xorist | 11ec85d272608f8881938b99dbb33bf50ba28c73792bdd1c09a916807c2ee832

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16/12/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
Size

209KB
MD5

f68315e570819c3d18ef132ffc231242
SHA1

fb55b76cda3d3bbe60ecde74aa6a1a7be22a1a9a
SHA256

11ec85d272608f8881938b99dbb33bf50ba28c73792bdd1c09a916807c2ee832
SHA512

d2c8408925272720c9f64eb28f3e9c872ca075e354d7cef66ae1f6e44468824ee63f7aea4cbf47381816bb50755f57ed7fa34e2118bd501daca4a3ddb03c7cc8
SSDEEP

6144:XQEOMq8yymOlLq0cxiz1oIF6RAN7d3lnPL:XsMq8gOU08MeCNNJ3h

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 7 IoCs

resource	yara_rule
behavioral1/memory/2876-12-0x0000000000400000-0x00000000009FB000-memory.dmp	family_xorist
behavioral1/memory/2876-7147-0x0000000000400000-0x00000000009FB000-memory.dmp	family_xorist
behavioral1/memory/2876-7148-0x0000000000400000-0x00000000009FB000-memory.dmp	family_xorist
behavioral1/memory/2876-9110-0x0000000000400000-0x00000000009FB000-memory.dmp	family_xorist
behavioral1/memory/2876-9111-0x0000000000400000-0x00000000009FB000-memory.dmp	family_xorist
behavioral1/memory/2876-9112-0x0000000000400000-0x00000000009FB000-memory.dmp	family_xorist
behavioral1/memory/2876-9114-0x0000000000400000-0x00000000009FB000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2193) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uC72N75WnQhQ53n.exe"	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_neutral_3b741ca76444b9c3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Comment_Based_Help.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrm\0409\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\xml\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Language_Keywords.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Session_Configurations.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Session_Configurations.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_operators.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcpq.inf_amd64_neutral_fbc4a14a6a13d0c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\WSMT\rras\dlmanifests\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-shmig\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00i.inf_amd64_neutral_de104aaa48ee4b00\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Command_Syntax.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_do.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_While.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmolic.inf_amd64_neutral_a53ac1a125d227fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_neutral_b71dd3dadc5c3e27\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_providers.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr008.inf_amd64_neutral_27d1c9a28eac4eed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_transactions.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wdma_usb.inf_amd64_neutral_7bb325bca8ea1218\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Special_Characters.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdcm5.inf_amd64_neutral_0bb09f3e5a59f3a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Parsing.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlasat.inf_amd64_neutral_bc1469ba40fe2114\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Automatic_Variables.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Foreach.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_parameters.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_neutral_1cb648411f252d13\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-audio-mmecore-other\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidir.inf_amd64_neutral_5b48c4b1b49ca54a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsier.inf_amd64_neutral_622ad8125bbeeda8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00f.inf_amd64_neutral_f7f7e179d99acc58\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Foreach.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmhrtz.inf_amd64_neutral_10affee00545fb45\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx008.inf_amd64_neutral_75545721835fd863\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\slmgr\0411\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Language_Keywords.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_WS-Management_Cmdlets.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Path_Syntax.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Throw.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\WSMT\rras\replacementmanifests\Microsoft-Windows-RasServer-MigPlugin\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky303.inf_amd64_ja-jp_b054bb0d59e0a3ad\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnok302.inf_amd64_ja-jp_708c81a8b0ad8846\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Path_Syntax.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adfcfiiknppcffhk.bmp"	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2876-12-0x0000000000400000-0x00000000009FB000-memory.dmp	upx
behavioral1/memory/2876-7147-0x0000000000400000-0x00000000009FB000-memory.dmp	upx
behavioral1/memory/2876-7148-0x0000000000400000-0x00000000009FB000-memory.dmp	upx
behavioral1/memory/2876-9110-0x0000000000400000-0x00000000009FB000-memory.dmp	upx
behavioral1/memory/2876-9111-0x0000000000400000-0x00000000009FB000-memory.dmp	upx
behavioral1/memory/2876-9112-0x0000000000400000-0x00000000009FB000-memory.dmp	upx
behavioral1/memory/2876-9114-0x0000000000400000-0x00000000009FB000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_underline.gif	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)alertIcon.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\UserControl.zip	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\attention.gif	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_ON.GIF	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Empty.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)greenStateIcon.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PREVIEW.GIF	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21503_.GIF	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_right.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_right.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\ext\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VGX\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_spellcheck.gif	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-full_31bf3856ad364e35_6.1.7600.16385_none_ce3a164d3f0fa152\15x15dot.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dns-clientsnapin_31bf3856ad364e35_6.1.7601.17514_none_d87694fddc641eab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..acefilter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b69f8a6e1a0e8d5c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..ibinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f533fa19c2545bfb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ents-mdac-ado15-dll_31bf3856ad364e35_6.1.7601.17514_none_0e384c71cee8c9e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-powercpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b903a137d3814862\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rastls.resources_31bf3856ad364e35_6.1.7600.16385_de-de_061fe20a9aefc90e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..nvservice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a37364712fa6d3ac\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Raga\Windows Ding.wav	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_11b913172f0cb26f\Windows Information Bar.wav	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-acledit_31bf3856ad364e35_6.1.7600.16385_none_67b7d66bbde58bb7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-usbui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5f8461ffcf3b4029\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.certmgr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f0e1c30ee39da2c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.sys_srv.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ef079b506bfb0485\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-e..nt-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e5c3d3ec6ff64de3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-artcon2.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0c6738f8a382c2c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-metabase.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3bb0d8e9562ab8dd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-pnpui_31bf3856ad364e35_6.1.7600.16385_none_bacc830144fa7791\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.1.7601.17514_none_8e140d2bdc47c0be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-hbaapi_31bf3856ad364e35_6.1.7601.17514_none_b18e5ca4be201fbf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-onex-mof_31bf3856ad364e35_6.1.7601.17514_none_c6f691d4b7641c87\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\TaskScheduler.Resources\6.1.0.0_en_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..iprovider.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_99195a03b9496b17\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..rotection.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1b5e409ca9d9e556\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx-mscorsn_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_6adff9151d65c2d5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\cronometer_m.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..rtmanager.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8836b2d4f2350b58\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netr28ux.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fe0c970433c7da31\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_avmx64c.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b3b5201f217348fb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..g-jscript.resources_31bf3856ad364e35_11.2.9600.16428_en-us_364d9e699b7893bc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..spp-tools.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cb414a40d328b0e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-icm-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_47b30300d9b33c14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_bf4980401574a899\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_903492adae06cd88\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shwebsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_317486d807bc1a5b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_de-de_9607090a62996442\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Reserved_Words.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-recdisc-main.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9298773bd53a98d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..ingconfig.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6ae8dba947450861\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_44b0c76c35d4b76d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmbr00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_344b463ca3d98840\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..-nlsbuild.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5f2ec58e71d68339\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 07.wma	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_scripts.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..tx-xinput.resources_31bf3856ad364e35_6.1.7600.16385_es-es_01eee11bdf6f7755\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-fax-common.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d473fb8d0da700d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-last-quarter_partly-cloudy.png	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_bth-user.resources_31bf3856ad364e35_6.1.7600.16385_de-de_24133cd2d8214d5d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18bebc54f8bc1876\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-system.data.linq_31bf3856ad364e35_6.1.7601.17514_none_c7e615d52227d49b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-ie-infocard_31bf3856ad364e35_8.0.7600.16385_none_db9f62972951c844\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-r..ienttools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_58b732443488136f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..extension.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e023b9032130c1b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ed75d5ee87c3a271\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_split.help.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..-provider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_85f69edf628269c3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-usbperf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_647fce6df7a1a6bb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnep00b.inf_31bf3856ad364e35_6.1.7600.16385_none_ad2d68ddc89d49d5\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-powercfg.resources_31bf3856ad364e35_6.1.7600.16385_es-es_289c11decbcd81fa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..t-xpsomandstreaming_31bf3856ad364e35_6.1.7601.17514_none_0d3e7fe8fbc0cf07\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-20280_31bf3856ad364e35_6.1.7600.16385_none_b124dadefdf62593\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.1.7601.17514_es-es_525b928fb5be15b6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..k-msctfui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1040a190ea581668\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_he-il_3ebf4d44318de6de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SUJJAWIPRFTXWUY	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SUJJAWIPRFTXWUY\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uC72N75WnQhQ53n.exe,0"	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SUJJAWIPRFTXWUY\shell	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SUJJAWIPRFTXWUY\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uC72N75WnQhQ53n.exe"	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "SUJJAWIPRFTXWUY"	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SUJJAWIPRFTXWUY\ = "CRYPTED!"	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SUJJAWIPRFTXWUY\DefaultIcon	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SUJJAWIPRFTXWUY\shell\open\command	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SUJJAWIPRFTXWUY\shell\open	f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f68315e570819c3d18ef132ffc231242_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
314B

MD5
e0c385a1ae89c994721afeef39d106e5

SHA1
140ea8805f6ba381d121601e8e7448de3a7e3050

SHA256
f6c79cdbb8d10c2419ae64bd98f837da80acd9b30a5f58dc902238309d914849

SHA512
05d586abeebe98cd0c89013d939dbb0e33687b85004809c66f8bdc7a5b094093d71362050d277645833d7f515ef075a1849b1ac26af27f32156c1088f7e2db30

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
aea1b30796ebcb1fdfb7c8915017e7fe

SHA1
8977d049d7c9c4fcc96a24b3152cbbe2a066eff8

SHA256
dc97dc0ade7c4f87d6eb15d8d4f6350bfa270b9e35367e882f94790b3d463e61

SHA512
b1e66b14fd0004c47d65fc3de0a6666582599b0b60a362c7f792f0adfe9516959951b0d212e328b667bd5c99cd00fd5b6d3b33ba295166e457e817f184633ca4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
a18e61bc0e840fcd4b3770ea667339d0

SHA1
a7922991059f8dadc2aa3f88b09aa9eacf60afa0

SHA256
98770c15dbf4d6418090a94e95df057741683c96b5145a7d5b74710cedc5b2bc

SHA512
c7d176e2f8f5f8102ba48172e39eef27bd854d1fdf25b4c1b792d3b229328ad30bd62a5b71dbe7202803c0f91e943a31904e78885e9f389f1b6d59ca105c82ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
08fe63559e1354f4535b46dc9ff80d1a

SHA1
930b033dbeed95b1be2747f215febe5445d0d6a2

SHA256
ee56a6b388a2ab32c8b06c6d21706e669ad908922a2ca5cb23a02c93d2af8966

SHA512
63e4cbf9374320283891a355dc959da7de34a18a0ee7e3aa9807c5fda8267f95d90e317082fa8054e56053015ca74886edffb12702811ebb0b2c09582eb5c3f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
8126c87a334f15d6b8c97767de36b0a6

SHA1
6c2460d5af8902006fead4773daf98ce3541829f

SHA256
ba1ca4d03009266c63c19507bf390ae48e29e575bead94fa99e19bd7758be33b

SHA512
099e45676e4d50d3d5542ff733f07ecb8d1be2b8842ec61fd47e9a5f0feeb9b6400a95f77b5e3d62b52386e97a7231174531cf74c09b0e90b5cd5a3b81c478d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
3ea5b050b43cc9357db44b1f6693bec2

SHA1
bdb94097957f705210b1a6c37d9af89e179dd4aa

SHA256
ed0625769dd0ad65b5e3d0db4942652ec4c69a813c201448347ec35014e00de4

SHA512
ef41a80700ffa5a025778e38483f5d60eaf90d576a0af41b51051591ee3328b80040ae608c7e72ac671b437cdd07090acfcc252937c08850a01cceb2f301ff74

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
4523753a66074b99a648c88fe0ec59b3

SHA1
a50ef1ef8c5c93a9a21e8f2905ee5d9b6c19b1bc

SHA256
318909ea7e3580a657dfdb8b4130b40cff2d621f38a34eb928bd9705fe5458b1

SHA512
83e687d7e59ebeff6c2824669a751966d56289768ca59e9ee4d8f38771a1635fbe1194c58d35ee19521f88cf36a5015af6d339b1c5215f3d51da11bfac55d5b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
03747ff1941a903c0491a052ebcb92c2

SHA1
2b158594dff3e731758aefe466c0d47573fda20e

SHA256
5818ac11688218ba2e6549538eff2772a19f420e11602a5cec105efb6e8dce73

SHA512
5c5fd11fbe0f8aa2b97e6a2bbe413e4a89830f8c660de6f0331534aa5f46c69d711b7a8aaec2df1e0da2bb186ad3a9764d1fbf182350eb1dd43cf2faf19d5a61

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
1bc4488cc78d53317f2e4130c9283a3f

SHA1
bb463a43de036cc0c574b61b7a99776b8a1cb272

SHA256
68c204d0ee4f5e0e11b4311ff2837fe461ba4b969f706d94934ffd292e8264b7

SHA512
63298e54bae3f6c38d370c94d04c7f55298cd062c2aebd92c37ee432ff414993f61c7ba5f336659684d80a178175a8e06ae92500e68b9591cf802df5b1683047

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
ef4cc43a5bfabdbc98d5711de8fe8d28

SHA1
34cdab50ac90a13ce578321fa9a152738a3bcbb5

SHA256
4b2bcaaf9d293f2297a0779f30e51dfecbcc9673ef0c3703af32dd04b3decbc2

SHA512
d04e9fe91a11972208c9c52cc397e6c9c7c2dae6297bf4ff0227f13c0992b1d5d7755d59264645cbf3e60fc70654673420fddf02baadfdb0fb6f90377158261b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
75ee99b998397dac03e41de6b43e07ac

SHA1
538a18efe5301d8fb8925b4208324b4288f731f2

SHA256
d1aca92c09640df2e15e8c335745d3e178796fde648774336212c744b95ca405

SHA512
2a3cf1f85ec676a9515a5e9a230227ddc6f5687ec959144b90e4c9fb8afc9bf6780b8fcb02979b00c887c3bdb5e52003377556d6abc46a50ca7bd6fdd3c9d64e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
b3aea318c1082781f47405e0ad6697e4

SHA1
adbbba629b91d60168d7255dd86b066c1ce6e528

SHA256
9a0f0d22a7f271c2ed1ffd3d85f327d8e14dcb3adeb5437d423437fd4ac8bebc

SHA512
367576ec5a46ee7a1d4858d74efa2ec701ece6236bc795a6ae7d989e4281074d8a203bc014e480af167ddf194cea9eedbd416e7fdc971babdd325d88a4172318

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
8a3d5beda8a39d8b4cd5bd6a749d904e

SHA1
d31c06edaab7feb5812568432c760278b17e0eb8

SHA256
66fe8bf28e70c41c61cd0afb9f795f2840c3d16ffb4622c824f250b18b6dcabd

SHA512
f69d468cdda53c10d1e662b43f1d8a67287d901faa337333c13e796195b06552b48ca1168844a246c15303c738820238c709e0b009738142d5de6bac4f1aad45

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
59d8d4698565154c859e7cafbfa3611e

SHA1
7da4aaac99fe39836613d410e0643775ddd198fe

SHA256
a4d1be363e78e5bb09c76bf454165aea635905d1c57d2d2946efc2b10ce80f39

SHA512
2807bb74df11587a6dbec721910df885b5c14261c3cd46d76e7a2718832e0dfa2bfb3ad6a1fdb27d624b7d12284e9f9ee1135965ccc95acf4667820c124dba91

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
646f6a0ae0c81a65b5ea9d0dc939156e

SHA1
e1396482995d07b286b1e5bcbb2c5bbf8f42bdb7

SHA256
8e1cac1c28553a6687cd0602af91207b62eaa7d7124230e8206fc4dd72e9f56a

SHA512
b841a8fc25607b81bfef4820d92fcd22ad934ae43640d2aa1549e8b61e82127ad0b0ff8ab8acf9ffbb3bf569348654014263cfcf7628f0801a46d30e93400548

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
d49a09349ba3a4b661b5aad9edbe34bf

SHA1
c587cbddae5c65747262ac84d34cd4f505d1d107

SHA256
9c503672c448c79a1f348a47963389929e76df48035d402fdacfd9253873fbc0

SHA512
7613acad5d9d5080803289c0a2ffee94878e3950d3f14d2003e2f6e79eaa904eaf00c771c732019fe5cfa07218b8d540507e32ba668fb01f8f57352f0d1fb9d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
ff7202fe0a3a22d10c27b3a42f6014f7

SHA1
2946486f56dcf94dd2c453d9a6ff932e204e53d9

SHA256
03d71e3375c0f71b61797f5519d20a0e1c982d91e427a16de52d0ae3e66513e7

SHA512
e4be5b77839acbb9685fa7e4dc2d7d62bb51722e2786f0a688c4bb1b8126fcdfb828d41ee6a18bec0e88b676a231302c8b1af391e9817bf652fc92f14cfe6e4f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
c1f1f45052c38c2958739220d7499af0

SHA1
4584c79d9e22683ca50df6b820095e08aa289483

SHA256
6e664f84a792cea3cbf09fcf1bf1c74792837fb6b453e9dc4e9cfaa6e58ee972

SHA512
8c131f4d9e0e8f4aa107d770342becce8a3d7c659fd434a037aef82d9af8678c21255c4083080748e9cf8882bf62a33e05ccc7328f5a5aca995405986d2bd4bd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
2f93eea794503033eb7dd560d45748fa

SHA1
cfc4ec7acb1a406d68352f0953ddf4cbf545c437

SHA256
700c40e26ad0c1a1cc94dc4bc402794cb4437414836d68cb8909d88db63b0584

SHA512
ab57b1f2caf9ec4af2ccd172eef2fc2a63dacd8ce4cfd765ff14a4e92c9e2126047266ddefac7ebb7b90426c3bddb96382aac1ad3cdd6d7c010d1a793d310dd6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
8232cea8742adc2558a5f0120ca8f27a

SHA1
52a1cae41870f765ebb0530678ea47028a80f3ce

SHA256
d94f32616e3ae7ede549828f57cb8f5184aa9bf0652243b2363f6a1e65f177ef

SHA512
f26e7d0ad53d75402cf8b4455bc9858b3b1ac82cf42935e578a22e6530082cfdc057b4f9af612cb66c50d3e709b9c8829e1122be203672abfd2860abf68831ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
d8c2210060a8b95fab883b975460efda

SHA1
79500de9ece5b31342e98b36e8721584f45287c6

SHA256
e40daa392c5255492791823322de6bc0f0701e6023faa8bf19336986dc4186cf

SHA512
b764aff372dfcec2f4bee9a51760b1650680645ab1b55b83fd51872820be01ac64d33ba683e18dd548200f457cc0d0ce4c6ea5ba2ee26137620fb82ad1d099e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
75e7c023db7ddc1d80f7ddf163c690c8

SHA1
200a5fa7b8219f5e5220df588921a6c753af4918

SHA256
cb7517ca18e2d23e19c5c4a797cefe4a0392fd5ebcd4fb4c6a1a255447491a01

SHA512
c59949ee496c7a3932714e0940896db5d23265637da47d41a6a395f37ec001bf4a56d895f320c8dfdb82798c7b45c79e30cee15af5a105cb04f5c4a837301488

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
15bafc8f781f1570fcc461e9efaa9837

SHA1
976a14467384f1085d9de9e256620baf1926017d

SHA256
75e09cb9cd3ea62844f2a9531877aadb48adcf10596bfb2270a7bc7dc6f6f30f

SHA512
044603692262bf5daaaa3b29076ff0e4df632c1c7d81a3a85fd2c7bb25793b18b5585dc38d365b8d0b6f49c6461a6448feed3f1dda7e79e492af4fe9bae376c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
b09103144f7f4a65b9d7409875239e4f

SHA1
02e624afbca67527c6d4e80dd4a2183e0bef21c8

SHA256
be5692b524194ae22616862dec7df388cacd0a435b0087451deb46a8bec77836

SHA512
c87821c2c438c4e2a9b0197c0d0ffc63c140520023e79738038fa24ad6775117db8c9a524a68496db31ac7c8b4f15e174da21922362d9332afe606cecb1bf8b2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
5c8b8c397782fbced1f6086aeb493d1c

SHA1
a76b6ca860de3ff5b7ee852fb6257ce5c61d209a

SHA256
02855ec31c59251552748dcfe50d97e09d8819d49981a5a56293871075c0720f

SHA512
4dda5b73d2c7af226a6d75d8022fa39639dcfa498c57769323033be4b255791eb06df8ea27b5557ec73f25b36769ede8070b88f5232b7e5aa918dbcd323e30d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
98f7b71f8f5eb5694f34bbcfca45c935

SHA1
0d4845a1d16a1fcc25fa960b1d8bbfdb2c29bb1a

SHA256
f09cd0daadce3856c27d1da2909d0d6edb435282d1aa4bb0b133c071ec8947d0

SHA512
d1287941b43d222fee40e274069724b2cdf3f56127bf4abceb697cbda885e3af78320fd341494d9be70702058b00e13cfce7d7e7042270db9155b6c55123a4b2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
905c189d422e716cad26c37d419ba952

SHA1
2b0635bd0389127cea39d94bddeaf9cb408219fd

SHA256
f041599058ffb3c53a1498b4dbd3c0a2def5d6199d2395515b4eb3b97694ebb7

SHA512
ae5feafb44bef26a67c0e820ac761d03771039f86b88ca7ec368d7d4f5c7df92045db10de14a60f7f764af9c520b340cc3d072b10e57d1a3c0e8f54dead79dd7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
b658626f51c191cdc1ff3212f885e795

SHA1
12526ab73ba751c8f597880ffc88f2c6783b6571

SHA256
5a2f97bf5cad9ed78f6773ee724dbafe4f84065ae016b407978689d25cb32448

SHA512
2c8b1858eceda04507fedd4795690a6100e27df9ee861544b2674a78dd390d0b2f90a6149a25acfa2c3a9787e291f751e7a7f5e410f8f0b3b6ce06195c507445

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
2e9cc9fcf111794fd83a8fcd255bc52f

SHA1
13572d7a8be101561064f297b19f8688b2c2d2e2

SHA256
70a599c5d9381b03e7af0ff4f6b41406fac6accc0214cdb3627cd19d9295b18e

SHA512
f2d420843270b81e4d411961aeb0a36a304792f9cb15a4705b83f7052cffa8e7a27410647bc7dbaf37ac8c7f22ed5a8ff5468a0d0509917dd9a1b7932ead46d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
7880d255f3c30db6676e3ea381a8f871

SHA1
873a9cc05852739ce1dc277d9fd94d27bf7df347

SHA256
efa3d8c22a88b57ebee76b73fa0c9695107faf72b4be0a50f3f3b98e1a4a75bb

SHA512
a47055f1e618d565dd5f6bac3e1ccb3023fae931923cb384bcc68e4e7da725d0a1cd7b03eab5b471616d3a920b7b59e9b82693bc7022d79836ad9fb948a1e781

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
70b241bf19e89a92a48892f289e55f76

SHA1
d34dcbd5da0602f017323b1bb33045854bc342b9

SHA256
3f23f779345a3af4e800170bea2d3e25c8e21f0b1152d9ac2020f37dd1dd2781

SHA512
fe1d051685571ebd9c28ed45fb65c88b64c75b2e791780324d7c27a4f09268a3c024b162dd95a04bd2be526509de1996733798f25ce842218ac9adb02402b64b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
56ad4005851d2b79eb2a1f4c53b98591

SHA1
7c808a528463721ea969aff652557ff1b595d7f9

SHA256
d0e333c524a146a244ebe1be680773d9335ede361aca64a3d1c80c9f794fde39

SHA512
a690a2337453323f74c10505aab6376305665db3abc63f323038477c082433b54533ed902229b264f7301da123803bbc19ad10561938d49a2588582cf8889449

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
6272eb6232d8e4b76c1fa4f1d0c64af2

SHA1
c71341653a27d9af1507b22d6db13435da59e90a

SHA256
0861a7746aa8ae12e5c22fbde4f84940697140d1aa748af42231010025e6db2c

SHA512
ffdd7254d87de0874d1add128ade4e159eaf7c729d77d33791a5f8eefa1e9befd7adbedd40b6479df8a0a1613eb64f35f87a7fc59bce09f3d0ef939c284f6db5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
dd0d91e9f1ba540e5a054fe4eb4f277d

SHA1
7f586043d884a2187c3427a9feb4413e6fe262d5

SHA256
2b95e17d84986f5cce15a375a028006daef0c3873d1301a2f71a3bbf5a752990

SHA512
2a2518e1b352014184909685b691b9027d6efd5421cc30ff63a9e1fd61e2e8b158b269464eb760271f3fb687881869cac1249a1bb0c77ea1c4f15c182f206029

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
80f0d17605ba7dd229c771c321c99990

SHA1
d9e330eb81b864f29e1fb22e0c97c75362d4ef05

SHA256
b2f65a336663e63a8583cea6840fe017c68fdb84d408a4ba31155c53d0857ffe

SHA512
a835799da2644f59799c307367f557069170f9f42fda8e25beadc7239534905dab403d6b4d75794f213bd9a868be42c9c4786830293b056747314eea0735dca6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
8df7fa6e302e5fb581f676610f914271

SHA1
c99cc265b10c4e92e26e4b641471d10589215a2e

SHA256
b72e104889bcec1ff3bf71591eb352cf246af9abacf65a38f9b2a28e8007cfcb

SHA512
ae3de956e61f7cdb49848d4dfa751a5ac551f2b3d675a603a8fea4d14127366b6f15ba2ca4144117483aeee348f4a6045fbaa1e00e4fe79c70e6c25060f585e6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
a49d612d553b91cbcd24b2b47aef9c19

SHA1
a40a1e4e9d4a4fe3737897236711bed93928f37e

SHA256
4b235fb0afad35b123b8adbb9be2478b3dc5e132e1b8e0e51b1f524b23813af2

SHA512
71eb16f19e8799074facbf288e30a13e9e0beb076c6c1d95b42e86ba2487c70d5e2a0796049b2a46adf0947369beaf4cd6075ea1fe0a4656301106e1c88455c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
a4ddace21b0878219e18a36704642e41

SHA1
40d3ae8e9f5c47dd6e2ed26bb1cf33b55398573c

SHA256
1001811b2bdcbe8bb9fcf0bf7cce7768a0f6a47a48011745ce3e4fe5735c8bde

SHA512
bfb7a850b77ad09e01802a53539d152381749eb5e48c443524b13b4a0926a51637857b2854ec2b6efa85b6dd193ae196bd44bce960341fca09113adbf938ec1c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
b418ba3cae8a509e8549e18daf8b3a09

SHA1
d2d3f02ad129b90dda385936b08d6aefe49e1c92

SHA256
0286db148961409f04b00a00d42748edc98fcba6ea00c1e0a6ec0bccb3c1ff3d

SHA512
800fae454168624a7242314d5b2e40ae6468108bb0e1caf450fcbb92cd18480db9cb8edbd8caa6066b0926e1684bad65593ea4ad2d7c9038f9ce63fd6cb603a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
8f1ea942ae73381ee78966ffdd0a9371

SHA1
382a8a7b16823f3d09fd3dad68decff270fb2377

SHA256
310a7dd91d9fdad415a7c72cbff7be51ae276138375618f4a52d737ed58cb07e

SHA512
cc4eb82f97d3ad9ade4c42c67ec1724cdcc756161ec8eeb69517a1e547dbe3ab7a57313cf864cec0c5c563bd3f8d7c0d7fd144687b11abac9ec8f6abdddfb9b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
b23527e4f1151971e12465b29661bfd9

SHA1
35959ec0e4c654385b7dd0b07aaab7d4576ec30e

SHA256
175c7a7e5f7414aac2a4684a58142b8a707f3a399eb11603a1314b8b59c5fb16

SHA512
5aca4229ae29e3d19cac74dcb86f24b6dabc7cc8ce813c0c6d8cd05a193dc1900e968d971841834db4627906c48f7c12863097108d97a0281e2dc2c55edf0798

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
6d2af7ec4a2b7af38626d25f04d85c4b

SHA1
dd962fbe76eee526fcec128b38f940ea3ed64d3d

SHA256
0e236a9c342da959cbf168223593cd8d22b6d107e2c103f2dfe71d21696a3edf

SHA512
d9025d0a4d9e71cb87fd13e324fb07e9455905b6204cb65c32ac85d3b90913eb95fb1ee111739f5d52bd937b20c095e74d5948a40eccbc70ad7d3bc7ae88acbb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
6af4469deecb9cb6e3bcfe41a8d8aab7

SHA1
1901ce9df55c6d8b78c132a7b77390b54c91ea47

SHA256
56aef748ac1e0548b01cd3a92ab27cd4837170945aa0af54694939cbf3c5f102

SHA512
55127518902ba58fc3e74a5043641415e2f7f37da7ac60f762f30cc5c4f501ae9005b8c0d336d5337bd1c5f0fd70dd5e9e84ea5ab3edb7ea074c4938c9d03da0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
84afa1634434aad8b25921d1c114df9c

SHA1
92bac653da5d217fd115b2de7b75416783b1d84e

SHA256
6f4d0001ad84ce4706d485ee40d4b0ec1e49dfbb8807275ed44c87639a5c88d5

SHA512
0949a32e3833a624731a7cd92186c4ab2b5d50bb36bcaa4a8e7c94150c50c437a8661960a3e04e7fb524bc1dd933472ce5936715eaf059aac773c781eb7654c5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
8f0880e6d33932c1b07bb6273dad3643

SHA1
c039ff333704bef6b3f418c9e00ff208e3d8b769

SHA256
7b4a321c1b4789cbaefacfb6e4698a3aaf198a6c92b6c6b0bb635ea49887e17f

SHA512
700c367fed580fc37dd54e2c4e572f7da929b27e2e70fe48f51e2073b92d15b767994307cea8a0a3434c94af1eb2bbabf9f2d0f79e4af0bfb41d8cd859895f64

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
7139ebe6ec347f0ea14883c225994d73

SHA1
f6893546a6856a153519b9c472513379c5dfd419

SHA256
a9800e433e696d55cfa729a69e238fb50757806e1e8bc49ddeff41565ebecfa8

SHA512
00f37ca6877025e7a2b26d2f1be97882d9277ba4dd7abc0d68eb0ce5335811067f860620b1675e39f1e6d2b49ed88d1676c74867f6c61750cfcb31dcc10521ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
2687a1b6527b63bee98f9ceb3e4e2b57

SHA1
a845c6a545fa2675e94bd975daa4380dfb2ccbf0

SHA256
8eaba5a279a2a94185c907bff98bf85adfb19296b8c4523da0687ef98908332d

SHA512
4384ca688a0e7b00c4215aeaab33cd79bd5292dcc9a349e3484e48a4135865f84eb05dcef385572b1520c35f6640dc1553fe3380b7ab8175544abffd7000c4f8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
410d31530fd18db81e38a2f25d1bc5ae

SHA1
aa92323711073e4f98d5a04fa6fbb13b31f24d99

SHA256
3df3a7441f959136b6e1f1c7d59a1f7ba5a9e2c6b2e649668660424cc2cac585

SHA512
869ba4cc414d14a5823a307cb6cef4a356c134980c3768460ab75a6358929930aa00cd00ff46004a960c5970127659fa6f4435cc109ebe6f4004238d41eb0aa6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
fbfa48ddc39ff10d7dd56a5b2edeff11

SHA1
daf546896ca13c2e16e642b9c7433ee80afcca34

SHA256
cdf9a74758563a161c05f6bdb8fe83e080e0568ca4e97da1e5f33fdfe6cef0f1

SHA512
5f570d7e437b354940678437035dae4677a97e91e3a7672c0864c9ba99764d2cdd9a0023dc6158761b977c6cb122e1bd910b8ab489690716f81e1a0ca4c2ac79

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
bcdd2a552c604735fc916576a61c6844

SHA1
3027b5f31efea8c02e085686f92d6d56340d5bc9

SHA256
64fa403759149f1050e89fcf74dfffae07917cd93287439c3e791ee6ef7a9a4a

SHA512
e6c324a1707baafdd50b41fd5faf9c53b1da56fd16a63621fef5315cdc867e96fbd9fec31b064670cbd012c04f2df64ed0d098b5cccd7a943c97e3c834351b8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
cedd34c5e67943b6c788cde5c0d79d42

SHA1
52cd92a860cccd456908550acfd6dedca0d93f67

SHA256
8c0b7537e6390f52275bb55d606037a48597102b6e1fec647f2aea99db4950d4

SHA512
c2f981fefc3aebd9ab9d40ed29d4504bec9ea33febb4d1044c79c85c11866d589a449c7d2c1bd4f8e46169273662e53c89b915cf80c18233a59ac2d56281f051

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
4a0c88815f48423039f0dabb775d84ae

SHA1
dcf6b40a953dbcd5ebe2311518331062dc83b64c

SHA256
e06f5682c9b584f256c701dbd98bcd51d2a006637f21cd02b13ebfc63be5b135

SHA512
a887ccb2239120f7eb7daaf6513d7c93a8562498b06aedce17c26d4eb490686d3cb038ab2b014a5db5f8a9b6581e98be34d5a0e57de16c428f9abdbb568d0742

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
d3f33065fa52d4209d418ad770ded72f

SHA1
0abe10c5ad24fb4864335d4ed232c0d6293fd1b4

SHA256
45afa7f6085d658a272d88ff7e9a06d740690680b26aab4d0b1a299547fe17d0

SHA512
a8721f52e0aaf4cc566fddc82f4342dfb1e8358047a4b59df84355b3786b2628e4184983bb902215f31613d9a94a8a403af5e939045c5941f6c81f6d54d7b4a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
173f0e82981510b95275ab3f81d113a7

SHA1
f1155ed646ebeba4f6e7efae4783a0af0a40409e

SHA256
5bb75163c1f3ecf212170bc423417db9818f11ffde1e7a8f02cb4c4d93065d76

SHA512
7a271b332e88d6924f07564b4983ab2faa7ee448a751ab0dca31dd743d93849a77e70d8dc4503d5e818b469088ffba9ad287430e62c599475314a434583683e2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
c0c2709f4792b71a5e2eeb92c7f4d74f

SHA1
e1e4f25ddc52c696d8a30a7c93d61c7465ce3848

SHA256
793fd9b221ecf0b07928f204ce49ed7676540a363d3ac2b3a6a13adca68a7e41

SHA512
d46a62b23152d4ab2a4fe8f1a37ff6a0602d9a8b9dff820bd4509077d4dff5811daa026a64acaed3e85c8fc2a2eb3787652b61728a1130c146cb5a15e285acbf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
48fa62b729074f0e3e28f3e137889351

SHA1
32c853c22f3a6434c83195a729c6ad5689177502

SHA256
d329c22cf643e16931f20dbdd5047fd17ab26686ba4698277a7a2cc71cea51a7

SHA512
bb489783720bcdfda4bdcba0d2058a6937876f07ac942111e155e462ff6925539f01ae3f14a932cec1e8243833e1ab065dd8a20313cbd78fb377df42c767b964

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
dc7f6051869e9fb95994af5986c50cd3

SHA1
200a4688aefa659cbcebf986bc8d059710935357

SHA256
44cafd32ccf5bf25f1da570460067efbd1e9ab486623cf323af62304d1f18cfe

SHA512
68fdf7b729f7cbe98d973438ca092b31f8f628e3840db1de2a9e6b17deb2ef0c44c6891fd4f1e4e7e02aaa735a75a5fee80ea9d1a50095cb68131d2180976f15

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
d61c173c3641bb9872dfeab6975b7a40

SHA1
774d9ae9cb18763224aea7a5d6f545d547cf29d5

SHA256
0b22af673bb7ea801f0fe4fdd7524629d2be961a1cc7b513074f46eda2653500

SHA512
80ce4490d4c012085bcf6b8cecdccfb8483b6a91c53f6101420d29b92a39ff529fd9af5776820f853636018059cfa43932557065a537bcc588f4b398f3685b6a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
709387d2dfe9350619926a684d6f0f86

SHA1
54234286c998500b264638a29113b723f9dc453e

SHA256
6eea6af2afbd4002b8ec54254ba1a7a69ab7c3b60472ca6c34286a9abe93ca92

SHA512
887c197f7c627f9d175358fba57a198a8d23a5eb23056bdabd0263d122667a8bae140cc54c82b0f90cc7ac67cb11b81ecf59e8b4c5e06292ffe8e9edd7a1f339

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
b1d26bb60b14c01f0ba08f33ddb54776

SHA1
afe278d8f1cac050af2f535e3ce2cf49c7d6463b

SHA256
1ff10901bf6f7c286efd5388abbd18fa6e8241666422777b057da1e19d69f2e7

SHA512
6051f18ed2126f5c19903b73d132e1bf7c7ff3de080b232bc222b0814f64c9a59512cbe345321cdebe81ead17544467be64b2a54f604257beb3c36bc54717752

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
105166d5c59c5d3a3b76cf9881b38c26

SHA1
892760f1f88c30436f8718e25f3ae5b6eefb5cb5

SHA256
6b64ff18b92b44e12d64fb5e458c2db1b38fd4828c2709ba8e60f50dead97b2c

SHA512
f8df3fb7c7d72f04c9a61f1620a31c51a6461a9187ad32eb31453801214dcc0bdf4dc55356b223ef2419bc19588d97c6a9b03d4adfa6d5944a75b385416f9e04

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
03f105e1c25c5d66084d7edd92921dea

SHA1
88f96c2fbfca686065db4b576077f383202562ac

SHA256
fe897f0c0d849d9948b9f5ee3baccb760d0f21cb6ef1295cbe574a2f524407e8

SHA512
f2aa835c013e1e591c3db259520da389e001b9d4f54af57238676c83d371804a65e4e85e571d28607f666d26de13ad6f80439aa0e06ae64d3c9f89020016dd18

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
964d5c014ace6ffd568274497675f8ab

SHA1
f1d0c80a048e9031bef4b5c64227087e3e628140

SHA256
4ebd1a354b274594a891aa65a6a847f8215799940f04dea74a2e06a4bd7f3daf

SHA512
18632e3156a2f6b79f61ae1d047f4fb76eb6f76155f9120acbf41b84063c607a845a921503f2181d0d3473211786897968a7d1560ef91b7f9c4baba6ef2cca9c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
7a04afd36bbc33742e754b619cca6026

SHA1
06b896407b3337d718382b906321252328ef7f40

SHA256
c2c258d4a1d403e89a977330e0cf5338ef4dee4ca8c63be67547b14ec8de7bab

SHA512
512281471f003f38c24acce56571ae406b9dbf0ffd5b41e315996fc12f08c8c41026212907332259f935593f6dc1705b8f80f9e15fcf555ce845d05c8bb6099b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
8d6876d050c6b770f53617d97ed2a03f

SHA1
b03fe83f7d4b8a5ca826d1adc7cde446685c9742

SHA256
9b64e618e5c8541e0d028876b90772d991bccdf34c9d71f0b57137810ad6bebb

SHA512
c1265ceab270e6035a756ebd80395b1e088a1f3ab561c4526b5c556c565afee7ffaeb17494a123f9853ff844a47b59ce415255781217663e6192f481e9dbc779

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
ff86d07afe260625723d0e40ff889b2d

SHA1
6c7438ac7c82dbe4ff58788c1e02275f45583193

SHA256
836e1c4c62201e3e81138c53410822f0c1acc94a95896e38288b3c8da688c5b9

SHA512
469253efeedaffdfe5f9a68f5f0abff9e7b22ed0d5fe93fa130f15cf0c27dd739b94b53fdbd79b402013178ad393e5e76a20400afd496d53fcb23fdb5877bc6e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
cd43f10f293437ed98b69feed71d30ef

SHA1
16c84001f49586daab1eb7042bf2c74755c77183

SHA256
9c41c70255e2eb65dd4f0f1d7452da3b621b856bd49aa56f6fe0b0a4ea80fe91

SHA512
fef0c266717c493c5132e97976d276b3b101000cc0e1a241045e833c5db1ae99fe4b03c3336873d28e18d378efe3c047c27b0d8ddbb9b536bf9725be4343d1e7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
0bb6bc70fefb5d6ef27e28664b39b1dd

SHA1
511f31e41e564f6220b8a332654010bc96c4d5eb

SHA256
d244035662ba0c12d001fbf619bdf30ec4569c264b99e9804e02339942a13ebf

SHA512
25362f4a6a0fd36aaaa4e779c8fee68b2c114c96e593f2cf2657531de39362d63730c43678582be05cf3d41b0e6901fe6bb23fce52735f66655f0b1c84ce02df

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
a90098bcde06bded1e5863cf6f4f4143

SHA1
f2589c8bfb92529a9c21863d03937746c294dd42

SHA256
545335675c2ec6816dc01057f35af96fd0da4e5dc6df99c5e7110e053fc6827a

SHA512
8a68b960f9b8d3999ec729566acec7f92eb8d22fe12ff911a76ff87903193c4faed3db9783eaf1b5e9ca6d355dd148c10f2ce2c0e786bba84ccc36355a3943af

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
b405e089ec3a58e84fd121aa8a0027ce

SHA1
8af599a9540475e75cf532d0114a331678a5e223

SHA256
176098cbcf167c8cdc883dbe06e9336baf3eec461e08d39f634e6fe345111cec

SHA512
8ffa99ea2bfc297869f140ab98951726dc3fb4ea9535e86d7d40b218dbb5b5ea0d8f1778ab6016f64569fbc24ae455911a82646551d0560a99c653013fb09840

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
5c37fa32c504777b8f679a8985109c64

SHA1
cb88ffbfc707d3bec3f81719338b7b17fb0257b9

SHA256
31f1e5823886caf5b9d83767be6e97189af56ca4a35d75b4b4bcbb643e6da82f

SHA512
9b88d2cee50c1d03872ee0fd5130b3bea037a34f4bf543864693b3a05dc8ab7e7cc3478e5294e3e20bd84f196f2bdcdf5b32152f352371bba11a308d3c628de7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
1db47354d135ccec25d967a6ce47bfd9

SHA1
995ab713757a7e5ebeeba761fff4390b86dacb98

SHA256
1ca5285e3d68e65e723d9289d592d4c8fb3b8351dbea1df554f4613b6074da2a

SHA512
291ad3bc1ae316fa2bde0ea32254ad0fdff8970cdae5430c8f3f372024a55237f02005be1afde66e2d1e454aecd04cdd84f2823008beb4f8192ba1416b463318

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
71a9993b15a3cba2d7255f6cfe5dd596

SHA1
ee6c306005dde8896468f2889c7361b080c2e2d0

SHA256
261d6d6c0204370feaa21815410a1e751a937d4af09b19cf68cd5bce3c52881a

SHA512
5cc03bcf1cb0c4d443dab323613c70f3c870c17d2d6a0463fda4cdc2739b57535b4356e7dc267422a8e34fdce5fb14797e01eafc2fb58a23744629288ea73c66

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
cfcdebc7e9766a4c444ef4c77f6d27b4

SHA1
adf9a2d15156380a1b70ef0f6d446cede8016324

SHA256
e5a603fb89021ccb8c1d41fbd770204c8b362e1831de60e5d55802f5aed3f843

SHA512
9037777bf5574befafcf9953183afe735c75ce03159a58626ac9f9f78016bb8e43e54cb6fdee2c10bc30ffb05f2798afe46a62ce5d7c38cbc8c9274655e399c6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
28d69aa91b065f653c65fdcc141f0ba9

SHA1
2d252d5d2234686e3afb769d8c006630a99ca7a8

SHA256
057bdb4cf3f646d101da79ad3f60b1a07b785c88aa9b2f886acb722264c55011

SHA512
7f31852959cfd148a46c36145c75b01ccc931977b30fc95f255383d070c11d741c611bf5d9a4e7b57225436c5de08da88406f2c67a2dba91bbac64c333e3d26e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
37a4683e689a130e24b0a2f20281f5e7

SHA1
2cae5f4dd6380a0c82f1b5f79579bbf65cfc13d5

SHA256
43a8301b4c6e30b34f0cf20c1a1d3d537b8ab9b9cdedc8a0c3985b564279c199

SHA512
2d114cb1babe784af32cc46d123996cb84e681f51cd9ba1c1da00b3ff36a16cf943ba1de1f862ff7295995e8f06ca86f5470631c2316ce1b41c3a8b275ce10f5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
a3f4b1c6734335dbdf2e6e9001c1c7ce

SHA1
e2cc5b832688d10e47fd1f9de0b3b2a06be193a4

SHA256
b7d9ac60367e0f7e5f489fac7025d27ebe3f0751618e00799f86fa309437c742

SHA512
4f8b3e38e70b1869abf87b7e11acd079d43c3a1386b6ce76d9a6b0e056e2762c52bc5b037b56c1f327f0d5062f4613a8dc58c1d10d01fe44dc8cdd802df966f0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
f25383a1a58c133c26b244088e5a7d11

SHA1
e8546e6f0959673d54a19f10067285fc452b4597

SHA256
31fdc240d40a0a9881d0bafacb2336677e6d60ce3f7c5fe0d86d70ae5493dd6b

SHA512
4db4e16249e8a75b16c6be7037802de5c8f2b5dfe345b8d29d76caf801ace6bfa8edb0df21d98703e2fb11240e1c504a0f7d5006facb5a9b755a7ba79079e76a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
ca6a01877aece0ab5fb449c7707b9313

SHA1
d7c320984c534d9f8371523752ff2cd1887e5ba5

SHA256
ad5ff56152838fe0978295cebbe44a593f61aeaa77679d6c13a5a3e00e438606

SHA512
194885890e825ba82964ab42c2f15d7281244c93d033119847f0417c7483f53cb8a19457a23b0dd74fa3e83022e88a3ab8fd2d0b89f34d727f33dd6b1d89e497

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
6d98c73b0375c214152161ea98f3feca

SHA1
d1102d12c13f45b51b4d3c9d2e82d9333c60b00f

SHA256
846a8a750f4d96daae6e5335a64dfd81463cc0e119148cd673499ff726706669

SHA512
085041dce39c7c383e0f1c387779fd16153764ff44583ac88e0bd8aa28b6fdaa50dcafb82f002d58fdae45a0f2a7a43edf1b0521329643746bfdde2bb3cd1429

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
b2d0b743bccfc611cfea5c6910284218

SHA1
dcc5b1e3f8a28b3c3669563b82c11d44a6174724

SHA256
d80c7cbc11b2e3f5d9b31206dd94fe01069d0f550bc39bd5a89cbbfe989b5f8d

SHA512
6b97fab70b8527db89aa4b4c48ae0605a8e4c473ebcea7e7b75158245abe3e614c1a5d51f0f6ff254d210cf4318d3cf3ee7824d4a6a8b395946894aca421daad

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
e324e9e00593b0f5ee6631ee5f9463c1

SHA1
02d3a078c49322e226a9760cdcdf8d4e9f007ba6

SHA256
82c2e8efdbf099d35e9ed3003da0ba13672a7495efef733dd7b8a370b0aa0b63

SHA512
66897d5ed8c0b9a6088fe9127009011ff913f99233c9b56e753f026e220de62f7b04f208ba4288a3ffbfa0d34e747b2ac3d78cc78c71159c4b47067b2bce557b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
933fea165d97d730d8b88a19e447db00

SHA1
d06150a1b11f7e77525674a9589082fde9befa76

SHA256
2ce92f2666a72e48eb347134c06b78f627db0a25ef035b1743a162c9f98007b5

SHA512
edc02b64601032728357e25d0948580a7455f7f9883d91f0a9665e82375efc9f311509e62e5840ba6268caa497eef26c109009632ecc6ec219607f60cf9327fc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
3be9a0d7c08e0eb7acab592944399267

SHA1
e97c1c6187c6d24e6b292bb7e273f02c661d7f34

SHA256
6fa799c08ebddeb697f950cfceae0b25f476678da5d9b83482ac87602abc6e0b

SHA512
a3ed562b6f056a8e126b4d17514b62ed190628b3e1233b376d0380253d458d716c1e0c46cb8b0a54a06fc153405d51673acdd824647db8fab15f8973bc47d094

Download Submit
memory/2876-7147-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download
memory/2876-7148-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download
memory/2876-12-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download
memory/2876-9110-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download
memory/2876-9111-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download
memory/2876-9112-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download
memory/2876-9114-0x0000000000400000-0x00000000009FB000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads