xorist | c0fcf3ac6b125e985c6574ed7ef1a7929f3be8f6487b68e4d58a48a3b1517b5d

Resubmissions

09/12/2024, 11:59

241209-n5y4sa1nar 10

09/12/2024, 11:49

241209-nzbfjawng1 10

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/12/2024, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Size

33KB
MD5

d9789bfbc54d5cb6d52c385fd8f5d288
SHA1

b8f60c64c70f03c263bf9e9261aa157a73864aaf
SHA256

c0fcf3ac6b125e985c6574ed7ef1a7929f3be8f6487b68e4d58a48a3b1517b5d
SHA512

21e81d64136897e86362304666cb0a8510ae2280c432c8b768875d5459b527e2cdafe9a61107433d3ff7ccf8092f3bbc226f9366623c1d39f76445fc490dc4c8
SSDEEP

768:IPXirrjYZp0Tf6yFz5Om5jPwxgjAqJTKV/Z:I/iTYHQCm5DpjhJTKVR

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 11 IoCs

resource	yara_rule
behavioral1/memory/2684-50-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2684-54-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2684-49-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2684-4396-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2684-4397-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2684-4896-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2684-7295-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2684-9175-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2684-9176-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2684-9177-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2684-9179-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2214) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe"	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_neutral_3ef33c750e6308ce\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_split.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalE\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\de-DE\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc9.inf_amd64_neutral_ff3a566e4b6ba035\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_modules.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_scsi.inf_amd64_neutral_cfbbf0b0b66ba280\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhaeu.inf_amd64_neutral_6611a858035bf482\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_If.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_WS-Management_Cmdlets.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr003.inf_amd64_neutral_dff45d1d0df04caf\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nl-NL\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv002.inf_amd64_neutral_6ca80563d6148ee5\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Core_Commands.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_properties.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Quoting_Rules.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPSViewer\ja-JP\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvg62a.inf_amd64_neutral_5817ae5135655364\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_neutral_f935002f367d5bb0\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\EnterpriseE\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_neutral_54948be2bc4bcdd1\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Ultimate\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\ProfessionalE\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremium\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-GameUXMig\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsPhotoGallery.bmp	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_join.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnis1u.inf_amd64_neutral_15011483bd8465c4\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Ultimate\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseE\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Enterprise\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmrock3.inf_amd64_neutral_9fdc5d710dd63e80\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iirsp2.inf_amd64_neutral_9ed65fe0bab06b1b\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdgitn.inf_amd64_neutral_09132735f1063a47\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_neutral_f8bdd2cbac28a8fd\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00d.inf_amd64_neutral_ce7a0b4e23e432ad\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremiumE\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremium\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc002.inf_amd64_neutral_fdb6f2e252435905\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Command_Syntax.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\termkbd.inf_amd64_neutral_e561157e16aa2357\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\fr-FR\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hcw85b64.inf_amd64_neutral_22b436d5d06ab017\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00i.inf_amd64_neutral_de104aaa48ee4b00\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateE\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\de-DE\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_prompts.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_types.ps1xml.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Parsing.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr002.inf_amd64_neutral_ce2134188ab21f59\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremiumN\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_scripts.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 2684	2616	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe	30

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2684-40-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-50-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-54-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-49-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-48-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-44-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-38-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-4396-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-4397-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-4896-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-7295-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-9175-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-9176-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-9177-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2684-9179-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)alertIcon.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Defender\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01743_.GIF	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR14F.GIF	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02845G.GIF	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Public_Primary_CA.cer	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143749.GIF	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Response.gif	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files\Windows Photo Viewer\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\ado\it-IT\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01770_.GIF	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_ON.GIF	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\PREVIEW.GIF	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21315_.GIF	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\PREVIEW.GIF	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Mobile.resources\2.0.0.0_it_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_77c3e2c030c9a730\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cttunesvr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1a9b8c79c6d662f1\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\Help\Help\it-IT\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ponents-mdac-msdart_31bf3856ad364e35_6.1.7600.16385_none_42074b3f2553d5bd\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_836a83fa126c10f7\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-alttab.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1130acee02899dd4\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..erclasses.resources_31bf3856ad364e35_6.1.7600.16385_en-us_74ff7604b8c68a3c\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasdlg_31bf3856ad364e35_6.1.7600.16385_none_6ce99231b0f48322\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.cmak_ops.resources_31bf3856ad364e35_6.1.7600.16385_es-es_41c2a0c99232a8e3\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_7b2a0898d09e3888\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_11b913172f0cb26f\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rmcast.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_725e5d16a880d498\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\deselectedTab_1x1.gif	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dataclen.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bd1e14477e5cb066\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_en-us_201bcb86330412a1\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_accc80812c85f01f\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-jsprofilercore_31bf3856ad364e35_8.0.7600.16385_none_253839ca09b4c8e4\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..fications.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e7853b25060c6221\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mscat32-dll_31bf3856ad364e35_6.1.7600.16385_none_dcd9059e393675cd\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-smi-engine.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_80319c33636a43d3\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..component.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dd7184bbcf6cd663\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e69236bf1ae1f80\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_aa7afed00c3d4db7\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ure-other.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ad7f1ebdfa3f77ac\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Jscript.resources\8.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..cyscripts.resources_31bf3856ad364e35_6.1.7600.16385_en-us_742267d524200863\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-healthcenter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eebfadad58553da2\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-feedsbs.resources_31bf3856ad364e35_8.0.7600.16385_it-it_efb555207ab6d84b\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_fr-fr_c29e9e6925fd1aa8\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..tbranding.resources_31bf3856ad364e35_8.0.7600.16385_es-es_6cb94f2a981a0059\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..oledb-rll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ce5e4d236c2cd77f\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..cesclient.resources_31bf3856ad364e35_6.1.7601.17514_en-us_76a51ea2cc60773a\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f8f65c9d5ef440b6\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_circlass.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_419729bb6c44ac33\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-main.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac1bf6c4ee6b3ec8\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.1.7600.16385_none_54d62f663d777131\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-w..publicapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_332ee52c7283fee4\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasifmon.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b1c9b1d18c1a942\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..presenter.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7017226bc5bb2925\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-freecell.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cbc7ace537b928fa\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_CommonParameters.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..minsnapin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_36dc5da3b60ee79c\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\chord.wav	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..revention.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dde37d0503aa8003\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.windows.forms_b77a5c561934e089_6.1.7601.17514_none_054834d3002dd72d\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..cingstack.resources_31bf3856ad364e35_6.1.7600.16385_it-it_75597592789f1a85\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..tional-codepage-866_31bf3856ad364e35_6.1.7600.16385_none_2adda600b4e25a37\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mail-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ff6f7ad3c2f5987e\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ssettings.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3c20a8ec4d33bf48\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..legacyole.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ad22180475e0d9d6\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..how-other.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7b9fd1df961b4d61\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eudcedit.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a23f4c127f87c066\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..umservice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_54caca9fc5890277\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnlx00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4e455faee55246f3\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_format.ps1xml.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_hidirkbd.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f0d1a908e7473790\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_scopes.help.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-takeown.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0d1dcd4f636311e2\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_bthpan.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9b457911a7a4781\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasrtutils_31bf3856ad364e35_6.1.7601.17514_none_6b3b9980011a19de\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wiaca00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9cf3bf463e653b83\HOW TO DECRYPT FILES.txt	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe,0"	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\ = "CRYPTED!"	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIBXKKHVYMVCCPW\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vQVykYApjMM758B.exe"	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZIBXKKHVYMVCCPW"	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2616	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2684	2616	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2684	2616	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2684	2616	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2684	2616	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2684	2616	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2684	2616	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2684	2616	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe	30
PID 2616 wrote to memory of 2684	2616	d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d9789bfbc54d5cb6d52c385fd8f5d288_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
394B

MD5
84aa889a87f60a5efba19bf8d6464613

SHA1
4fe67d41d2ed917651e5820f131780bf078e3c7f

SHA256
43fc35d4b08e00236a28300d95f7426593db8f95f47e995477a77bfa5fb0ec99

SHA512
1d67c2552d16b8c9fa33417d45c8229d291077f45a12692d8a7e9ade813dbc629a4b13eb4107a773896386b9c4e6993fbefe54348568ef28f44f40c6153ff0a4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
1af7d34ecf54e18b29b4521ade01f482

SHA1
76aeeb49f2db5b5ea19cfe94003757cf76dca92e

SHA256
761a41ab56c996490019bd9b7a2b14372d9cffa64c237284643bef9297f50937

SHA512
21989a19abbe03f023e19edb25ce57472eeb8b2a60ed0468b8753030c1b99f649e128af5eb8938162146bf64baf701b873fdc366c4094ce384c131275f6ceb21

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
8321938fde27f77a50bf2340b0fa405c

SHA1
db54bb8b6c243abdc7e3fbeacd5be46afcb150ca

SHA256
30de98a31555a2712d2fb74c6ee0b27ef1d7db74805c4116eb9d94c04ac21bed

SHA512
d3b17b98654bb73185fdb1702d5ebb0e9163230049c5af0a9966d3c74058418b14382e3ab5634020a6091723ab1c419030d3f58fcc32785ae20b885ea7e49c84

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
6cc7dc7807dcc77ede213cde5e316579

SHA1
6fa92b6c5222de926752f1870967f4256a5b062b

SHA256
dfb926a62310724d4d3bde6d018bc209d31b37a2e74e5470d1f27ee8356f672d

SHA512
1d97eacca8569ea3ff369a264718953e2d02adf7441cae137b73b306186e9131d109b67ef6560d09c2f76c201940771850680fe9ea096b29e1d049210f3d2edb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
129b10bc49bb5bc1f57f72ddb004ebde

SHA1
a61a554555135bfde998ef7303f1989b87070880

SHA256
c351655e7779e970fe8681634d92622ab14efe721c5895d52a7ada2d1c5172bc

SHA512
20a17c7e639e613bbdebf8f73c4de25846eadb5fc1bd90146456dcef1bdd0219fbe97874a8ba182fbb2727ce579c96d20fa06f207b88ebf01c87a9ffb0a32a73

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
90ddbfcde3b20377a35bff127cf73ff3

SHA1
7a7ede591bf8d9f21de616367b3093b285dcb21c

SHA256
9eb0010d944bcb52540c519eb0ce7fa7a789567e706701bab250d57c01af5d79

SHA512
62608a4310529c745cec0f62aac9a49fbdd00698a2c2ff65e774797639b18a38fb9aae5de660a54e5f13c14a59627bbd7814625d694d094e3a2fb50ba0076097

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
fe670dae5a67ec4be196b6159f0fa4a9

SHA1
54b7d1ce5f11146fe70cc08ba26866fbaf7170fb

SHA256
f139cd555236f56d0eb47ba750b18f9fc63dcade07ab8ac04ce3339238f644fa

SHA512
f683cf92f425b7eb74c5a86c0fdc260649ae63af771bf99ebab9a77ca1930f0c53646e042b72a1a357b6ed04fc5c4b2a5e63235b1767c4bf82326a0652908c03

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
2191f9e12b06c48ce41f2a87c3da5665

SHA1
766db16171f27a44b3fd9c73db199f5ce5c42984

SHA256
716503674b82752ece37c7fc0e302329430d675b3fe1f8bbd6073a744d1fcf90

SHA512
dce47540f50a05a3e7ee6eca61d90998b553ee608daccf43e12fae400076e862fc5ee924e4f82639ec78bd54a82895322eb283aa2064e461136e9c52b93a8ac6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
1ff6398949983dd41121f17bb6372ce7

SHA1
9ab8267a552836d26968472d24a89352a20a99b6

SHA256
dbabe0cb31f73881e8ee5772a5872722f9326bce0694f05bc0f4ed077a3de21a

SHA512
afefd4cdad836019995189ac901920a2f1f07d6725e67ad5c54beadf5f30d5fff9a5be2965ee24bf4e042514de3fbd6e55c1e3596da6fd328265fcb85fa9c266

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
f3633373e8e0c7766b0f95579bc4ac3c

SHA1
c7bdffe2bf44bf4c2e4439594dc21f4044b5d455

SHA256
4a17527487be1048fd913b65a1e578a44d40de9a252f2c8ce354c736fcfbcaec

SHA512
e4b7facd7f12ede517614fece819cb88de49f69491158c7c94c3b0c02fc6f1979ea9b9c882288da2fe091adc05dfd3c4ba67933ccd122d8bc44bc5d4c4a8a98a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
0874d67fd3a220a291bab11c5d6ac794

SHA1
cc6f56089dbd3b8209870a82984208c43d01cd80

SHA256
536545828d40a151b4eeade33fef03b8824a7b7cba0292ee08fd4e1511fda755

SHA512
04827149c1dee564b50cc1c596301528d08c8c80787c00e69309cbfc245d04ead4b9db14446758e4e645b6c8ee32680242415edd5af01ff485414fcb64e416c0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
3b02fe5c5472e8562208798eca30a4be

SHA1
db04ddf930e3cbd63230bef71dd3872d882dcfd9

SHA256
52607fd4de7550b57fe177f9559b0a8206a84688944e85cd56a8aa3ad8a148ed

SHA512
eb64733a22988d5532e6d07d37670a789d4c7a5de5829624d32cac65e49c7e224a19e90223e7b26dfa2d547c79a3072d659277fb11b4f8d4c2aeb7b9cdc398a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
2cc390c00a5fd530acc33d0047a41d07

SHA1
035a954db52459c1af0d1b92aba21e88820ce19d

SHA256
29e65d51175ac9cd88576b9776b55caf40f6deb643a7b134b657fc2817dca928

SHA512
df1b393bac3c7cfd1b5dd0c7ce1ae8e55d9356d72c05ef7d4c6dee8e390d65fcc3aebf681c2add565f78587aeea5814d56e728e8cdbdb5e58179dca7f69d6989

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
037a40463211dcef7895e83fbdaf51c4

SHA1
d4061d838f68179bfe857d47f7ccad8bfd1ab892

SHA256
704fb0f7bc0b9316fa7eb7d3b6a7aa433aae1a36f0e37423bebd7f9006e61eac

SHA512
0a926b8c562cda294c8828088409457a8e0800b06a560709c3015e7a312f5625821350bdc87bc241f1256bcbf51ba4585f13a724e8c2698dd8d85038100289a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
e4eb37d9927edd263c169bfa8380694c

SHA1
76c0dd6a9a3d175c619d73c17539b78d8a86574a

SHA256
9d1240e24a870dbdbe285e0261d62c093063b7a1d477f5a0c1d00980abee6e79

SHA512
bc93b9b4211b404cda7c9bff60bd547c7ffd1f3a2e6719ab39f4f268261239f450f6b556e643ae515943e81e95c4f483cb85740c3397a6d5963b0167c808ccd0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
0b5333afec9f35206926e204f5a0dec1

SHA1
cde48354e72657c12e47ec4f24b054f47284a26c

SHA256
7cc0c9233f07d999a7ac7f1c601f74b98c8ba825c4c275a477a4b2e4151edd93

SHA512
4c16493a1632867ed6bc4adf648bd14e1cb517b11febf6c446f93272a0aad5696956fff53cc705ab08cb2579905f8780a2a0cf25703fe01a9a18d59827611043

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
9c362b8c6b3cdf188a276b002cc14312

SHA1
2beb8de0eea83839e2309fd040e08593dc398c6d

SHA256
5b5371344edf9af149ac0c651215e0ed3d34a833e04e017ecdd8f4a919ff8227

SHA512
fe16f3bdcf60a21b97e0f90558ba5a833240a93f1b5abc8a059a3c486477b50cb59ba9fcb3d91090d699afacd225d03bf11c6830bf27385c552a9e4523ca1a8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
239a81afd06619c189ef5de4e9d2b31b

SHA1
2a715c8788cae6b76c428d0e0d043ec8d18d896d

SHA256
0c521a36c64fdb6c61dc8d4d7e1a8872816b3c1d61699671c07fbb74fc85f631

SHA512
9d99b4a4c77108858c3239bbb33ecc181cb8fcc856088fecf3a1436d1c17df90d930696ae4f064cca07ebb8c5ee246e3719823f6738f67f830ecf29944c112a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
189313edf729895068a09a40d48bc6bb

SHA1
f59b014b8426dff96512ef7f217f54e317fad268

SHA256
6b6672a3ba6f8294bb84551f69227a58865656c03355045cb7cfee2feb5a25b7

SHA512
fd88918c92dd23c1312044b803f893f998355342496cb97dc9c18b96d0b73f5cd0ec3d91474d702e7058a57d911a01abb0467c8a129403e8fb6b3af90028a739

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
571238b7377504c87fb90931bd3e8fde

SHA1
b1d54a5e2e1fb59bc673ad5910a8f6cdc7e4223b

SHA256
32749a6331c55f7c4b0028be698e119cc94dfe3f8e3b55616aae4a8a5aa156cc

SHA512
b0832b63561a52db5294c372218100b362f9def57710e23e47c5a7510a6b84237f9920c845f56818619ff9393ed3737883f357aeba56d7ac35cc3105f41fe8a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
77ba715a0b8f4a96417464c1dff7e880

SHA1
037881f283a0ae8a1cffc251cbdbcbe03a70f462

SHA256
3c85e83631e5c64c73e89486c3fe9de952a203dbcdf7870c0d91618539c121e2

SHA512
1e021b19fff299543e2494bf73358e88224c6704152167779297820603913b0a6279d47d7d757b052f4cfa6de2138dd4ab339da7acda1c83269150b24b671f6b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
bbfc9fee85b3cce5e01feeadade57067

SHA1
8e41a07021da1d89dd05f25d23f74f1ef5d668fc

SHA256
aecf2f6aadd43fe06a095579ee03b2741d8996f3aef6ff5c73d947ac3c989e1c

SHA512
81c8436b4c4f259a287977e7ab01a5a5d05574ab023106c1cbd82d11e1f7445bf1c271f60f46a6f70f7381ff8e2e32e0d7e0d9bdf12256278630624849a7462d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
fb7ef9bf5138a01442a111f9176b2706

SHA1
884f716bc9ddcad0a7df541cd6afcf1738faad3c

SHA256
63205119b10b720404aa0088f988c4040d8457a57a36ae5910bc20ff09c553ab

SHA512
da53b773ac2e949b533de2f820c80581e508d6bd53de6419932ec5e1ccae44cb96611d53c44755cf96c194625ce34f995ec6458369fa1244512a29f48e54f5b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
aa0df9608730ca7882be62542c5fcea8

SHA1
b938169f5b3e2dc38859584c95bca590728d992f

SHA256
810d8e04879cb2023cf1ae4673ebbfc2c4497444cbd0d065398bc90c7d196641

SHA512
b9b8e7de87577cd2a8fa0332110d76edbff5ba1fbf834157bc43e933f89d687335935a6f5282bc756fb93f85f03300a9ab50726db89c68954759095492981aad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
ea00bdfe137da25d60eeda1a8cac86a2

SHA1
5ad3c2de5e197cafe4a8919dd357a622ef62dbad

SHA256
56d65fee28afcf0b6d2bb8857bd203db283f6620d1f0c1ad1260acaedf74b1a2

SHA512
4388a220e47ea3fcaeca93d55d9761a9c022f06e6b3ed3f1da2d3baa9ecffe19a4539a428f04595f14ec0826d0f368ea2703c848c8dc2481d7010dca934f670f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
75e246b20447144541d8e0f090ff6a6b

SHA1
e996764bb7f7ff60044654e985d93bf7cabbfe0e

SHA256
47aa405570f20e7b19b35d463009d865afb9717b8ca7378fc81db75c0e327a2f

SHA512
8e782d4a72918c8f486c5a548dbcff47f9fc5107af456366b6f3a0bbb7f14ffbce1a5aeffa92cfe2ab3e23f7711b9e22854f19f8e408c0a259a9b3ff55eee4f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
dc15280b790fca5bdbfabab3bc5446f6

SHA1
7428449183562ef329bc3fcdab355a3e5800724b

SHA256
a151d05b42161fee381ed99130f60c6002b3ccd97a10bd156fce5e3eed8dcbaf

SHA512
aef9a2f423259b83c48f9cb305192ae77fa5f2a45df59f6308079fa2db17dd52b7bf157cea269b6cdcffcd31579c112225951422963183b7e4f04ff0c481d3ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
96cc94b8826144226e703172f6996627

SHA1
a6b6894ffbce36ef1bc026cae991367bad9da20c

SHA256
72aafa23161237c3ffe305f5b60bf84def198e741b56ceb79d5c76bc5b1d4c99

SHA512
3c8aae13146a89bac8eed311248f6cc992d62e4e2d961d6df83bd3aa49a9dc3b36b5b0d424b5f69485be73ea8d2facffd7c63fb47230a1e64dc8778fba9b2bb8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
ff57a6f0d9b9bc45e08c2d785863507b

SHA1
cb5e1611b69fc97af9585413409d8efb1069630f

SHA256
47ed0c154653cda79e633095b05b860ee59f8becbe27e5726cc133a46c9d2678

SHA512
dd14ad9024704eec2acded45e116e0509f75b4ea3681cd3466eedf245430380f8165766cc5e788b262d0490fe699b7c702f791f72d7464309714290a72ef0558

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
b5ed2a4e21c005dfd68a5ddc944027c8

SHA1
b012bfaf356436773a9eefb71533295224008958

SHA256
a520142c90a32538118bfd76fb11b549bb2a295a202c7b555631dc0df18a6f85

SHA512
5e833354d4dc8cd6ff1c222ba891680ca04823fe246e9819ede09edfe4b92da8509c8d11f39e384c87577df3d589a76cf7507cfa8a62252705d3accb0f9037af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
2cf1c26777eaa7724e67786a6ca48a81

SHA1
9c3132acba55cf0532b85d928e83aae04dbab033

SHA256
19bd07f62873b934a29d3eab74bb2e7f5ec5ecae751fa6499759bd9316a65ef7

SHA512
5d9d0de295687fedc342e2d05dc85b35221c9ea48ad660b70cc5ce6141e3173c1080be0a7142bf1897841348d8654710c63c55b45b3d6dc779a06528e9c36b12

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
145842d6c8fe02679b5deb4096bad130

SHA1
699a4d263663f7bd753fc5ce2c1bffb006b4ffed

SHA256
c88b1bc2005800f2cc6ba64dc3dcb5b2c4e008a22b8bd83e053d427f3598c6ae

SHA512
d6950580bf8b615fa2deb1eaab8a9553bc0735c7d95e1189504bc2513c2228dfd9bdea2c530e0ad83958fad87acc19c7c834bbbb44fd673709f5be4bad21e9fe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
59c102ff356b708076fc11c840ea92e6

SHA1
8fac6d7712a18d13e113b7ac07fd98fb9f362603

SHA256
33b128e9614c64504e0cea976975e96337578970285d1eff73fc1c471f40a70a

SHA512
7d327ca9f5f9cc730336193db0023ba498d6dce60bc64926aeefa6be446b04a6d86637612b13a51ed74c815927f57b8b7f183e00ee5ae341679ae5d29a37280d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
999ff477de483db6fca4043de9420d7b

SHA1
56290a59a63fc0750dd4b17a288898f86cb4b7b0

SHA256
d0bd2e06848ac27e92564c6134c4b6ae9a3d236a3a62537e9e7317665bbba503

SHA512
2d48d69406231b832de3130133d549dbdb93516dcbf0baaf01c014c6374ebd985740340320a4e03522515e1c5fb660df6902e099a959e403ff47af542ec256c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
37bcb3378c6406012f98e09bb01543f4

SHA1
491a4e728c93e72753fb220d1ed4660e77c15631

SHA256
c262c865d610f582d647c2df016bc05a6a64c65e34700661af229d020cbe040a

SHA512
ace302257f76a2a502c30535c2bec50d04c67bc45a64ef5a9899c6073892c6601ea7bc6e6033b1dae817482034bbb6797b2f6b548b99632b4da3a246df64591e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
88f055405cb3f1036373ec29458aa04e

SHA1
6ece1dbb791601a65d92cb630acae8cb8616d4e1

SHA256
547c5402337effc10fa5a67e5dd7de9df13497bad2cfb153d29ea85e848f3ad1

SHA512
f094be8bca8731294911a1769e83f6319668dc8aba27e53fac755270136f8bf6cc94169f5ae9fefd43b22bd0e88d20d94880e8908decf12583efa99a4bd9f912

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
ff964617307777c91053a822cb6d7c01

SHA1
300c86581d3c540058196f97145d31d6e4114b1b

SHA256
23d066eb19d60da76aa3c00607ef20ad069ee5a3303400d427928e8812c46819

SHA512
4e81825e522ea80eb48d961aa319f42bc34101f5763324c95a2de2d9341b4e8a6959ffdf954780a2204c51e16fc7637ff8b391bbe5930dc087b9689bd109185a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
f38758e1513385075b72b53a280ab302

SHA1
d31fa8aba3282fa49ba32f1a9f5246d939c288c6

SHA256
f25cc7b3162b8817152712bb9472244d42d0e01ab81ab6ce4800b112653087a7

SHA512
ce5438aea734081098246fe499914bae2be0fbfcb8a48f85abfa30ce38c96a712dd88fffbd3f65fd0ebad77ac6b3663a018cc8b64e6afe54b3e0d95b80b7596d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
c9a07ce0901259930e2667bb8724b281

SHA1
4490a70fe323700b51e58331cb5938e0dbc4cc19

SHA256
25ad073765302530d4d99f9faff234a46f23fa621b08a6121ab5d1b3c83c113e

SHA512
d37e64fa87b065c77dc6656312b8a4c4efa6161272cd7eca8bef04646ec619dff544c41b554d160847669d8d1c5986b56c96d726b0f2149299bfcb925de50108

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
4a96cd84440185cb6450ff80f9515963

SHA1
21c23ba3bd1e2996cd4b30a321651131e1d0282f

SHA256
c483fa507d3ba541202dea8053c0294ba49babcca5a0a94d21bd13c9390a4f9c

SHA512
ff9fb1a1d03188adfcb066cd0407ef8c7661cf6b62bcd593a92a122b822b673a68a7f9a80ff17a6f87835edc21054b20bb4cb3bc69ad7afa0f5ba5157717398d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
52e09aaadc8c1bd1fb62c148740939b8

SHA1
1e93c9fad83ee2c11b5e74860e053ef9b22869e4

SHA256
adc8c15207c98cb57c12a70c5e50b0cf2edbee9811f8d106619d47bd869fdf22

SHA512
9a28269aeb2950e3b5fbfa76a026051edf10ac0d313c651d986183d79a5774d38db0246549d27c2e4549a0fa502a6c807a7001199cb5aa019a90972a9026dd31

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
529610eadb200dec457b8ca9509793c5

SHA1
35822e8762aa6c342503b13cf6ca546ee5ae20c5

SHA256
5830b60ea874131243788e4e92b6f6e6d79477685d09a374f966d07984a85f5e

SHA512
22100675f81a9b70fab257fa1aea73222dcec9fff39797adaeef470c0ab1433b8bb12d350cc8ccdb2f6b99419db29aafe4f11e7af612499438150cfb49fff982

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
5a777f24df2f3a838c54a2eeece47c5f

SHA1
b3ed1cafbb1ec3a16b40aa155868474f108b1d6c

SHA256
d65f339175116d39d5e60559939fd8bccb303f3a0c1b8f4e70fe73c04478891b

SHA512
edd206aad270b2e30f59852e3f9623d6eb69d42c95c6def5c2cb4dfe32ca0d0ffad0ceb0af6c87b2330e27055bc04ce4ccec4afb6adc9256a9fe3e112e75a46b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
a1860c16a2e6d7531411610550892fe8

SHA1
b656cc0a27c3677bf6fbee9dc050e4336b3be89c

SHA256
d2fcaa260240d9cb0c73fce0db625f9317b82674c8054d878a0bedfcfa71b80b

SHA512
0899319cb416e4bdf4c0b9df22ce0c1def403f8d9327dd6e88ae53b0971f8810ecc08938969f893b86b0d3676b33d83c5375102d65dd1f67aad9274003cd8fcb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
7fe23a7a8a2b1e39855bb443c3549007

SHA1
4cb92470641a6e0d5fec3ad21c4da30f400a7c08

SHA256
46d40020b0d1e82e0ee3c81fc6338b1bea27866ec5e1b7ebbf516a8b723c84f4

SHA512
848af5a09029347af5653878c67c58f68522dd937fc078ce7dc6c0a985fb7fb209b2c70e2949b66ac341dd53f49adf8517867f18024d53024d53ab30ce16af5c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
104a8fc104adaa6ec0b908110029f029

SHA1
db9246d360163a0002e1cba970a0d8e468a00d41

SHA256
2a975372744f4901d0e527773a5aece8ab49574d300d480817d2ab5e0ba30c8e

SHA512
07221ed73cfab40949411192c34b101251cf58bc7445933d9ec8b02cd86ea6273c0043797d2e1015600593e0671cd24269ee2d311650af1b88eed81d06893ae5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
199b5c0a10456d55a63e1d5d31ef931b

SHA1
d768145dfb504e3f1a3abe5c2549581036455ea7

SHA256
a299207d72efd127b79224d01025f5f27cc721e4959a4fa93bab10ce1cde6a75

SHA512
f01fc015f1bf05dbfea8a793503564fd367667a519b62546eaff234fed4cb4a3f7c76c5c86f418fb9f156d4cdeb5e72acd29497c4e4d29bb6f1c99d08924d262

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
eb6f6b867242d0d794fa5d7494a3fc5e

SHA1
999ceccd9fcdf73691d04493cc33e0e41d9c1b49

SHA256
af79cebd96f06612eac986adc6ce098d66408e751dbea2a96dc65a0a34ae9ebf

SHA512
b8d3019b33cb18cbe0160bfb88abe9d9625b545e7b54f88f29b23b80542cda356d9a099cd71d7fb67e7d2407486f2901248b214770dd7d811e7d6b24d2f71ecd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
d40f18421223be9fbafa73f4d2d3549b

SHA1
2a6192a75767259e4983e715a733fcc31f32d130

SHA256
ded969a81919b844096029bd067ce71f9b1d8a7fc84494ccad55d663bd3d76fe

SHA512
51158af49a9d4bf23bd1d844d4065b4074d15c4c080062bb9556f1592d26d6aede2fb513deafb6753acacbc3371fa6a5638b398bcf1dd1b4a22b630ba289048c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
5bd49cf1243394561e3fbaa0242bc501

SHA1
5c402d4629e8973676bc0233cf712cd36ab325d4

SHA256
eb0116877343e27cdd9dfefec196d1230aaff96fd38f8ec0cef4d831cb647bb9

SHA512
458621c66b057a9837c677f76f9e76122067c57df58a8c42e62e99fc3f5217eb51f4d2394713980726ceffa547ef37441105b3741036374298e6e8383d94575f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
97ac4bdc1da5ef7d7cc21a02de934423

SHA1
830ce88d496230d529bc507bd51b07123b2ab5f3

SHA256
4a8e5c94f264aeda3bda0abafc9d7236f7775a2b7d1f233fd18712fe9360be7c

SHA512
3dcee6c41ca476c8b35fc384a638abdb6de2461bf435a31b4f3fbc5e1db98a6fd69521112b42f3d8203375b728b5fb4707095b85d6486c96ec49f7db123ab416

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
a2b435a9ee8eba8b3a732af749cc6e99

SHA1
0909fa22df696dc1afcc5206e56c405320fb9f80

SHA256
3374217860b15d352e6eb55a44501550f672ae986b42db66829dbf79959c61a7

SHA512
b9381a90d6fb4e4219dd2d999166cd2a789021539c33f922f1e674673852f9c7eb043cf48b4f1d4e85afcca3a548e3025ac039722879b4669554fd8906fa401b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
fb101ff707df20cfb23be6df94c1e01d

SHA1
7d2f9252c7e8b7d929ab741d4d888007fc5d1dac

SHA256
c8df420f7ee9a895c5a7cab749e6914ff5af06adc3f74e2f74cb6a0dfd25fffe

SHA512
153b41a2da57dd541076ac7e8ffe440b1252c2a6d7bcb1c895229e65c67f02d440d24e8daeb01a9b77740ae1040b72e2b1c281ffaf8e44644c2e04a77a0ca91f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
af9eae512bb1fe024a90df083bb9628c

SHA1
349ba6a80e54ca46f3808df8bdeb4a32c9c7a44a

SHA256
f46e2e37aba8dbcc957f979861de961eb9d0e42cad9a53c994f197825f6c7bb3

SHA512
d1c24d52ba800ee9d57ba9a93b2ffd49047c8ee1c9e019ed9039be33f9ffcdad688f8233270fa2b2bf13d287f856a3bee93882d87a8abd6443aa085ddbf6e9b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
f1d7c3479982db1eee8069c3d398c7fa

SHA1
924629b426685ea84ec83bee1d057041c9821529

SHA256
cac8425aa84352cf861e1334954feab1ccdd71a2b3e8a92f0a9086620077b4fd

SHA512
8e30700061a1fe0198137750e5778b9bce8cd3abf1c9a83fb77efaf1a92e21eb2cc6c80eadca920337712dec3c3358cb35f4e334afb16f8f709dd3abc3bae429

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
6fbe7345ffb868d21ee2dfeddbc9fca0

SHA1
7bffbec9772f2137f76843dcef120732b36d2f68

SHA256
72d6cf5bea78745a8db2207c9e3835ae4ce36c5cee1f70253886835e60990d85

SHA512
879f9d171eafcd4b9a8225d679a33ceb409d295e1dc7b18049102691ff0673623c1c082b6252d3976237d7a413408408407e63a05eba48834fd7d0c340aa4f01

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
2cde10b142e0e2a2ef03efeca791a46c

SHA1
c323134f4c29d40e92fc61fa46468c8d3cd5d0b7

SHA256
a1a7536150a3fafa238d3862363eb66b5abd05a5b6d533a10a47c15f9944c0f8

SHA512
2f7fe733d57b00a7927bbbf1efcb73bc9ea9758d2101cbf83fe6609bcc53de0cbd0fb0625ece2ea439771c1cb2b20a9e9c6ecda9bc035b345dd88a4b45280134

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
b7412761d9fb158d2665c7bebefb6a11

SHA1
00d9429c8b1e28395bb5ea5d16eb33cd501c4f6d

SHA256
b90189b5db13e7a61f0ca6dc1a7e7238c524f78f9039e67b13d7e80e3bfc4cff

SHA512
7896f47a94efee6fbbe44448c07fc80af40d81fbc29da8140478419d4fa2e5e07b047366226492326596e4a4db50ff00a80d39b3c98cd6730f63e9c3040c2db2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
76495b6cf106051aa1ba8037a1ca934d

SHA1
949447acc4b553113a8261b8777ff202936e771d

SHA256
12f098b9712c6bc602a8a58a1aae93fb2e31fd70dddbd41c42be7f8d6014fa69

SHA512
ba726e2246a6253f77ace8f714d9657ff458543ff75e8411ae585cc09614d3fa3b791a766621ab9a38793258393327fff7eb118cb0b51d3f13d7c8960c38a273

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
27c9d1245163f6a2ba76cc91b0c3bb3c

SHA1
5f126d6fca1dd15ee1a058e5e96a0b3c89dbbfab

SHA256
e25e7c97fca79b1146429e074fd830cea1283c464836c5b0e9676054e9469542

SHA512
c331ac3a69f9c599bf00cf6bc934ddb6195d8454af11603a7e954115376c8e0d1d7d9513357c2012c200a57e9ef6d43caa2d3bb3f2eae4eb0a063a825edf616d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
331ecf38fe5668c78edb8f2bb51f0aec

SHA1
21695e4b52735a172e86a732c72202802d89731d

SHA256
0386d83e43e17e64adbf24ffa5a52d5640accdf4c8072a19f4c7e6c13f8f5312

SHA512
a7a89ea5ee617ecf375218a96e3bfbf37574b400ad3e78a7c849cce29dee873f1b364547337147f83ca2fa2dfd7c28fcccdddb17dd902eb3442c1659d20d0c2f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
371b241caff76c21d055604f7675fb91

SHA1
28bee99eadb23f6aef2bf49d609694394d4ba115

SHA256
a4725bf11da5be3e0a849b8c242a9eb1859bde3f061c8491abed29bf48dea725

SHA512
8258a5c185fee6d540ec933bceff4b9f6ef86dd47ce7b6c654065448882a5cd2036b949263504b32e74925c9d4072eb518fb86d84fa3b126c4002e2362fa7f03

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
966f4cc9ad4ff431c8f1d8d062939882

SHA1
ac03fe94102cbf1834c9a94545e3b5bfe6938b95

SHA256
a0828a0adea714702b6320c10ec46e1b92befacb621d9562db257d43e410e412

SHA512
4c9dbc87cf7ea0c757ccd5c965b9f63a5cce97bd360bf92356436fbc3eb8dfe3a9a0f4c91e7a48074a5c30543a12c944667fb0497ba13314d5d92903522673f6

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
e3adb8dda9d633a95914de56f1dbe84f

SHA1
7d321579b36f5c337868142696a1a39dbd1d920a

SHA256
e0e86d5a7275cc2315198bebd385e385700ebfec3a1f6015437f644c2afc9e22

SHA512
fc0d5fbd22924df69bc851f4dcb06c8bc3c11a63ee2f62a29cc435c63cd47ed47d7fff4e7c18c4e064d43d6d11a87fe2bae131870aad92d3230021bc0d853edd

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
5789f6e2fd217194f716477b7d2bb1cf

SHA1
677e3359be96317acc0989271ffa306f0218e547

SHA256
a68145965acc56b247030d8cbe79606490b893b05529940e652d054f803ac2ab

SHA512
7039e07572b2d143f80559bffce1a265a3c120fda3f0f801e7d14bc9ed9f409398f7dc753999c44de2940f1b032e88d306ad4adcfffd01d126112f6064db5b24

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
5d92af01977406945c2816e61e8dfd54

SHA1
e30a5794ebfd008bf6c243bd2b85848506f9a433

SHA256
88971b384a86c5fe7286b3cb84b0975e901835cea27ccf8b5e8cfc76f8d2560a

SHA512
1a1d545689cf2712f0fee43678b5a848a98b859ad1e7f279ee506cf62456859b138b05d65cf12ecc131892147fcb5d5df9cec43e68daa8ed5535b06102ecaa2f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
95e26a99f1735b921594c263341ce2c1

SHA1
01b3a9a236573f120f0c786124ee9ff2ba96f700

SHA256
59105a9f1c1c11ca4e7abb87a266e7b2bc594d6a9d4b49d51bd4afc958b4713b

SHA512
30ee1538d076d742a8e684d157c16d71daa37f7054711bb9368e3d2f69a2795a0f972fcb298becb527eaf1dae4632aae86db09e210af75f1ad554eb07e8a484c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
41526eaef057cc772abb093fcf3a2f09

SHA1
7ac26633f72ef4e634f665242977ceb9405bc983

SHA256
70964a3775e2d2e9dbc68ac218fb0a30b45460f8327d0dce70eefa439f9de82d

SHA512
89d44d65d738891559d0ee3e78fe3dfa46476d7418b5be8d989f3788d19a09914b41b2c8cdcdb126b2e1fc106832382038a2a201d2df6e531bd375fcca38162a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
66c643fe3add0b511f0667f7190daa3d

SHA1
bede5464a77e2b9241103883351d67591f3c829c

SHA256
53841b17be03947251789fd8843814b2d686a330e353d0934ba59e8a42d440c5

SHA512
ed3f84325e86115948b8b59a534f5cd7153b9b9e1fa6e532ba092ec77eb60fd43f57bc3056bcca6f171ca59dcabe5964a864c2b9299846e0a9163a1ce9e28578

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
c4c893bd72e7f20347c96166150212be

SHA1
b521785d1972475fc0451b4e185b69d70a0f002d

SHA256
b3065b47d6999dd2dff7f1cbd2a490a1a0cc14925264e77ffe4a78c40f2fa014

SHA512
d9a994ad6d864e2b890047e14a55cb354d03a782387276f45dce56019ce32daf4e25d01d59ffe337e54645f7f94ff790ae81218ba04a37b941295066e11e5da5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
92ca8e0fcf7c5f1c4094b66090b90391

SHA1
73f9dada15010e660e996c270b7e66dd4fdd4cff

SHA256
e3bcfd660c68d3dcb98f84447d260f4adccacbea46f6deec8dfc315a0ae8366a

SHA512
1df478d4a29b9b853d4f4270a48d1233afe397537ef6685e2a9145b00e89fba82780c4638afe6fc8dd14ebfb17b5429a8492c40e531fe674df41bc674ac6057d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
48d0e43e1ff4c61cbb4819b6cc87b8e9

SHA1
78b5ed201b438366946419de394450d6dd63adcd

SHA256
f8642f052cfe5bc6543252bc9ac14dd3d5323d7e9cafe0e2e0d4d8ce08224f6d

SHA512
d7ace69436d70f1b19b0069ef55773d8e9a2a9b8ce5795649141deb9ec2ba83b42b836830e3bf53f2be66ff3f6b14a7ac208b908864f100ed492048158240750

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
91f00ff2312c7974c0d2902391da8399

SHA1
4f8ad04d575cc8914fc6cf58695429836eaf711e

SHA256
542013c56fb0fa58084282b35891362bf8d2a516cfcc418ea3efc7e8a37db86b

SHA512
42ec7fd1e2646ce908e60480d51c021ab4fc78aae43e8004b33400d38d620c3fbbb4454d61cd7ee8db84d7742085ad2eecac0e2ac090af52c642d942614bf2a0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
74a92b45e5cded1b5af9fcb568ef242d

SHA1
c5d110452493c1b92cf3db67b39779e5a3e7ec6f

SHA256
93afba154fd15e29879528cd877791b73dd2acbd8549020b912450ca3e26dd59

SHA512
72eff94a1b385c602720d437e8d1ca273c0c7556b2dfeefe571e455ab884574ab80e2e19770572cdbda0330fe5d19388aa8da7d82d703c4a5dfc53163e8b8c8b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
c184ee4c96058287f30cac484bd9ee8d

SHA1
7a8ee8b9769d276b1aeea044fc74c1cd441a3d6d

SHA256
45ee7e26cb782243f7ae1f50c99dd6bfc77fe844dccf875d349781ef044ba4c4

SHA512
a40597141e860e48bf58f8a6f9d41edb8ea01a6cf3baa82d86242898c4b44821471722b5bd12c3b42ac15f8c989ad9697c724026555d8585c9ac25792418e495

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
e464aeb5dfe85b1a1ccb00ef09935905

SHA1
f89e3586da1385be7826f4a3163bbe75ae84594a

SHA256
ab393467312bd56b428392b869cef5ad1778ff3af8cdc4c58d636600cc597078

SHA512
3efa2c00c0b96e566a3aa9d5b0ab04a75116655a7d8af0e45795e26992e31ac8f8f5f696b76573c2b208232ea53b8b8b33514d957fb9a25ba719733c641f77e8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
6e7f2dd48c147b13d485f6c839d41846

SHA1
ab257d2d00400f165c3848af78e984f9cb6bf767

SHA256
f7e05c4121962c4c052c81b0b8c0151afa4ae01eb2b52c37f4c626c2f9a22b05

SHA512
7f36fbfad0aeeb038ecbdd3bdd182cdecbfd624db8f7c69e58f569e35e29c592db66dbed0aab025ecaa9c1f7cf6c6df9957195207288c42feec72f6de0814789

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
744e7b23d328c836034fd5ca01423ddf

SHA1
b1e81e0d03a722341145e2e4e17dd69dd2285010

SHA256
727ea69cbf7f5d1e7bfb12d05ca3adb4ed647b548a41eadcf7ea66508aecdd4a

SHA512
f7c9facf0e90e8a091465fe124389b89793c55b7eed21bab610da5a606d57e9009ce9c394b60ee6cdcbf118b628cdf9f37d58d49c0a8370c3f1a95edf81f1ad5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
f1d235b8ead9bae3004d2828c13c95f6

SHA1
d88007a4623301884d63365b7f5f5576adea7e92

SHA256
feca6b69af4912dd3b1f04dfc091bd73070f2f29abcdc38ef69f185526f5c769

SHA512
07af1cd5cc2e753b056d2ef70f1775f40b814721672229f243f6cfe0f2a3a0ad7952ec1b903e870c355f135a65d0a1334403e3370c72d71b0fa6e36cbca97577

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
0cba4e5e16ab58e7b932c885915de1d2

SHA1
07cdfdd0dd483b5200e3e8a838cce317365534a9

SHA256
6ae30d8599094052b05af2e94519d3f0f8905a425ed9e6538ee3b65980f9bce3

SHA512
366d986db2aec0158a48d079f1f12dc30d7cf1db717cf1608d95d971d0d9850752a87e938533f3062a8c15126c5fc3a13249a0d2b44b58fbbbfcfc997cd08e73

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
26ba333e7a7d012f740b211ac508d149

SHA1
ec4b64c6de7c16249ef9aa7ad2c28cce782f7140

SHA256
315291cc7a3b5aa1fc7eed56347bdd68fdff3cd77240ee58ad07b73388408de3

SHA512
0acaa61a8b6f6984137d20389a7c6085afbde06df45cff2fb112bf9884280b7dba6a38ceb9cd92124f53c1d1a9ffea0691a371525da4048c2ba8358f57f621bc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
7344a100eae6134cca920134ba6f3d1d

SHA1
02659c0b1d95addb9498beac7faf7d0acac7e34f

SHA256
8f6ab273a64fb63622e6c307b270f5d5c9c6ce9012b385ed5e5426801899eba0

SHA512
d61814141277177fe26dd04f86bf736d705cd655db9342031945d1a89f5a39913f3d2d1ac2a7826ce1561a544dfd6a8bd0f24cc6459ddafe54f8f49da1274607

Download Submit
memory/2616-47-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2616-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2616-33-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2616-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2616-26-0x0000000000412000-0x0000000000413000-memory.dmp

Filesize
4KB

Download
memory/2616-28-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2684-4896-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-4396-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2684-38-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-4397-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-48-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-49-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-54-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-7295-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-44-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-50-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-36-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-40-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-9175-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-9176-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-9177-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-9179-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads