aaa8cceb725876101c63f448fb1ec449469331b8db817a99f0fca22923e6debc67bc9fe7ba4694791ab25b88f

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
247f8245279a05e7a010a4aff0f92039

SHA1
794e4fd52965be403a3c5e3a57ee480a34e320ca

SHA256
fa7722db28d89e3433d2fb0191d2f14fbb2a2acccde9ebc563ada364fa91be20

SHA512
7dc8d138dd2ce16e7bc1944a907497a6716f4f9248bd30f90dde6a383a8ccd9c6628745b8db172b893fe07d3c40295d508767ba30d1e0184e72606e6e31f6e72

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
dad4897b3e30de7ccf41787c786d9e9a

SHA1
badbcd627ca61311819d1bf49c885c5f9c67f842

SHA256
350da3c1e561ed8ad86c2a0d9ebf2e848b9388420eade0cbd480348b133b8186

SHA512
dab36bff303b3737eb82c39e4bf594b95498b62c4118cb72076dc50bd99d8f83a12fecdb788ab4ebbe34fb2c9ca970a3479996741b844191f0762d64d01dc6fa

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
a9cb95f2cde532827448c94dbe0434cb

SHA1
2164c29b597cd512990eeaa1aaaae4d70583369a

SHA256
dd08088ea1a7161b0697dfd343804abc052da06e8081afeb56af2d13f430f9ff

SHA512
93cdecbd6ee7f3b45aa8fabccc9912b29740989c5e8e95507a266e78a364e8aa8ea4570742c986356256de6ac6370932a4c4700b2f9876f32b88e5a0f4f6f42b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
67de34cef79080b4d3b2448525298f7d

SHA1
2a10171c653bccb7e8ec90d1d55665043be5df36

SHA256
b5ae494ce41bcd57bd81269370fe986f3deeb419e854fa92f42befca3718caaf

SHA512
caca3897a37c57c2440bfa37dbd1659dbcee08d27438525463df5baa6eb54f3e496bbece8ac3b0ba266168d72b15afc25f308a265f5a4d6d013dd7da8d140f52

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
19fbbb9855d3e772ba0ddaa2b120224d

SHA1
b8e282743ccc4e2e2b5ac4875b0dcf0ef697b3aa

SHA256
8bf7f9edb0f5940c6ed4bef94f1853f15f7e4baa8b36bfaaec57d3ac8c3356cb

SHA512
c5431a65b4784552ea559d06595c6a29cea5841a0784f07a838a26ebee149c190fff767314f054edfb87105a423d20b7bc6e6e6d279b497039f3bfd86bf0b351

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
69a4768c45749c29cba9e6671eeb3f5d

SHA1
71943fd5f7515455e61884b5c80f73921281b395

SHA256
9eef911bd061d8fa9ceceebee2e50c7ed4e4cc180bddd26603234dcc6b6156e4

SHA512
d21fb95007cb452cff3b6ff3580b37f75dbe55b353943658ff025803ffd249d606f118fb1444a0d0687d1c047aab4a2806b14c53919caa3b24e652082e20c884

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
b88f055631baaf98f9f0338236112ee9

SHA1
2fe0baa6a572f9073fa5ebc210e6b5387bdf88c4

SHA256
9f8f0f9804a8e48c7199785e83c8f96450fbc252c18d06e8bd1b5c44001ea51a

SHA512
14e9e3e3f15c1c8de9ab7f1ea505c1c00a06b1e12f36637ba5468e6b2ee3a0c24ce46b11e39f7bee3e933d3d48f61620941f88de5a19ec643575d78899e7ce2d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
5d80667ffdaa5143f22a5f28754efa03

SHA1
5f2177600b8c273c72a38a394eca2e09941d18e9

SHA256
c16e8d9131db7ea3e1d222b4d58a02050d2e8712a78d0ec015e5bf3e16cb746d

SHA512
cc76a54d258d2473674f052c7413cc4aba575546b75b9d83585d349848fb6e30bec1e9a592b48fec0dc6650bb2bc4c33115652bb84a338bef543bd653b7ba99d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
daffe9fb7d8e9beebc9318218c20f152

SHA1
95b05c3153d4c53936f9c9bca9f843ef9ef5c8cb

SHA256
768d05c108294f6675ed9019abe2d5e9f371765827aaa5e28bd829c57ad6b616

SHA512
3fa173e491472971dd89432ee00751fbacaef8bd153dfcbaca4040cbca300cd5d5e42c495cb7e014ccf7bc43245b24ef19e1242bd9870ecdd3a89d624737551a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
c005ae380989b3fd60d65228e2206f46

SHA1
5da73697cf62283f6b24e7e9b0c2e1dfa7d49d6f

SHA256
7aad57fbdc7f8b25cb8a9416aaa2b935b7cc98ffcd779f14b7ac4c8214ba1b98

SHA512
f542ce6581c7c2c8886480142542cb469e7c420011ef94bd7d1150ba7a52a8bafe158d130a0814abace04a18a9a6d3a52bf03842f31c5ddbddf037b4a94f9e99

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
4c5b4dd033f171b7e9006831b85c49ad

SHA1
3c0777ac62878fdc76456a5668b130fb2cb81d3d

SHA256
8a00dd0ec28a8605e5fcfb6643dce64ed71bd3b54d22c0c8ed80db92fe0a7d4f

SHA512
a6b6e389b4198dfe6a66b0d41ae62e27be65c305029f480363167ca44dff02ad08bd552c369394eef92332b1610b6bd293c747778db9ad4d9bfb8da5979bfa42

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
5e29432f58dc21fd4fd0ac46ac779544

SHA1
ac8b1828d1c1b02c5f7502dddba0c5911d5126e3

SHA256
89a8c942f3a9a2082c25738b3e7e853ed59e1493025d5b7889fa3623e1fbfa2a

SHA512
a65d5ac5231d075068a310fef96c94182c40f55ff14407700defd9a4da88aac562a69bbe731f2042aacd57cd26bc817411b0a47a43410eecbd60eff345ec3c6d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
fb76f6fd721ff94ee6f9ef86a7ed4664

SHA1
0bfc56bb8f7780b7645c65d417bcb7be9843b6c9

SHA256
0690daeeaa5601d829fd8828e1c21a2482d580b071a6211f099bcd62d98a4ee2

SHA512
aff93372875e366872c765ac57063725b6bdb1b8ce775fc376faf96243943796ce98a116a97ce2f3bb6e5a0e2ed0fa11f6cc905fe03c0eec5ef98c86fdea2408

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
16e0c2499230da69eae2800cc6c1903d

SHA1
69993b3fa4cbfe0130a1f542ac1e68bdcf94511f

SHA256
b565573363144da63d82dcbc434a1756642d7ab452931ef4072930678ca73da7

SHA512
368731733660c4fe413a114e39c9c6a700aa6c12ebc83498b603447e6b037348ed4f0b74d2c0ea41a30c8b41431643f9dce9256853899f26a4af9debeee10fae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
4f62202b51d77afe278e6319b853ea8c

SHA1
96257190cb674038d28f4ae04e9c9f1ff07c8a33

SHA256
cbcd2f2c2f455f8a79810c92d49273b76ed5c2110964d5b15ff6c336264631c0

SHA512
d4e61ab58e010fa3108bdda5c06e238ef79b9c33a824a82b1d84bfac6ffa7d43813b9868bc7aced6f5bacfdede68977a494eb043bca0190a9f12dbfe025dc494

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
9f6b5189c9ecf7fb88be605f2273a830

SHA1
2272ec8f8e02ccf38eafb029b821f4c31f2bc8ee

SHA256
091deb94f9f913ecee9e1c0372e2ef4339f7f54e82fcc49a71b688c58ee9e2e8

SHA512
e4ec7ae8e34b7b2893221c3d6f7ff976b9b03ce55c129557c4e8daaf873e58d1ec61ab70327953ede992983507e5e99a5127284d25e58220c43c45abf2865b6f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
25a309a1d6b4d1c470e3d29cece47be0

SHA1
c833d7616cebd4632787ce0d429c2fa5b4f95488

SHA256
0ed7c58902368cb678ac383266f5d006f93ef0d119e27521e5d7eec1a862d3b6

SHA512
6c0ff60342adb2bdb9491df1c6a888f9f19673c7a26e9e888e8ffd96317f989f34996d5bc43a1f12618f9fce76ba77486619148fbec5a3edab9d559e1c1238a4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads