7bb40acf3aadb46d5d7f7de1d2e8e81739aeb26c7bbe7c4248fa074e3d6f456a

Resubmissions

17/12/2024, 22:47

241217-2qskcasmcj 10

17/12/2024, 22:25

241217-2bx7aazqet 10

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/12/2024, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
Size

12KB
MD5

f9154b290dc8fbf1bc82065d656b6590
SHA1

cca6c6b00d6072f08aad735cb559839f333fcb9a
SHA256

7bb40acf3aadb46d5d7f7de1d2e8e81739aeb26c7bbe7c4248fa074e3d6f456a
SHA512

62dbfb6cb8025fe80c47fc076964cd33592f7a1bed2094554522d46b1a7b04b03056343be59c0180543b0097735564e35fa306c0ef025f0d7434bda44a80e623
SSDEEP

192:5/TrG62a6B10k3g4fXk1iTV3HGc7EkpAqEjaGpsHcxUw4h+lfPtRMUsRgHMMC:5ebFNw4Pk1itKkpAjjJs6B40WUsRdP

Score

9^/10

discovery persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (2204) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZFe6iILss4arp10.exe"	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmelsa.inf_amd64_neutral_374f9d31af832d6b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnis1u.inf_amd64_neutral_15011483bd8465c4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_cmdletbindingattribute.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdmtphw.inf_amd64_neutral_a7a22bb0bb81abb0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ar-SA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_neutral_9fe8503f82ce60fa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMail.bmp	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_do.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Windows_PowerShell_2.0.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcomp.inf_amd64_neutral_e5ca2f01ca47bddb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpp.inf_amd64_neutral_a9cb77fe1985cd2c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_modules.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Signing.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ehstorpwddrv.inf_amd64_neutral_ecd233d7cabbdebf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_scopes.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WMI_Cmdlets.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_execution_policies.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_transactions.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angelu64.inf_amd64_neutral_3d6079dd78127f5e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_hash_tables.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Arithmetic_Operators.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_PSSnapins.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00y.inf_amd64_neutral_64560c72e81f6ad7\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tape.inf_amd64_neutral_c6a6811d3d827dba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\APPLETS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_regular_expressions.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Break.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ts_wpdmtp.inf_amd64_neutral_daa64ca27846aa23\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr007.inf_amd64_neutral_442d902f3f3dd5b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_hash_tables.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_neutral_77b02fd738dca150\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Comment_Based_Help.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_properties.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_debuggers.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx005.inf_amd64_neutral_f65eeb9bff6bd8f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_transactions.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00e.inf_amd64_neutral_0a4797d9b127d3a7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsusbhub.inf_amd64_neutral_c67606b3f53ae4d4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-OfflineFiles-DL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pssession_details.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_cmdletbindingattribute.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsier.inf_amd64_neutral_622ad8125bbeeda8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Line_Editing.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hal.inf_amd64_neutral_232b95977cf6d84c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00011_.GIF	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3B.GIF	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\THMBNAIL.PNG	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00142_.GIF	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\flyout_background.png	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\picturePuzzle.html	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00139_.GIF	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2B.GIF	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746G.GIF	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02077_.GIF	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\THROAT.WAV	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_ButtonGraphic.png	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\art\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Media\Characters\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a415063899c742ab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-a..on-logger.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f07dc9069aae7249\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-docprop.resources_31bf3856ad364e35_6.1.7600.16385_de-de_be3fbfa99c9fb6c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..ui-pmcppc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a7940a6b3816d139\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..minsnapin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_080c156cf8c8e83c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnca003.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0efd8e0c7e80662f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_msbuild.resources_b03f5f7f11d50a3a_6.1.7600.16385_it-it_e19f40eaf810c322\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-photosamples.resources_31bf3856ad364e35_6.1.7600.16385_en-us_86325df4062acda5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-photoviewer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7b53b5a54ffb797e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.1.7600.16385_none_41170ef266aac7f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnlx004.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c4e5b550a8b88123\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..ragelayer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2d0643b056296a14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lua.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d72a84d3502b0701\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..etip6-pro.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ef3b685a403b1b83\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_smsvchost_b03f5f7f11d50a3a_6.1.7601.17514_none_e6b622bd1115139e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dataclen.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_61d1faf26e443c07\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-vgx_31bf3856ad364e35_8.0.7600.16385_none_07c7aec5c1108570\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_90b7c0fb4a98d0fb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-hid-user_31bf3856ad364e35_6.1.7600.16385_none_32a13a14a11faede\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\default.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_fff3e41327434466\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_bthprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_eaef03e1cf7295fa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-mscorrc_res_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_7d01426b4419737e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fa282a13eee96e21\slideShow.html	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_ab6782291b0ca7be\buttonDown_Off.png	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-20108_31bf3856ad364e35_6.1.7600.16385_none_51239d534821560c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-nslookup.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1c2b1939c935ce04\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Windows Startup.wav	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dot3gpclient_31bf3856ad364e35_6.1.7600.16385_none_d648d8f4d6289ce9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_en-us_540dcf6ac28b9cb4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ender-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b8b5f50fea3a170d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\ba0cf5858766f7bc9413b1d4af6d69bd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0416\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netprofui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_52d5b890943b007b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b90767b8f51495f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.visualbasic.resources_b03f5f7f11d50a3a_6.1.7600.16385_es-es_cb6f41e8557e8420\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_smdiagnostics.resources_b77a5c561934e089_6.1.7601.17514_fr-fr_76dd972d5d03c086\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_1bac0b4d803e969e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-mshtmldac_31bf3856ad364e35_11.2.9600.16428_none_ba94b5aa0c2bfe0e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-isoburn.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5bb3643f0c3357bc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.core.resources_b77a5c561934e089_6.1.7600.16385_es-es_933bc5e3ae7a00d9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_936f7103201721b3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_it-it_dc658d0c024781ab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..ork-msctf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d60bcd26d7def25d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\Boot\EFI\zh-HK\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_sv-se_eda9df32202cdb55\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Restore.wav	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.build.tasks.resources_b03f5f7f11d50a3a_6.1.7600.16385_fr-fr_aa51ef0ab20d731e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.1.7601.17514_es-es_8bc1cfcb2cc9298d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nslookup.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2cd60be19fbc2b6e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bf692d6d471e02c9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_remote_FAQ.help.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1f581fdf87449006\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..nt-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_182b735d4eb966dc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_588756b8b7ec6ba3\epgtos.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..-provider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e9e8ae320111a0df\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winsrv-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4cc945cd375c7f73\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnlx003.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_970691bfa81203bc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..utomation.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9d8d9ea57931bc7a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_pt-br_59b90943c4d9db88\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YPZEZHCHKRGLOLF\shell	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YPZEZHCHKRGLOLF\DefaultIcon	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YPZEZHCHKRGLOLF\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZFe6iILss4arp10.exe,0"	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YPZEZHCHKRGLOLF\shell\open\command	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YPZEZHCHKRGLOLF\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZFe6iILss4arp10.exe"	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "YPZEZHCHKRGLOLF"	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YPZEZHCHKRGLOLF	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YPZEZHCHKRGLOLF\ = "CRYPTED!"	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YPZEZHCHKRGLOLF\shell\open	f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9154b290dc8fbf1bc82065d656b6590_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
282B

MD5
69a98ef655778f1cb3764a923acbae80

SHA1
22683321e95c9a631039d15fc49ac5d3e639ac54

SHA256
2ff127d5bc4c7333c8f522aa4b456684eca97c06d452bf7d00b6a99b49b11b0e

SHA512
610fc09f40124e1a74ff303ddd95ad5809679be9e0c381e5d367ecf8e1e137c3da188142de7a2c5fe2b1225e12482245f2b5c417d43d73618108bfb1c32a5ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
3792927f3982fe311aaba82914597269

SHA1
9a41f615c927fece33b5f5ad6703146ab0648a25

SHA256
23f067dffcc7245c179612692e4dccc7c529d500a9aa582eb5c91b1dfce9d9d3

SHA512
8e501aeb450a4f5a7792c6fbbf05dc16a11a6d799a4169f7950c93c77302a15934f1add087dbb2e4c2218711a85f9557b0185f4f161dbc35e2f445093f13b369

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
ba8cf2d7f83f252b7ddea47907c3b1c7

SHA1
a92e6f5d42f34d76309d8576d38af2f7b79d9495

SHA256
6036d2eacfae71670caf74ee7f009f8021b3444cb2392e1b36ba070c008c1cb4

SHA512
09355d9be4ab6c90e7f066c90c51cfeb17156e0ec677d07761518da9e332f7a524a8dfc32a49aa7cbaef9b53f7a16ace2d8456d4323647f2ff6e4eb20054e181

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
f2688cbaf29039a8cf4e90b2756014be

SHA1
65e33a784d7b24ba4c24095f0912a3693bbe3d4e

SHA256
630b25b768b7f76c5b7279c0de9263acb90c1d9a316bc5e836e451253af5e3e7

SHA512
497ff157294345db414099b77de1c459329ced1253b87d9fffdc2cc66fa78270fbfa4a5121b9dd4a4a29a039b6c4405eebd6443844ec00ff93b3f026c7101d7f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
d4635567df44b344008fc88bb8903ff1

SHA1
d271772617e0c7836021a7df027d50af584516cd

SHA256
cf16000fca7de3b8bdf56c785d8aa6e66b20850422efc6a63d77a1692660dce8

SHA512
7655499cf0f79a7f43d99c588f0a3ac6a7a447faa751d23f4b4a4c6e8fb6d4079629bcdf5d2b96c14361d549596a200aad207f5eb6a8997db03e4a976baaed79

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
9b7ac78a3da348561911bc58c142dd5c

SHA1
416ec08d1e3c34f0709558bea3f0303baae73e63

SHA256
3eb4af96def563e46f70042d1aa7cea4a0bb4923d5a8a4aa0413f2e4bbeb3dd9

SHA512
dfa295342192ab17038c02b22a7c8257aa5575ee09c16a33326700eb15a22ce6643f523b8bfcd7720805ba7df61ba70af8f7ba7d3c10c655d5812d311470ba63

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
54ed69f1c649c5f12d1fd461193eb46c

SHA1
86c6cb40737898c3cc6deb856817d84e9255bf5d

SHA256
efb534d57d4690f9288bcb9195d56bce87649729276e83438e3cfebd99b027cc

SHA512
7706814f474dce22fb31fa2340ba00ce8a34bafe51fc985dd1fc71497f061eed8e1b7e68562164856efd739a9e2ff232c903ea860e172ebaa88974b8320590ca

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
ea90c461d5d9d6d14d102e200f05c7e9

SHA1
38a25bf9c7c917586f363a85923ed9d1f3ae25f6

SHA256
a230824512ac20a1823c0774993e48a7ad0bfad89ce64d924e1da071d9d33d42

SHA512
23beb409ce75329950e9cab61ac8b5062942a656767eb65bba29bc7a9d54975a940041eda5692d0d68be96b7e9500db35afcfa240e6db7f5f74410d15e9c35bd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
af31a57cc80e010d2ddc1ddb03412b7a

SHA1
e5b18e6ca147ba27d3a08bbcd78d35cdcdcb0854

SHA256
4f144e46d67febc8cde54b482c1e6832b2e382ace81a81a0e71bf23e4576b62c

SHA512
092778e59b0f160807ba4539993022140146d7aa45b99ca136a0475c3cb4c13f9d43ff6c8827847ce271a8151c68bf67e301fe915a175b040b67756158da5cb2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
4715ae75544b3f17547b877686b94163

SHA1
b04a111617addd66311b58bf7ff18e3a5449e6ad

SHA256
0f1322b01594b316c7a2de84c66acd8e46df4fb6c25436ad551b13509ce82429

SHA512
3452d5f1dafcd8cb5ed61de21deb695e60976da8ecd869543813e00e791c4f4922d0865f0277544beb334231610384118b970c2da9f2ea751a183e075537c3f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
953505514a42144093fe4360b60995ce

SHA1
2c7c44a8c1472c5575ab513682a54b0e22f33237

SHA256
4b29f0cc404e6a5580d20bb76a61da3fc5733838eb205f5ad2048027e8f2ae1a

SHA512
038c10e76b89f0984228415572c1af70b185e73382cd85d8a453be3d8e47b2d3dbedc9de625fa1c506e1a6e7e398fbc4de5df3d4531d0708781c195fcc6c2a28

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
992f1912e13c0133cfb86b65261c17e2

SHA1
41d4ce978700db33233d30e7ac87ef91ef2ce7b9

SHA256
c423bdbf9c01dab77fb9afa10eef646b69f0444e24eebd0298e3c850dac3e053

SHA512
3d6501512e9d05ba46ea2c4996ed167c1a4ec5184a03b7113f27834a64561f587f3b1c5b1d43817efc9201a284f1e5f21be1daec88065813941914f5338d783e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
0867149b3b5d3d4295f20d29c8d640fb

SHA1
7f79f570b457472a04b716c2cf9421d0be34bfac

SHA256
a698e09a89a1cf9822aa922d1282fe89b59a816ae5062c4da3b491e7c70085db

SHA512
f6bfae8ebabd6c28f3efe6d789e082c3b60f292fdad2b0e3895c3e0ea7ec5705822a66d9ec644dd96056ee84d13d35eca08453f0c517c46829d6a1b7c3d30653

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
b756a551e31bc4634de1cef91efb34b0

SHA1
c6584e6067cdac1319622cbea08ea207cab9a768

SHA256
63f4b971b5145807ad15ae9d69e321eaa059e8bcf4b9adeaa53549569e738bd2

SHA512
08491921a9859596b4b72df5adef91e498fbbd5dd576af82f508ffcee9742e8377b16d62fcf10ff9f531fd2ac6668d6c69ce11bb5264cd37e32e3f21cae67c3a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
c6a972964667e8e3c2c452c21d6c5208

SHA1
85b54af665ec7ea136c4d0aa60620a748b7fd3ea

SHA256
ecc296a77adb3dba0526a5d3f224deb8a9f04cfab49588483c19ae53905781e0

SHA512
65919a106d745a3c0a7d59d6c37cae9618d5f5b08f29946b17cd07f241cf8e8201afd38baba17c8a81d090baa86a34c48ed95982d8f632a2c6fd412c6455d4c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
b105d8926b788427d5b306881e54e04b

SHA1
a03444581848339bb171692666c3bd15590490a6

SHA256
19d6de021a656a6eeb666a3b734fe0444eb0c0feb30f5e50093a07d489990dfd

SHA512
87b25ab75ef7ca3fc5834f85f61ba42ef785a16145986d75ad1fcbb10dc926e2394525d211092c824453f31a444ecb77afc7a55879cb38e9b396b8ff81252708

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
5aca7a24a4c9cabb6bdc14f87ed2f9be

SHA1
6c6ac80172789d4f740a24fc065e38f33e11814b

SHA256
aae20bc71f4b914bd0e38526e75728d04ead94c5f31bab4b7c5cd74b0fc3d698

SHA512
b021e974a8047d490e36abc8afad74cbb80c3e8708b83159a4b0c0d39ec819c87a00fb8a03bf9e8ec44012c2fe6fe97bed4b18955ad144afb9f1724f25cffad7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
904d2a9feee18e4e938a290a4386f13e

SHA1
16dd41a51dfec0a96a8e4a921cbf3195c281478e

SHA256
565f61434c5ce2a23e9ca5fa43bf855f9f774814205c4b69329a55be5ae492a4

SHA512
e287e082e3b66bb4adc3eec0def8772e662ae6773bdda4828f8a4c62a929b148539215733db6902f2bb4a44e50ce3b118519c179fa9132aecaeaf2442a8f6ef0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
95bb397163a9fa8fd912e4ff8bac39ee

SHA1
45c43d8f5a110844852d2a4408323efb69f48303

SHA256
f8da9dc2b051db62259e87b01ca420aae35ad3ccc6aa92b4456a0677344864a1

SHA512
7d370428676d543e958fb128b3b6731ad762f9c4e9dd76b3edf8f9aa3da8fddb26441e42036292a71c1eba31eccf74fba9598e763a8928075dba95a260384d5b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
41b5da77322c5c61877efe867dd0a10f

SHA1
ad0a298eda0a21826509c1cff93710bbfd99e7d4

SHA256
8fad15de6a581c1a69594160d9889aa21882a9fe8abfb23eba88587848653e2e

SHA512
c1d5150ab2bbd807ba628b57d98afecb2864a561e35a59c256052c254d97ac0611c6019f6f17a81004409a3b7796d8ae3623e0adc35a6665479d786de04a13ce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
009f4f75cf9be339b1468b788bfb58cc

SHA1
ac1d1817365ec782a9943df0b3650881f4fee2af

SHA256
1d32d53186c0b84f2fbf2cfa1ca7b28be110b8369ac25b24251451a8b30a843c

SHA512
ab38355acc322ef95566b88e4850e3e3da0d5d3cc0de83e6e6743f3f14ff2d6a9f12a05cce9402747d109005551d5a0ce2cf5600b561bb28c80128c8a91d675b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
eb2648612607e45d518a6665320b860b

SHA1
d2104c5110aa2018fe4263eca154b3a9e2baab6c

SHA256
b5cd6e0e19114ec443d94ce18fd14486c2a8552c62061e7870f69371ec8cdcd1

SHA512
aa3d2099a1dd564f5906b437d799945fa41339360beadc6a5fcd350a965d112dc084e6fb9c0700d8b5be922b2ceed837673335fc55c2d81b654e8bb4c08092de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
7e1e55c595f9c574005510f37047cd54

SHA1
9418329d9078ee887cd9e87ea10e348ad8b7338c

SHA256
d0fbf351d2af8f698eba30058475d1ad29ba615cd877cc283d7495422d34caae

SHA512
57901ef155e3a00f2e313ac7604a8778eca996b2479b9933362ec7abc6d8a8bb2858a39fe9a461c803d0e7e088229383be70c0d74a1f1cd8be3e695606b2001a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
26a6c3ebb11e067aa1c41704e86aaf00

SHA1
a89e2e4ada4512325cc8678aac957a69cf3da17b

SHA256
99421ee9248b62debd893cd09c841b0d2c5979d87b05a8adc27a6dc9d42958ba

SHA512
a9e04fd0747e278e7954a8471be00e3bfa45159a3b6c42127ee0d634947d33408a57b142c8212fe7b7a7de6d077137cdb32e32728faf9906f9f7f5ec5f70f87f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
b48c1dc7fc08e394f37686a3a7966c09

SHA1
97e79f4dcda08b0db4e49fcb88ab4b6039ad106d

SHA256
a063b0d161975e8585b0db906a10929fb0ea237a37228726a6a7a4123044808f

SHA512
a637e1a96b75070d0cc88a8a27cead8fcbf66db3e9e408810fc8fdb6833f5e39b8a2d3b3a7b710367ed374bde885719ec087f5c4c13668a9f50711794823bb07

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
65523e3fd9b13602fc71b7334260e0f5

SHA1
f824b0747aea78df672b950bddeadbd3e8201604

SHA256
1dfaa7f4253d32124d49ee011d30e568bd95f0f18a9a7b9fff7aa5a1c22fd808

SHA512
015eabe3519c7c2d65c52530a0be885a68a88ef61166248fa02e394ce1bdbd582f32e87d045f988fb8a7aeac99fa22a25c91e6bf63dd03ef5e832130f8bcae05

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
5a20ff4a281ab7fd81a7b16bb33b3aee

SHA1
5340975655a31415cf786ccd0bf8a3680b925a2a

SHA256
7f882f6597dff6e5cfa85401a7cfc1aa5207dcd10d6dcf8f674a424c76fd49d7

SHA512
a0e8c8a826e7cadb7417a9f68d97abf394375a09d1303f7946a6b1d6d36a3c5ebb5dae3354e314c9a17143cc5af921b6d1b44ddb2d64b611e291198b6feacffe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
b2f575951f55faecd29a914f1a09e299

SHA1
cf0cede6180dfd0f207561b0b2c8e7d2e4abce2e

SHA256
3786c1773431e738b4db84454474b0e0aa8de998d86ba460636146172ad44e82

SHA512
9c6ebc181a16c2e5ad82078994814da8647966b9c1b32e8bf635b9c45669a0f9114a70ba1ac480677327e64564bf1b2e6bd95255d6611a5af5dd3f17382d2365

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
93723d57423651ec9bd23c2ab4f9c5c0

SHA1
c3334d8bc87541e3c71d08c2e350ba7d1e4947d0

SHA256
a3b8fc72dd3249cb9119477e2bcd368830eed32dc13ffc10bc3c2d6ec2935ff9

SHA512
708f442fb3996214a38a9969baaa51f0bb0d6cc1622ec011de07ad195b7103cff06ffb44eeb5184fb2861657e0ea719d7494f94bc4ce2228b32ae915902bfcac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
6076ce724436635b22f2a4aeb4df3bf0

SHA1
4015d8a0d0247cfb1a53904dbb3bfe6f86bba2a4

SHA256
1375336d51e6be3bcc89996e241386791f7a758098126659fb8038bfb82e52b0

SHA512
57a58aa1681305ba1101a1a5e47acfb35b95d9a8fed3e894438f27fafd8163fa15a1b491ccb449b08ff1ce3f84cfa434d255a8218dcf365a99ee2fd2c0786da4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
698c29c21a52434977827107e8febc2f

SHA1
be5811fb04d7723fa3a734a065ab5fa2d39cc58b

SHA256
efe1b85966fc73ec6a07cafe9a66116bf50a40695e79fea78cb938d351b0870b

SHA512
257bed8fa1199106d97c5ef41f44af2306b0a7e5ca97d54310c1c90e93d6258a9827b6ff3e887d2dc6087d1283fa225115680bcd0c33795fd712df725dc48029

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
c76ee34ea5f89ce4bd1886aaddc0cc95

SHA1
bf89b0ffbdf34f50c80542b4f140c6c0dbf0440b

SHA256
70b0e1a46df5093aeaf805815c6b74e18e1d7752d9e31b3169fe98380283afda

SHA512
c2dd2af708fc86ba620948f03363b805fbe22653150814f928ec6369088ec4eca8e33d3a2e05a4f7bb32bdca75c6c7c628b5b1c9045736d9ca53879bac15d3b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
1887231c6c7bfcdc3a89e9eb0df32a70

SHA1
ea167214a681e01af5101a7335613926119dbe4a

SHA256
a51ff5268dace7c1ee6a850a343cb88db42fddc0a495d4f464242cb24c411d11

SHA512
3f9e7cee234d5bdd207f9620fe5666b2557fef56525debdada404809643b1338b9dca608b430224dc8d649602df0037d73f9ee3483d8a420b53ccb6b853ba748

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
8d1bc71c2fcab218fecabeb8f196adde

SHA1
c98f99f9e2f49e644a73397c938325deaa951598

SHA256
1f5d9847bca29c1d14d12dd3dd410aa98829295d2f1d9d61f0bdd2a51ff0ad8d

SHA512
2a78d630f7ce010cc9da212ff74e3d5da521b1b0b0595fef2853807204de525934567295dce550b9ec94e201ec29e9a5667c54ec53dedd46516e2ad5ec7f3a51

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
0339d37dd7721840f25a7b64ebb64542

SHA1
895050affbd555ae5a86af2eec9dea9b4214e300

SHA256
ca2afe4373d18fe61024b84c7f0580afd059cf681c5578cfe10dbc18d03afec3

SHA512
2d9062ac3a3c7203f406f2cf7027f5372b43798f86600c7e00619f520f79661a4a26f18355d99cc3829d0b14a6e18c4059b31338a75c0114c23af674afe5e80f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
747101fed4ea7d9c7506f8a74668eaa7

SHA1
27a8574aad96c16ffc164190dbcfb0b20d0dacd9

SHA256
c66ad2ca849cd0824d744d5273964dcb382c6217e2a4e1ecd71d2d0d062c51fc

SHA512
ed5cd2c34da3f4e0036e270bb0d3e474ccc220ac0919abc8e22cb461fbf90426ad82f9aeefa65c60607e0863478d5615803c2cce8e17b4d0c59d317cff57e2a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
1a051928c97015655e1d92c34b9c523a

SHA1
3fc8f7333cc1c819fd8f636e01852b9120f39a0f

SHA256
625b96ae312a8517aaba77f91a6e683340c8332c00c09c01a4cc24d65ffe9ed6

SHA512
b69bd0df1c77e8b38a9b63069a3c522218ffbf827a0802173d066052b424ce86a7aca1fb29824fb7aa1b83af2b93b607470a3d65aed097f2de4ca9c6e2b54cdb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
97bf02dac3bfb4994d4e6b73427d71a4

SHA1
e26097a0896796e2ab42c22fd231566bbf992ee7

SHA256
9c2177245f2938f0d01bf55c48e0ecde58aa219254ec8dcbe2a4cfbdfcf95fe5

SHA512
3fe0915b32d07cdfaf3dc712ea300e5d4a65c0b7b5fc3a8dbed8f001fae8bb3af7a18e50949d114bc5ff3ffdd1799d7578c920068a11f9dd51726f222d8da115

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
3b40fccffd27beffd9c3fe5e703ab76c

SHA1
044d7ef1ce2d6bdfb848abb5e55d2bc61453c265

SHA256
8193b9794b11ad370c4280a79086a323b795edfb141f0f614273bc10a6d4488b

SHA512
257f5a5e76fcbc71a27f489bc37c7b93f4644fdcbea975151896bad91324b8a554c56420013a9b13e2006aa972e79535f3f7bfe69f680580a2bc808c5d180b59

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
4b184dbfd2bd0970b01df0f6b7ea825e

SHA1
788fdd29c58e95263e87bb74f6f25abb9cb3604c

SHA256
b6a836e761055c2372c57da80a59ff0d144c5916ddf91eb21babc7ec66652552

SHA512
8368df2c808cfe9a008c3c0f66011fb127ea2c9656651b8ec191b3d0def539186f2aa3f148cccd9ba8ad9479033d2d0f1c0a43bfb78d0e6226fb5fd6713c912d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
c77c2c866fdc249d3e7f439f13f043c4

SHA1
3e326f458d09b572cfe30e294033ef20912e3fbb

SHA256
24028df7d570ba428c02ecd65eb2c1e3e19df7e46f57fda2f763e6c3c60f5a31

SHA512
cae9a3c7bf84684dbb0b971f268e4a7d40c68347d1b54f808b058bd422b1af3072b0a7d2cc023127c195ff211fba832823fc18cb23eb378776831426eb6efea5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
af0eec27cedc959809ee14943c436004

SHA1
9b296330556b4c05f33ef7703c3b175fa70c63be

SHA256
63688c89945ebc4684dd4ab7c130a79535de1992a4ea2705c2d08e1c28c5c905

SHA512
a603d17694c4aa99c9a6e9ef4058487765f00047ddf45398f2bbef9de49f3df5abfc4e0f69f107f33ae335dce1194dab31e6e2329a91b0159b99772706a39579

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
7e5724767b7817800a82eb2f9aff15b7

SHA1
0e57798b9331b971d8b66b20f3a5eefbf23348e2

SHA256
0c59b2efa84dbdde4e8f8d13e4e4b267628bc7d4e8ea5b316d6654565b2ec7dd

SHA512
b2c773ff65d3dbe63328cf6cdaa2279d9dc4f5e730a78d5e11dc7ba80df619a8bf6705eb9783f754bc88f595cee4d56c13688dc81158a9115b1b5666ce61378d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
61dfaf3eb4c69a3f2568aa0ff17a3ee9

SHA1
11afefe8b09ca679657dacd28e7b6f8bacb9d189

SHA256
be66e6fb48328a734124bf84a8f334f61a6fb18f0c99a655f4b1ead4a92b7495

SHA512
a19c0035d4f3d2784510c8f77f9e722cfd062c866eac952d409506f703b3dc455ef5ef7e8d841de46a1e7f0a6373dcb1e477dc7be9363d06305cd56b3b9cb155

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
4d40a88f6652792229efd86cf335e366

SHA1
aa0a002258092b2434c331917a46db6a268c524e

SHA256
cc3305befaea380da41197b442ebce6c23537c3ca355ebf4d549742a038f24d0

SHA512
8237f34041e34b7f56743b7dddcac1b276676dd8b058a15392663dbec13a4f17db876b7867c408af9e8eec98a3ff1d1614eb5787777ada0102e2b15785f8f6c0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
e0d7436fa39b0fad5ccdffb9968702e3

SHA1
3004119752a2d86262d9b7ecf36a3fb1b90c8643

SHA256
f32d756fcafca55b3525b05698728969653c4d4cc76b7ccec27c49e61e0dfae7

SHA512
82b36959a49b3f4f8830012f85fcbb8d7998d8f1a01755b741e985d1ad799eadaba58c526fd43070374448420e5a52b6b4c6c4895207acfbb2e8bbded50f216f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
3bab0e0c805e21ad0d9955e295d18186

SHA1
92762d851d3bfa990713d5bbfd9e8d614d3011df

SHA256
5704bab458c9edcbadb88fb876293fc86689830a3a05c1da1f65c774702bf9b8

SHA512
d6f94f3416a67a1e0a1911d47a4e0a287939f98a69d555857d08b8aa20d41941bd259d93ad7b4f775bdafffebafe3688d840716db1dc9fb4fc3f39441e76e3f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
7d9baf84d5d9239a8f9e3c34bba1119d

SHA1
a51a387b0c1391cfa7ecc5a594e63b2d9917ffd4

SHA256
674aa534bac824be6bc30f07a084c86a8877e526ca22dfa1ecd5e0a155d4d0b3

SHA512
187a5f22b16d5018f95375ee72af80959463351cdbd601f84fad7b2cd74583146e997d86e5c10d1ea490ce431af432a0969b9a1d8b8734da07d8fb301f316378

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
37aa9077682d457aff070fe13d8858d9

SHA1
7a3d02131337a4386032a51f9ecb42b1689089a7

SHA256
84307da966e431e2cb12c86c1df84badd70982a14e49b79cd9c5bc3f2504aa18

SHA512
3d22f61d8fa5f536c1b32bcbae054e35015de381b09f9b5c958f93592cab43c8c9ad5ce692afe8aa58077859e6a342e3b3d5dc3bca842049b2d11b8b613158ef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
4da829f5783f0d05e723cef17fbb700d

SHA1
bc2ab46a1e6e6b639b0f0ec17e16650635e227c3

SHA256
947489bd810ae05aaf13a27132805b439204b296e8297b2415c83b9853ac4173

SHA512
1b473ac2ef960f2e477f939dbd780f797d475a252a4427220a81b8e6d9985d993fa8f5c1f40f250b1ec2076f7741df8c6b572155629c84dd9be23b205033428c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
a088390adf07eff692d962356acf6e34

SHA1
9e5932432bf70a7d6cb15c14c8584cea35d285ee

SHA256
43a02d7e20efbbb998947d273bfd67ce93b16763d47c3e55feb836779ceb37b0

SHA512
f4ddeb99adaaa6ee8451701863946caa01b55b68014e9fee54240ca129643865cc01d4f7764fee52db27d4faeb4aabdc3a49a321fdad039d07326ed581525384

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
7f8d19e9ec1bdcef4e29e7a3c3043f0f

SHA1
49eb78515abde8175840772c6bb9027e703a870c

SHA256
bac44777b7e06b8514f6ca6a1a212bad83101330fe2cbdb291fa53039fcafef7

SHA512
de0bfa10f7eccc70ee6a2e0f98e0cdebcb31d5970537ad451dca2a89bbf7ef7691d81df8470e7baa0a451cd671fcd42e91672baf7cfda60df303e2925daa00c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
892b362a2a7cd5f80b41a49e2cdd577f

SHA1
60e2c56fdd05092a8badc8ec95b6a9e3df18ac50

SHA256
ba3b6ad8c0d2bca283f9e734152d3c7efdcbd7a263954e9e17c4f45388cc4292

SHA512
204904b5548368245508943c66c4981e59d8f93dd44ebc946d899b366705dfd3f76acd4e676d41ea3b1ac30ce2ef62c5104d7d9e75a78bb97dfdf30564bdeb29

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
787036f72faa2e6d137f4341f9f48f10

SHA1
d9b84fb739e6f87c431ff7ad8106e15db67baf16

SHA256
7df399b90c0cc567088ca6ced116fb54f92f5585c8f37c73eff53cd30fd19e42

SHA512
f3cf6fb4632cd9d132c6415f980f96fbeb270db96681e48732a290f276e225d04daa54ecd6eace637731329ebbf5c7e7f2e1107f0bf7830fe3c6ee56225e903c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
e236e0c61b71f9c2fb707e82c1b79401

SHA1
2626a2cb67f39ec823b9eab40f9a3c91c14b5a10

SHA256
af471dcecf6a7b71f83e1da85271c936f7694f10c11097edcea409d2580b6dbf

SHA512
752487340df5524777d0036237dbeb653f856076abc6aefa507a42477913f2f8cb86d4ab971bcb3758c8f57a5de43dbb02ba7b8a2fa236628873dd02a91569f6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
fc454c1fc3adc7e35f2c12e40695b06f

SHA1
669dc65ca8f8b3e713fdf2d4349700b2e632887a

SHA256
e5db9fd0354cb704f29afacd91a721a58e74b61ad6ff701e54f247877e5c2da9

SHA512
b0bc4fbe7a816eb63db4573d369e22171547bf30172d42289013d6ed160630fcd4ed3b3af4a18e0887bb2d9429d52fade824def29577a8fe8775107bd5d686f9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
f162c72438dad557d4f059b26696cfa9

SHA1
45073179d7921cfb578bd5d122dfb58d5d3aafa8

SHA256
c12bad5d104cb0f646d8bf6dc11dbac0736192cf3015b1caf8f0ad73258e8766

SHA512
b3333e648f04698e1307bcfdcd8f0ec190f22ae24b54aeec2c7ea1af1e53f15226f0f28f34d96be2bd7792b023a547969a4ef3676c7cdbd94f321e9adf22608a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
f9f4baff7c2b603de4c1d955c8203c16

SHA1
ec960e4584203ac2afc7316d603b87d3c71abb24

SHA256
cf2466ba7dc6c764bcfa6e13c3b9525491ba264e009fbfe45e329aca4098fd70

SHA512
f8070d24f09110bf4e7e56a3da811d8798dea1f44e172a6def36b1aab2116092a0b616ac4aa3bdc60cebb875bfa56a45665f26019254e1dbe79b10b4c2d4231e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
7a80a57ff04fe6c564d84598fc1ad568

SHA1
fabe1b82c5bcf61bcd375d7c3e6a2f756a797a70

SHA256
4af2e139d8a3474352e292e207126b03fdb386a73d82c892ef4b378e77aaa5ba

SHA512
8ed9753973beee80b1a731d807c3fcc92953562d0b0d38e60802324d755b92870ffb366bd61586b8a05bcad51e470a76c55418cc50ab4457ddc47bf3ffb85f17

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
2d0553cc205a3841d14e2c7efb3aaa3e

SHA1
3d98712d43a0e2aa9f02f6e5ec7850811fa34f20

SHA256
b333f3e18552ab51d04b51c76d3bca70e67628be2225aa60bb72d90d4e417f9e

SHA512
4c8447ace4b8a5c1cea65d57341b299e096861ccc58041659c936a6c3e855198c9211e6f5b223bbecde48726317bbd4c43e0042be5669f288c9117263e4f94f5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
9d74128c54d1b40d6fb8e0a97a33ed30

SHA1
803a03e7028a17faa6edbb10918f7f3c4e559caf

SHA256
5561e435d9d192f0caf705d2311e015b36f6ae2f952e2c2640f9bd86f1b5d5d7

SHA512
02f0380e57d5cf2c61b1778b669533da0e404257cb94cf5e0b15d191487540e39a3191f965642a930e977a74c916c0a69314535d9c4584a50cd20595027fea5f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
1d06211f697a4ed3c42b15f3aace7308

SHA1
2ca1fca8045448e02c81ced6c99753912264b778

SHA256
f3518e7d70d124423c0a569fabac85fff280b919b7ef7f9849b0881072671002

SHA512
384f65ba348cd32a4bad7dd2b3ec201c155e1334e678d23240b756f56958752a864dcb0885ee62137b2a13f7bc1a479b55080695b9cfbe8088b19701218b97a5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e338428d8627d76effd429086c0deb1e

SHA1
fa2b8609b2ca483cb4c0db4389b7f4e0085a7117

SHA256
0ce4c11420066312663c1ca573d20191f3b49530c11fe7fd8bec6bbbb4e74e59

SHA512
af617ce20136251f4d21985e74f026f69c16119be4e30144b4a38f6ef6cc9f7780b05911634d60b53258db41a48473b4fde4265440e5cfdd47d06844f601a40b

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
39fc2b9231ca87b0c5d2d7d0df719c45

SHA1
36117900c8c06c4e8f4768f218f78f02a5426c43

SHA256
dc569766c6279440c242de2c7b03d2702d786d2840792350b8ba2f26cf227662

SHA512
9a1c1b6fbf8508c9279c6e44e0c1655d48fd59bdb3b92dffd8354a586c89464429237ec21a16d0a2ac9d9d7efd369139ceb6d2b4a2999b470669999e2436bbd5

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
4ced51849cd780650d92d1587d022c10

SHA1
26669d3f7590836c04180df54279e7b477734b8b

SHA256
b97c379fe3cd1a53a79ba0c60ed5ba40b8506ef3c1d7cee1863069f440e7800c

SHA512
cf7ad14ec5b7dc726c7b25fc74a497ab50b1ff740a52555bdcd8e5a40db925093723b93adc9c7b0b9508862155e3dae50d3885bc08c2a37524d077cc6714a978

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
e63af58a4b74ca250edcad319b634fd7

SHA1
20c6574240e75190884e42af5f819e4fcfb352f4

SHA256
1c35987f25df6db8367afe56d72800b8d0d097188c760a48aadad41f2944bb13

SHA512
9c821d961a80fb84f8dbef6b357cbd675b6d9c3af89f2209add9d947d44a34c80e760b3d82be30ec13804478b1366261c9772a3d9a5d4d110896e7c6478a78dd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_sml.gif

Filesize
49B

MD5
2fb408fa4e066829075e6dfb2619464f

SHA1
70c0f86d13275c907454c37bac1299f3034d7bd0

SHA256
18d2e0ca13e6b8d7ba690d203b3cd2fce231301b59388de6da59cf697c331450

SHA512
e95a3ba73a2a432e51364dd4dbac30f568ce8b39022c120012ae7fefb94e0a922a39897c8b7861b8cd5ebcb5274ddfaeb1d18ad9c67b7eed8721b28417388a04

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
a85df0e4b9ab852dd8f188f37855015c

SHA1
b5a19c5a83e95df865cabc781077fde569d9adc4

SHA256
b672a7f39a2ace9c7d75508030eeed7baaa153ed2d472dd8189e88e6f11bc277

SHA512
122d0c73abf014919acb5b9005b43f25d1df66835022b0c322abf5600bece7f76b9564f418b379130f59c9776e6257238e0911f1f2b3214bd79f98c7d4955c70

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
3fe7e7080a0376e6837ca7aed886cb58

SHA1
c8f0bb58f25a2a9b6d3ede835b46b553cd293371

SHA256
5b951b7fd62f1168c1158a166f29616fee8038c49e3d0f55c1542ff118c1a245

SHA512
414bc5542c86c1e8061ad8a00c895fb9fd32fa3246f6affe653c55445214cfbae30f1f54a35bda86d8bc846e7f458a19b4421d1fc151c7a89c1fb3ccf48ec4ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
ec30102a0fd6d076373b38f149a0167a

SHA1
554efa00939e1c247aaed9ad938aa0382ac8fb72

SHA256
37bc25513c64745d36b7191fd2a6df3fab814406f0745597fa619363b0d965e7

SHA512
96e6059cb05f33192cb7a462418482efff8ce08fd8089a2a7af1b183beeb1ecf70ab745bbc25fa2c7614d5036635e1124a7f980424df84c0d43a2b6e2dbbb7d2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
d8a69df7d67ca613881b2e35e7c6f7f4

SHA1
b93f49083e65d5bf1ee0998b344fc97d21bcbfc4

SHA256
ea9ed7881a3a521fe7e4269160206cf33e233b04505cb0b2fb03e30b6c4e7c69

SHA512
50935176980a930ae8381b00e906084d87620db698aa53586e6e88c0a10123abf6431c67a02d3fb423ef59f5309c2b8897e1616201637bce96b48bf614604a91

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
64944c2625fe9dfa4b718a3893470a60

SHA1
fcedfc9327e10525c33187f4a1e93d155b1a5a65

SHA256
b20fb5250e2d77467afac6ac336e4d4cd3d79a3739df06a9d702a25dd18b75be

SHA512
37a9c8ccbd0ae55a305fbc85e38e5f5398f3996fc951cebc6ffa48a3fd01037e7cb3eb60a10f798b113e6c70dfd4e86f3f95c41c495922610751fbe0aa8c69ad

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
fdad09ee7e8afa89f3724f9dd568f572

SHA1
47e5167c4cc1a2e70a6bf8981e86d701e184c73f

SHA256
ed0b07167a916e674e3050de518488de8a341f8e9aeb6eebdf7e0bc4bbeece0b

SHA512
1ee08143735b098c49d9a388c6acdf04370b98e29bcc240f63b4121dc7714220b3fa4f28b402b701ca300297cbf6f4580701a7510129de53d3d1b44adef687a4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
8917a4f0a9569288b79cbb6de9841284

SHA1
13662515502db57f02e5d25f56ccbfa1c66f8f0f

SHA256
e72e1dd82c5a7de127d2fd82ee8b91a97086bd8c9749feab976f784b98059851

SHA512
1fa5ce6068fd34e41dda560fe83e6df2897990527704dc93838ef9d5720aca942644ceb4dea29d9e4f2acd94ec138b359d3ed6169f2f9eb10ba8e7866df8086b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif.EnCiPhErEd

Filesize
914B

MD5
35e9128d06ea8a57bfcdcc2ae4b8565c

SHA1
96e9a5628e67869f79109e52a8f57df76e96f443

SHA256
49ebc466bc8680fec5fe2ef28e4cf72e989547c616ec0b3c614526c877ca8f22

SHA512
c83305a8d3a7c0db3ce08184bbd0a6c80cdbf964c3ea2c59f53d03f5fe16c9cf3c0787ecbed4ee467d641968ff730a18125a2af4e81e092b8f3cbdff03626f26

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
22f08cd0e5008a7a82f1dcc1ff01cc6d

SHA1
ce8070e90f65037e6b40fbf0f89491590507db15

SHA256
72c4aa30ce8abf0808b391aea9b253b9a1fb4417b14ddf83db5ee2bf21828178

SHA512
9ac15fa0361f040649e79b774a00e410baf32af1d493e2a11f426e89086e199076f5bf46591bee49dd04e2e7f2e9ef0cdd8402f8998b64927c7eb248cbbadef1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
cd1c39cd44504bb8498f508272d82966

SHA1
67365e3a95eb0a0b3c465c5473518c7dd3dce328

SHA256
49dcf3a3dc4beae083a51eb160ccaeef27a9b3f76839f1c82d5f72568c1d3569

SHA512
b31625c825cd56f144a4ec8f483ef07bc0337ee9b44d3002c63f9808d7e777ad38a9b2c18c7a3d1187944944d6e435aea80c13e48b3427631d83c2b587de8f4b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
c5a135130450a5e1306d7fb7d8fc5eee

SHA1
91e96e62e281503c94226f2c9912bdb9700c0f6e

SHA256
0dffe540ff86b0cafc1041e64be9f647e99565bca1dee9b97ab6ebe96e4cc3b1

SHA512
881240815890a1e4e150b8de6718e8433396b856415f328b3b665964dd89370c5c18b52dd4229e9ad719494c433e8dc2aeb0b521f7969f53e636a6a90d94cb5e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
5842f15d93dbb2c2363af434d399c9e7

SHA1
57c9b22a23508799bd6a5651639544cc318911dd

SHA256
47168925d21909073ce8bcce27d03bd65a800b0ab201776e57adcc232b9b3a9e

SHA512
c6ace1609f5999c1ce8ed5d72db734f4d45c2b31541830b847a66875ce22767f4d8e4eb3aee81ebb43869b622d522ee8c3d201e890f0bc4b63ac8c58b10f32f3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
d00ff2a55b13927a050196b634ce28c0

SHA1
ccd30b19ae7399e4fb4774b5a19afdae30629a1b

SHA256
f629d5291b004ebb863dd2e3e859e47ea3bb73426b6794ad43d6fcf929e99c11

SHA512
9b160b77c197a2d7bf48800b7e6a050add2801cd721439b12ebd2a4b4ce79556fb2912b6b5c59ebf1f559d790a9ea53539e287e5c6a2dd102126c636bc2d0f07

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
e3de6fdda983fa80ee1a5d9f9a9cee17

SHA1
ac59f9983cb92c3d9167b6c40949603b1e4a6782

SHA256
90470e60cf050eca1a2116fa8ba0fe341ee914eec5ca7052e67e2a84af3d7ed4

SHA512
809a1ba8c086c5092ffff7a31147369fe1feafa2b99c687fa428cc2066986ddf80fb5655148f56f909a99fde7d2875953a3a51fafa7f68c7a1f81030205a04bd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
09d5f8f26a0294cbf4aaa5c29ff35d52

SHA1
dc008919c825a57e8162022cff3ed5f4fd462746

SHA256
44b14bc153bbf622d79a735238e5869fd461751facc5987d66601300491b637b

SHA512
f25cd8fb71bb3e9e083a9496953127c793fe2ed08b67301f7a1b85df800509e2044950d866fab7d833648f4dce27967f321dcfa52a463b2763ee5fce9ce5da48

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
948228282eb5c491b7f6a972d48cb6eb

SHA1
22762f58e2c0456f8f8c9c3e83155407edd192ce

SHA256
b7b1970628a6fd80d602a9771228762239c7d91cfd0d4b95b0ac0fff92219dd8

SHA512
b7e0130dcb2d103883d4b1288d82d5413e4769f65380a41f7f4035708873e6ab9b802c69975fc2351ddc074f7a8648f58f95ceeaad7eeee5a97f84aaa1ab91a7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
545ae7e0323f9ca8caf0d14c85fd985b

SHA1
41296bd50cd9aa9d91cbf9cc147c358395ae3682

SHA256
0c0e49db37c480bdeeeae2fb2724d456f4211275a67f36dd89c2f8754adaf4f9

SHA512
625c9ad077e0a7dea12955d533cc2c31afcba637d7602f3cec4987ff94c925b2d272e02467f7f4172c39aba3ca6491c8448e00619ce7f7adbc5ca37b6c7c1a1c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
99096398e2598a36478b95087cc557cb

SHA1
c8c365b705ef26eb22386fd7451b0ac2ae26537b

SHA256
a5d07da2d0a152f27eb5bcc27ca3a8ff5b3431faf0b93a011dd6e6e311ee5fd3

SHA512
61921098edab154b7fac4fe56dec75123a7abd8e003d8326b1240c9aad574db3cb403cdfc94e4bbb7f384b92d876e077d191fd4fadc61f9ad628e428f283c7f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

Filesize
65B

MD5
a389f2a76aba1d17ce144f2021c0a790

SHA1
d25209d1ce4cd89d6de860e5d885b949f88c763a

SHA256
272c48dc58612b22ae3464004de8b4293a62d8f3c55a93f718c158bbfd4bb231

SHA512
3d551d49134bd21fc92247ed3376002c953d638f6db4ea10815b1008b1d1ac362f7b6b4e465503260c84d2ed49cbe296c1dedfb0bf44a247204481ab06fc0e27

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

Filesize
65B

MD5
b693124a044473c227ffa0d4974a88e1

SHA1
8002f88bbeb435a637a63a06b6961a752422d019

SHA256
a3290c6d805329a2a9a750743bdf8391e170b28a1d0a4afbb9e26afde103d673

SHA512
b82410e248406989b45261d1c49dd1a314c1d62fc485a479388a61aadf3d24ce82d91d5102b08e508453e40cae1d5f6aa3d35dc34737d58dcaba0a4e529e957c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
9507723eca58ad43ad4898cbf53226d9

SHA1
93fb54ac26cbca2609bf90c5976ce9dd7aa70740

SHA256
2429679ee1657932f856554aa7b4e0125010860660f033234c1b82e790a71aba

SHA512
ff643bad0d2dcf7208a69a5590d5878cea96202364a1144cccf6d254f6ef8be8c1142d82721058fafaf88446d35585cb4654c4122f47da5d9b4e50ae7c289d55

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads