c239a0e143d63c177f0647cb88febe8695feb31c7f9d2f67d7fdd0d3d3b4731c

Analysis

max time kernel
38s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e342274b59e65578a37019215b798b45_JaffaCakes118.exe
Size

104KB
MD5

e342274b59e65578a37019215b798b45
SHA1

6f1acccea63b791e26b464066aca10d6b5263bec
SHA256

c239a0e143d63c177f0647cb88febe8695feb31c7f9d2f67d7fdd0d3d3b4731c
SHA512

0a96c7f3ddc34dd52a907d0d96ee99245f57a22ad7460c5bbd9749d1887e5b2a765365bf4a36d22026e97f60c9ba22607c4dff17c9dc86380dff484f96977032
SSDEEP

3072:OCFqSLhcXBVMKkQNsgrr/8vsp0vrqUs/8ICqP5:OqhcXBVMRQHsvS0jdDM5

Score

9^/10

discovery persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (2364) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8lX6v1peh72Mukh.exe"	e342274b59e65578a37019215b798b45_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterN\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\UltimateN\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmhaeu.inf_amd64_neutral_6611a858035bf482\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumN\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_types.ps1xml.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Comparison_Operators.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnne30a.inf_amd64_ja-jp_b2245ba886355a9f\Amd64\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomeBasicN\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_locations.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalN\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_methods.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\kscaptur.inf_amd64_neutral_6cb3fb6811a3f83d\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_neutral_839e9ee1a8736613\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00a.inf_amd64_neutral_a89d2c01c0f43dfd\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_script_internationalization.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com\de-DE\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_neutral_856142fd87f1c21a\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\Ultimate\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalE\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmar1.inf_amd64_neutral_b8ebf59556c3dbf0\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1qx64.inf_amd64_neutral_85d10fa4c777b7be\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_jobs.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_prompts.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_jobs.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2hbh826d_noaverir_x64.inf_amd64_neutral_da2ba9e8a30dad14\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\Amd64\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_requires.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scopes.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Arithmetic_Operators.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_jobs.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Professional\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00f.inf_amd64_neutral_f7f7e179d99acc58\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\040c\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateN\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr005.inf_amd64_neutral_d140721f97061bba\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx004.inf_amd64_neutral_2cf95f307381e481\Amd64\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_neutral_ce7bc199c85ae0a0\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmct.inf_amd64_neutral_15bb3ed734fbbeb3\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr008.inf_amd64_neutral_0540370b0b1e348e\Amd64\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmkortx.inf_amd64_neutral_1975687236603184\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_PSSnapins.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Parsing.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Enterprise\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseE\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx002.inf_amd64_neutral_12563574abbc36eb\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmbushid.inf_amd64_neutral_6708ad28050a6765\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_data_sections.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdmtphw.inf_amd64_neutral_a7a22bb0bb81abb0\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-TerminalServices-AppServer-Licensing\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001a\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Line_Editing.help.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtexas.inf_amd64_neutral_7572473d88d69307\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netevbda.inf_amd64_neutral_bab421df9c31cc81\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr007.inf_amd64_neutral_442d902f3f3dd5b7\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjmoobdggjllobgi.bmp"	e342274b59e65578a37019215b798b45_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR19F.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\THMBNAIL.PNG	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01747_.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_ON.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_justify.gif	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14539_.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21519_.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR42F.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\SPACER.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR29F.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR3B.GIF	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\logo.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\46.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\amd64\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files\Windows Defender\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\SignedManagedObjects.cer	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\icon.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\502.htm	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mobsync.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2ea5a7ec449afb22\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ftp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_69044438125fef1f\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..cingstack.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8c9010e4f616bbca\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-getmac.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0ff099de0f3ac8f2\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx35linq-linqwebconfig_31bf3856ad364e35_6.1.7600.16385_none_56e30bcc495bf9ca\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn.Contract\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-forfiles.resources_31bf3856ad364e35_6.1.7600.16385_en-us_34a3bba803e202dc\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-efs.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7b42dfac415afe76\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-console.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d9e1d0fb5c27b6d4\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-efsadu.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c0f2532bf66b1c48\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fa97652addc65bf0\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..trolpanel.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1c2f17658368719d\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-n..35cdfcomp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a64913c605a9a2c0\DropSqlPersistenceProviderLogic.sql	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources\6.1.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\ja-JP\playready_eula.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netathrx.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6197d21cd2c659ef\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_fundisc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6ab892e3e837a0b0\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-format_31bf3856ad364e35_6.1.7600.16385_none_265f38d5eb4d284a\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\divider-vertical.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5dbc7e0875d581fd\Tracking_Schema.sql	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_db423f80885aae7d\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\Tasks\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..epassword.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5ce30f3494a74e9b\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\redStateIcon.png	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-10000_31bf3856ad364e35_6.1.7600.16385_none_240f5e8729f07c94\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_9a7206c9fd273385\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..-mscandui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_779a74a5042c46a4\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tzutil.resources_31bf3856ad364e35_6.1.7600.16385_it-it_04361f65b5251181\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.Resources\1.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_image.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_747741c93ad55b1c\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.1.7600.16385_none_4a8185140916af36\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2cd2a68aaaec5026\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_5ac99802e880497e\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..ce_iassdo.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8aef539b8d387fbe\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..-security.resources_31bf3856ad364e35_6.1.7601.17514_de-de_a74c5dd3b3f79492\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7cfc747fa923d94a\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ystem-web.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0c773247e275eda3\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wlanui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_82bb5ca8fc5e600b\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_uiautomationtypes_31bf3856ad364e35_6.1.7600.16385_none_b8662df873a3a965\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_02ce9af6fe2baaa4\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_desktop_shell-gettingstarted.resources_31bf3856ad364e35_6.1.7601.17514_de-de_957d2d76493d70b9\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dpapi-keys.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e8c314b68736a191\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Hardware Insert.wav	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_de-de_75a5d492b9d7cd2f\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-networktopology_31bf3856ad364e35_6.1.7600.16385_none_2d4ae8dc142e71f6\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ty-identitylistener_31bf3856ad364e35_6.1.7600.16385_none_d57180f075948160\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shimgvw.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_409b8e1ddfee35ef\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-powercfg.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7fdfdf01dcc88490\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ko-kr_1b56589636443993\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_desktop_shell-gettingstarted.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6b0d37ddf872f844\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4f22d831ba835543\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_faxcn002.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_046e7515912e39e5\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-wmpshell.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5eeca2c456245c7e\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netprofui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_df232de45e87f7d4\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-powercpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2cb62be409345109\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..gement-ui.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_55fca664dc994c6c\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..anagement.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c27658c0cc75cb0b\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-hotstart-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_92dd14f5eb72ee5a\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..qlxml-rll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4f807b381bda3cc2\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_transfercable.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a9e0f2faff6e7ec6\HOW TO DECRYPT FILES.txt	e342274b59e65578a37019215b798b45_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e342274b59e65578a37019215b798b45_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoLocker2015\ = "JIXYNMTGOFNNODU"	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JIXYNMTGOFNNODU	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JIXYNMTGOFNNODU\DefaultIcon	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JIXYNMTGOFNNODU\shell\open\command	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JIXYNMTGOFNNODU\shell	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.CryptoLocker2015	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JIXYNMTGOFNNODU\ = "CRYPTED!"	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JIXYNMTGOFNNODU\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8lX6v1peh72Mukh.exe,0"	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JIXYNMTGOFNNODU\shell\open	e342274b59e65578a37019215b798b45_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JIXYNMTGOFNNODU\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8lX6v1peh72Mukh.exe"	e342274b59e65578a37019215b798b45_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e342274b59e65578a37019215b798b45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e342274b59e65578a37019215b798b45_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

Filesize
438B

MD5
515f29d240c8defcfd6ee9395f2f7564

SHA1
e7ff1b461236fc7dacfa7776e43bde1188fe8a0f

SHA256
dabcf6b327c3ec0f177e21044c1aa01d215055b8b195aa1a7298ff8f8820ddc3

SHA512
5c42006bdfde4ba445325c3ad5dc28b5c5583d50c0cd853911c6224827b0dc1ba76d3bb16514b5815b3d82ebbf8e990a32ac64450df45de52a9f36fe74e0bf8c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
687d079579c6829d98382e8b8dba4749

SHA1
c97e1b6a48b20c5dce5ae4f1bfd7ca8bf0659a83

SHA256
599114fb09ccb7deeb349149df9aaa35edad71e48a6d4604e2d6c5042a89ec31

SHA512
8bd241e5cd7ad64ed49e36f1c71d8da4567fdd5a25a8e845d8e00bddd4c21bba10bb88005ae1b2a4b2bc314663e7a9ab7b44e8326cfd2cf41de95c139727c056

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
8302a37bf157409b8d053e068b1a48cd

SHA1
721aa419341aad4b78adbc1806388b4a3288c7b3

SHA256
9004435f39201f3622ac46016e047107365632057568259e271a61f869e0db7e

SHA512
649a9639373bc27bfb8b8821714a575c94a4d59106f201c1ce33dfc54895b68e9a93ecec16f444278110b79b08efbc3e3366a277a1568c9f88bc8fe0d9241599

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
38ca7204b0df71c4ec2770c212547e19

SHA1
43971bcb67c772a58603edb85fd85db801c0bf5e

SHA256
141b5ff72ac494aeade7eaebd29fc74acb682cb99af8c09614fc1bf0022993ab

SHA512
9a8ffa6fb5a73dab2b623005f9a2dd312f624ffd6d0cc118cdf90d432e77f7a0b50c86e3221260dfab125b89df246924a33e287538532ad1da452188107707f9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
d4edf00c3f0d4ee5dbf3be801583cc2b

SHA1
67fc3c7f15a89b9a78585408fe1f28d8fb120aa0

SHA256
3fb564650b7b4ec83e10528719b97df2f2b04328e3407e55bd106c71d40411dc

SHA512
42b6086e0de3517541f195460dfdba2ea08b04378bdd8f34b9be1056531bfa7a1bbc42d3b8adf79d850d2db34115c1afa6fc1d0987a42438aaf379c541f56114

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
7d07c4d2690678740be870e2c7ad17ac

SHA1
08537dff6cacff0ebdc088f84a7caac08a24fee0

SHA256
1952b17b5679fbdd0b3376a960b169a1e98bd10dbc3bf03b4797bae72202b343

SHA512
1f4322486eddc66248563c8e33192d73d870ca9b0376b5d6f47b5bcf42860b36a01f6d6e551a87b22d96ed4d9eba4a80ce105a6a820dcf450a95af3d7c78b1f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
e2b3f0c4502a3a7a18d18519702b8aa5

SHA1
2da83266ea95d4082f46232af32f930a9f2a15e0

SHA256
d1d2b429d21c1180d608e57af912910e6cb205582411ee95e0bcc8f966815d56

SHA512
0bbde4c0eac4a542ca808e5de382c5cad4c7e067ffa329a215be6ba043d6b693985322c18f85678d13c62d3f081bc982fc9d98f0da25e48574e759300889ae62

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
1c39959115c1726e85f92d4741e37095

SHA1
00630b3155b6e1721970a175e028ab938078da91

SHA256
17fa52c522ddef4094abae5f89945cedc67be47910dec85d270b3afd138298d9

SHA512
b06db891e544cf2dce70ba652c507556540d4c72afff34f59428b18d81a18e050e4964358d9dfc684c9c5f249802037cff90a75f41847b5ef1c821c241c3e431

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
544a816b3b0e56b8fd80bc01e4a80cc4

SHA1
06c708b79153b8f82bcade46a406806dc2a1e642

SHA256
8936ac60bcc9bbb3692595c53cf63d6c718fd058191feb03bb5be26a87864759

SHA512
f433b8e5cb4ccc1ef04370fcdb1158a0f116bf054d909db72642bcffca765926549d912400bfe5467303251d008b8ab15797e38fedf45e0ea5284d318a3b3985

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
04631d440ba5aaeceff75e51705f31eb

SHA1
936b7d5330d8421ddb4d38acaf045934aae1c735

SHA256
e09deebdbbd503b02d1bc257edaf9832c3d9f3f504f215175d1ba97596936d0e

SHA512
dfe2cca59592eefde6a27faffa3c4dac33be64f1b06b28192ab2d7b6748c731beabe18c832e4ab5b3907e1dcb80bd67d1122e93b14b81d23896592ff3e3285ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
fcb02106c96a095c57f5455e6223b186

SHA1
be253da8278c3358ed93689bfacc6ccf1ef23bee

SHA256
3b92b2b50fd686fd1530135ac5415d1da960514a170068a019c2ca6bb9d86356

SHA512
b63d7dec86b2c287bf8b0b226dfe40607745e33dc03dd69fd232552535a0414d99deccfe5f0d85dffe09752fb1b6b4459e8135c380caf581fb2f1c155d011a2d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
f4ce39719179e7d2c1b87b7065bc7d5d

SHA1
4a994d690fafb71e8f51b9eafdcc408b45ae6f09

SHA256
3ca38b6d05026a68af9577a258f075fb960644ac30f67dacf7eef56e5a4ba05d

SHA512
976a4512402603146d5b4170f7e9c63890c0fe28807559790cefed00385805474e1bb1040b1150b3e5ff64f126ea0abad908c139de1bfe44447228f0f3024a40

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
13a834f07b4e4c7f06d7fb6fe21c7895

SHA1
5b681d44a5911558ab8c020f8b11189a87ae1d54

SHA256
239b43f4cdddc3df5863e9e59940584fcb0d099b1af5a06c39bb9eac12a77e32

SHA512
8bcb08bac5223fbf4f00ddc6151d9cac0a73d81396f9e126892c1f124ac30ce55fcd0c1f14f2b32448194e4e2a9535a7e8b6c2162283baa2fd86338c5089c868

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
54a40e9425c9d9eaedd407626e8528e6

SHA1
25f924e9fcda8e7b1747b2afd9e6512e586521a4

SHA256
5708c2dffe96f209b31a4a8dba50aa53a5ac74dcf8951beae6fac782d953198e

SHA512
47b33e5f3e0580f58f52ae635c4e0fda3a94022022a9b4999793e896783c8a4281ad9e3b33d079dc7a651ff968c37349483d4849e8dd89bed5e4becb9f0fbdc2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif.CryptoLocker2015

Filesize
6KB

MD5
95788b73e936a9492edc013178968238

SHA1
c3c57f7c6a07333953940e56e00d42ff5cc6433a

SHA256
4f94377c3ebebf2b0cfbaf35a7d43c481c042a7d0e5d6f880cd8c906554b59aa

SHA512
3623f6acde7828e292a2f1513572e2841578aa5bf60989f057a13a84a2cd4153c9c2b0be0586c47ce4f39ad9d4d7133e5af0b59c165df3d24330dbb9b7baca34

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
1a05b95c1563b75aee382a0526fb5c10

SHA1
2c433e258ff66219949a4154c99cdac159670dbb

SHA256
ec8d8233aba8b640379e480c5c57e774633c0e74b7cae628f24ea8b3b2e866cc

SHA512
ba5217f1534a2e7d874fa0280f46c99a26563636df8d23e1a361489672e34e70609ba70ab0a804a257b8e7054d6c25fa4a0f409e4d6a45eaa77b15a84ca025d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
9bb778dea1a89588e549f02add072118

SHA1
d5aaa4c1437063bfbe7f5cb4067f5d33ad31d091

SHA256
6b625dce5a50d12f40e7513df6fae16255ef04777a374cb2440c3d9b362b6d72

SHA512
67d7b3e431d62dc7dbe0ec7f98337f55b13cfc008330106b37b76a8f3c1a59c0f9414dd37f7c3a77dec812a8433c9095df9bfad68db71cae8262b701746a1f97

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
ac781bb1c49d0170c3d2f3333f2909ba

SHA1
192c5df2f7f8f80868988acfa0f35b8c6673bfcd

SHA256
ee95a86cce0d9deb8bc40e54b8bbd2334ca2cfd67445155515de28eeb8d399fb

SHA512
566e90f937587626f52b6d1543783a3f8e709a3213791a9ea0c2e26e2697d9a1b237818eef0933f80009909f6c2a967b82448b98172b6157d0ff73eebda21986

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
6674a0c64153f88f72a1fc58b8273bb2

SHA1
9623667c817ac105e690b9ac2997f3f3d48c69bc

SHA256
28e44801da98090f3326404115fcdfb6b05e3abbe198ac6c33bc0ec41ba22f47

SHA512
397c7f672574b544a77f290a35179a7042a9cf5765d57ee423ddee86134ea0087f50384de15054169ac838f8c61a732845de96a7db2df7771d37175bf91fa5b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
705e05e1111a6da9f96b222187719eaf

SHA1
9be8c71c76775bc1fd101691eb86212ee6fbd2ef

SHA256
a3e9a251968b599c04828b3a36e1d7122314e5a344fd164c119a0d73488d1015

SHA512
fb0cdaacab8d8910870652e5d1b9536d57f923f07c77e0e5e863f66caa30fbbaa890551e9fc083061dbd06d87f666ca1309bddb67f3e39cca91d30e9024869e6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
dd9779f9daba99953accb7c32c23011a

SHA1
a4fc5ca456d538473e4d476c3cdd7ecc5d51eb1f

SHA256
0d7f2004f0aeaf46a6f997ee98c2c28d990d5c9429b79888fad7a0c70e4bfeab

SHA512
9f1c402f151e9a5f90f7862399ab07fe25bcf183f4c7364c29e8fb4d3aa672ff71649ebf4dae02548f6ce4b3646608b71b34d64f00070796047d9768f50b1851

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
7302dfad7e2c5d7ccc9c959770eca9a0

SHA1
3aaf2015b062d12d7354a1b37177cd0baf0963f1

SHA256
fabcd55e47e1da4703aaf749b2c3377cc9150bc2340e70b28e1cc30ca0d7c04b

SHA512
07c97e6db0f0258bb2ab5c6d3d94ec056174a665741ab0608af08eb105896959c8533521a597aa30cd3771ca2e48b3273242ec30e5b180b7ce336f8bd7590a0f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
0ef2bea69ab4690a2a2e98e4ce5bc062

SHA1
08c2251be78a633a6cb2a2dc508f9d7e6b796e76

SHA256
729c0c79c8fb9204281d62832cbb4e4232f73b980b508e23c2ef5577935083b8

SHA512
f96631c9b55c31c5d492184719607d69031e0b06c38fc1d15d4ff88dbf9e4fbb260216222d6910fcb9f0dfea48c4b0968521db4101e23f0a60bb41f6826c8a59

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
4d363c341144853cf333edbbeaa64827

SHA1
0d9eb2530eab2423cf03dec01b1756ba8ce98e24

SHA256
d715344f42b8d50f71eed5cf37e244c7f75602f5ad4fe23565897389bb913f57

SHA512
1947e2dfcf81bdc4f36efbe2812a72b81bca4fab3d44ab3b966f63d24599b033c4b80644f6232045bb3e95f0a84ad7f119840428066210a828024f07af24139c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
65a037c04e16741b2ca881db3d41c601

SHA1
e5f904431e0ce0151c96440ce7efb10167096cd0

SHA256
8d4b43c5a8da983be04b09e66a42a95bc539b39cecaddae85b141c4ff1c94e55

SHA512
ab2600211f09a7a9dda4d717953a2780756c1ea78ddbfe2a84f470e52778123de00a2d2f36ecf94e7ea29295a1f9979a7fee866923309edcdfa73851ba9f59a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
0139270ea981435b2b4f92520d5d57db

SHA1
b5558ad6df3ce22071886978c3aca42460adfb94

SHA256
95464f871c966638eee01b4f7b0fbc2bc437e7ceb9af5d946d50396d16fdac8c

SHA512
bf8c0d7fc3fc4b35bdd568995eb10e1814d2709098bc6336d1294fa553b07c7f8d5c385b03c34ef05901bd18b1315eb05dadedecfa6229e7cddd67fb6519f3b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
a834eaa934d03751168de3c59d179a6b

SHA1
5f26bed2d356fc4a2bfeb3a6afbf5e5efdb97030

SHA256
50f9d52a73a6e96d4c27b4ddc36ff1b63a3691dae16c477bc49ffd2b3e580ac8

SHA512
3d060fc445e4cf122a3baa40150df2156c0c2c8aafc4a02d2a1ecda7d5de2ba2177959e67cbe3399fe73804b33e85422da25f73f7aa2673bd99cae58b590ea2a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
d0e5f0f7cd422918ce6bf20a8b7d9c67

SHA1
91c96d69f08c690ab8bdaa25749c6e6c83dbfa59

SHA256
20fb111709115385e74a7ee742b5b9b3f7685843dcf5daff3a87ba73bf2a5cb0

SHA512
1a7e3e78a133c9fa8e2b5d86f2b41755345effb52a010e66af28f2f8247d720cef33408dc3eb75a19e972d95e8cb17f6943d150987ed6391c27fdc32c65e27db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
cce3c9207b755a5130620c584775a4a9

SHA1
b16dabd459f101089dd03ccfcf103004b7863839

SHA256
de30c8cbe438b71eacad6df1e90660a243a49e673cd99964efcfbb1f9fbe8f5e

SHA512
3d488050054267522395ce7005bee250179f21da6b39d41d4cd0e82378163536caa5765e38e1ef891c19583b804f897939712c41d81dfe066aeb1351d7e8513d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
137389d820d95164fd3ac0f3caf0edfb

SHA1
3267bf32a5caa31a1dbea8fab39314396e21e93e

SHA256
5faf49587b3ceefdfa645e57b99f640ca779f369e7a0944515a5867d225c315c

SHA512
f4d6c671ea73b25ab4db585d8daf6e74d83b60cc772af50c1eef9c090f14a5368366b5e8dc11325ef7b8550dfced062eb772e115b5833bcdac5612daa149d71c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
462B

MD5
85f10a9eabc4b1fb820b0ed49985821a

SHA1
7a38f5a40c2a6e720c6dd7cb37f6dcf2e3493d86

SHA256
769eb067258aea790ed87dc37fa8b97654accb524b3f4bcffddc3ec3e2cab51d

SHA512
faba3a93e8fe5df8463282ba16335140004b027e9c352cc769196f3e1e8ef0143d71e02611576ff804c699123da9ca95f821762cd80379e759b2670e7b568eda

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
264B

MD5
9e46412efc8d08a5242f5a1a100a9f70

SHA1
9977466ecc395d3b820ba4903eb409c94cfcec99

SHA256
0131bb4323374b1c9b4fd03f63c8ae979b20dc25bdb65a0cfab3c18cfb1f98ae

SHA512
ce2f1b4572b5a0ba66ae282761678034c0c78140e7d932a37a6d1d25833b21593cefe90d33e80c1c01fc5c6439a1231f1c7895bd5428bb28ede1513825e6ddb9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
f7fd84b990cc5d96f2a4f12e0baf4a27

SHA1
8c685e216c3c38c7c1dafc10dadbdcf83c3d5c1a

SHA256
bd0413edea72474ec26fb745f793447109b3f8d41d958932669acc8f13cf8f40

SHA512
b8eafd7dc171eb9341ca8e4ae53e3b2865a29f139e5aad90e204b2a098cb6c9b42032d544ba91959587f00e70087c0baeb6b03a9f56958d0f2b419f3ae994048

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
ccd6d1354d940a8ae3d69aa95f416510

SHA1
c3f102ea16726dc18ad2a5eb7fbe92ef5dfccab1

SHA256
cf0a78c35a6514d2f23a84b3b21ea94f99a81227123ac65cf71f615d4f2a34ec

SHA512
8524b937b05d0d17eeb473c0e8ffdcc06c62d38f3a8c656a23923f324e23da6dd072ee3db1365e25e83f8e851308559f3080f7849cbbebb3d4e2c74ab73a4631

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
5d036102a06a094dfa1625f2175fa2ba

SHA1
66ceb98a8b9ea9b3d9fbae5da0f5588c17a31362

SHA256
6b9158520033491bbbfcf2a06fabca25eb906756bbe47864901ee1ef5415d42e

SHA512
7c54192a1dd22128f1c033829113716ac05a50e32414424c01bf02ca937b94f5e2972e154457dc647eb28174f94f82acf14a68f7b96c597c756633dd9c1555a4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
566b869e2cdfeffe997439778c0143d5

SHA1
d9bd6dc93b8315328230ee66c2d11a1ee3c3ea54

SHA256
dc9e9f3f985f07b47ad55401e08bd51f63e43b65be7e54fcb43ce54c59492a4e

SHA512
037cfb1e9efa0ca7b4f45bf745f179329d6b3192dca697cb7168114c093005eabb5975587b6dc87424e0316a1b31e1bbfdc4871c5ccd4ffa8e203c923fa21329

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
f80fe812e4bf1e418e355f84319105ad

SHA1
3249106bc3beb9ec287a1f16e5d231d60e2e6088

SHA256
ab02f35a255ef45d35305035a39a4fe4f038cae3c29dc42d55144648c4b023af

SHA512
c27f8559b0ff394dd727a3fc159eab23654b049bad293205bea5a42de70b709ff65e133d76daac550855126feb9a13167fa5a8a5bef10dc1bd8d5ff340cf0ad6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
959ef11442ede410e1c5c16482e3acf3

SHA1
00e9696348f58445075077e3d442a93f2119fc4c

SHA256
2010a8fa564ed1dd6edc2ca4ebd37793723774ad2081f50d8c11f49e71b58528

SHA512
137be7af6cdc41a55129bd087288b2ee97b96e02389452c1f4ddf1c3c4ecd94f9a1a11a366589cb91e4dea5e2babbc377ca735cd6406ed90c1f38333ce0a3db8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
1a4a8630db17631cc601af320ca68c3b

SHA1
7d13c5cb78c0b821db58d8d734cba092805ecb47

SHA256
7f34a9aa5ec48ad1aaeb95a3d8e2f653fd7d37dbe8f2eaf8d359af220ef30956

SHA512
3c4f12cb63af34945295a7eb061506b0a855bf08b77bfcedf62a7404d22c743ba9d785ce4056ff6f2a61dba4788e5ae1481ea64c9762896270c9af36e6af968d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
9aff2a89ec2eb963c3b9829bc8659733

SHA1
7ec7e1a8dcec7fd787344a8c6cb6d908d5b6a1a6

SHA256
55266ad02f2bb4d658fd50839fdcf4eb8d99856550886fb6f5b84233e9300d1a

SHA512
c63223b378ba02555745044af626e7af1ece04532178595cfdfaf2cbbadea29c29ee6604c169cc40f4b60a6eab41b2cbeb3b67ee9432aa2248915487567053b3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
b512712e83e05e2e283fb9390664a641

SHA1
fea371ceaa75b552e497f063c1b06baf6499751a

SHA256
16cfa85cd1907b7c5435bd22b8b5257c85cfcf07daaa2a32fa8ac68ef176093e

SHA512
62e3b258b7f5f71097d91e9aaa7e5b95395d9697fc77c246458c672d7f79d9a750d60f2df8fea42e6aca2bd2161f527bdf1badd0c02f9f5b651dd1b600fe2c42

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
a4d61c4ba04f21534e4ef17ee740c169

SHA1
a8aca685f8874b00a105eef314de3544daa477fd

SHA256
44f86b8a58ffa59f2b2043690de1db23a71a3443505d717d22cb2871bcb97758

SHA512
fe4f9eb78bd8572519de00f63e2226c8c014d3146e158e00d0dee693822723b9c60e13bea38b104b8deea1852940b732c6b6680779603085607131de1af437be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
b06b1b5585d916dd02b73d2b587d9a7d

SHA1
39103de04fa9027e0019e0ba3c0ea0bcdbee9310

SHA256
13c9859f7273f9e3c032dee02aa2241d193b0fbd6c874e91e3a0679184666609

SHA512
eecba15f91e75e956b9238ca69ef5c93c99f4ac6c9ca1856bbc1b715af79dbd60d99dbb6d496ef0807e5dd3ef563f09cbb17cf56622c3f3f7e606cfbf60d6694

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
68e4cf9abced8f413f68474e9ad38831

SHA1
0dd86612c4732258a619aa1f7966f473cec4b5c1

SHA256
0d6229026234a3033b50746143c34e2bd02609e83c25ecf975e1ec90884cfab8

SHA512
3fb3b52b834f58d156c7d39f3fdb21c40aff4d42d4b7ccde739738783e5e7f7d621d07762cbda0779b2d4e5468b925aeac03912680395f5affd44febecabd260

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
78e457f568694036ffd147a2c8bc63e2

SHA1
d9d5b84d182a81c75f3dbbc8ecd52dade1bd52a4

SHA256
59b352fe561d617fc51537964c399c287d52a50e9249bb0b91ccd1f21df47613

SHA512
a999e4028fd2140e93c4f58926f210bfbcbc0aa57a0bddddbd82f2cd4686f30450b5d0faa35b7b91665aa21ad26d330ce4c2040ebca7cb4e4f979cd5b8b6006f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
9a81238862e23ee88f2ceb60c3120676

SHA1
8d6b3d647e4d8095b564419d300b328b9fc29b23

SHA256
4e10873f643bf3afaa6df6bdc86f20f5cd8fc1210651c41aa888838c3ca4b132

SHA512
78b4c43455ade1c8703408162423eab2d2b4f72e8b1e33f68b8f3813461f21ae0059d6a5be9b78534b1b2b88df7eb52ca40566ceeb7ffa3e3ff955925709c1b3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
b1ade11a4ae0c5f3c73aceaa58e0ffb1

SHA1
313a9b896ebe1a1ce4b3bfac4d23b8c655775459

SHA256
ca391889223fdadc18d0d130b75f9a9e3590301d4acab6f0bbec84d12366e1e5

SHA512
2e79d86521e3d0104a51c5bdf0de51888ec69028ad6f2be0ed40ae59b07ee220879b7aadae64607e81aafa81a3361e15a85eb3d590d6a090f4bad69df03723d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
c13df8a8062b386c248cd12da5612f31

SHA1
3ae1ba9db6cb8d0ac17cd43d3333c70d9f4cf2f0

SHA256
39eaeb3eae23b89a66758798ade7e901caf14b548bef270d77c1484c0d803792

SHA512
725da1ac79ee2300e21fb8de32cfd52300e127b94e98069ef66ae5f47f28378c69f503616dda55b78f2d57e3cb1ebd94fc1376b504d2c290b5e0e47381d60746

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
d7a4cd498b7a7c7eb11688e894573d96

SHA1
4cef3495f900c67e0e628bbb2ec70cc91e9921e3

SHA256
c4f7fd02f1aea70ae9f021b4f8bf797876b487b395a81a049f6c6d9613ccd7ab

SHA512
edeb4e2b37733e50a8b1d8e68e94e09fceae3300e9eeb744d55b7907dc80e7039b1837b56dc7526ea4d77da9d5097ba32707fb85bb975dc4b975a0d4df4d1470

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
ded443d7270dfa1b5e15bf207c909d3c

SHA1
552a3905209680ed2926c245d248fdb22a41bfd1

SHA256
7f29751155169485c1bfb568d9a0acae7e5fae465ad7e2f184fbd9db201d64b6

SHA512
54a8013a62b583900e60840f8193422fe0c3dfa4cd7b0e7cda53d9c7ae7eced86c95f4c6371622c0fcec3ee63de387921b82636638f057856a9ee6781962beca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
06ff1880c3760141b7533bf3f6243d4f

SHA1
f81e4d9bb4c4c7cc3ad7d719756e3ebb8f5f5bcc

SHA256
8a0af659592e7f872806166bd62a13f4acc7f678acce89e6848b3cde2faa64dc

SHA512
01eb4080e56e69aa5f6230bd169af7d826c271f669e610eb274b8c1124f32c96af10f39ed0c07f6d69b0e55d4dbd5fa765c20a0913c2768c893fe8c6e5dccd7c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
79cd73a6155ea10c767b768ff266d0de

SHA1
9ded4f4fce381aaba732c77f40f030189b2e2a41

SHA256
85bfc56e257225991d6c04c41fb32601b6ac856f0a2fa5b486aef9d84b1b304c

SHA512
df24d6d2d1ef0299e284474fd46f7698e85204709c33c296b99fd7e09e0d9bbddebdc0430dd4aed4311e3b1411f9f038a37739e0f7ca9b59053595d344124d42

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
5c1a7f3b61ae1640725b472975d08827

SHA1
038981cecc23642c133f3c006d124948d28018ce

SHA256
a3ce563b6c58beeadf3d6ef5e604b766c1e7b48c30e6d50c537c05ea56bdd0e3

SHA512
163059d526e29f600dab4fc7976cd470821fc55db3e05f05e2569cd1bc0560d0de4bc6a76335e297cf8b19871fdfb10256c1406136ca54b96e0542df9d591d89

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
cf90da95124aba53f7c28de51de16465

SHA1
e6c065bddffe0e73eb74db14b2e5fc62f94a0943

SHA256
7f3f31c581b64032269684f8555e486621a0eeef25ec3cbdb382741aef43f195

SHA512
29f7eaae9ba9f4cebe9cb3c19ba147ccbf8492b464534bedd44d803470321542c9985d2cd5813f5cb8e88c21998e60739d37b8672b994935254ebbff28252c4b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
51cb904aeb8ae47b378f7ce807986c99

SHA1
726991f9b01ba83dd0f56dfb3db542cc3d288846

SHA256
156b52b3a678dae33862fb3f635fdd564aacba4e6f42853aef3a00a0694c5b19

SHA512
0c0fa1805d77c969cf18c549040f7e87b5fa21fe173af3d4a31f2ae4abda99dc619fbf9dc730a3ce8f42d8cd6fc582fe36ca33b6ff3432d019d79330caa110f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
8cebecd896037ba19ea48b527c1fe362

SHA1
3dae2506dbecae3c520ef06bf111bd197429d451

SHA256
c476047f79d869441ee5b5a9d82d91d443adb9c7874237f333a09d77bc93b2a9

SHA512
6af78cec79926948078a99b0df99a5aa7ac8cc3840e0c2de67ac9c36882c332cc2561f68d66c4c2af6108072156d96a4174f3315215c71564181f936629e1690

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
5fa4c4422268231e097adfd63a2cfa1f

SHA1
34865084cfe6b7e073f7467089289b4453404bf2

SHA256
6734092a89b5ad8eacba05907221fd88432eff86c104e83595ff4c3d09377d94

SHA512
ede16b3d660bb324dbceb4503870ae4791ebe1b582fe9b530e5742f5a3ab2a2450635ddd6c9c0181eee2fe283e5157fdce91ddac358baf2891634bd0590dcb10

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
ad9ee5ba112da4e6ec4592b9492960e4

SHA1
596f422d60f09b96b75c7573668fb32cf1af3202

SHA256
21bae3c94a668484f5aac02f8cdb1a905225f1a8b7b040f0c616185847ff1ada

SHA512
9a12538b122ca545a9e0202bb398d09affe5ece9e745ef9afe97ca4814c5e2d05536b71a2be75e2c23b32c942fff8f539d8e238d6ab9f44ff306ff9e808639c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
e90686eb2c93edb2f10490bfb5ecf91e

SHA1
204fe844f7d181708a6974b91e7fec5cfa00091b

SHA256
536e2f9150d1e51e132ad813918ab6faacc3e6c01f06b11130b5f96a68322360

SHA512
db6d702a1775b631c1d454bf3aff7e66067360098f6f26f66a1ca27b6c026ba51e4557bc4964c3a37db905ed52926f971f93d00b7118d5b6b565ea9d85ca3d37

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
85f8e1d82b75bc1e0a367bd803c3c2e4

SHA1
ab643b1f14474836b3a2faa802d03e227b23d2d4

SHA256
6e7916832c92a9eb66947f9e697bc87c9a2551d2270d9463143a17344b8cfc4a

SHA512
7860dedf7a1434a5d39adb71203f3f53199f46361a6c5d55aba3551e84f545ffadf47aad3d4865c950ddaa778046b182bd9b0312d05c9282cdf76b3b58d4e49e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
735d50ad2fab560c1786139b26aec486

SHA1
7ccaf55bc46bbd1f38d3b39c4205b77f7fc9efcc

SHA256
b347a44b872af4d800c94b2a4c1d9f629a3ed7cd8107a72b41332eaf11fbcfb1

SHA512
e371264c8fdce61f2a113aab8fee8b743daca0c1f688251ff2bb96b3758545d2b8301676d9061c2991f3aea72aa78a7776d19ed3fa903264faeefe9e3fe0b418

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
61f51ef4c749977540451baa47632167

SHA1
bb9f0c5d17205316589cfaca227feba29de7f324

SHA256
536c04cf0c28c408eae391476b9e3e192dd595ab2d9dcc657eef9899454b2f33

SHA512
867fc234780ac7f432cc6f6b256117293fffb720b286397b8e7856830821ec5a81dc7753c3cf4b25d6aa3fc9a5b2255270a41705bb3e393da862f00a1b1abcaa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
e61174bef2b209144219702640ecf46e

SHA1
355f4fb81fed3c355cb55a3977c15d123daba65b

SHA256
15a3be4b59a2976e5f95ed6ca199a48f80c00cfcc71ae4169841568e3f8f4ce4

SHA512
2bea04543e69a4e959f54ac10e4144334d97e5abf8b4be413d88892472d9aac31d28840e2dbddbcfbf02e50a614568671f0691abdf4fba3160b1daffea77539d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
feac420aa14cefdffb22713ada779ad1

SHA1
1067776a34173d67f2dd7a49ea253c57dae3e2bc

SHA256
4098021c2e7f29f71657fe8234cc102a00c452a20940ae34e718ef50a71f09bc

SHA512
9c58400113ab8b08085b0c72cd48c386c85bc257548744c037e2ba64c688c72ef1877a709ab21b7c1c00c972bcc02b88579495c17e4fad11aba469b6f5bde935

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
731a1d2cacc229b56f32038b0110a8fb

SHA1
5a7ff97cc58bca11294dd0cc9030086c483705d5

SHA256
ea944a82cfc4c4fd80cd8a2a1763dbadedd21f69ab2befe386d725e76f34761a

SHA512
a0919270e2b76f4140da79146bc23cbb396a033a472403af41f777457219976f2a6ba1d39e581b2186d40cff19285ce9b36d3ecd64f3471cb96d6ea968f0177c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
3d9a66f2cbc1064f1ce0a9db34627564

SHA1
38765dc351f65b6ddaeb072511a1be4d984a6074

SHA256
bbab5eecd958ce7cf5b6131127336283a441cbc7511d564ac3e9239320993c37

SHA512
7b5acf6d4f55cb6cfd9faf562cb5f1592684ef0dd103a0a75232771122d4ed8065b35529e1010556994d064c64cc82960bb133725e7ec76357e70ee57779a03b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
a2d7d1c79e80ac72bc949738987fdf0e

SHA1
a53d2fcd9e5fe8d012ec32d22818006bb480c6b5

SHA256
701f71c305128209606c566667afede91563a1ed996567ef85aa1598b5eadb80

SHA512
64fe7af3cc37c1a729500ebe598d0c47de51081f78983abe604e443fc502f561d18a08d5dd26835a8455e6378a8431fbebe3612b2bda51ffdb683401f64fed53

Download Submit
C:\Users\Admin\Documents\RenameSearch.xlsx

Filesize
9KB

MD5
d84dc21663ac86fb84b4dc1e962210c6

SHA1
8f9d32a71d864a0d6ba1c9835795308e3dd82d59

SHA256
6161d74b3787440d2da11ba8ebffec3c7f62dac41bc24f6ec5bb151b37148600

SHA512
8fcf4949074f58e76355db5ab6d2be0203b61c646086da6edb9342d1e7c93b796ff93ea8cef83d7c2be055e8e9240628bf790f02d4ef0305ede5757e342e5fd1

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
b16b7add5a7cea6615b691cc33272ecd

SHA1
7cfb4fdd8c84f3518d542395c7e014e8c49727e6

SHA256
4175ff072fa26b53baf4c42750dc998eeea8c13f29ef3c0a0fccde0362e8a697

SHA512
a26ed4f6bc483572bde8ee1ee750d575e8e1e6f2756505fa2a7c23e9cd75a81352936e40ac581c717791ea884beb0db85bfa895027d48e6f4eafc8a913fe56e9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallCommon.sql

Filesize
24KB

MD5
7497c087a3da874668d19c22c50a87f8

SHA1
c479cd4d93678b90112f45fa649a85ab442aa8dc

SHA256
43375589c0d8f88db5a56e2cace01db528901fba53112ccac9c7599a695d3ed6

SHA512
40ccfe68ec49502f1acf96e10381fa2c2fc7bec1ef6fb67975251a7edda56f5639163345933fe21a63cd9b5298655cdd05cfc1892346940c9118e3a5eff69790

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql

Filesize
54KB

MD5
c1512547915914e7c189d211a82241e8

SHA1
e084887cd497dada81f1687a12988d0d18e54a6a

SHA256
760a54b3641fb7cca0dcd91cb40b01c63ba861db9f90f8406cbb2d362b95c042

SHA512
119e4b7685aec7059aacaa7be253da8db02f95af59e573f890833135d5fa020800651fae2d5744864794916114c4fb37cf4ab8f6f228e22cf7b1d30ccb41ff53

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql

Filesize
51KB

MD5
d81911b2e6954cd40ad650ea71988abf

SHA1
7a6e901f33f975a7e87cdf5b3bf83a33d181eaff

SHA256
886e94a9d9ab98e9c8cbd9d5078277cb831a046eebbaf334ecaf775d5ea41395

SHA512
4fcf4b55de4987656153b8605830fa9e5c2b3532c3080ae698bb671411ebfc17e88c3df8a0927459c1ef3a99eabe1f21b80d08bdc0016ef4e5f492a3132e81fd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql

Filesize
34KB

MD5
e70f90ed9ad03b1fbda7b574938a59d8

SHA1
921b41285e6f6a5650dc740fd10b8124d0360fcb

SHA256
587f8e85ff0c5a29c3fcad6ae9a925d7d648db2f2430cc1ffd77bf101f139ad2

SHA512
cd76538a6b0745d0e8a1a5808d101414f83b58c656c1068e59637ec90006863a500352f217f2412c055632466dd3cd47439c23f7458f67b71d3368fd4841b2ef

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallProfile.SQL

Filesize
20KB

MD5
83cc3ff8578f31abee66540cbff4f422

SHA1
845be9ac25babae73dc5cfa1b598fc50cccf303d

SHA256
2622b503767c00ce292bd572b9378580b43269d1424adfa2e9ff8eac808a87d0

SHA512
8d8e7b44b62571b7a574d38efe25e6c21a9f816498c27117676068e623b5ce3a245f5a4c59523adf0be923d8cc67f1ee7be8eb89c869105fdde5fcdcef311fe2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql

Filesize
33KB

MD5
75e9c640523c8400c941bbcc74da3e7c

SHA1
1c1275322131b7166e57e950e20007b3cb52e5b7

SHA256
f7d0d9d8c39117f990450206642b52fec04401b45a79e42b70583dc7ea2e7cc8

SHA512
9342d3cca5544eafc5d4304b495b411e351939ad09431dd8cd7efc5851df0d74da90434bed7fbc7cd1119a399b2ca589ded665f9963478aa9140b382434404be

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql

Filesize
50KB

MD5
dbc0f9949992cae6be61e2f2ca30327d

SHA1
d5dcd522af48c4dd905f242176bd4e80aa0fb262

SHA256
e6f2b8a0b68d8c9306b45c79f6853bcbc3f85b11aeb51a57bd0858f3880b6839

SHA512
c3c6708f167b45fe3044f1b58e3bc211e5cf1bcf37cabf3f09b51e0222148cc859137310c3d1c3200387f69035ee474a0129413672ad3c48059d1287a69a0d35

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlStateTemplate.sql

Filesize
52KB

MD5
bbcd27db1745966a1bc22091fe51e83a

SHA1
d87384f6215848210981a705a2f62b887ac27dd4

SHA256
80c5f84fadc2dba93e5aff966d66ab8d9814c8a4748faf3e8bb1214e1a150d75

SHA512
015bdae81ced18aa4e6e6e698baf38a4fb0ea5976fda7d732ad232524718d7d867ce222fc9f46427801f7dbf64476e36834e48d9ed3983ec4120cfce71190a12

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallWebEventSqlProvider.sql

Filesize
6KB

MD5
d93feebefa356bde982eb2117a17b2a5

SHA1
a2de5e8b29a4bbdd34af00deb17847588c1587b5

SHA256
4f7ae1ecbe06996cc8cd5fbbc38d7bee154e30575ccd6d51970d98d400f69fea

SHA512
45d2c091001c2daf628b33ff0bf2d506c2577dcece802fd520fde616fb5eb1aea4c9dcb45f28c32c6e77fa955fa6966535957741460528ad9764f6d18d9873cc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UnInstallProfile.SQL

Filesize
4KB

MD5
1d7bcce60394e087b148c9abeca3daa4

SHA1
7f95158c8295568e5c77aefe8096961f66a7aa7b

SHA256
df88feb5c8136d07dcf24fdff037e416be9506a96e97a223945bb020f118b9ab

SHA512
3c83a5975d61b5be51f64c094a1dac8315bf779fe7aa4915e24a69b70e3046f545e1b0e9539d9b972abade97751f90651335b2b0c0b5ae0fb6a5032387a2431c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallCommon.sql

Filesize
3KB

MD5
61aad74f9a3edf709f11469e8b52a433

SHA1
f6519ec452667bea209b73a0e30a30f04b3210d8

SHA256
e66f0e761598e5f84ae4087ebc502d79c2a117064b2c45f725ebab5e40ce59e6

SHA512
bee2ede482f5ddeed967d3ff854b95adb74cc8a2d452072d9c2f7f8d2ccc2b60347fca4466612cc24b178d0061e6249dd41f53404a7ef072d000f154b18b9a30

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql

Filesize
6KB

MD5
d010626df71b6aaf6b2aa85c3e504ecf

SHA1
741a41b7dc1653424c3c989c70f35653e2336f83

SHA256
3f2e5c8a38ad871d32a9ef8183d75a45bb6cdd373966959274610f6d6f49fc4f

SHA512
33f1f70eaced1dbd633ae8769cce165e5501d59fa6971733657cd7f4f6b6f7b99157e41064e66d6c8f8ec0b374e8b10afb119ab9c885cd16c8acd11f055ee91a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql

Filesize
9KB

MD5
6bcc8b0d26edc27e31b7c2b6b38e9626

SHA1
b9b22d13867d7edfc4b3ef003bd0b179f1d44f0f

SHA256
87054856cb58e6b2e4dd19db00e98813a41174eabaac9d826d7cc375657b4751

SHA512
55d636facb4da1f7e7200b7dd068b792bc46e0503632c5055de4323593fb48c67c774fc5c8996d4cbadb158a461f97150ac4d15d12039d88d4b8f2785f229907

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql

Filesize
7KB

MD5
1d139a7ea6da8cb268080e52e7088f83

SHA1
bfab81c1bbe194acb5d415a5e8231f9eabbc46f9

SHA256
67622b4b021cde3089c7ce3abb3f394a2e06583588becf702eec14f472530bb3

SHA512
82e7c8fe7d9d0525e9c22bb35d1711b1352275dcc1e6ccfd24994bc7b553261f6d8e8fdb54c9c83df21a766a7a82b2a5bc75926a6f3983158ed455a0d7cea27b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql

Filesize
5KB

MD5
74c168a8b2661f7f30ae356a2a264d17

SHA1
46e4c617cba2d0d3cdbd320bfcbbbb88a59a7730

SHA256
e1fa7e2ebae224b63effc4545c35fb5a88336f564df3b4ae3431f055c9e20280

SHA512
59a35fa37c019bbfc09524011579f5f232793b6cd83ee7cdaa32513a4b6fbb1680a9e44269fbf90c596a8d63bd66d58ad7f0c1c9bf089ec25ea319954b3b759d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql

Filesize
9KB

MD5
2c4d15542a775787e416a24a5ea42528

SHA1
c3d6f7a5ec380b67b4176c4dff194cfd7d06ce0e

SHA256
f1a22545c502ce18e466e67da81613209646f945da7f7cdb702e3c82a1a07483

SHA512
b353e90ec3bb39fe1ba07688726103a23e3cda1aa2483ecdf5559004ea88b0dcaf9bc52a4ac61d5635ed57b409eea559fe1859c7d01322564ab008c6c6222b9f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlStateTemplate.sql

Filesize
11KB

MD5
b36d4b95b72644a22b9872655cc9c107

SHA1
8eac430372cd355cbca2532029f372fadd3847d4

SHA256
ef075542a31885215b85b1374024720efa3120a7d4ac7ed9e842c24a9de4ab64

SHA512
969d490eb5f8193cf753ffb38a4da33dee9dd8f5adb7e8a37af45c92335ed1555cf45b003fa1aa7b98243c1022c3d80edce2c4bb2c56e8bb5dfa4d10268f68b7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql

Filesize
2KB

MD5
6c8e7a78992c7ea9c00bdab0a5a29bd4

SHA1
71769593437cefe003b9e3e0a50e77da3cf3881c

SHA256
81b8381d13bc74ae9c86d4a91a8c311f383e54cb689a638306fce4711da0f23b

SHA512
6674b0f1c807669d893c378dc83bf2b95db2201299c8d4afb06bcd5e8addae7c11ee77fb93b2a132ec05bfc6443972e9a1410d8500fbc5e8e49ce9c23f7a6ff0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
8a131e686f2b7559aa448ad87c8a0132

SHA1
f88ed9c516826735a432107ac2dba6c13725b199

SHA256
a83bc2250f4f51be3fddf5baaa9bd12e727984467b3f4dc23db66167366c487b

SHA512
53bfec80311d91e1a08ccb9b466605f3b6d1d7959aae8105fcacf12abdb8e5e43561737de13210187f180f637962f15aefa97c9bdad753bee2cdda40f476334d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
9e6538e1ee09f96bd696ffdf941b0c31

SHA1
8bf05ee8eabcb10b77a8dbe9ad523ccf6f593110

SHA256
f8e89edd113c82ea85647c4f4b7561567e51c0ad2b8b5c4edc4d668813b63e5d

SHA512
95f72b43725e93194be0e1c14e87774147cdfdba8046cc7283a22e90ae7f2e4e2c82b5d4b0da3302e80ceb9f2b51e73a7bbae3522ac9cd3911f9d53d39a93539

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
42c0f6f58e6be7b9a2ab1fd075bbc55e

SHA1
b924bcc78ca3515a3d9b71d6610df25b9b3ea4d8

SHA256
82ded1476660bfd9c7157002a3030e3b4742f2cceff60f44c0214b2b060ce0e4

SHA512
da20fac333e63522730efa004ffa338b25970775a3693da8aee45af8f4977059ebb59ab6c4b548cbe40a0675966addea7bf4f6c70661246976b5e884b39af8d0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
65dfca25c9f496d84a2c1b231442c5b0

SHA1
c1a44986ae16b985f4d666ad36523444b6d23933

SHA256
ceb8c1d2b3c079833d7b19e93c9a8c0f7b6ca21151f564ddea481d963b402de8

SHA512
d2b8ee94a477357a2b7d5cdb70cab216f5cc85bc26788896bd896100757f8eee3087fb957f5c01f2b26d975cf0f9e8bd007faa4706b6e50412ee3e230047199d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
96cddaa44774e82d7aedc762665122a5

SHA1
58337de5dc14d9d1b650cb8ad048d7b021e07472

SHA256
eddc8bacddd596337b4981eef8468a6aa817786701eade0742b799ff616421b4

SHA512
defd1153a33c4470b96d401639eede169c22ac57a3e1c92c258d3e76966f1b7b01a8aa055dd2828bcb33b20e276a70e7775de74c4aac39e4c0136d93eae58a98

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
f25f79fab2656119ca12fd4832de08f5

SHA1
a5eb7a3538f4437b738335a14ba55ef862294a4f

SHA256
a2b83ec797c25f2f69d9d55618fa6462cb3f5de692c6183c0cfa7e877a6f3966

SHA512
3ad26bcf24f111a7b8c3b266b41337809a08ac24c0b1db9007759f53fcc704e6fd6ae6752bdf67eb05a3e23df0efe6b7f3ca94ead6bd8688d23034ceea6ba25c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
00bf6bdae4682f81c2575d04bd4978d1

SHA1
c33b8cf1852c1806ae6af92fdb1bece081e1acf5

SHA256
94b4ca1eaa2008cce5cd2a723fca7921b74058e5f314d3f8102aacf72f2617c0

SHA512
e47119be4ad9f29693beced9542f3be7c542299cd6ec93f5a19fc97ce27cb51699b855a06415f8fd8c390d32b2fe40c4af9cabc875ea722eeae6fa3a221f8076

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
f0d736c834fdadbcb62fcd6985125005

SHA1
dfe2836694900f5f2adfcd49cc8ae7e793482ab8

SHA256
1e7c219bb4604d435709a121e1afe4022549479f5c0eaf1bc0d5fb5af385a707

SHA512
111cff8bb0c51c30fed2b2557fc1a71b0a4293e7b7fb7a100051255deae90f5809e838fd37be82dfad288efa2e6369050487fbbb04860fecaa085fe625e370e5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
51cd650a2589c3bcb1a747f3a5f2de0b

SHA1
2cef3e6720773715570093806010b42c7d3dec29

SHA256
27ec5aba2b778260f91ee4b8996baddf73c92dcb02c73dc6360a1337bedbc594

SHA512
1609826d62336399fc8e6e20f796ccf71eeb8deddb3e760a31a48ef956ad9755ec248bc50b723190e0f763a0f8804896986edf9261e4fec4b89a02da55585bf9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
77bd4f8807abea386d744ba96c33b8d5

SHA1
d9e81e6f355a8d60c4afdd31fa40de753f3ca8b0

SHA256
485b8cdc78c3db3be230e9049fd3146fed497adc92060ecc056cc8fd5e4bd24e

SHA512
ee093a3c886359bbaa993c555b11a0ec26b14a29fd731f2a8b7e99b301b3f65144c4e7cb63479a2a4c7a49a316d69960d234125a2a6eae4b35f671fd4ffbeb98

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
417c58aad74b0cd90e76f77c8d2c2ac1

SHA1
b4d89ea1738f85e1a73a03f8a38b6454f9dd45ea

SHA256
41f2b910cc16dce9f4ecc40a191ad5de91485398ebb9668504c03e17a4e16e5e

SHA512
212e3b9e957bdeb5bd5e382e2381ebf3cf7cee00cacef60dce44e7cb697059287e8622efa54be63a10100d24609c568b2f2a17c43d9b852a32bb966cf26cfbb0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
f45e0aec75bddf174dc418ea3669cc76

SHA1
7b17407b945d748715714fcadcf5c54392971870

SHA256
3a1ee21a59e73f7f4e8b7535501ef6b0b528019472d9e5c5778331758e35200a

SHA512
7c8460d7665034838ab8862c286394390750501ab9d681c52bf44da7824d620d85d7ff57dcbe761f4a9a091c6de7be89efaaaa1ff4ab4002ee5902bfac914b15

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
a3b3139f75205d176f310bc8d087cb5d

SHA1
92825048c870c302d7e4d88df8cc4e98233a5837

SHA256
f4d10fe6cd6ff7ff82d8002606c29d551fd788ba4b8a623003e1c5c6bcedc843

SHA512
028bccdf0968818ea38777290e822d128a68a9446214668d417b6afc04cd191adc1a215dc529e3e58cba982aad4bed786c8fbb98e0ff3683dd56b10fdebcdeb9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
3d615f1cfe48e6b70d468e544ac2b576

SHA1
3205d086f7dad7f589beb2a240d7207f901de8ab

SHA256
464163505bea41ef2cbde3924b909c072a42f7421772aaa11388caf9c971432d

SHA512
d5f708106872b157a370522b9ea537d71fc57478175a532cee21a1aeee114146f5c9e1615c25d7c8f2c54c74134706bfc577b671bf3084a0aa8ab1b97197a542

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql

Filesize
23KB

MD5
b1f265a99bc7decbd7149056029de05a

SHA1
1abdb6381b8f5546ae2b3f7d5491c858707780c3

SHA256
4fe6af3082b244a57e3d3d13bd2152ff3a724c69ddcb7c052f2b65a7f69ed622

SHA512
eb372f01e3530e5c7f9a6c8fda4b8317ef1f966c73dc64fa7f5377959bd32ffef5b7f2bc0c141ca5cda240f7e8999bc42c419dc03a553035325b9de6bec198d0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql

Filesize
4KB

MD5
eba0f1236a32b0908c2d59b4ad7802eb

SHA1
8545a10beb2aca9393c7a86963a32e942427f0f5

SHA256
6b75af745c95d23dc641f95dc257e00d83b5ee8e7c4950b029c06879c87cd897

SHA512
bc3ad1c8ae735357d60294085a780f443efe6753f418b1fd221c7ff014b1829c76967d759d11df75bb1ffd918e18abe2fce7484ce238167a96a2aec7b40a379e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Logic.sql

Filesize
372KB

MD5
cbc7fe675cd619ff9e085bdee48f34a1

SHA1
b7beb0e5ce5ea8ff6f87c30c524fd2f0ccd7c5c1

SHA256
c973fb484621e398c3ee4f4ee7779e8012c1bb8992add5ba633a4aafef8a52d3

SHA512
f1e6960ad7b49972b7c6bc17ba72636dc49097a53858b7443932a9eac9470c8e28258c53809ae8e131e924ea5d366e2ea1cdd848fdeac8528cd972eed4d9493a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Schema.sql

Filesize
49KB

MD5
2f8137035243f883794af0c7487d29bf

SHA1
e84900a6e75b347c46414ea3d2aa4138d59886ff

SHA256
2836550dd82ef09a45225b1ff42fb5162cbaf68310e53351092098141df51450

SHA512
00a1cc48976b24a309b4beae9c996eaac00925c630779e9a29be1362d25b9d413577dca76db42a7e35a2e08050d60dbd9bb69fd9f657351c07be3b8a66b33a93

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderLogic.sql

Filesize
2KB

MD5
8c19f0110527835fa7cb4636ca89cb3f

SHA1
917e441248181b19772a73b055bc8e9cb8064e33

SHA256
54de6ff987682096f635cc240cab77f16574ee773e590c2fa2b5fe8a5f5b032c

SHA512
b8eefe3f582d9cc9b216ee39a5f82359bf93d77a6a6e95826a26fa587bcb6e855d5586a1edf8ac7f8dc9876a53bede3db21d06d9c39d756a2d2c4cea1166352d

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\SqlPersistenceProviderLogic.sql

Filesize
13KB

MD5
ea78097e2d5a1747de7655a13062035a

SHA1
e7c0e4dfc2acd655a675eb7c9bac033166495ca6

SHA256
eed0454beb5294a2b333786755e86db26340368ef5aa4b3a7ab530b175dc2cfc

SHA512
80ce816db5094496005c1c86f49ea1ee35f63813d9abfc8efa33fea8a0565ba47f9561b05ed42b0e24ce2a990687b450bb9261783e467fa7b348c9cb4febc53f

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
9d2f60aa9596646be4811f64c46b934e

SHA1
8465fa76078f03a72c7601a50635cb3e5af0ff48

SHA256
e2fadc0fe552276112e45dc0cb882fd6ba584f8400ab045b98b81d9d54ce33a1

SHA512
b8525331e43d57ff558592291eac4d496e273806af30b42d0e71e8bbad22c9011785393c5a8b45bc2059d9ae117ac98ba7b7eccc741453bb3025ef2446466410

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads