xorist | 01ff93c24ee23fd5842e7fb3890edc8684aa91d241b3deaa9f6aa3cc316a3888

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Size

74KB
MD5

f9b35851b1df0d9c5dd5c0538b983265
SHA1

ce61134ea776e13ad003ea110ea2da513a241833
SHA256

01ff93c24ee23fd5842e7fb3890edc8684aa91d241b3deaa9f6aa3cc316a3888
SHA512

412469517e411288e10df11d5171cffd3cdbf468aff95bfbb208734c758fc1875c18030ad505b51eb2ae75dec0af52d2c344703f1aab4aeb75b4751c3bae18a8
SSDEEP

1536:yr4ljTjLvEhAmusWU4YF59sNQTUbNrLuX:yrszLvEh1WU59sNQTUbRq

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2644-3665-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/2644-3666-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist
behavioral1/memory/2644-3669-0x0000000000400000-0x000000000042C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (1848) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe"	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_hash_tables.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssessions.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Foreach.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_requires.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Session_Configurations.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_History.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_scripts.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_prompts.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_History.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_split.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced_methods.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_regular_expressions.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_If.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_2.0.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_operators.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Throw.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_types.ps1xml.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_output.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_wildcards.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_locations.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Assignment_Operators.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Assignment_Operators.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Parsing.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_For.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_methods.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_pssessions.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_do.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Variables.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_job_details.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Language_Keywords.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Signing.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Comment_Based_Help.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_transactions.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_profiles.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_requires.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Command_Syntax.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_properties.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Ref.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Ref.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_trap.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Comparison_Operators.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_aliases.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pssessions.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_modules.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Reserved_Words.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Path_Syntax.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_eventlogs.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_History.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\ja-JP\about_BITS_Cmdlets.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_environment_variables.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Throw.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_prompts.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_requirements.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_scripts.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\ClickDownNormal.gif	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Command_Syntax.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_While.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_profiles.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Variables.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Foreach.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-0-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2644-3665-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2644-3666-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/2644-3669-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\NEWS.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR13F.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35F.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_OFF.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\THMBNAIL.PNG	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00531L.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\11.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR41F.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15061_.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR50B.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_right.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\ARROW.WAV	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14753_.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_ON.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4F.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143758.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_down.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignleft.gif	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21312_.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosecolor.gif	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\3.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\37.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21302_.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46B.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21303_.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143744.GIF	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_VelvetRose.gif	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over_BIDI.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_regular_expressions.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_725857cf41f74c3f\11.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_gray_foggy.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b661d7abc4d159c8\epgtos.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\diner.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Comment_Based_Help.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Windows Exclamation.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Windows Battery Critical.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\play_rest.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_725857cf41f74c3f\5.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\trad_settings.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\ringout.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-babyboy_31bf3856ad364e35_6.1.7600.16385_none_f13596916b261f67\LightBlueRectangle.PNG	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\4to3Squareframe_SelectionSubpicture.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_6.1.7601.17514_none_6fb51b358e21d75f\delete.avi	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile28.bmp	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_modules.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\diner_dot.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\2.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Print complete.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_eventlogs.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_Parsing.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_Redirection.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_Break.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_de-de_424b857064f5bf26\about_BITS_Cmdlets.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-babygirl_31bf3856ad364e35_6.1.7600.16385_none_b2bd01695c9021fd\bear_formatted_rgb6.wmv	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\btn_close_over.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_11b913172f0cb26f\Windows Feed Discovered.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Roses.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\rectangle_specialocc_Thumbnail.bmp	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Reserved_Words.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_script_internationalization.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_functions_advanced_parameters.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Festival\Windows Pop-up Blocked.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_debuggers.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_scopes.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_join.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ebb345e71aa87bfe\erofflps.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_operators.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_types.ps1xml.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_command_precedence.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_locations.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Arithmetic_Operators.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Sonata\Windows Battery Low.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_679a6ba79b07a3c0\icon.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_script_internationalization.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_type_operators.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\img19.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_functions.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-currency_31bf3856ad364e35_6.1.7600.16385_none_679a6ba79b07a3c0\activity16v.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Information Bar.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\flower.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-full.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_logical_operators.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_pssession_details.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_Session_Configurations.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\img29.jpg	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_hash_tables.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Delta\Windows Hardware Insert.wav	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\Notes_loop_PAL.wmv	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\passport.png	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_objects.help.txt	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "KXTPCQKJWIKVFRE"	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\ = "CRYPTED!"	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\DefaultIcon	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe,0"	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open\command	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KXTPCQKJWIKVFRE\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8E5m8RbwR5qceHG.exe"	f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9b35851b1df0d9c5dd5c0538b983265_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
08b1d5531eb3765c87805f58ff2bd361

SHA1
c13c736b0e9d283d5ec9c3e49047ff39d14021e6

SHA256
c4354b861a2b43c041a1121710f7b9c085c7174ee0c2b810bad9597dbdabe0a8

SHA512
67506ad6874a0a39f7953c46e2c7edad890c033640e7c96f3a102e1626a468c413afd6930aa7aab715758ff9ea1bfdea1380840a604ba3359459dd315f4606c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
109af57c7d314d67477b29781468433e

SHA1
5e12216ec1fe806c07b6b63a539e879fedde14f3

SHA256
8c74c97090c25d7d805e21a834aeaf4c79711b2be50cba2e8aea33b01104e500

SHA512
2009d9fa11d1add0f3cd7d5f8f440152716b755a7783f9412f3025e2bd8b8eee46fb7d33b6f5ea22ac94bc20dbf9bfd5158f0d8b042a3e703b572d7c8d223a27

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
35d2f79331c6e7ef4a19e8c1c5eca180

SHA1
828a7b890ce9ed2edde5ee76deef702f99515295

SHA256
0380f3e2cfc53808235a43ce45bf1513b8d7565acc940f6200f67360a07f42a0

SHA512
209abf2447716fe1cd978f009a2e18a14d15497c6d19ec354ffbc90150d41863b8942c1693adbef422d34abc64f6f5367da60e71169b66179ae835fff0cf8f7e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
202a7f4e247bbff1502399e26d2caa65

SHA1
24d20d161cc2697fc8151ab980f160c0b48a394a

SHA256
c34a87092497f316d9f076eb0716eafb7a758c49592061d6e3cbdf8ca5836376

SHA512
f730e57dfbd6f97f1b01a13d4ed69f5cb5cc674b91ddcef0271e9055076c1c1cb19d4fb08c1d2e6044a3edcd09c96859861b02cd900060a1315fc1e8cee5b8d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
b56b07811dde902937985fb199d192d3

SHA1
531ad51683871f4f2070b3ca8fafbbe88c7d5263

SHA256
31aab72ae1d0c1fd6027809f26183a7af265a5ff540cbbeb1cccb6b3dada3de2

SHA512
badb3226ea013e45afb3c18c7ff9b5975596a51b47d280e0f51d1047d806290b7261e83b523ec751175e0ce69e1eed5b831a708a758e46a50a74d5e8ef336568

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
349bd51d97217ccac5209c45b7096e62

SHA1
ab2f39d3cfde33cc069665e36a3311efd7c4cdee

SHA256
d2c8277322c295e716d7e00c0be5bdcbf0fe4608bd53960d9a773ff84e3405c4

SHA512
f7ddd3532e6d6f9d0a43dc208369f59965b821f78f78b31d4d3862872e7a7943d26e9004d3ad562cdd6edd294777e9b74db91462063731443822b4edaa78012b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
18f7ef059bce9049832ef050a3f75ec8

SHA1
676acb9ec611fb61c3d48d5c54b46dd92072e318

SHA256
1b830dc0a40a8c43ab52f26e1123ef73a3eb1cec9ba1ff5f99288fe2eaa7453f

SHA512
f206d00f90ccb8724f6fd57323d3cd99ea236ededbc1c96fc08fd9087a08237b143e8220d6e164e5981b5f3e5c25dfe1ae958d04fbdfd9bc55881325cefbb03f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
626ba21dcf598f961a7b4737493ae0a2

SHA1
371b234acb98430e00ca1a28792da3b3be80cd2d

SHA256
776d6f0b755f5a02020a3536740480cdc7c198abecb39c7956488878a9094ac3

SHA512
33b293fcb4e1456f2050ea58e91d4e161243481ca42136425a5683e65c10d5fcc6adaaca375030aa5bfd59cbcbeb4ba025421066db5d8a6857a5b5142777b642

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
a1b3902d1b62e6497c35ef615b4e7438

SHA1
21224dcc24343cff9dad43c0814f8713f4f582a6

SHA256
88e396587b720df9e65c7a75b19f60d7e6f19ecdb04b9174e0f151c2e4cbe198

SHA512
2568f8689e74d0f1aa8ed8113c45bc4e29c903d01abd75261e6a6c7d7f553b5495e375880e2e7b1c9217521f662c997548922f5c497d15c80b880b4c39f27882

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
0afd641d3fd3c09e1573927cbf95cb1b

SHA1
84d2facac95d63c5862dfd6b132f59088f7124d6

SHA256
d0e0e0ff68f87f41a7427ed6579c111d358b7d0159becfbc7eb8a30febb29e23

SHA512
455a5b62e5d35c0d1d05721b1cfd8940396308922d588c9069c27968aca6c7b0181ef0b8cd1e40e8624ea565c6cc60bed5bd565e16c916d8fed77357f941aefe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
18b87172caee2a9a68b2eca4526269c9

SHA1
c45e7432df6d2d5db2ab03a245ece87a766969fa

SHA256
c7c7e3d16922b79051dc211e190df5981ea074131cdc5f2d7cf559ad3dac87e6

SHA512
342356d8e22de18b874884f89236de98ae8db84d17896e95488ac7c9e27ced5e33725d2b2b9b7c26347d42be605ed9bb39aeea6a643be59c5852612d95eae39e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
9a93cf0d19442463c067398415e2e7ba

SHA1
6d3f4f02f378d7e0a9a41d63c2864a07408cb07e

SHA256
099d4099846c1870b353a2dc6e1fc3d8b31b25c18e274fa92a858246adb4a36d

SHA512
be18fcb43ef8ce7510c113ca1a45f01cc2001934453c947d4cfca29c4b5581f4b2a30cc5c35d7fb7874a3673f976b574023c950d8bcadda04ec29517e4deb71c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
8849165907d0980b6533eef790acc766

SHA1
1e27096982c101c42010fcaf775fa946b091d9df

SHA256
0909dde55a99c315626e34a3912d0865c506de393bb46a4de16ce7b749a65f9b

SHA512
8e7ffe19af2b9c0a9dd2bd6f5f93d11662dd4f9b8f27160deef03710d6c28a3a6c87ad5e34227c910422fafd45289adea5c5d6c956ab24f5ab9f6e2be2787670

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
948b61dcb8a29081f77456073a19648d

SHA1
92d3cc758d7e05bfe58c224ed5fcb0c1db366c5f

SHA256
8ac3ffaa7b95445bed182747b8c880442beddb77a5d2fe9ab0d306bc2a0fab4c

SHA512
ff76e1a5a63c1cd14154b197f55565f8c1b5ed1a8dc5fc19953843ec94a1348bb20516a14ec22538bb06450b97852e5eac350a25e8ea9a0d908c07dbe26dc2bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
1e9ca7c4e23d37697a5ea841a549a8f1

SHA1
cadfe43c651348f1b31542bb8f6cb9a2f6ead022

SHA256
44158a28d546283978dfb2116f2b9a3e2c7507c7ccc78d52ab5719bb19cfeb10

SHA512
4f0a3fc49d84d0e9a2f6b59ada5fcf4f015876e54b5e2a91aeff0314a4f27420ffe1ff39c0bc2c59cbe2688468660535c4d7f0d624aafc2549a220714b9f05de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
23eb79526e1d0f5e96fe024f100478bc

SHA1
5e0559562cc8ffcf9d3c4a14f43fff92344bd256

SHA256
64614225ef63252e479d6ab0857249e257cebf8bf982af40baab3c9a3394d2f6

SHA512
e528f9a3ec0868c3e143082597f5c54d1b9cba3ef378f8e9bea4e12c35e9e53e38f4cc558d6235400cd994b130d7dfab2425f562ae5ba1a0e7e5911592880a1a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
d5a019bbfe4dea5f9b7ae6ceff59159b

SHA1
d1ebb5a1eb962998664d0b3e3273c8bb2caac7c5

SHA256
4576f2c0a7a62990ea4713d1d6cc5222bcc198b396c0ad2ae8d2a15d86023e87

SHA512
0d42bfd2eacbf6969d17020dd6d28f3fca7ad38e634072425ede427a3559f03f853d1a2db3db6663f38fb90858f14851734450817d41721201a627c5dd4c8ab2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
cf1f74f7a40f24957e1c8f5946c15e6a

SHA1
7ad542f892e7e8c7b1a3af6691db7b0b01bb3759

SHA256
cb590ece6dff5b819d28b35516f1b697a2e83d157700acd9f5673b6acd52f415

SHA512
6c1a9e7e79b0b29de52c9b3fca1cc52fed835874b3fc8e8fd4efe1238e7f3b998b2c79306ffb9c2ebeec13049af737ce1088dfebc0e33d31ff119c4996907f56

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
1356306bffe65f61801b9cb039d1d38d

SHA1
65e762b829ac31ab52eb8f3d98d62fb219b5d774

SHA256
2c864df7bd9901356c93139bf602b668a4aed7741b4e0eb55fa42b1201a69717

SHA512
dc697b3ee0f68c5c3deed40adbc0ed9dc5997ea7bbd7fb40d05785f7601859f1394632887aa583b345dfc61fad3174354fc2f3c67563a7796316babbcc1b5506

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
f03618df1fde0e5f43a28a9033c13926

SHA1
c9ac51385fafa46fe76c8370a237ac1e15ba41fa

SHA256
0535ee22cf47085e0910609d43312e97dfa01aefb834b9b3d027a1349c1e28fe

SHA512
86fcc9e9b6127ae199f32e84a7bb78f7eb3a1e8e6678fed0fde497066bfc0ad19155aae3fa3fc1a23589c3f4242e10e1a6b7b80d899a3d02e4daf4a098692d70

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
5e348d6d64d03da4469c9b04a5b848e0

SHA1
80339b33a7b28cfac276ebd2955d33acc658e0ab

SHA256
89701fbc5a9ce5dbc9643f8b335e0facba78b88357640c942d67bbf73189581b

SHA512
96744c0a20b342fd8947d109837a55ee920da0494008a3201b00d5c9f16d237d1f3d79062c3e10d1e465459391409207962f83f75ea18279a5884fa88bbb828f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
e69f00eb7eea0708c3849fa64c89790c

SHA1
acdb0797a8adf4c06c054c8aa75aa5653373c2bd

SHA256
de064525c459c2b194ed25d8951be5b039fe429d7f4b213b8761c51897349f9f

SHA512
f5c7dfe84e25128d4b793ba089fbc2c223edc780510887cf87b3286240d0f989171f1f2a49c1b92cbf69bbbc0b078aa56350aed5136b9733e7148fe99b3a27d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
c49ab1fb739f9a6b33a9f96940c36292

SHA1
1a91107ad865b626da5c74d93fe6a9ae078ce4a2

SHA256
12eaed3aff196f19c04102852b32a79957f5d99c9fa2cfca51f38a97697c0c63

SHA512
51b5271062b49ff5ebe6a5bfdc082e8ec55837fc68d0b3ff7e169e06e76dcaec996f01cc6a56b6ec3983a13ab8432382bb070a113a53a7806ec87440211664f8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
1d402c2931e9478702fd9fa062bc4da8

SHA1
e0b3d8c92a295e1c6bdd5b54a88a7ec4368f4c10

SHA256
3c1d6ce88dc2949e4ed29f2d25fc4e834727c4a82b6817bd1dcb44129e6e6428

SHA512
7211be86a703495e710bc088ed1999ec27b35ce2eca5660ae533d365708cb68e71bb46e42ed772aa69fd78db94ca05c42e5aba6f0ff1ef1459f428dc9bf32f51

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
8128679cee9209203daa940759566812

SHA1
805875914cbd8ce7fa574a7446048f6e4e2478e2

SHA256
09735197e3a2a527624c6fc929fb38405abe133842f28fc0901ce462b7b328a8

SHA512
a26da94826ea180e969ce94a2ee7ddc8f0352146ec1e74a2557bc5b695a74e0a70d65a34651f3032082989cc36293b1f9352f9d9f569514566b380bd61a2957e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
08b905d8955c42ca3a84e3d3017963a5

SHA1
bba5d3a90e4c5607e865a257da29b6bdbb3332d5

SHA256
457cb19e1ebc84c5c78b7695fefab4c8a5f2839e8c24311763bda846b3ea0aac

SHA512
4bfcc0b0d5716b9ab352003c75b1011c7bbc9685d3af7596524b05a66a5b9daa6c43a342c51bfe9cd9b51ae9aacc324351b32a3c36aec1635a2a227ce25989d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
a638ac073a9b3710b2b642843101c0b2

SHA1
2829baad46378af3de1d24725c91598d0561f356

SHA256
cd00f2b6f8b9c54b223794b3f6ced53d0f753401b1ecd4f24d842f744cf9e091

SHA512
510f874c990fa3f55394abc31a7db556c3abafab91e0c33d3093ef4fc09be7c7bcf3c26b1c0bb64b3fe882466e9eccf74ec3e9219053087928a06636c85d253b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
dcaeddaad5751c9336ccdaa4a67ef1af

SHA1
1a3a325b08ef1b16643e9cf8294691b6d89b183c

SHA256
a931effb2970255a26aa283759625e150c77a00bff347899955ebe13863c7d35

SHA512
20cc5b5427d6c4df798a396e952e384b085b60405db886966b68ac62b5ba2ef98fc43ed69a49ced5ea7aa013e81054e49c55867de8326b65766c319f1c8def4f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
4bdf13134b81daf47021c29711ee028a

SHA1
f5bad065b7dc14b3c6f36fd5f77456724b07de94

SHA256
d0c392d7ead2856f5f4590e2ed02ccd90653e9d26f528617d68cb496d1a3f50a

SHA512
bdafc5a10c34ab4d555f9020355b4555f1260d09466868f5e0ce9505874d1ebb899f9d272eec4e96e4d0f4e650824a36a6b3661a1307e1feb17dbd3f7492d7a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
1ed415410784e405ea3ce9515eab8251

SHA1
8827aa122feae1feb1d77d431bae4a5fc0095782

SHA256
31b7e7d62cbd279eada0a77cb8b48ed14695fa691e16e5636e6b2869721a6810

SHA512
9e67470b96d8bb24c814aae34e990e1a4d0384351a1d8747674fa2c26dfe9f610f9c2ef8c8b13ccf816e4405557c1ffe4f7813dbf5526a29a4d6f08c55e7c5f2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
293876f0bd8c6cadb2fa43da9d5845f5

SHA1
ae5c8107bea9542a726833f026117235ecaf50f5

SHA256
8b008f9558eb1f92c6903aeb202d53f288ed526355f9388a13f6335b39ed2a21

SHA512
9a23e2321f6bc425f75e5c890ea0d696ca48a7c89b8cae90d983b40a64069b46f8f449a1eaa8e01553d4f394471174215ff190cfeb5688f7886e2b1e1b2cea38

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
2aae85d1e274696eb8fd24310ddfe303

SHA1
17ab0e1581b7341f27ee270e9c5e91beaf570f72

SHA256
13885925f224d052426c579efa7e956d7c8d504dc0984589ed23a773d07ab5b0

SHA512
ae380b685f9df6d17ed0d05981caff754b5d3fca8ce698a5190b4a0971acb1f2500480b67d7d523bdc694de63fa60b4442214dba2655e78de18a5fa6d23cbadf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
312d1972838130915d00943fbe65636b

SHA1
8f587003fe5c77740e80301fdc510cec45656704

SHA256
b8fa3a71a3400e416e9ea1c6ee286f06836c23bd8b06b0d8ffe1050d8f30344a

SHA512
77ade7b99901860e14d603521ba01cf84224c33ee5632a5bfde30946db912d0e6c719d07fbe50965362700818dc3b0eba9b6f2548ef52d93541b5d74bac377df

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
bb0c5053afcabb461b384f029e5371ea

SHA1
e5736352b6e3e61d825fa2f289146271e5de3708

SHA256
93b3b30c2e4a2fd9c8a62d836ad8146ff561a7668460d619c5daf1a145c093d7

SHA512
c9bb843744576db62bb26ca569959ce2b0e928c425ea4542a9293076ff2a7e2ceff450a19610e71bf2a522ae7add9edc7d1a5a0ae071db72813dc1b380485744

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
763a26dd0e9e7175bba8edf2e84bad1c

SHA1
35b3fb14d5dde2d5e0bdf9e2c56bdf460d53293b

SHA256
3bdd33f05793d278273faf59b408dcc3eb9bfb969c91ce65c886b12fd70f7078

SHA512
fcd8c483e5bfa5e131acb33e12654741c3a56fa1c26178e7185ac55754ec1a7efeff2947bd5b5a8425974a2a1b607f1ca2212c4a39f983fb9511cf08b25d8460

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
e19f9ff32f318daa4c6fabef47d24ab1

SHA1
de1446c81c4b6e8909b6014932cb31cb57f4ec7d

SHA256
b98438d2600f32f8fc25ff3a01eea5bf515b7f769663491ec3f7f90f49ea3570

SHA512
98e5e8ec3162be06494effc1b9c42f6c5fb8d2eee307c00c56462fffaa91ba08d82a2a574098a3d311d516b59634da43e79ec9922bf16f25314481d10b92d05e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
ffe8c8eae8527701f978cb2559d39d97

SHA1
cd90926dcfdcfc71654cf87290491dd25a3fc166

SHA256
d8628ea0798e920e071633e26039c814d84fceec3f33802cb3c008fdbf3a31db

SHA512
41ace74225b1d9ce01d987f965f66189c77d9cfa8de7483a6b71ed1a9c07e4852e2ec917074bc218dd0cf7dbf78d8b9da1974380da0307124e3dade5833283fa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
022ed0a10c8597abbf767b0b7c983133

SHA1
96b49926598c4fa4e39043ce0f393fd119ee93b5

SHA256
9c6aec56fa4d48dd870effd35395ba10bf6cfa471c6af1a1c68903642af8d6dc

SHA512
422cdf277ab751e6fc3d6a054c9987e243248d036080b0163d2bedc8975ce2c05c28fde5621e8c01aadc8f2e64483043d9ab93897dbebf850b1a86fa11b6b452

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
a693fd998e4ac0746a820809829f0328

SHA1
bc8629781e2f4da46e7c768f8b7eed7ea8b5bb03

SHA256
0f3fa3b1ae928988726765f3a8cd1d5ebf1c0842e3167bc9fdb1981a8e1cef3e

SHA512
56b58f64fa3b5110d1ace6c52ab5db64b4fa75fa368e95dc0d34d13702e6d6f28b8633622da96ab254496ceb56c5ec15a15a61998f2625d6cf737c9c228457e2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
e0252112268028d76f83b597496e3b09

SHA1
b9df3fa59bf2bc1f762abc1743dd2aed7862ea3b

SHA256
b70b3132ed9b1c2f314b30f1888b863ca0defc58e288c5c2e301868fa41b2598

SHA512
8a4c2fcb6e404ceded66ccebe47f28de8617930e0364f1ea4ef80624922b988bb37d933a3c8b378a7d1f9efe4cad1c01fa26b4d608adb9be2aa14680f766014f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
24157b2043d8113cf96ce5b82b057f55

SHA1
0418cfd0d897c493fa12644c0d95c1707207e8ab

SHA256
fbec1e53ec429e3ae7261464d8a7bf71648e6bb41c6ad7663308b0bfe5294141

SHA512
c453e3280b9ea084eec6f501e71b6134565936667ab22c73477cdc574075db6a5472a42d948fb1b381e4427efafd1e856e95a0ad44899f12274805c70d39c11e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
74046d684db21489d452f802cc3e5bba

SHA1
a2f7637bd700c92adebbb6f336b3e7b4597e984f

SHA256
c6a74f1d611fe18db8f6fc8a4469985a19c2c02c8d9837122e55042cea18fe7d

SHA512
619ef894fe176f447004e63e8a9a9ed0b9c725d8e9361c3d5fd852c56662505be178410b88a0308795ff56cedded7fa43ebb354dde8e3206f3a8b23092447bb2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
309b8cfe1e3fadfa1560733ca63dbefe

SHA1
6f07797ff096003def301dc9fdc3bbc7880c7032

SHA256
d569678e9c050351cf6e089192dce73c38956d5070a5c631ce01353b52764a9b

SHA512
434f80f72379c91cc0a4440b5191050225f8509936b9705479925a27ffc43f16cfac345c01543f5dacedd1a4c642cfc98b52627bf61c8415b4eb67632f2924ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
5ec882c77f56279760f41dc4ded0e59b

SHA1
15247ed3d797d622a3b162c349fd5f2f9c726959

SHA256
8516fda34e6a6e2d219d5e271882b7da483031e0da1c5ccde2e815779d2435a9

SHA512
84dd2695363ff3d641fb42c755c4c2b63ba50c8bb726391098d0f9b9da32cc83df189f517522646c563fbe47c947306a0b26ea9b798c3f3fda4db972988bd6f2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
d8f197050b99ca49e270636c7c8c57b5

SHA1
477a0e736949e71212ede57dd6ee25fd92e0b536

SHA256
a86ee6a832d9eaf9b4e1afdc4e08e421ff4e52f5626ea0fc7ce666c2daeb3c77

SHA512
f4df697ed12baa4a2f1edd24f3165b0363fd8224883fb9983d4d8cc70cb0af4bd51ad227cc7120f521bb0146f764948f3eef6515cc979300c6e95e5926a4c8a8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
272ab2e09250f93fb4890b734f3a9510

SHA1
c33e6d1fe17145e2a4bdf7b832aae3d3fc8c242f

SHA256
57a2544635111b6001c4f40d0cddbcafd254b46f590a6af9bd0d8baac813adfe

SHA512
2046346f747c5cbebfff36e8c9e3dd6b33b87b331dc3845723e5d7e5b65d2cdb33b322133f83d73c04631b60f2448520682f31ea542fed7e2a89013eda720922

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
b2e7bc1c8cb737ae1405dc17420da852

SHA1
6b20a5665a9a3dba08dff2a5aff304ac3fb7f1db

SHA256
9a1a398b7fe8f36f372875878983dd74458859e6ab221183fce2deb627c9289b

SHA512
0dd921387a8531ca2e18e9221cb7fbe54c77d33d529ba8d13b71818e87b55331d2512487247ac836202883bd1676d3e52a801cae84772b9b795e9bd0fd7a3804

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
d43d59692e685cb1d4e573aadcc099eb

SHA1
43f5add269fa879631ba9f47d9503e5106b68a69

SHA256
5636e71766c9dc4a7050974a5a2e3c3f12723ac23dded97a18701a5e25e70f76

SHA512
93a5c7308dbf0aa71145c89504992e4791ff2993b3fed35d4560a8985616ed11010dce7e0d3517d4593e868f98a038833c27282297318d0b84a1452525c6b84f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
83c6b884c93c8ca05eb7e979c16e9887

SHA1
24f43dc2f41f24e897ad4c91241eb2ff02fcea34

SHA256
39ea34222ac9beb87044471863eec96e6fea872d9406659e4d6bd57d80cb4b5b

SHA512
121b8837be6a0f3f9b953d80daaf80fe604f01f7eea1097cce1cfe7ebce027fa82ad24f60c77d58d04b2c192984e6ba122d6fdff0faf1ecf9a5d870f4b14277c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
2382e1a5f1006dee3824e8106a1d9f15

SHA1
4df32d4ba25f7983f89bdd591b229883ad19de55

SHA256
864b903aa0f1210e9b2eea7ca70f24828d637c39c678f1f553db086bac33ae45

SHA512
0d6dfe4aea744aed15c933dbc3e489440a65b8952233c04c3b013cf6a62251a319b210f71c047ccf6a612f73d0fd38fd360b4db45cf88a4d2f66f4e17b317047

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
94f7a83c098001873b460a866e1102b7

SHA1
65f0cd866a8b994859b70d1894ba125fa562b75c

SHA256
f0b593d0f26b802ec7a8ab50e2558caa2132ace282ccf2e1439e7fba05c5a4c5

SHA512
1a49c875b7c440486b550edfde81ab03f2dd0877cf4a0abd015b6eddade8f2be26f7646a782d01bb9a8ab4a17f4fc96f6040b6e1cf5d17384faf435af9991f39

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
a7b6f12cc5ce5815e6764388fc44210f

SHA1
62145fe0d0f3695cfe8b12cf97f3660885dd3cb3

SHA256
443ded55ce27ab2d8e6cfa302c0c63ae16d1184226da906112c669a3f02bc9c1

SHA512
26ea4a55faa8d23ed42ac0dd45e68a58d60ec28426e62c3420c6f803da4a5060fe97b37fc4e3c21e45c16adb7943e8752b50b2c5c7095a9e55515000b4e8120a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
b48d8eb040292d11e3a70452a99af070

SHA1
655c117379190e84e095807f21398357f58830d2

SHA256
49ccb6a67b62fd90d5b9fdedc5935354215a3e6c86be37b71590acb66192255e

SHA512
872dc6689ddbc9a2ea71c1fb761b7fe1a92f12eb014a4d6b45710c9cb7573c3dbb30b781909e45526bd6827d98026a46b19b9eb52664cd9084c2d362cf2340b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
67e3c7ab67e9cad5154720876b3d6f26

SHA1
d6bc3d2ee31c3464ec6d6b572cb779adc52e40af

SHA256
dc5e0fa65a0a9de6d479f61c06d7b3f95acc4d5741548d44bf2380ea7d207a1a

SHA512
bfcb71338cfd0158bf981cb095b0afbd99d509372ce385b0adf5ee76f790a3a11681c2fa044e2b38007cba243b2a875fc16503a80ff1d17141135d53d099d0c9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
cb3c1d664e1e5ac9f86784c21e7a7e18

SHA1
fd233d35ed32859a6bbd14533a0cbf446933ef6f

SHA256
ce1b1833de0757e6e551d10e8db26317409a8abc31b473c83f55fcc712419801

SHA512
13e8a8aee347d8cd0b9420d4e69d49f46fdd2eaf9b3da599ba243e98542437994688e7366feabbb429ea7871248e86d701e64fd01929d4b8bf4c6e33479f5824

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
4d72c098d161ed1ea140e6e85e38b90d

SHA1
1430bb1553d89873a63572bc72b8aa6529f141f7

SHA256
e9d5394c4e7b98ad3aba133d73141238e638e4180425c913224be0cbd07bc679

SHA512
630b5b4d32dc0e09bfe915d84f27ba041fc07faa764d8a6d6c8d916640190e7650af5f48debce3b98e6ad53608ac924ad4d9e7072a04ffef69e6e197e4d92194

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
c440f04ba393a4652ac720f802ceef4c

SHA1
281d3378fba6007f9a061df1c039c6ac1dc89185

SHA256
5d1be811b6727ba523a7ce5ff1f30f26ee052f0d9af7765ced34542b59658152

SHA512
d38d51e1adac27cb13358366d50932d3e7361fd98a27bbae896e6ed14be54f54b820cacc2209cc2f2c27a19b82ecd79248823f295181aa98cfd66bbcce03729d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
406f3d6f4619c58e25c6edc5fb00250b

SHA1
3137b238aca41683858ae814b20bca4b294f47d3

SHA256
4aa35be81457a91bc4d366f2c7be3500a03c969b4884ce1b13f7247653f26274

SHA512
241e3ffeaab7caccaa757b901aed6aab4bd5f50bc73a723d1eb1a9bbc0835aaea1996ab1ab485e5e0a97eee8a094105f810fcba9bf46f56f8ce9e66800b01336

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
02fef62ad3481696efe34e6d9bb8b370

SHA1
4907f17ab4077ff3b76919026dc53f0a89796222

SHA256
39efa0d0d116538de4f1dc36fce2b8af6b82b6984694889ba7048de9daa5ad3d

SHA512
f2c0152db123bd66f6362e1fa56aea0fc319d2c5fd774d8e9a428ed1e2932ed7bf8bf388e2ff0fbfd173906a9fb38655bc2b9c50a679968bd3697c33caa034c1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
e5375465bde6ea94fa0eac7f05ae00b1

SHA1
75fe4646cc1dba808dba1f9b9c0648a7fce71178

SHA256
1001e55d0fdc088d9688254209323eb79ce955736c3b91c5b20164b9179d6958

SHA512
d02241bc6d89b715fa7f07531fb9f9f1443f8aafa4aa72aecda7f3cfd78b8a6251687ff2908c3a10b64868145a67e7a2fc16df17ce7c5a8d0a61a47f9f19beda

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
ee020e5e08455e32dd7e05bbbbe309ef

SHA1
76ce173c79185685d10aed01378c5628b2ee4572

SHA256
7519421d7155d8351460fdc99b60f435d5b3bf32d6caf561d1a226fcaaefb1d9

SHA512
eaf78ab5a67eaa07a31c3bafecb3feb86029504c23205b88f9e3cc1935f3290e3c2aeedb0233f2a66478321e49a12063fc0f5c1f3a3bd9f2a74047101a4201ff

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
5c2f4c87c589253a2440474673550990

SHA1
f051513d29363288de0d4eb3c5115c067b75cc8e

SHA256
dea7f27b5821349ffd1f989d9d7ccc5abc8ff5e1275254ba659d5d12d2a288de

SHA512
b945682fa5ad6dea392d2793dbb41418bb5254febe93c932d454749f54b127c1244d99fd3ef8ac38eb63140bea859d5795311c4ed714ce57fe3bcf241dbc57a4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
a8a7da26fa1f0bc45a3079204dfde344

SHA1
3a303eadac01d909c64be7ff85fdeb6ffb437175

SHA256
a1bd6e1ac8920726196d08bdf2f06a751513806b28454fdbb2377b56ca7a4213

SHA512
471283539a4a9e478f2f554d1a6797661737a284294c58df232f406a64e136f0211d0b62baa89c0d1cfd8b59696b5e7109344f83de38c78626a39e201b6935e6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
7ac7e5e540c27b7dff0751a22302973f

SHA1
e1d25781b0b2cb05e91527f9a1b82dacd2fc6bd0

SHA256
c49deb1ce40c27909eeac1b81c1f6ebe7ab0305e03add1ef5436a0e1eaf541d4

SHA512
277bb042db81a1a7b710701bb495ef8681d9f195f47b5c2804da687971fa9108e9a2abad11f9feb0c771012bb4a419c3fb137245b722b788acfdbc1467723e69

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
94d127cc4f6f7e54c253660a179adfaf

SHA1
7af16a31f64a3fb6cc502895dbb9cfcbc877d95d

SHA256
a9fba161052312ab5bfb533afbfbed38fe17446f4e6a058b6714afb695a6a4b5

SHA512
9b60601d34560660bbf67560f8df7711f436dde28ac41c43c33adb057db78e0044f3391fc869585f4077d2721b93e7338d1326fac8ffb2a43aa59035669800f4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
692ae26c42436198cad6454eaae80fdc

SHA1
5c77ece4b45ec8a01f2cff0fd9c507f2ca45b838

SHA256
d676e80242774e53eb98d3bb63a1e8b17a01d09f6a178412f2a76345df2310f0

SHA512
ad3d9549e0b86d024fa029aa0d6f621e73c875bf822c17e54ab3e5a74a519b66f081aa6a6719c49d1391de3c5a5e2dbbd7b5c28184898cfa3423815c11623dac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
a6eeb971a28dfd6797907f4d4aaa5127

SHA1
e722d698750314a8434e248a78b44a4961c0a6dd

SHA256
aa3514ad53472b4d0e61f6679cbb70e44deea29dd85edb658cfec26a3a2c7ddd

SHA512
74cd05a2882ddf26003448ffe106abe38826d22b0daf37fb88e666c3a387f26ea0224e2f487334679332732692e1085307bbc76db1e1fdc3d795cae4d38723c4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
77d23f931d97d9fa42116a882359d526

SHA1
f2f9948501bff3840d09d5ee47dc3d07971a0e15

SHA256
0cbd137b2197b29de14170c24af767f44c1ee64a27fdd1645426078bc8ef2991

SHA512
4f43439e936e6da499777d1132e1b527516bf03be0f4d1f183e810500a8f6357529c01cc1438dcc271dd86b127b69557180fbbf7adf3bb149ed2db73b2ed5190

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
72046d9ce2b319185af8e439624582f6

SHA1
46fbb2926f66469ae85f39082fb46dc868dbedfb

SHA256
fb5859c33f7084e9209e94206f2a1354c4c466e56b9c8bdca668229b2fc713dd

SHA512
17724e6706666ff62dbe233e05b299e52e96ee83685934702204a80c582df11fd18857adb2621f6933104c791450348d358b77150ce739cdd3010f0a4017585d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
260d37d22255554e0519fea070c929e6

SHA1
44f6923c2d798587b2861a1857e620ffd287d3cc

SHA256
a3efc5ce41ce5a4a3d17a868f9c5f45a1839c355d1ea9ec064d6651ea8afb87f

SHA512
c73e0162d5b601b67465af295aa8ec7bcea1a0947c404e079ea7c635e0291919bc97e12b1332c7cabee15949fcbb362c03c6e928bfabae11a9223bf6e4123384

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
b6ae0514b9869c5264cb814d14cf81a5

SHA1
bffbc4925cfb4a9fcf203b8b7f92337f0e4628be

SHA256
d0f7d2d739bf7ad0b261085bd5ba95ca0e2c93b88323a08f1ba6f0d53667ab55

SHA512
d1f2c13f4413d0a546ea00ba27a93af7149bd9120637538459c738b81573f946143efbe3cc9d7d7c44164b5c85e41297ce9f5c400a65f7fd8507de02efac3645

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
9938c4009be9b47584e1159b830184d8

SHA1
067900881552fc20df4295a0c2250222de591f05

SHA256
d997a762db4a3738a6372013eb3cf1aed882e40a6b0a3ed15b511eacc58a8f8d

SHA512
22b378c05c42deb626a8dd849ed7f5277bb8ce6ada42c45b783a72432ddf133fd70522ba47e9fb5c55328e5cdcc2e8c8d2b738ab5bcf7edfbf0de90a2978686c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
56eb668315e65c8f725457431bd6e357

SHA1
3347fe1e0309bc49bb0035ff2829eeee2b1d46e7

SHA256
914c842bf18e6e1cb4ec704c20c4ec5193d9479251ef9e592d9a2e3afac9967e

SHA512
f7d5ad6c638284dc4af5706b3781316b29bd964e5c8b091effd713d2541767c39bc2bc0e89c813d0ca09f44324feb0c819dd2724374f0921977e3abb12c738e9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
ce25d8215346bea8042b02cf05844482

SHA1
dfadb5392cb6552ed748b653cd1d55a4dd350f4c

SHA256
8efe3a57a3db1b591bd7a8e9e2c668d01e7b8e4a17c9dd3c2fb55d80118c0ae7

SHA512
c639bdd3bea3faa1c75892e38012f20c459cd81795e7f1d9de4107f1855659e4558922a216820a701e4ee773b128c7b9d1586a94889935d7bd1486af4e7fdeeb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
22b6fdd6b60a87c956d2ecf75acba170

SHA1
931d6dc3cece85ccc95dd3acfd4a6495b0c3c49f

SHA256
c9bc43f67f8e987a09b95f803c143678c41cef8b51c82a5a7fbd790c44f3c28e

SHA512
c75225133770ebd3903712e323ee77cd202481c9ecee5d8fd25d8699de46f4fbabde5b9cee84871ba32b609c7ba9497542d7ed136fa9ef8764056e4016e20904

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
bf7f10874675d4a600ccf6f46d72326a

SHA1
500c45d51068dc938aebc405a07f6c86c3aae0cd

SHA256
347b483e34e975231741aa2018bdc55bd7471c10ce3aee795b9c82f512257e60

SHA512
836aad6ee49ee19f7a3f8db0f5fd676850f6c2866d90d66fdc29a9798e4983535ac199473cfb3a9363484cd0c55b886256b0145caea4733414b8de548bc914ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
47361ef7742f17dfe8eee15a8c1e9386

SHA1
07a96e432d36fe9e1c80f7df2e3aa1347f4f2036

SHA256
0482b39af79795f12f1e3610f261423900c63501ff2668481360079b70ad8c2c

SHA512
91fedb9d7c521913e68abc7ee23777fef1d4949e5b866af9c26c46d0c695f405ee1ad354fd980bf7e78cc803a1259b4dc5a7c5c5aa0ad84456c6034d6e84edc8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
278fa77a21ba3404103d52ea1c441bc7

SHA1
54e7f44f9d3005c035b66e615f686cc76025e0dc

SHA256
6af5dbffc43cac4b6f059213ccb69482be1a545ab3814710695b0328737e8833

SHA512
9925a5e4e15a9e13ccb1da4a64d70b4d36a23499b11bbdb82ca927c11a5b92a1f9a285f06a0138fd55ff78b71737eb896aba5a3854688ebce3bd5ad6ee1ebfe6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
725f8d222b747209c56b6e871d806e36

SHA1
bb47a4137ff9c11dfddffb27312c2050cf5dac03

SHA256
c0d260b1769d558f84f04f8ab0aa884e90e9dd456ec052460ead7d91af35f583

SHA512
b2618b27624a869748eddcd2465cd58f73d9aec1a5f18d2ae437ad92fab5548175039408dc0cdb1efc33c3d5fc27b9c964b14d429dd69f6edf89f7ba92b45f96

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
1a33c03f12a0407f05537d1d3081e41e

SHA1
00402da2515adbb80bb613c83417b6feb2ef4c78

SHA256
0596cd6ab0305a5e38c51e4a0dfd70d1317255489a2819799b551dd4cd744d47

SHA512
a7b12c61233f4a1297fe3765ca822e8f7b8f6d18453394a0e20359d3ca7bfe7396f6fd43a4689b63790b3d24397767fcca9a163907ade3ea973925090905a22d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

Filesize
65B

MD5
d375c679def93db979ce1307830dbf5a

SHA1
5bc836709102c44a8b9923cd902dc165d2589368

SHA256
ca2af55d5bace7b77767cce9fbf4589111f67c978b3abdb053b2262c95f114ee

SHA512
e99c0380ef006222bb6afc3d9bf4114cefc61108b5aa4179a3db6135bc377e89299124cc503750f37caa111cacb39b1de07dc8c8e8ae8d5c8cbd8c30dfb0e59e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

Filesize
65B

MD5
8d8d95e40029e92c8038ba48aad0ce66

SHA1
84d86f871118e6281de83df0ca8ef946e3fbf11e

SHA256
edb597578c0ae00a81a12c4bccb1f80ca824d69d8badb9abae698fc0cf996db9

SHA512
3d9e0d880ffef8d1b29aafb39dee0802288875762f0f49a655eabea523abf3ad96189854f3323e727190dd1c2ce96442024e2b5407e01307b9325d890bdee23d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
eb0c3fe954a5d84d385484a9989ccf14

SHA1
2e65947644b25212646dd5d13c3160f3af100e3e

SHA256
b959e6717ebcebda6e91d33cf653af3a33cc01b30541d8e79f571afb1d9fb4c5

SHA512
fe8ab3f57f8a2985e32e1acfdb5ab19397127e3ecbdacec10f38fc5588d59cf823679e61e9fd2d5623d444f6fae5ee4fd8f17c79263ad8416d8a2ba036fe1ab6

Download Submit
memory/2644-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2644-3665-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2644-3666-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2644-3669-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads