xorist | 7fdd116740268868d984970e0ebfb93dc3b8b6c1061bcfa2ec1aa1199a0ffebc

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8739cc4e90cdde68b4eb7c8341fef60_JaffaCakes118.exe
Size

726KB
MD5

f8739cc4e90cdde68b4eb7c8341fef60
SHA1

3f08a26309e93801a239033b32b7edb3d1de5892
SHA256

7fdd116740268868d984970e0ebfb93dc3b8b6c1061bcfa2ec1aa1199a0ffebc
SHA512

a35567f64c94b856589c0f0eb68d797346ef2c6f9b913cb235d24d2dff7c3153016d2b9ed79b7f402d4c94df0cc1075cddc5d729b31179a82461250cf4fc56a6
SSDEEP

1536:hgOh7c5IGaHvo/8dhvPrCXf8E+ZJqnCF+7:hJ7ca7v2QOkEuJwCo

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 13 IoCs

resource	yara_rule
behavioral1/memory/2700-2179-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-2172-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-5115-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-7145-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-8682-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-9016-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-9017-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-9018-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-9019-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-9020-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-9021-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-9022-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2700-9023-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2161) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	abxd.exe

Loads dropped DLL 2 IoCs

pid	Process
1064	f8739cc4e90cdde68b4eb7c8341fef60_JaffaCakes118.exe
1064	f8739cc4e90cdde68b4eb7c8341fef60_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NVEux3c6nuhNCn5.exe"	abxd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Comparison_Operators.help.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmvv.inf_amd64_neutral_14cb440c800fe9fe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0024\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\data\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_parameters.help.txt	abxd.exe
File created	C:\Windows\SysWOW64\fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_do.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Comparison_Operators.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_WMI_Cmdlets.help.txt	abxd.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_prompts.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Core_Commands.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_parameters.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_hash_tables.help.txt	abxd.exe
File created	C:\Windows\SysWOW64\bg-BG\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsii64.inf_amd64_neutral_d7409fccc5ef4078\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\XPSViewer\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmhrtz.inf_amd64_neutral_10affee00545fb45\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9b214cd9b78760aa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_preference_variables.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_preference_variables.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Foreach.help.txt	abxd.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msports.inf_amd64_neutral_fdcfb86ce78678d1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSnapins.help.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\synth3dvsc.inf_amd64_neutral_bccbc5fb46a05558\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Ref.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_join.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Windows_PowerShell_ISE.help.txt	abxd.exe
File created	C:\Windows\SysWOW64\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angel64.inf_amd64_neutral_6bed16c93db1ccf3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_neutral_f8bdd2cbac28a8fd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_locations.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_For.help.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr008.inf_amd64_neutral_27d1c9a28eac4eed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wialx006.inf_amd64_neutral_ae607a72b46f9cfc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_cmdletbindingattribute.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\ja-JP\about_BITS_Cmdlets.help.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\termkbd.inf_amd64_neutral_e561157e16aa2357\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pipelines.help.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_FAQ.help.txt	abxd.exe
File created	C:\Windows\SysWOW64\zh-HK\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\1394.inf_amd64_neutral_0b11366838152a76\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_neutral_c86d6d5c3810fc04\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pipelines.help.txt	abxd.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnttd2.inf_amd64_neutral_9dcd97ab7a913b7a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\IME\imekr8\applets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\SysWOW64\WCN\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000195a9-3.dat	upx
behavioral1/memory/1064-5-0x0000000002980000-0x000000000298C000-memory.dmp	upx
behavioral1/memory/2700-11-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-2179-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-2172-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-5115-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-7145-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-8682-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-9016-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-9017-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-9018-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-9019-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-9020-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-9021-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-9022-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2700-9023-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png	abxd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	abxd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14791_.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png	abxd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	abxd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	abxd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\play-background.png	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png	abxd.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg	abxd.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png	abxd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	abxd.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp	abxd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png	abxd.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\HEADER.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.HTM	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png	abxd.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21319_.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21325_.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_ON.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR17F.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png	abxd.exe
File created	C:\Program Files\Microsoft Games\More Games\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf	abxd.exe
File created	C:\Program Files (x86)\Common Files\System\MSMAPI\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15018_.GIF	abxd.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png	abxd.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png	abxd.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	abxd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02073_.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10264_.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_bullets.gif	abxd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png	abxd.exe
File created	C:\Program Files\Google\Chrome\Application\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14868_.GIF	abxd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer	abxd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ellextensionhandler_31bf3856ad364e35_6.1.7600.16385_none_57957a9eac0fb1f5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ction-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ec0ec9ea68d8a9ae\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..plication.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_640c560c977f8955\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_wdmaudio.inf_31bf3856ad364e35_6.1.7600.16385_none_bc5c4aba33d6af68\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dpiscaling.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5c8d0d556bb09757\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4e9d378fe10f62e2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5a6758686ecd5550\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ration-ui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bedc147da5afe521\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Print complete.wav	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-securestartup-cpl_31bf3856ad364e35_6.1.7601.17514_none_b5ac5cc3a1b7e9ef\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_avmx64c.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_84e4d7e8642d499b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4a2daf2473492ce3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..mcomputer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b71bfd4b4c162d49\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_wiabr008.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5eba1ef020b81811\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Design\d6d1ba722a664cd9315cb28715ed3468\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_921f7aaac68bcb70\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tvencdec.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0311224e7ba1a3d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_prnbr00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9f03a13cf3f79c4c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..rshell-wsman-plugin_31bf3856ad364e35_6.1.7600.16385_none_d3042fff0275f347\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-whitebox.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_38ada5dca774cf59\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_6.1.7601.17514_none_7a2ff57a626c29fd\Speech Sleep.wav	abxd.exe
File created	C:\Windows\winsxs\amd64_prnlx006.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bf74a39f319db515\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-infocard.resources_31bf3856ad364e35_8.0.7600.16385_de-de_49651b6146f25613\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..tions-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4ecd34c61883da4e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-vignette_31bf3856ad364e35_6.1.7600.16385_none_cc1304de922cc585\NavigationRight_SelectionSubpicture.png	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-ratings_31bf3856ad364e35_11.2.9600.16428_none_4dcab5deb96bfb37\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..installer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b83a75d8edfe951e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..-msscript.resources_31bf3856ad364e35_6.1.7600.16385_de-de_25b9e97c2ba93664\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_0dfaaaec65b0831b\corner.png	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4706ad495f7e9c38\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrenderingmedia_31bf3856ad364e35_11.2.9600.16428_none_a0d7be346e5a380e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-offlinefiles-adm_31bf3856ad364e35_6.1.7600.16385_none_b5ad7c45b213fc02\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..y-secedit.resources_31bf3856ad364e35_6.1.7600.16385_es-es_84bbdd9ed0041a5f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\wow64_security-malware-wi..-defender.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f79fbfaddeffc610\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\Media\Sonata\Windows Battery Low.wav	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..river-wmi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_74bff82ddc8da91b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_prnrc004.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b1922a3d439d9ff8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-mobile.resources_31bf3856ad364e35_6.1.7600.16385_es-es_50534a5d13cbbc05\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Assignment_Operators.help.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmiperf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6cde063e889e1847\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-console_31bf3856ad364e35_6.1.7600.16385_none_962fb0850dca9554\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..e-utility.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8a22601698462e45\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-management-snapins_31bf3856ad364e35_6.1.7600.16385_none_f7dacf5fd4a3c2a7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_For.help.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..entclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_85f771eee716aba2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0921a65f928dd6a5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dot3gpclient.resources_31bf3856ad364e35_6.1.7600.16385_es-es_74a70aa0c41bc529\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mmdeviceapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7ae84a042fc59c3d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..providers.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e6e8c38d9c1cd5cd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..ry-editor.resources_31bf3856ad364e35_6.1.7600.16385_de-de_add558aa2d923b8a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winver.resources_31bf3856ad364e35_6.1.7600.16385_it-it_038f935c6c1f0aea\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000454_31bf3856ad364e35_6.1.7600.16385_none_4edfe3e6b16f0fe6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_usbcir.inf_31bf3856ad364e35_6.1.7601.17514_none_fc6d9caf132197da\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..ionplugin.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a0fb5042174edf56\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\amd64_nv_lh.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_18e2e60509615248\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..roperties.resources_31bf3856ad364e35_6.1.7601.17514_de-de_9859d42f9e3a4298\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-8.htm	abxd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-deskmon.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6c8df7416ea4326e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..thorizationbinaries_31bf3856ad364e35_6.1.7600.16385_none_b1bb669eff4ff586\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..shell-mui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a6fe5e61c4685e4b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	abxd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8739cc4e90cdde68b4eb7c8341fef60_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abxd.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	abxd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "VJCRLUFDMKVPTIU"	abxd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VJCRLUFDMKVPTIU	abxd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VJCRLUFDMKVPTIU\DefaultIcon	abxd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VJCRLUFDMKVPTIU\shell\open\command	abxd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VJCRLUFDMKVPTIU\shell	abxd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VJCRLUFDMKVPTIU\shell\open	abxd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VJCRLUFDMKVPTIU\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NVEux3c6nuhNCn5.exe"	abxd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VJCRLUFDMKVPTIU\ = "CRYPTED!"	abxd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VJCRLUFDMKVPTIU\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NVEux3c6nuhNCn5.exe,0"	abxd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2700	1064	f8739cc4e90cdde68b4eb7c8341fef60_JaffaCakes118.exe	30
PID 1064 wrote to memory of 2700	1064	f8739cc4e90cdde68b4eb7c8341fef60_JaffaCakes118.exe	30
PID 1064 wrote to memory of 2700	1064	f8739cc4e90cdde68b4eb7c8341fef60_JaffaCakes118.exe	30
PID 1064 wrote to memory of 2700	1064	f8739cc4e90cdde68b4eb7c8341fef60_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f8739cc4e90cdde68b4eb7c8341fef60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8739cc4e90cdde68b4eb7c8341fef60_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\abxd.exe
  "C:\Users\Admin\AppData\Local\Temp\abxd.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
335B

MD5
90e1d1f0d1fe153315fc40723607dddb

SHA1
ba93dcad39e699dd5dd99643fa105dd3237aeb32

SHA256
66ad45695d485a905e74df82a43d6e8fedeba94cfde41bf53ab93cce21194a17

SHA512
f5c7e0f0e474326b4674770ec9a78efd6a9daf52de72cbbca72d7ee49bc568ea86e3f1d0e3b5d1b1a47957b1495e462f4d99642d8b9ca8792ea99ff2a9763915

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
24a005f5208ba1bd08320fd7e98bbb97

SHA1
a0ff9205647d246fbd0f062a37ada2843b6878f0

SHA256
d49b150e65291f6bc829e15a61f6f5c84240eac9a823f4c938d358bb463f6f9a

SHA512
97c8e4eb7e09487db823bf7881a5ed83330613f940e2602d157277bf7f4f2d36faacc03adc69930a209b886807e481e3b32beeae7bf6c137b368ac2e2681f810

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
c342c6a462d95c20ccb8d36ba10d71cf

SHA1
1092800237b0b656dc5089badf0d88ce8875d075

SHA256
0fb48cbab518d21f77518204d0d4ffcd9a26fdcb121bdfe4fc70a9cdc43ca3f5

SHA512
0434aa397725e9bacfad67a1a8b2984cbb3e7390b82405a5e068ecc5564efcb37152474336b0ec99c77a811205c6eb859180478d5e22c831bf3c4b31cdd7c961

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
c27dd0754c1ddea7e708dd5a6d3f5cc2

SHA1
41e57981d242ecf240e8a7003d3850858e11c731

SHA256
c7ab64d88d58b4cefb3149dbeae865ded008c4e9468445bcd2c11530ea52350a

SHA512
c32b3373107d874ec3a9923dc9d86897167b0767c38252962802291dcb68e2e6e6fcead05be6e534afad89ae988b62a1eddcc0a5a80b17bf031709827f6b639f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
73d66df543c2d3686acba210558b3c75

SHA1
c82a454c7b3fc90a9cc02490bec611331ab56084

SHA256
11ad23781cee934b00999c61f199480f4e375c6c6e37dc8450752d7f022e9328

SHA512
373788f224fb14652080d63f113475b8991e465ca97d89d555cc448952d0c9aab9d050ad621f38242fec114d64ed251219bf17c6e8f0a2d9a7104ead95da793d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
77e762a64ed8fee9d0d5a44046434a6e

SHA1
04ccc2ea994b9b358f5e3ec8b5ea39a1a7b1c293

SHA256
11852e62a4198a3e3405440642145f637cc8f2a8ea884d9b22d0cd33857d1614

SHA512
7f0ee12cc233a3b82440e229adf32f5bfc0281446ecf6a72765bed3d53425f6241646923da91d9ab58a5c011f134ec478932b168c1d22ef7f4a98765bf34b904

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
c3439cf4990eed9e24d94ee0978e76b9

SHA1
23cce76a70d0a9923c81e727b323390c93c4759e

SHA256
8349a7fc042823e9fea9cd4a7ff8b1b3297574424f34c797c525f4441e9576cd

SHA512
df2c9d057b38ffae915a1b303f784e9d8578749f24889841bab87792fa875e067a8ac03e2019900d2191b90f350a0c61c19ee0f4d16bd74c48795e25548b0058

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
97c2e77cb09cb876c03d0dbd5f990303

SHA1
6f4299b7f567b9ffd7515751c5a7277f928d9a3c

SHA256
77e7edec898dd3d8fb1360df64ff3344297017585180a2685c9b71db23875dd0

SHA512
1276ac9851db10288583f21ae2c369c4158f14b80b01df289404104931431e7969c6ca01f70307936c4d2d1770f4c77e23af4ae2ece49d8a5751c6eb6f89392a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
949116bb7e8cf6becaac6284250559d9

SHA1
9ea9e3228bb42184e04243a21ae99cb77ad93ecc

SHA256
58f6120753a40996df345e50e53133048b651881f63dc6bc57169f20e0184351

SHA512
9020c41ad9363a91b45304a86434ef2bc13cdb0485bf0600332deb3efc1290d335f6d90cccba26e84f5fd91b6bebf15f5ff1e65d447fdf4be332fe7bc3db55c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
66180136ce25013e2997e6b89707327b

SHA1
c07fce2aeab0c02b9602463fc827100fd7d4621b

SHA256
fb82128e566cb8c02b45273b371799897d1b0c178e469710ac2673ff822982e2

SHA512
cec4cdc698f21ba5d5fd341eb37b7115a7513a010dd0cc62879ce1fbac1cc0def5525c0ec9b8a1b95dd52addb06538e7c7cafd41abcb22760b74b53b76ab9485

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
3d4a4d0b6997e79521a8fc2a27f9c29b

SHA1
5db40f1a54b9e3a76fd7f3f280da5fa61c94e76e

SHA256
ad096ed10285a6e6780a7e329da96ee365ef04c92350c3faa64eaeb6c8d160f7

SHA512
14c7424f191c45c50fe2bf78ae01fb5ae5c79ebc2b4cda2ee3bcbbce848db3570aa03eb6ded8c9500a8382a7f047f860916613fc9b08044d3fdbf0ce429cfa1a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
22942e1fb7afbdef961cedb96112fb5d

SHA1
2fdd7bf18fdee2d1c6732a199e7ee8dea573bbfc

SHA256
62d79d31fb82428ec10179c3c063cc011cd6177c8d7503c559a98c93ac7a3365

SHA512
dd4f95b8331e182ed16b87cb96c7efc5f9051b55423c3872e91f05b98c6ed8850bbe84622bd251a64620bde844eea641c9b6eccc557b376e805dfe34580bf569

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
eeb40d969c97d31f5a970a6832b747bd

SHA1
ef9d27b97fa976573eb67a5ed561eef9d596bbb3

SHA256
baa9b3589cdbaf637e3f59816bdfd4de73e8dac094aab8f89c86003abd300074

SHA512
6784b4d6a6332af9da1457fc9084963bf9aca165386326aba70d99e41acd79c857d9ef8762c323683c76aa9db46cd51275b76611e1432d71fb26dffc79e24cfa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
21c4b68ea4f848c312ab1aa642dc3722

SHA1
171f4136ff6e9e3af617494d6a672c5a9f222eab

SHA256
1fb438c3323095836b737ca1ca6be9b3632a586378a7680bdcfd68444d6524c9

SHA512
eeee58d495f0ebbfcd51107046d239a7101d1c8d3fcd4f43698b59bdf61c7e6d925a7edaf515a40b59209ab73291753b0f608717e35e0df8d8f4cca324b60cfc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
d4bdddd47c31c53c740c35f5d97a1761

SHA1
40e6f0cf6dec357e17dde4cfc4be0a68c9d70572

SHA256
0ebb3a18c9b527aa1029abaaec98280f4af78d5eec4c7e3561104a3a9e90f180

SHA512
58a0d0d5f56a4060cd9c0ee32a30f365e00dbc7c9f9cbbd7efc08c3339b35f8c4b40a39a0842d79cfedfca84d03027e00c64584a799f9cda16546bf2bff37611

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
91e59c39262e5c3a2ce3de5997248319

SHA1
91d31772da8a427b4a507b23d48e67bd7f3f4414

SHA256
62b4e46b97c7f07fee2855f38d2e4872572f3f614c78dbe5c151df1094b1bc12

SHA512
bc53e936b0cf969f9949405cd9b49d3a9f97054530a448118d22cb4084df273c761546f14cf2ba1d22fb0b064c130d181ae97812ecc5197c9a7096ec7ace02d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
4fcdfd7b01ed6c257b33d011af1ffe3a

SHA1
6df9addb778e5d0ae92bfada076e4514bc211175

SHA256
4308118e0f1dee7dc6f56d3e6708eb9ea8ea59d752818d29d2c9490bc24b9af6

SHA512
761365b8e429f8a854af8e2b1e9c9d5876a6c0e4e782a507e95633abf0112380409751dbef36e06f343902361781a4f221d8be6f698d01e224576a3dd4a565a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
fbe79e194f0be8edae5ee5431ff04c3d

SHA1
534cf612d19c018baafe6605cbbe0808e108e60a

SHA256
b194c2231d4238249171ec43d41bbdea1e48e0d42bc78fcfcae7bcea68b2ef6c

SHA512
50a4a99033bf554072b4d5d3f4f9374ed03d6915267566084e81c11b232316ae8f792c94537abe921b1e90c55ad68653f08f55360210c446a025e064dfae1a44

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
442aa6af760d6f95c3d585a37025f301

SHA1
5187fcd3aa700f5d1dc9e7a10ce4f06a6e0d6a29

SHA256
d79b354352996965584c1ea44bda6bea8b676fe5a7d717bf5229e11ac4ffed30

SHA512
f57d4d9973b53cdac50530065a106768ce75b24a4518e8c1e9790d7919e1901a1a9ace4c3720716b010bb5166a46db0d9fd7167feef789f0003ad4af35cb4ab2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
b5eabbdeb9768f8216d6963abd339e72

SHA1
9274578b216f30962cc9b3d48f1116a6ee863e2f

SHA256
664b70429b4d466c6c8ec2df0f50d158ae5de9d7cf00b0d5ddbac4cc2d6618c4

SHA512
70fbfe421d22b9d5c2f181cf9ba1d0e0d76faca1061e104b76e5e881fedb214a38de49d088ababf4497e6b56efdf127973a42e277f08b62f69ebaca6aec4a77e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
1cb64de5c9a5b36a654d2f2931a81dd1

SHA1
f24f33ca33ad70f3ef0179b421d6401898076184

SHA256
4402d285974e7d660418d26cc463d14999fa1d3e740b4ca9a47ad1a7632a2d3e

SHA512
ac4f965e340fe532e69d83bfdddb45aa30eeeb9b494789bf906049ab25cdb2570051c5f87b7147754f2fd5904881af63d34a84eaa0c69af6a80428df3879e2ca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
e49772fe6627b4db825f870ddd77e602

SHA1
c1ff9b2c0528e1bb7ecb0a5ac2314f0b4d573b47

SHA256
d4f4ecef9b664d3dc5ad0227da2dfb88299b178428c226120076f77dd82c54e3

SHA512
5ebcfb670e8fb632049238c1f1e613d450793b06bf59da83b5cf632351ea669db64e54798970567d2e535bf1f354c564e7e4edf168bc1ba14c9f7d8e90dfe41b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
8b0aca537669c441cf75d2449a274f4a

SHA1
f91d1daa8f2119d2e9b0a2c758ed712d045f00be

SHA256
68984170eb96fe380dc12a9932d4c803113bb357ffc5ad27290bf262ba34a35d

SHA512
7cf31d04982e3476f8d44c0f0e6eae276f9d0e680bcd5ba2aa05b7e356e092d3cb338b1b6b855eaab1f97afbf4bd146aa623fc7eebe90d85c0e6fd8c63b8eac2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
d678553eaf13b16a775e48b1824f938a

SHA1
7a658c7f4927c8afb71c45c4a8e112a5f5611782

SHA256
a7c34b27555e969cbf6cf0a30b139a7b3e9165b91e70f19e4e1f14eff279b5af

SHA512
5e85f2a403653aedc49dd526c167f85ed86670a0d29d4966aa85e6673854f92d9039966f752bd0bb062ef557bec624b0412f24c133f5f10e2b4fe61458082783

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
1065c7e45087fe0db9a488a2f1e0f017

SHA1
07aea79da364bb36f9881522979b3ed7aeca83a2

SHA256
e8f504bffa5c1898650c402e3c5d4462e0a8bf13957056efff6a8d9dec217893

SHA512
09d866281e164ce6d5f85efc3623c0abb720fb96a3ed911bad420c73df56e3f48c0d025692ac3b401fa6a107116c7c1fcf8c5a873da3a4846d8e05ac90aeb051

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
f2ad59c4ca000c33e62a14a475a5225b

SHA1
2da3b171ebcd5d44d4140efe19372803a058b39a

SHA256
4aa8b8f30032d3981717ca018ddf5a164b0b552c849b4cf29116be023b251c8f

SHA512
dc231e9a281ae295afdc161431f6d4d6bee738e3b3b055d4d2f6c79388b34f5d296890f87e558cdf1cf30b8ebb5c5f386a0284fe5f44c735dc2de183324c7a6f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
7ff1d2d7ce8930925406e7f9cd0826e1

SHA1
2899770de2b48319946a6fd63fdda3474f841a88

SHA256
e781c7ce32c6c77cde0c5217d0d8f2fcbd66f642aa46f97b4e84e405ba5ad2a9

SHA512
a24a6c124bacb6ee2bd6b3a778d4d6785b0e030ca2d4d70699584ab6e092cb379586befa62472766b4fcf42585261e9150fe9d3ca14175231ed69c963feba0db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
a645506ce0517db02c59df5ced1f26d8

SHA1
4cd7f81bcb01712e3f288f4ea960119871cc4885

SHA256
8c4009f3f320029569fbb21775bbdf8c68dfb756c1b554e8364e48c7152663ea

SHA512
d544cd57885f07a0ebff4d92172ecac6cfe7ecfe53ddb654a63f6720cb513bd894b453a9e6b91a172cdbfa0b6324a2d286386e175ee14beb209d5ba76fef1b8d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
4b4145bc37f651d1a98a44c7bceccd1f

SHA1
cfb9870efe3e1c604e5345ea1a4e176fc1b6ee00

SHA256
de7423a4c4bb216679bf819578c2e2e2ebc759bfd572aab1700283f3860f1a26

SHA512
06ef74036f8b91ee1cc23991641ea9c97f4585bc9de50d744706c7e41b1dfb3bcdc04808ab47c0f30f439e6d381db6a826a4b7460a8c8b7a72ef9d73918c741a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
b91f8eef8acf9fb4632771ca4a632026

SHA1
f6ad4f1fb7d87197cdd5dce0c0396b1539378181

SHA256
5fe86615dd99891c7df07495dfe0b1e4ae856b59d53634aa363cb403785fe7b1

SHA512
7f36ebd6d0333ae37d2eaba3c015b11eba7d262256ecd60cabf0a2276b938d37f6db6a6e39fc7fc4d35d5569263c1811d0d08d15ae24de2c2bf6d480b17917ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
bec402144f596ac89e371e99654bddf6

SHA1
821c9c53eb17d3d57e29d8d01044e3e672a993a6

SHA256
29f172503881e61d124d1831eaadd6d753eb96133a8fdef829407cef3a8bfd08

SHA512
c4b4adc26c3ac20707df116ae826bef15a3ec2535d1c49e62168bbad8f587e80782ecaea7e905f2e78c29deff7a7421018202ccefde64f8813b2b4d22811ad98

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
9084001020ef2383169f1eaa84f2b5cc

SHA1
6eada6221b5cf0c5d53798915c5f62a13722d067

SHA256
efa9a74b610e914432b33aef7cb4e452a69c1a042ee94ea90780c8656d754fbc

SHA512
b3eaa83a8a263a11331b28ba2e8c690ec393c8e998ed908a564ce3a05986e0cc9c7a0ef39cad5a9f023d669e82c0718d548fe837f3cbd30b7a9455cfb88c6ddd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
e4a35f042a20a6b18702bf40b3c72c70

SHA1
a1cc0c2d864b225be62c3a6629e71a32a4909dd6

SHA256
99ae728580e40a5bfb97191fc05e45724bfd7308e8cbb7b258b800ec81ed1613

SHA512
2d16685fd5b8d75cfeba5e829efa567ca6782f4a33ec4f2f75112cdbd76c3ed10b74d33dcc9e1196287d122019a4b30c8510ed1769e3fee7d44053e4387638de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
cc35468d5f11bb1ba69830ef426ab1c9

SHA1
ac95a3ad816962d063889dffc96fe1ba6d3ee31d

SHA256
88c45089a0cf9258b1d21b268dbb9cb82aecacba757d4b59e9459a10d8f2db7a

SHA512
45d46e4f3714f9aa61f2f73639289e1bfe910fdbe1803f67ae5e1caf104e27064d09c2994d64b72d3a027afc65ff33569e59d09f6c623fd2852f703ad6f29f28

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
5bcf3969ca2b730c03b62f00b51ab57a

SHA1
7b10eb0dd8b88bff9936ddba1baa5181be972825

SHA256
f9b17cfc693da769968bddc12ece27507120887295ef38395b214ecb6df8d356

SHA512
a53355a84dd6fcd3e45550981ff0070a8e303a70ae086a4a0dcf9194db78e99bb72524c2537fff903500394b233347a542dabcd84604dead79010fd8bd5b3e43

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
710c5e1f0df38c1451d6071e8b174be3

SHA1
f05096a728c8d372aa4e548fa38e523e51cd1304

SHA256
3d36774bd8927f9845937f48bb3949e4c6c3bf8fdb82ac748dbe95a9e27dfbeb

SHA512
ba317b9f73f7e51c89668e832980332814700cc3fecf8ca5d0d73681fbc6d0fe6c4d1d4ebc037681780b3daeb4d3ac31690be11009e92766b04a916773a8b04e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
eb0d520283a2e03ca29b14f42688997c

SHA1
089deb9034c89c53a5b3d3398f9c82a45eed7762

SHA256
b633489e437d0452df5af6958fb03833b064e18fe0c9d09d6a5a1232a82de159

SHA512
914f8d96710dd68dc1dc05862b9d02823384b0538214b081794a83782901ff3e519e17471bda0db0c6c0dd20f43923c45393bb6c0f639285d9f80bfa94adcf73

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
a75d33b9392e6b60acf5aa9001535301

SHA1
1d225ae275d7b740ceb9cab0f784a458f0316a15

SHA256
023fd62ef10427023d500e3f0604cb845bfd18310c28d7aa9c510236b4006485

SHA512
3cfdfff68373f372ff7473ad76806f6acb22d09acc132eb6b6f615646a66193212b7f69ef45443a26112fb32120fee9d19f4e595939ee28e6acac20c344a19af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
a3f2bfb3284fab740afe1b16081b12af

SHA1
03612fcbc780552eb102911f05212c81e21aada1

SHA256
3021a3420af6ba152c4ef3cca2c8b1aa4a27bdf41e370ad8f43a57a06e3679b7

SHA512
964061e62bbedf3a7c47f6f1a4c03a6fc80b1bf78224c38f5c7d4f8a7ca50b678e28e024a851d0fc2f32c300b4155bfe86023fcfa8c41c2ed4897b0e70012867

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
dc6b8369c3a4071ffbc51cd78baef519

SHA1
765c898544e426622b7b9948891c0d76be525806

SHA256
33fbbc9f38b315ec1652fbe33380c5fdcf511f571c132bd7942192e9bf70cedd

SHA512
5d09b41216655c9a0fe2a7d901a4328c40d83f5066764c8578cfa3ef6a774e5a9fec0d20e2e841f8a4432ef57e63a755586eebbd77f76a5371135fc591f33aba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
b0ca3058b304af45485a0916b9b49d8e

SHA1
c6469684f8a72192b372a1218487f5b8d3d024ee

SHA256
5b196a38f61762f26e4cb40d1516ebd2a9ac6d12ae150451aa8a1c01eed6e541

SHA512
64880d8b99c26eee1179f30e0a581d05fb32f9024ad69f71dfc26acc4a2b6a09beadc491bf4fb6139608cbb1a941c8277f0830ccd0f37ad88d62ec32df0e0efc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
3c6f6c860cf50ad5a6168afb13dbf975

SHA1
9baa33ba0c85fdd62141e6251af3386bf00bfd02

SHA256
66fb580531a63d5c6fb8e6d0ca1391af6135c730ea63f0aa831def1aaa328b65

SHA512
1b2c83ba9bd04bf3f57adb8df50d1da0a0c81fa1be5727beda4d66c2789df8e495ef168010f162e74af579912742a02ea0351cf147464325b7ba3280f1b4dca6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
5c05468c29f36fb3200983af131aef95

SHA1
eddce97c7f6fe524167aac2a8ba470ac89a2fd5b

SHA256
06f0b0b02971304f3ee0576f463b2692bcfae55e49e0d5f104a9673d85bd0d77

SHA512
bd3910063722f4e76aaf1eff16eea7d4922a0dd116ee0a94778ef307f09b55c90815531ba2c171e48e5c09159d9b8e8545b98c8980477d6600454e0347b58051

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
1391d0e3acc6624fa703dffac298b306

SHA1
95e724ce67484be29b9fc93b0272f4026e6b4982

SHA256
c53047fe31afdd84d9e54b2f79a9a340c244d79147a77e59cee5fbc5728677c9

SHA512
97ea3e4475629a136d5c8946206fcd4d291681159f060efbd98be0a2eba524e39bb31819543bc67efb0583bdce4d4e2ddb6d0aa95383a3eb8a4ef94c6b985eb6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
5e7df73e2245427f66249850b6d6afda

SHA1
1f0cfe8dd13217f99aa18e20ddb22d5ca6eeef1e

SHA256
ef34cde669402db33952be4255f6679816543ebaf4c47e5980c3248046e11c08

SHA512
9868c38b179034830cee25376ea3b3f3ddab03c12dcd1a30517b43c45e6611ba20b106977eae82400ad111c5c4dd69f9d6dad45cc00b36db2ac57715f83f9a0f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
6ec1cb29fa2e744d43f7fb451a86a1e3

SHA1
b0bad08b33f25a5460226e2540f1caf35fc2b4dc

SHA256
b7919c214ba0497e462c045ad3a6c8eedad3c6957024e2b8c259a7bb34a76260

SHA512
f971ce371a188c9d99669c994bdfc9c02aec9ee5afd146c59322097b706e44986b50996f8fe79519464a7222fe6f7e3f3c18d5b0b643f69de642faad86f78016

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
ffa16f1c37e4845286b479033a730a1c

SHA1
8b38b7ec62d860306da1b6f81dd46a9299507893

SHA256
6ab689b42dcc9e5d81ef286f8129baebc662a613fb6d3f3d5cefb5c02e546c4a

SHA512
7fb6f4425ecaa17770a918361308fe176f4fcda0b7653c471adccca5e71521f6c19aa0261fc98e463575ea8b23564f8bd969001140424878dd33063d73fe7837

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
43486e85362c40127fc6b376454631aa

SHA1
a17d90633972456861e4a6400cac119186cd476f

SHA256
eb8f4a290ac2bac108a101624563bfd48b10864be6af944722c7f4439f52165e

SHA512
e7daa6e0e98b19e93951b99c00ef43adda1190f67cbaa291be1bc2bf7105aadb355288d36cb741d4c0ebb31cf4fdf558c2bbdaa1bab9e5e21c49cf7d97f81808

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
32a63bd1d15c4ccbe47c5ed46c95bd07

SHA1
0f1d9b3c9a06352537e1aadbe3d81c1342fd8067

SHA256
59fadfddf61915bb7d62986a2220b2b4ab41ea1debfe13e70602a1b79fe3bb4b

SHA512
78a7db94c698dfea4d6a9d3b8efbd92cc6a0d085bed2e47ca132d448a96e173e96fb733395c4b750d7beee8491fe763ff9c9d21f22b3e249da0396a81fc13cd7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
42196118f77c3239a689bc397a7995a4

SHA1
27d01b2fbd44794822f208e42a08471cfe822fd4

SHA256
53f9cc857602dcc1090308397ade5b4174179576f49bfb17f2a3eecf32a79c8e

SHA512
77e29f3f5d78e02a0393d6bbccd259ada1950e44e27aea3f118651f5e3369746c826ea86c143311fafb83fefe81f1c350b37dc5882aefa07604a403763cd02eb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
998f7f1b20b158fc3947094cf916a22e

SHA1
0fecc083844530e8fad655032daf79c9c7ba9077

SHA256
cdb0acfff1ca8883c4ed548edeab63d281b28eb545dc1884a9a4bcf9f31d1a7a

SHA512
e28749cd402e82b559dc59e60438b5090de5835f4a0b6ba24b9033e41c09c5da9810fe4b66ac1280b3221841170469b0b82ef58a4b2ce6a1dd1b5bc101ac0c6c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
4fc0ba45a38bb26fc20cdd1ddba6e8b5

SHA1
65f3a78f594b6a215ae35e33387b8fd5dd75a126

SHA256
8a435e3a071002905c11fdfecdc32fdb972d04e5ba7ba1c743d5f60b991e97f5

SHA512
27f169d51bbcd7a152fb440de14ef5537310f40585fe57b955ea9ea4c938b96805859e5c1242b2f22d8d829001f1f76b34de8c45a329aa9975885326fa48d124

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
1c1524bf61f015904c37b594fda0a223

SHA1
3c4651018d5dcc997d628ee233bc10dbf64a8b26

SHA256
437b18f8515ba5ef93762f87033d50137e57f1588e83024123eaa9969651f62b

SHA512
3b217e39ebf96f3f24b100711883146816e95cdee087e1333b6ac6822b48137b6ca1a9a9fc3324e5ee170434c280cea563b2622b46608337d6cfeea222b7e24d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
2060b7c3c9ad57aca5f25724fae348e1

SHA1
e69ed1890f390bd294d80ddd6ff0c6efe0e099b8

SHA256
d53567122cdfaab0ae87b0e033057474b0d29a6a07301d368c031041342e8439

SHA512
b65891b1f70656eca89d3012a732c8395e4e56a570f906e16c9f1e1b9037bf274b1d10613e68b03dfb3e9aba89768006acf2373261547238fa530ca88d13d996

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
07bf74a2f2752e9ef1abd26fe7d16723

SHA1
aa4610a5ce12da472d7b1def060bf2a897c5a70d

SHA256
2bc240d4a65762bee29201741e5c142402a018ca4fe783cdc4eafa1b8a0f4f92

SHA512
01991ae293e39ccd263f6d0f43f0beb71c20b64378149b97c544ac21a4fc55a3ca914287d64036dc09ebb8fe217d723e06faa85388cb5b894599174ceb253460

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
667de05043dd703692e739467337ab30

SHA1
a5fa9911da9634960127795f946f086d09e3e3ef

SHA256
b3b4298cceb3e40896ae2fcb0892cf6a9e868ed7dbdb0973a9198086a3acf37b

SHA512
447cac3b9703a420367b125c3a18dc965026783c6b1c37b6a5ebb1050245fd34c117f8ac334054468ea4397a5c5058576bd18eacb1c296030395d2ddd2898d7b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
fb38400572c6ff0e0800d9e3f70aff92

SHA1
8679a539ecf738cfae85aee5805da997eb94c0c8

SHA256
c32ae800ae863b52b190ff0b34eb80e8a1ec0c5dfd0290abfa1999c04691f371

SHA512
34eba029efbb1ef6a0058ac3787411f36c2e353c9d351547c4b75430501190127bb3246b297eb287d0e129dcf4535fa6eb78da5fb9dbf09a59d4030a9168363a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
671564d1faa7e376594784286b194c21

SHA1
9d7befb45adb2f079a97f1d84031ccedffe63c0c

SHA256
28b0fa19a58041e2087b84eb901d57df0a28d9dc3917e7dcefbb75b26ed258c7

SHA512
1c1448fd3febf72ff2ee11056ac0d769358d87d4f3d2e1417724ea8b25caa4ba5779d20764cca0cf1a028f459204aeeedfa4a8bcd079ae81f5caf160a865a4fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
ea790ae5696ba97a1f31c900b4c3404c

SHA1
49fef0f89b74e47f70b1c0a8feec9a919eac6cef

SHA256
d0207f89b5e394ecacae3d9f9fc22a4ea1f9b4500fa5f91f87da14e29e6b122c

SHA512
b10a5d2612b36b5203fbdf9c8bd95bda00a3e747f95e4e5af309bba96d6a3ce889003b61687104ceb3684c30c95cf3e49caff9afaf01ca1c36dfaaf3ad8c34f3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
0d86c6fe0d9ca1838909bdc3fb3ab026

SHA1
5f3d9ed880f31e48fdc03b6887c79c9e7577c002

SHA256
28d8eaa5dc0a0e02e4fd4e1028edec1b34618647a28fb39d5dcaa7d950806fcc

SHA512
4dc4e0d58fa1374d1ff49bdedb82027d5e45b069fee887a085dafff91575af712731833746d66bb285a8d76a51d282a51e7b2c9e321c0d68f3ef1f9865d438fc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
390584453519eacdd971e591f05a180e

SHA1
f9b36cf6334ad840e49952cdbc5258de2aee9441

SHA256
ef383fa97ac19cf67ee3d278879142919f56e0406c9bdac99433864d6c95677a

SHA512
17e661c18fc14ca6bcfc616712df98f31f5db3c2ab505fc9feaaec6b183a757860bc71a7fc2cc25036315093117f9dcc5253be75e965ed1b7d39b83187cffd7f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
e21763425a0b97c8c11c8b7f31620881

SHA1
053b9d4747c3e1f43aa2f5016df8b552b8e011d6

SHA256
b1974ea8b541101ed4ff7d0e2552eef1366a91b766f6389b2584a9c112fe5e95

SHA512
712ce0129a64654367b5eac2ea6b27d8b8d10d3b145d506495de9c07d1f75f8029fa4501fbf3e6d4f09e4b00e8b399d9b4f7bf6e191e1e7136845d550027d7ac

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
ce45dd0c8c73da40456b654a6e16f458

SHA1
dad7ed1a1d63824ae326e21791230eecf94cadbd

SHA256
57d08ec274bacaad4a34ece2d957a2b6e8fbf7a773a90d2a0d1ce24838202162

SHA512
bbbcdac456fcf948b49d78f5bad728777410cbb9de199a245667577b24a9a1a7004a10afd0a3e11544e20314b48d92cefd64d755cf2d6f4fd76f8c0214e541f8

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
56608895389c1c2470830f860f443f81

SHA1
16f6a11622761d41ab6ce381e604a741f942c254

SHA256
b60cc3929fd19be1dae665741e1c8fa979cda5167f41dc1ae7a35810a6428239

SHA512
5642cd402b21fbb8eacb463a7c90a19fdc0be47b172ba8b17dfe33b140f92962c90cd9f5642987ec41a281d5224f3bfdc1c2c2f0d2c7157b0a2427123b2d77ee

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
bb8325a1082ad647c48e3abebb965df6

SHA1
8a21c0abf705b1cae587aec13032f1ea36c7cc26

SHA256
a94a9c55af5fd6639a6e709e7091c86607df71c7b3e0492d65021d013a8baeea

SHA512
dbce7558202ae7db7c9385c33b5714e89fa78e47f96e5ebdcbf04e1e236e6fa645a0b37bcb57983def33ab63bc865f6c69aa13d1b3bb84f33c94ab08dd1864bb

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
4e33e87180ca69b06048f908586b4bdf

SHA1
e07501cb774653018953a33edec12a21e33c68c7

SHA256
5a09fc7109819ada02e4c799e8632c3b5b0bf63cbd7d7afddfb15cc26308a0b1

SHA512
b37f3bfaa3bfbbfbff51076273efba149ea4bdff021d3eab7d9a2c19717fd552c8320b8a4d0e0f11b125c585a0d81a034c034ae1592ed1d79edeebf3787bec18

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
74f40ed2c15071e54bd7daa5f5e95d76

SHA1
04097d123f44ad7edc4790c225d2e3b182e3ccec

SHA256
55e77829039bbca8283824b658b6c7e8988458378173a1418b51756a8311f2b3

SHA512
4152b300747b4cd608fc9d2747e255f96bf4a7e289cefc6ad311dadc7c9c860fad92c7467c370e8193c032382fa66ef19c72f0bd14997fe25ec3d4413e08cd77

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
51b82c874f39b8f498e760d610b206de

SHA1
d8f14e83763f061494f85389fc09f817e465c36a

SHA256
d0f4491fb7cf0ee972948fa1dffa9b1905029a50590ee0acca047bcbb0f9c644

SHA512
308838610d8403a5087d3e11da7b468b6786c2aad224e796a383a72095a021850c65c5ff6861c3b78eb51d62cd94eb64c06fe5eca0eb5ff7c68e3295f105a4dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
3719dc15cbf9a76dccf29ed12e10c2a7

SHA1
5dafacd01e4b3db9fccbd6aeeb1979835935a43e

SHA256
6b151e3f151397dc31e943e37ada5be155659d30927e229919c702d78db85cf5

SHA512
7f6efddfd8231b674a7f8968c9832967439002df4bfb5fc9cdfd133231efa88395a8aefff028b312918c5976e6469b6acb1a371f1a20c8abd4f70f65dfbdf4a3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
2768a7a4be7f853cf817f85cffeb565b

SHA1
f1d5d65dba3fb1db78d1423be25f48d53f04ea63

SHA256
5441debae8f2221f04e5d96394e24ccd385a3881ac250d234170fba04c7b8914

SHA512
4a65a9543a03e4954e5565f4a85306714d6340a92489525245458c4a701bb26ef227915c720dd35828e723c3fd1cd2b6e03808f6a3204b93f690da8800fc69a8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
f76936fb112568f14a9eea6225a12337

SHA1
9da1c8fdf9bc8b4b9031f91dddca325477787034

SHA256
47dda8e08d709d130d092bc8d186ac5341a76e6b3acde9874b54f45be0898add

SHA512
18bf11353287c897bcc3a15468c764b004090793e2c3f4d4fa81716c24a8713f5394d1dd1b63e6237fd9e397546435ac0db523cee8c4ca16d50b9d67b2f0a136

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
c97ca4f00840f401f44cddd424ba5cf1

SHA1
0c8fff2229036eb5af11b8d3c7ae040789f08758

SHA256
36e27f2944ee5015ec3df30d053e9df1b5cdaea9b65057ec1d6f5828f0bd52f2

SHA512
f0b5f2812dd6ba98af0e1b05722f76ce7bcd918361efd74fb42ca253a67ed63aa38ceb06856202cfa67b0e72493ac6ce3e11a927fd9aaeabc2dcad460d34be03

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
3a78e5aefa5303792743bc55683fb3d4

SHA1
28e3b6085365c1038088522ec273ffb708aa7fa0

SHA256
de51c18aa28e808c8fcf9d033f4a57b0f5667ca5c62ee3378aa2cd338efb7fe3

SHA512
495de55fbe7ed2b1c211876ad692ba67dcdcc13dfb93cab546b13be7b424e1acebd6e5e15c6df04fd518b616c13acb25067192391cd40588cbae49e69e1b9365

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
e0b1c87d53e15a6216290456af5a4f55

SHA1
1a3dff0f38222776dd6989aeb8b9fdedbe29b005

SHA256
41c1f950a7d7fd53a037c0f468465a086778bf48d0571125be91a82885b81348

SHA512
cc87b8b8c1c76445d39237ff9aaf82d4b5ddfd367f717d6b1f25a7d3947d61614c931e2f27bfa35a32ab80f74212d0ed2fbcb78853836024a320038aaade8cbf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
ec488425a145c66571e6acae5459eb5d

SHA1
f1cdd1727929db1ffb91196cce3e7f60415f0398

SHA256
47c8eddf310347816ea57fc16ba5ed84c4646c04c665c3020aa18e9d6bb97d4d

SHA512
4aff26a1c2d6f47c240f34bbfbefd5edfa9939c44531d4a413a8d86aaf57ed835625dea3b44b291a1b3ff99b007ec9bb2c34e7ffe2730105548a706823299e69

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
e7c2fbd6f49833a4dc1e44dc253f8a8f

SHA1
0bf12d8b09094053355c876f970e5f5c43acaa82

SHA256
1fb6bebb574fd45bcb432609ffcf7f1b1a67c005349cbff05359ee60bfee5634

SHA512
58214717f53b4ef8799b58a7a410df6f2ace6c116b22516881a2708e81a13d18527443cf1802116ee649d44a6b7ea94c8f1ada79767eb1cdc2758c5cb2bd69af

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
f328e703e45b6eae68a1918c27591b07

SHA1
b99d060db889c8a29ca0b9fe722ccfa4f6da11ff

SHA256
2214216004aeaaeb06a4517d2edaec90f0568038e67ce881da6187d2e076e5fe

SHA512
f5bcb5ae05ebf503973a615338ffdba0f2ce70df8bce80c49b8113d02a3b8658d2b699a144e62c3afd9d806f77e9b1e97581c56f5beaea148228d2c55cd93af0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
45c9f2099b4059e29481e1c7fcfbfa5f

SHA1
ca898f50242d75ac8f4cb0c2b1cfe185994c743a

SHA256
6e95156a78e9503501cb6e5607700b91ce0c5b603b49f15c84bc628b57990122

SHA512
8fbcdde99e1ca2d72f16ac320003b8dc8ccefd2ee548054e28726723b131a5676492c6d1ef8e7759fc21c8f5535a9844eadf8b4fa2f2bc1139a36313b25cb5bb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif.EnCiPhErEd

Filesize
586B

MD5
8593eff0fc9b3de9235dbcca9b054448

SHA1
ebe7be8fcf85a003792c4e28a43aaba3af624873

SHA256
941778d49620920f66aa90e5b7e5bf92fb9f14132c38bc2cf90b3840ca1a93b9

SHA512
48059656ba3675087c8d4e57de1fb5c1e8f2a36cd4d8a5dbc3f1ff7ae187a09bbd8d698984b05854cef1472267621c6074915a01d40140ffb2edb1cc487f09ff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
3a3a0a236f4b3bfe956d44e1d61e8c2c

SHA1
70af6da4d6039ffa2c8de4308c644a086d180971

SHA256
871901e9c8660f05b9300ecf5e38d7ec1b5e5304be1eb608080f5669a609dd25

SHA512
a9891e91abf211c8cfc5376ae2218a59481837c2c11df0e61205c2ac676f943bc082961eeceb62a966c2a3ca3605ccc3d1a1470180d0fc359e0166258f1daa57

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
19d54cab01a9f98395493a6dbfbde6b0

SHA1
cbad37eb8be4409d96f6c26d41de8db20f635dcb

SHA256
3c20dc5c607091dbf9ec09c58bf74b0bf2bc8164173043b1a1075f32f8e4df66

SHA512
faa1a117778af4ebcae13ef641b356c5574b9d394644122ea89daeb990b298be71a8f798ce35ae519f2c5ca228301498a8d257c848e231dfc488eb60ef0c2b6f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
aecb20258b55aa32f7d9f74211179f8b

SHA1
66987ebd8dbfcf82538c50eb5317824f26676b43

SHA256
386cf93f756f95f696ea0a364a8a116b17c3a68179c14f9a31695f0ab8eb9c69

SHA512
dc4c926553db9bb0a915610b8a62659c2d0757e6935d721c7fb13e8862fa5f18cb182d437eb6e676464d67a91ca032959127df1b45615589e9febff5d6f0aa33

Download Submit
\Users\Admin\AppData\Local\Temp\abxd.exe

Filesize
7KB

MD5
a1d121ab07f4a1aa4b616a40a2e9d9ca

SHA1
f01318ce084ed79c39a441b50ea6a5a960e24afe

SHA256
bcd79036e5b04304f16dd88aa5f971fe07b17c93607f4466b476ef79cfeea518

SHA512
c009d2ad02ad10cb1991859e80b95ad8191e864168b62216ee3d13efa5ec416fd333c1eaa6cadcbe94269fa398d9ca7340b0d089cc7ead8d65acc382076a5787

Download Submit
memory/1064-5-0x0000000002980000-0x000000000298C000-memory.dmp

Filesize
48KB

Download
memory/1064-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1064-675-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2700-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-9017-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-2179-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-2172-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-5115-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-8682-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-9016-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-7145-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-9018-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-9019-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-9020-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-9021-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-9022-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2700-9023-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads