xorist | edb8cfc935436689c16d3471b10bd5d0f8094fdb0d75dbfb659ec40497e4defe

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
Size

7KB
MD5

fed774bd34f2f29d0617099a280e9961
SHA1

d2e73b672d3f80398a2621c87ae202119bb5fc07
SHA256

edb8cfc935436689c16d3471b10bd5d0f8094fdb0d75dbfb659ec40497e4defe
SHA512

ae224c67e36b72d9025ada85d25db4d8f689ed94a83102e4800e00a49b09a6e35ac9b4582fbbbb4ab5becc81d0333fa7a1f27ea99c480e18b9d482a76718e2b1
SSDEEP

192:Tzdrr1FG1WDCgmjPZBgtbLLzdtPB5Nj6MUA:Tprr1gkDCgSUtTTDNGMB

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/2412-8875-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2412-8874-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2412-9107-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2412-9108-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2412-9109-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2206) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2lHuhG9B6quvrxM.exe"	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wstorflt.inf_amd64_neutral_3db956c41708f7f5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_output.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oobe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSnapins.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Path_Syntax.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_neutral_ce7bc199c85ae0a0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Signing.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDiagnostics\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasicE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_requirements.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_methods.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmvdot.inf_amd64_neutral_714bc6a3a28b9f0f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_54f2470c084714e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc002.inf_amd64_neutral_fdb6f2e252435905\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\stexstor.inf_amd64_neutral_80ee226e29362f51\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_neutral_f91980f20f3112ed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_format.ps1xml.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-msmq-messagingcoreservice\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_types.ps1xml.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_execution_policies.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_script_internationalization.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\002d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\Failure.gif	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_do.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc302.inf_amd64_ja-jp_64ee91a0bf7b132c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts002.inf_amd64_neutral_ad2aa922aa11af2c\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiacn001.inf_amd64_neutral_b7a0b2f53d745b5a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_While.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Comment_Based_Help.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\atiriol6.inf_amd64_neutral_bde34ad5722cca75\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_parameters.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm004.inf_amd64_neutral_d2aee42dc9c393ea\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky303.inf_amd64_ja-jp_b054bb0d59e0a3ad\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Command_Syntax.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_format.ps1xml.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_WS-Management_Cmdlets.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_parameters.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\61883.inf_amd64_neutral_a64d66bac757464c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcommu.inf_amd64_neutral_83cc415156be45c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_neutral_77b02fd738dca150\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_try_catch_finally.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_script_internationalization.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_scopes.help.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnttte.inf_amd64_neutral_16d100fb6ba2e40f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv002.inf_amd64_neutral_6ca80563d6148ee5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2412-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2412-8875-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2412-8874-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2412-9107-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2412-9108-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2412-9109-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\currency.html	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21535_.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR20F.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33B.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\macroprogress.gif	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01734_.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.lnk	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15133_.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_ON.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\PREVIEW.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\add_over.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\2.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01750_.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01239_.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02085_.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\4.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15171_.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_sr-..-cs_690f4f26ec911a81\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Windows Error.wav	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sethc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0a96df7a928a58ba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f3df4dca246f6746\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmbw561.inf_31bf3856ad364e35_6.1.7600.16385_none_ccdcd7e1bbd30d11\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00010426_31bf3856ad364e35_6.1.7600.16385_none_f2e17aa3a36de94a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b9961c3b23422616\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rpc-ns.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_164805efed52ef24\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\napinit\6.1.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_bthpan.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b97fb4751aa13926\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_bthspp.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_23060661b312bdc9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_0d3757e79e6784d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ntservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c36607d86529d1ff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-pnpdevicemanager_31bf3856ad364e35_6.1.7600.16385_none_7a20366b6d92814f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_e5966adda19f72b8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\rectangle_photo_Thumbnail.bmp	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_usbvideo.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ff02be6f0eea6bc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.identitymodel.resources_b77a5c561934e089_6.1.7600.16385_ja-jp_bb8820de7e355f67\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..siondynamicbinaries_31bf3856ad364e35_6.1.7601.17514_none_f08b571e7ac4826e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msident_31bf3856ad364e35_6.1.7600.16385_none_741a2b216666e1a9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_it-it_246142242c393ad2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sr-..-cs_e977d49ab747fe93\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-diskraid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_63003de9329c96bc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ar-sa_f1795577af1fbb6f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-v..cprovider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_52ff7e4ffb5387be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9a8df06e2599ef3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_smartcrd.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e233d379b95a43bf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.powershell.security.resources_31bf3856ad364e35_6.1.7600.16385_en-us_412109d66c5a5017\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tapiservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_292f069d35f52edc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_megasr.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c1ae6009ec8c7566\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_40e393ecc1dcde45\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mpr.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5cdeb702884cb6ba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..cyscripts.resources_31bf3856ad364e35_6.1.7600.16385_es-es_73edc4b92446fa08\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mail-comm-dll_31bf3856ad364e35_6.1.7601.17514_none_d7d72fd96f2c2eaa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netr28ux.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a0c40d032699f093\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..odbcloggingbinaries_31bf3856ad364e35_6.1.7600.16385_none_819eea0aa1e0a91e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\settings_corner_top_right.png	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Transactions.resources\2.0.0.0_es_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sysinfo.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4cf7162d05c9a0d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prngt002.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0ac52b15cd4a9350\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.build.engine_b03f5f7f11d50a3a_6.1.7601.17514_none_0cfd67f8cb24384c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-snmp-evntcmd_31bf3856ad364e35_6.1.7600.16385_none_b8db1dc46558b805\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-cbva_31bf3856ad364e35_6.1.7601.17514_none_2c49a970e066e812\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.managementconsole.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_a724e6819edbc021\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..nal-keyboard-kbdfi1_31bf3856ad364e35_6.1.7600.16385_none_c32196e3190fe638\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_4f6b8363c57e4032\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-codeintegrity_31bf3856ad364e35_6.1.7601.17514_none_fe9df6ad1b5f6e87\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-1.htm	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-v..mprovider.resources_31bf3856ad364e35_6.1.7600.16385_de-de_127098b7be06ea5b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_rawsilo.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d5c276ad141427d2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..e-utility.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8bde4585eccdab34\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Requests\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-proquota.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b1dd5830a5a06b3c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..et-server.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c5db05929aec1b67\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netl260a.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_37d5568c6cab39ba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_windowssearchengine.resources_31bf3856ad364e35_7.0.7600.16385_ja-jp_4d808c9e1f75f2d7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Festival\Windows Battery Low.wav	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ls-nltest.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fabc16bf01d9c7bc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sysdm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e93e24da10560bbd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.scanmanagement.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_5e2c0ed3d4f5ff3e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67#\49f9ffaadcc9844e70ffd2ef770f07ab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-rdb.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bb1cb4c71e2eee59\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Publisher\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIZQHIWULZLKEOJ	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIZQHIWULZLKEOJ\shell	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIZQHIWULZLKEOJ\shell\open	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIZQHIWULZLKEOJ\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2lHuhG9B6quvrxM.exe"	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZIZQHIWULZLKEOJ"	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIZQHIWULZLKEOJ\ = "CRYPTED!"	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIZQHIWULZLKEOJ\DefaultIcon	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIZQHIWULZLKEOJ\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2lHuhG9B6quvrxM.exe,0"	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZIZQHIWULZLKEOJ\shell\open\command	fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fed774bd34f2f29d0617099a280e9961_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
355B

MD5
281312225c1ceae6b600791ed4953741

SHA1
55df258ec9dcdaeca68f3871c72eeb6203bf1713

SHA256
44923ce57d4dbead89464d37471ebc805eb275418bdad873bce6be9cd1c69e89

SHA512
acf5760790f49dcb978419a381c7ca798dffe0fbe61625de625be896d895d3a423fb28a5cceee675cdca529aca20b704ffa4fa0bf92c8806e04c9979251f9c72

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
2d07a82b09fbe1de71a6cb6eb31569c0

SHA1
308b48c2288a0fbedcf3ec8b133623d1ebe0c289

SHA256
b62e90c83a2eb7e3412282b5f8ba792ae95ca8ea76727a2b0e4b348115ca6227

SHA512
70d57b158d69a8ab9659290d1d3626754e26459dc996d8943513b289e52202b64434496e3c8142b488f1ddedfe3bad091e7aa6b8897425145dd5059cc83c0794

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
552fce5cfe6df3522b5ef41f51e84f4f

SHA1
aa8cc6c40d4b052a67fab4593593c5e9ed25f343

SHA256
a47614cc3f2bb4e6a383128f8fd50e7466b7c84e941115b266ea3b99fba8e308

SHA512
c76a9e1350c4ca225715b2bea77e5edfdb06d64e552274228b3f866128567009a7b6d17e5b0e2af1659aae834902d0f86980c6595fd917fce93a46b7b8a7d7ed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
09f53384b42aed42e315fac87a3236f5

SHA1
22acf285ff7ec7732f9ad70c323554d8444383e3

SHA256
83ab73af19afd588afc4190cc229395bd11bfc04204ab0ff68dadac2bf7b296f

SHA512
b362bc39470998dcb6c72e4c8ec299a107bd1bfadaf534bf8337479d3f26dca84dfd8117db824cfeb351d7328b30640bdf3df905e35d33a79f31219a3f6cb1d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
bf97ecd7dc75762d5345332ea0d48c45

SHA1
0f6d472bdccfcda2244e60be30de838e9b32e19c

SHA256
8e9d3403fdc5a285ec2c9e4dcc1572c7d21d3c67a439f0412c32f861b8f70763

SHA512
b369fdc82da7933665f6a3af73faefcab1158dee1882b16f01110977b51915a4341a4f00dd76f129f053b3d3f9bce2c79ddcc9b33510d5c99c0c955eb8e88181

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
5411f38020e54c09e04701ce25f6ab5d

SHA1
bf3c9268d3d4167cf8205f28454b98aa2c1a8525

SHA256
0ef683b0acadd850befc043fc05c9f1d20c740a56e207c35e253ef8173edd194

SHA512
dda0df1dbb3dea052f5d2b7be40b1c40e832d2bcb9858b423afa66fd35c7e6cdec17c89677dd267a25773d5a9fa941ea72f6df833ede43898a250c286a8d124d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
6b25fa8925cdb048e69ff3052ea00540

SHA1
b1431c6c7771aad0fdc88d29ad8c8a4539c0c4d8

SHA256
a6932474e4c60bc528742afea4003f2db466d6e1cd280b192abbb28f67b21463

SHA512
db2238947c4838216a778a75ae8668c042592eea55a501060af877da5d6fa1927eb9e59ef5fee6c7a69a715e5e75e44ac68b535d278b07f06253d06aa3523c11

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
e79e71641b8ad34ea577896cbe084825

SHA1
1a8cc235ec2c0e2241ead887cc33c0ba65645472

SHA256
ff4d5d8fcbee7aa9dbee8b8962ae9d87d6b614d41a46a581f148ed0a498da1fe

SHA512
e1c16ebc5e72d18cea3547346621a19a5c79cbc74508850f64ba97a817f5c19d3e3840af3d2aa86bb77c0ab303acdee04a635a1c8bcd87552fcf1d81db118c8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
7dcaecb89c755554cb780b9ebc0e2b34

SHA1
cb0137c00747523aebb1c92c2d3423b509816240

SHA256
32ea9a77fd2c2ad0ca780e1f1680d0e3d06bf5d5a5b32f49405f9fefc0eeb606

SHA512
cc9d0d9a7872c7e8dd41d2a2c27ae4d053d763281baaff0e4ce9523ed57934fed1cd1ea1134a1b216c814688f52b88bce0d31b6c4787da8d94795194afb7634a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
1c196a2ec476e114ce60839fbca98fca

SHA1
fcd564b39f0293e61d08c76d3d3f36a1ea94243b

SHA256
369c71c882a5e76f3410ae9fded276cb6190194061eb8d3e2b492e62fe2c0f78

SHA512
2d7f98d48be04932d8359be2087ec07713146a35a242f2567be9f8b02936d70082f3b0fa44990c88655bd7f6413c39f2c7da45bbfef82ed8d79687bd2a04b80e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
eac753e6fac570001b917562a7e3caa5

SHA1
0dadf8c2a34bb54fc60d2f308d3449956486c5eb

SHA256
9281e04fe2b753a1ceae4e9f708361519186e1563547d9bc3a6ae5f6fb823087

SHA512
a7a088b22bd6bef43ea4055a2edded82c3d984c6ae7cf5876a0d7a91ce51c4cb0f18ba7495d1bbd089ab4e9e9504ed7f2d312d25638a401b4b9ce2ff1aff1242

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
e99004695508269288159594151453c6

SHA1
edfc4f67e0fc442c9995527a46f0f5b813eb2c9d

SHA256
433109144bfd9bf4f0a78d4cfbaff0e072c580a54a37eeddf84196913725ba49

SHA512
79570ce4be260d05e063d78a8ba252acbd27cc206d3a821817509bfc7773256c9d9aa3118e3ebd81220e76fe094f6eee7b60e4036034bb28d56eb0ba00f8c38b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
7c970bb9eae47dbb98569aa89a63b00c

SHA1
5d678ce97e96892ece65f522f975a308e929a29f

SHA256
58dd82fc5c94552b8da459825b0947446be4423042fc91a80c5caef232b90201

SHA512
d05b830d5c3a7cfda2176756071fcc953ef5e118ed12a5493eabb9e7366c0102a90fd77dc455623078b1551038fad7cb2e2774d2c1667cdd9c46946c23a22429

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
a3cb6177fa53261333084b451b63d75f

SHA1
9c414fef7c07bdfb493f3d95e43e59d0e82ddf5f

SHA256
13a50ae6b84e9c02645d2f746943695fd3f1d821164050d24acb92a36f597bbd

SHA512
dd4f3e09699f279c88983b6ef35d1878df07b26162459aa8ee0eb3af5f59d828b3b76f0feda45fcbfcb279ac3deed309ba5df35e691f5479161d0c8a7ddf14cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
5c8f0422c26d84b51b2355a88a3b6238

SHA1
2dc2045059f5d5d4c43e2499ed41d7f4f3cb2dff

SHA256
4a46b086ac56916db7c7882790b51e051072b80a9f31855d5a94c3c8ca8d622e

SHA512
9b4f864463b86a5238f2d6bbe9017a733f60ecb3e90e984e5f094106ad2960eaa4b98955d33a87d52c333bcfd818dc99c2e26ffe91fd45b6a44d90b54faf20c5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
3d1346b11afc540a62970292bee10c54

SHA1
2069a8165badf8f4d74a7d73626fe4064a3d927e

SHA256
7118da02e53b9cce18c6dc31a721786ecace5b6849401f077c8a6b9a8424a366

SHA512
5c3491e673c2dec1328354070781767090ce8f309cc886bdcbac2400a94c5bbcd084b268c656c25a0346cd8ad864f7d1d69da87827439450ef78a75047de321f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
84d8a224f288deb08a6b222a2870f1e6

SHA1
089f626b9aa12f2ff0f1e94f95f625ca0781505f

SHA256
36aa7b73542a1417d3a50d6d470005675dae5d5176b9d1ba170d5051c3034b7f

SHA512
f03a9845d6fcbc012a1c452cd8e0a4453b56cfeea76ff11014101ff8e1905a5808e0c39f1c169439d0087cf83efde1979dbf16741c739f51d222437234bcdcfa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
e20c386836b8d9fe00f7bccb3bd087f6

SHA1
8f7c4f2817c27ba0cb9c70149cdc5f84bc29a65b

SHA256
c7e18bd08c46b1fe8409ef3e1e4724a24b2d0e59c4ade6c44d23356030126007

SHA512
ac39eb444bbd0eca690357238dbaac6656d9510dd51a0f84ea714753eb9a99bdfb27a47226d533a305167aa2c577a80027f8ca1acdd66049f229722625df6622

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
a6ad9f7020934ca2ce21946b56df2ea7

SHA1
74cc0ad2016e159def419a7d626c6a069af6b0e9

SHA256
bf094cec8f604b673cc8a44ad3fed79c86f87c9738922a260f266a5bf29749db

SHA512
c08da2e66d1c28a560f7ca8f226bedaa8f0d19d7bab216c4b2510232f9de255b4bdebfe05122d4adae427f9a4f1fee375acd7174e471ff4cc526423010712574

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
918a21de1dc2e1470e4ef64e0db92d7c

SHA1
5199bdce3e5238f62f61ac7e58e758afa8db551c

SHA256
745c7fd687790aa1fea28389d5108573cc138fa0d297b2644f43785e750f646f

SHA512
eca4577cadbfb1f90b49b35b74bdfe72970d938af395e788f66c2288d748413e4e0a95c74cce12cdd116db8636f45005787f8a022eb11e74dfd92bf2de59ba84

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
81b9b9ae041d36bb6be5e3072d00bf51

SHA1
4afdd7319f42fd1d936d14cb10cf26d24507295b

SHA256
21c72a8979848ce4b15a04d9cd02f79efc5b5513b4ef4cb5d05c8b946a8c3196

SHA512
31274a8cdc7bb3854b76bad9306e84b71c139071e539004e54701ad5f0d2e4bd7581cc40fab2ca5724597b5f6693ff2457892709e638e78324e7461471063f82

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
ae462b7e7793e87441348788fef160cf

SHA1
9528c3a64755f4dd668177a8d51baef661d2280d

SHA256
37fbe8224d6d578add844efdcc8cbf101b448c1410bba1ece416ca28fcd6e509

SHA512
dd7d11e0a2f03ee787199cae6ebf468d0bbb2cce362ea2450583a2a20bfcebf87b9c8ccc7520d9469a6cba485bd05e7b4a6b4360ec46109a0c25fdf15fef5296

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
8d1aabd83977de2aef3e5d051e30d754

SHA1
80f50cbb292720f9a7d6d4d9b9bae7622bae0664

SHA256
2496d8b6f54cfbd8aa89caa82378cecffb3609a50abfc171816e1866bf036470

SHA512
3c939a1daba02d8a52f3d1915979689a9fd3f0ddc7861efe8c5ae319bb983ffc5807a0d00a4ffaaba9c177f74fe4c0d2468e86c6d6b6d1d828c710b9a23c7ff6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
a93eb0bd6af9b063de2cf973d4d59c8b

SHA1
1ee723a26fd1ef13705c26b4474b8a0326f21ce5

SHA256
e2896f6d6bffed9a4c52ef969c250f5e2b216bc43a1e29c76222cad967d0f935

SHA512
05e349e1b452804e89bb49844562ecc7677e2987a79c83f32c495c72575d53ab50bbbbb29bb1be0e2f38e00c14dc3450491bdb0a5bd91d40ae62501499583808

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
b2bbf26142affe78e13945e3d5829000

SHA1
697b1663e0bc6a60e9b866d9cdbd45c24b950a7e

SHA256
892c05cea74420de9d962c0f5e73ed14d3cf0d91778f2ad1bcb365b3f193e74a

SHA512
801abab1f967915e27c1998b8f81bc5605d04afef8ec361c5d9b03b654ce1ce8a20f56225cb26b13d8714ce914b6211b8a828e3412bb5f64cbbd6d11e262b71b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
5f19778f64b917703525631a873d4e22

SHA1
2f4ab28f0b5a96ac534f4eff75885f4ade55fe93

SHA256
dd7c761da70048e9a86df23a0739ce63d2c69ab2d20747dbbb7f6f9fdd225453

SHA512
bd591d071a09a6dea88dbca2a42dc80bf548ca88a0050186aa26c4518b77fd082e728e620c2c89ca9761962f768b44abc6cb99f41f85fd1c02bb6cb4169f6927

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
2fce905bf8a5b45e0feb9b27987f5069

SHA1
e522f91f324c7df1c9d7b2f91d982a7044c82c46

SHA256
a02507f1d482fe84deb7b4efea2733d2c598590381ffb626ca4a512d67a5fd9b

SHA512
63d769f0cc0ceec9899c76845663091276db64a3837bedea1105bfd5da9a94481ff1aa9ecc700ba02c04e6b2a2b1365efc31287dd01d0d7e5f0d80bf7e34bcbc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
1c05dd234e2a33f09b826fb184207fcd

SHA1
9f23bc0577549f57420d529a04c486e4bc33250e

SHA256
ca4dbcea37bf7b6e10d82cce4419013ee58b3729e8a42470e6c0203d34eeb1c4

SHA512
58e16218fd4b78b3b4ce7e6b32bca7da08353b9e78f4941c60683a69699a044c5746b1ab74fc8e191da08ede6bdd921a0bd59ffe059d46174699c9340383885a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
28bba635cccc62c35f0f41902d84e7a3

SHA1
2b956b14ca6145b10c84ddb787fa74a07fcc3f18

SHA256
e6264c85d8367ceb1631957677d8704ef5d0a0b7c23e5fa1919ef0818e7318bb

SHA512
2d43df9f74f1d3186388b1a1e59518ada61b18399d0e7cecc11986df71aa4106b769cec3d7a1083466759a727655492c09fd3a562cdcbd75135b2959d23daa38

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
9f6ac9fc9b4f2aa6fe6dd5d297aa6a19

SHA1
a29375cb1c4c7b7948c456b9af25ef59ee0261d4

SHA256
9b8cd9d23ae1ea392c9b77de2b6e1de004ff4952fa2ee635b03119cf4c639234

SHA512
d6e724f264cda78d0aea283faec3de07b05a1e73a12600ea2ee37dc36026e3c2a298e7a411c2734ee29b54c84f9b36319b4b20b82be8aa079c01ff27990f7f8c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
494d855894fba0d3ffceb8ed20d7e23a

SHA1
85714a545a45755bac571ed84a6cbe041ec68027

SHA256
84b9cc98cb1cc1695cbce1a4621d0fc8b8b610f42ec1b9e7e96b4dd76fa777f7

SHA512
aad132bb3b7f630a1f2878c0ca59c3322000f765989f4091999ab2460e577aa451b782418b9d60eb8bf114a94404055e856e7bc262a064d12ff3230b49f63592

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
0e03ec72fdeca7c6377d51b29c07d9c1

SHA1
ac57d4ac73ae2e2860a48992479ca927eac84662

SHA256
6d421d91f7ce0c0b69ce7f22b78e90431d393a88fd653ee7ba4d971d89ddd204

SHA512
c4be92f8c7ae8fde24c5e2f9a3d57761917840960da7bfcb0cd687df8a69565896829ce3dda362621f91274f4d94292a8d76d8fe5d2cd6baae928062c03e8019

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
3f30a9adeffef1435be5cda032aecccb

SHA1
d2ace35592f493e835cd2436e02097a86da9e03d

SHA256
543588d686d5e961ac98942acfe1c30d042e4ea89656982e90f1857118fe9dd3

SHA512
afb68c5deb3d62f6c9f60e52823d83b7c2d697b9126b393a8e668a72e4046a6f268b91a953670c2a05373f85ee8ba096d6369e5a054c1c7d1978043b3f7ebbe5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
16daf3cbf82c965a74a47f8d4def6d66

SHA1
1d403883f7e7304f214e031ce2556a1a8cb4d5d2

SHA256
90f2d265ac947ecbae2249a0f6db2c6274002d8ab64f293cea8a937cd6d79590

SHA512
04bd30097dccff77e6df443e2db7a60e6cd1be1f52c2ffb56dc6d8ec8c84d9a46b319a12b42f4a7df893dff7e6debc0a4f1de86abefa7ee219e3089d08e3a7af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
8e3c83ac5767e58d2715738c2454f894

SHA1
e17e9d2e6ddc8fcf6f071b16b1063732571b0981

SHA256
b24f999216c77319f0fd29821a8b971de548fe8cbb22e3bda2759bfeca9af380

SHA512
ad1e52cbaeb5393d865a7425c4929c8b75cebdcb94a74e5d99567f3f611d8a7ecc73bd59b38cb7dc9e42e5da4c1b3c2fe826837f6ec2fe10da7aa6e68eeecc7e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
5b390bb87a5ebd1c4a698cc752edc980

SHA1
2e0c719343c4f10b205fa6dc4dec25be2248ec93

SHA256
0f6be91954053d6c8df2665e41d6c10b88f413fc2f163b29923719fbfad11f2d

SHA512
f1d6406efa284ad88aa5e5672841a7b64b3b1af8f787221c0f8c12c83d0b51c9e929374ab46c0df0e01f50e4f5fd3531f2056cf52e100b1ce0deb0508ef7986c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
902f2f3366908dd7f125627b6321aaa4

SHA1
ce5fd39b961fe58cfb59231143e5f605bfa65ca0

SHA256
f852c453defc7dab76edf7b16e87231b5961abf0f58fbc206afeb092658567b5

SHA512
923ae65b85350d65b61cf6e59a538dc8b9465508c3946fcf152722905d69b17f81fa12b8e64b4e10c9235951c12c214b33f9c3ba6549add3dafcff7bbfca90f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
cdca58febcb7e6696b682b8f31600244

SHA1
8422e7bcdbb1a9584d58f17b229ae2b29f406c3f

SHA256
f7e4417a23de45a3abee77d1f2083579458a814fb2bc14020067696e594550c3

SHA512
ada47e83983a865a07610e4a1f14571b579b689ec9ee7f5c3e4291586b348dd0515913b7d3cdb955df7917053193ea9fbf6fb374313128e6926737ed76deaba4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
73bed5174083b442a5ed0c5fadce6099

SHA1
3e30fa14da76a300274ffeab87451e72918d53f6

SHA256
f407414020969253c3702a9ee74af29a36046ebb2d5b1c34e0fef6e0ad7563f9

SHA512
a4921e199aba87ffc0b4e51a0dd23873365185bef2a47ab97fbdf7ae1d8f62f1aaf33ba0852ba52422b74c680a0a28103c8ff1b1cb736fcd84a99961a305b6ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
e86a7a34c8c8bc032162e76ba2846c7b

SHA1
4528fc1e0ed0e429e9ee02d41da90c35a8b569b4

SHA256
57c7fc9473d3d7e23426c1140769d4d9404b9141de12fe16369f59b227e52739

SHA512
5d39a74932cef5d40da218b9a584fb227ff04e06a760c26b3cbe23e4ca5281bb48edee8e90de75a8e8e68ae223fde5b50b214f4ebd2c2efed3a827b6ef23cb9d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
f95fbfffe3ffca57d4a4e4afa65c67ed

SHA1
79afbd3ed64516dec29d6d6eab89c83d8152c5e4

SHA256
1854e23ed88f2e586c4772af21f10f3122d20a877371b9355af1142832ef52e0

SHA512
3d3d743af3264116fc6efb0e249cc121df73140f06073dfad471aaae2615b64fc58e01e1bd8f412d860922cd892ba0826eaa48f902b4e2adf355fed382c2c069

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
c502dc8968afce4fa0322ae566d7632b

SHA1
1c692febd8dc53ee02925476a4fc072fbe71b851

SHA256
ddbb9398f628278a194d5a9b5d2f0ce81567a6d5c56431e26e983834ba1a97eb

SHA512
c7e6a1236377d2ad6ba1ffe8f7f8ef73b5f56afeea55f9e4104310f21d9010218094b660bd3f4e3a4a253b07ae84bcd90e95e22c5f7739c6e94107c5fbca21a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
90ecf59fbd78c27ca4905d9033edc8c4

SHA1
e45b11f3b1a5d9da97eb5d2b6c1769348068399e

SHA256
46a1dfb9294892eb4a5db6001b1abfd59b0e6827cde40d1a4aaacd1bc6e2200d

SHA512
a951f75bf8812545114f06bf5a34b4640c390b3fd5e6606dc54da0c4d44115ada1cfab38bbc7b2c75ae3d2d78c553aea946562fb064800b8288af34c0993fdd7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
f40c65e14272a03a57a777c0a6c40866

SHA1
c0d9e4cde8cca6326895c94ad4e4086430853bef

SHA256
023da94a763d5736549e12fb2c11f664cfeaa733f9f4b5f8b306778034ca1cb7

SHA512
4b9e610f0a9d4eb0c78f656f7fcaa099efd853d19ddd55580d960659f6a905e64e4299c488ff67847200c498c717abbcd8705c80829e9d5cf923cd0985dc6c7f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
bea072bdc12b8498f39850a6fe984f44

SHA1
2c059650b4f54e0dbb2dbf078fa074e273fd6bb2

SHA256
c2fbe798dc999fe7a4416ae6aa28aaa924025b7254340e220cfe4bb69824e8a9

SHA512
e7d21753afd4c5fbf80dd55e42b7cd8b20415d11cbd2f534eb0eb34dd68cac73747f4ef039a1e14ec22edf5a3dc689e9d9b84b49f110d211f587f54454a14c71

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
a9e09f54685d637367d5b527cf20d359

SHA1
ae850fa5d2db29e9bc0097c4fc099e89e434add1

SHA256
26fe0cdff681ebf2d8f7adec266df2d594a5e3faf01b2569821acbfec09d2067

SHA512
9ab3b6aa6518b2a94f404f57b38e2fea3fe86c29f9ede40149ec448f8b240226ac08ee2d92914e5e93de7fed3ca73582ffebe40c5fefce5ac51c02294b8b9bb9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
40d868bf6940c0f335de99d972c77a15

SHA1
b59923be16a610ab2cd35b08b8214b8ca3b97f5d

SHA256
d24823810aa39cb654bb8dd7caae48ee8035ecd69b9f1f4d652b93bbffdf1e1b

SHA512
f127b2fb33f5918ec3aa7775b32cdd313c6c99e1d83cbf3304c2275b21430b9232707906879e0c40fa94b3e629b8d73283d30e295dfbf9f70ad9bc81fc5bd6d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
e26a8eaafdc9a847c941cde07d04f8c5

SHA1
4e6629c1d3724c2084da0b3959b7467b8d335ad5

SHA256
0d18704453c700a8f2b3c0a86e8bbba3589079f7de7c7b6bd7fc3ef207ee26bf

SHA512
27388a401a3e8553b63fe85e9e2426b430c06862d72835c65bb15e96e42b3700edd080fae743c4053356daa239697a8ece2ffdab974d3e804e1b2b8bb08ffe3d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
c82cfbfdd9e1f69f875ea84e2b631f88

SHA1
b075ac354a81457e1f2cd1cfba119d2e502f278d

SHA256
61f46edf7e7a2b5de6b42dd93f688cafd3f953ad7d47e7f5f961ad6c7922d818

SHA512
07052d95d9839cdd708e7f1801b414ebea0970dac5c6a2b2413f4c9597ab0e3cbeba2c4235f10d5fb3b3ba9231c5dd4aeed989ad51bd0b40707bc698dd61083e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
31a5cf5bc3ae68e2be0b0a676915ba7d

SHA1
ff8b2b18b5ca8dcdc45d10581055016d904e03e8

SHA256
a049d5f548cd44e6fc1187a8a28d8889c49bf1947d54a8d5fd95bacb4783bda7

SHA512
37147b3ee6506ff595926b8af65114b4f8e802b0221302dad548df2b50f9a26d4bfe7a8b714810a0997e82b90cfb529a02d59a4672fb62aa9adf168dec197a34

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
15b76a5865a58958da716232dcc0fdea

SHA1
a3028dc5a15f99bf4b702e186f31ae550142a5b9

SHA256
e56f8a3eb1f6cd9d8431a0d3520aed8da41839bbe795f148ba17ae020ac3c841

SHA512
21cd00229f273b38b16b6a0638ad7aff3278bfd10c666de7e81f32dc385e45c5110e862f1da4daea8094157c6ccba56dca0d099d1563c9d0c6e2ecd320892e97

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
914e65655533a4fe70616c076b13f563

SHA1
f37ba00e6cace014e7794640f77c7c3cd8f0d256

SHA256
100668cb73a1ad1f9fa8f4f4b0cd99e68cd12423f61f3c46034d7db3cad9102f

SHA512
f9b7b8fcf9e64e92b9460e2c90f8d52758312f0cde4b82fde9298dad4ec7be39811c7503b4b1bedeb9c174f5c766d6d5cafa4efe6e21be89f76666f3a6000872

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
013249e90df2ee397a3277fbeb9f477d

SHA1
d8611fb3879184208b78035da2b846c537b7635c

SHA256
4b8c7aa59f26605e90b7a0a71fd9828cec3739b7ed45f1567a2caf07b42292bb

SHA512
0114fffcb16dfe3fdf47132d667ed4f7ca0d69345bc1b3323ec9525ce4afdc4516e45d8756f18827ab17f4c02ed5669e181bd8a34416ff1c55eaefdfa7b3b22b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
372cb7aa962beeda12ab94e5498d605c

SHA1
6fae664094a7babfc43ef36e00cc29a240f3b009

SHA256
2367fa3a6936094411d540e554f418f73a3f9961d731ccc4f736df3e4f62552e

SHA512
6f4825475f5cde0eb63e88cb5a0276437ed2f44f82d4bf8018c01f24f25a0a76a701638924edb6c2757e3eed188ade37790003a7409621ad79faa33464dd1092

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
210fb5fc914cd788f7d42d94bc3c6590

SHA1
77b5a05b368957dccb0cd2c9c761b3dd926edddc

SHA256
7b5388a070240c204d8c0a846bd4ebf5a0be17753c32b29b7215c015a05053c2

SHA512
ca607f3401d5908831bc187b4f2b170cfae3317cb609b4e507d397fd8bbaad2bdb67dd00a0ad1a1b264f56fc2998543b299ec3c4e8f70a75ca9c8cf47498ecfd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
c413ef038c546c77fa4bd44670f304c6

SHA1
f42afaef7025ce1d323a3bd333c78a9045195726

SHA256
584ec8552e653edc4929b539f916eb113e56dcc541f89a81a2af0677408491f6

SHA512
bf3e9d2efcbaaac01988f6c6750f7419f2d11d5a5c7600c196432d16f29e622b3490406bb52080a58446292989bb992d2a01a5dc7ef876b870824fbdee322451

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
0a98b61837b1c73b64055c09db724245

SHA1
1a3a2ea8cc19885479c2243a2962c9fe383a7ad9

SHA256
eb2eabf77653913d225d12323ef3fd14dc791de1ee5acab0e08a9e543bfbeac6

SHA512
7037bb8944774be55acbc65175bdcb3328d68dc2d656eaf556faa01154963319377c03ad9a32b4dae4381e018a74838e6599f0cc0fea46df27ac7f419d60af8a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
ebdee837e78af7006c19cc58e6682b70

SHA1
7f27f640f5d0edc452083f19d2729729cd28bb38

SHA256
a6f9f011fdde3e49ba91e6fc0e5990dcf9e5485f22f240793ffaa132b65dab63

SHA512
fab4dc6b62213a515888ef5897fcf7bc2c087d27c1d7b5ce9e3fb75631bbe9ce7dfa3a98d3342b12833725df7c7c021a96ab7d92a6c0b06a00ead56d792e996a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
0e2d09b46c6913bab5704dd0174791b9

SHA1
73cbd1d5e947e80313c4b414acdac3388e98424d

SHA256
4e22e545bfc1d52c2f5b1b94da3a227d9a80e59141c799288530b48a7cfa95a1

SHA512
892989da00f2d0b6de59398ad75e3336db2a103da3999364bb4b2e8bc4886156b3f4720cd259a4e0a50f6ff30ee868cc205ef9502953ae8d48e95efe5f993664

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
b39c0f00406acbff91088f7be2793743

SHA1
4a6764c49d32ef2225a60ae07484a1a988573db4

SHA256
2370c86e8d41574d1e428d5ca21455def08c374f657ad1f80f511b732d539e72

SHA512
7f26f866b119b6e999807f85c5e2ab1336fc0505e89a9c2dbdab63b50971572ea979cda876267ed64c4d7789417709c335292c740f34b5a16070d14202a4008b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.EnCiPhErEd

Filesize
12KB

MD5
1ce6adf39e3bcfe40355727bb311f1a6

SHA1
96c8d1b98df010d287710c0b29f07d3443434739

SHA256
cbe9a25a0bd94b5a8972432a450e72b4b73e0d0eacd4e387907d4f4f6c299230

SHA512
a76b1c6ebcf32c21edc69c26ecbfe205ed8102d9bdfe713d9d1c6a596ec4c5cec7e871a57f9f22aa0c2042dc1e2629e79696242de60370aded1e09f5b9e49d87

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
0fca7adc9b3dcdadcdb5e4a634e821ca

SHA1
f6d024bcb54e1024cbb67a2c77907d9e1c49156c

SHA256
baa9687bf48054d894bf0bb9e167b5816aba6ed86471669b9586b04a62dfd480

SHA512
adcb0ae2702b45d88f5f6c73385b04dd0a9c2a3207dcc8ce36108ef7c9bc2268c9192f617ba4afc328afdef6ac771b2d7a28c771ed64836a9a35c2d3d1fcce0f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
087bc815eb19d6bf4b04b53eef61d198

SHA1
6778273b90dfb255c934dce312bde572039a879b

SHA256
5381fb7a9d1f4feeb69eda92575fe9607f0b14d2b21bb2fd12d36abf63467f9c

SHA512
380a801235141db6cf2ee03826e49fefb660d76e5a48309c49397fdad9a2fd595ea80c70c0386ecbcd24e94febb90d8de7361fc060b7e3204f2681070ed3df43

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
c63a6db868044e1ebc75086bd1b54014

SHA1
5e85cdc072106b2e70ff97e154fa898bf5a819f3

SHA256
f00a8c37cbd6572b3872fe02db83495c621ac45bc5732384735c5954a5dd0f32

SHA512
3d2d6ab483f3b2574a27fb7d08a42e91e623728190acc0573cc445fcee1a405dd78532366a2ab7a5cb0a241ef7ebad53e025d4d5a0966f330564539dbfa6e204

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
8c681c3167750545a6f0051dcb7ce932

SHA1
de8fa27008c12cc95ad507772fdd0321058103d0

SHA256
6dd56a113fa86004b5c1e07f0c2936e091e7c177c0ec0f30df41170cb3575ba0

SHA512
a705f1e4ce3ff548871459d1ce0e8a733c53c3c39aa5640aff61f978a294c2a31aac559ceaf6712a2ade9b227ef1cac5743c47f6e157d19d9e55566f49f5e378

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
2f3a3169a71a51cd6b6a775b3d179cc8

SHA1
5bceac6a3e5669fd5f7c4d638e5789dbf39114e0

SHA256
92a1bde4539be4f8e62df6f6df589cf38285668c5128191ece54b331b588e178

SHA512
082d8fa6d56b71a9b673374548dcc010f532f33da97e2e4520218fcf7e761028e46a532dadb19cabb0c6ae43b1c8463645df760e1c95fa44133479135e580d95

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
49a36c571b9e723199ec2b574db53580

SHA1
f59ff0d593b880287fc270a5ab7650cd38d15e62

SHA256
94aeca44073b4310b295c557d87170a1fe8729a4ed2c93220d038f29623b4d4a

SHA512
35c78136bf9cb0357be4887285d4f52b1a01c708a7591144242d9b2f15ccd566460edc1eb1b0d1cae31db2ae2ead3cef4d250aa583db6f7b4ef793ab6a086750

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
03a61a64f2bc20b9f02aa665a52909b1

SHA1
836214e7faee9239c4178e22d8214efa8bff059c

SHA256
a68490871acf88bd72a76921077254d7da4ffef8dec20f4026f4d77501360a42

SHA512
6506c03814f527e193e00d78968a15e7b9a03bcf4e63c5e7ade2f8f299e221e707b9ba8c29477747cb57a10b684ad31bdc8b727624841abbdcadeccc0cf973c5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
d26ec30f97d58a3621a59651338ed134

SHA1
565956571ccbd5cdb49e32b1c144b002e0250975

SHA256
5100f44f01a1b61311c086f26e0d6e21dc4927052cd2862ef4a5637bf35df958

SHA512
d9862b3c5092d156627e4a8b2c25326412fd7952753bb95fa5ed7b6c89415991d108b2bb3a812fbc3a0c47d9d46825c3c8d31cf72a40fceb8e707180f22ee467

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
d139ea48f48fe64eabf895d2d518b557

SHA1
ee9ea1ca35178dc5936f0be0854b5d02748e7342

SHA256
dc5ecf20133ef576c710f27d1c4cdd6c1fd66c47b1db0a8d115d5be84246f2fb

SHA512
070fe9cf4af2b01213687186d13539184d79e4e48bbd2c6e8fb1139e7dee8bce221e1ee4963554091dbdba9445e3dac6b05ce98a64f634680c199d958caeb4f7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
80413241871ba43398c68c3716b1bd44

SHA1
1049f8158b717d548b8635088a815489dec2e56c

SHA256
2e9f62bc389ccb8533286d159d0ace1775fdd597b4562a63300b69357c5b6590

SHA512
81a64bfe02d02652494e131b7bf77943cb04f0ee256c379de59719089ffa899d099dfadd547195365ef843a6b6c454adad4b214531236d1ab63c130f8ec959b8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
4c1bc3f61c2eba27447f07730491405b

SHA1
8265b3d0a5173853a014ee2def3f1db99228213b

SHA256
200e545dacf036c919fada9746ab45635e0389f8b8f3594f0f726bd1bb96e79f

SHA512
0968c2d5274e12c36f636a85b2ebfc30f79f207d174d0a64639621d481fa990962c27815b7b58d29905e3da3a76555d452c48710e94a794355ac058eeef57569

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
9a85dbed17a799fcd6e8661344c5baf3

SHA1
fba133a526218423ecb0de4cca500d1c88cf1cfb

SHA256
5c4513c7529104451ac3a9874ba60c3d03a59649cdde073a9e6ba044ca13cec0

SHA512
d02ea730f781ecd6adcd5441f9736b72c2d04ad7960e5dd3d41f7c1e358e197350186fb27c40a3a354506e4051ffeacefe135e2e91f6a1057c4071d60b27d04c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
b1ff1916b28fe3b5fce231bef22bbc5e

SHA1
34d382895812ef9805050ac5312d32f91b435fdc

SHA256
b71766c8af8555b22e7533622b75909cdce25c6717a5897ebba67cd857a6f556

SHA512
558608ff11a6c411cc6d9655072321308f418f4e0542a370ed10afbdb55e713eb5485c90bfc5b18711e62dfce77780e6bb749142c33cda97737b6a3fe06b504f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
c79fc3ba289df3c0d9a54ec2114e4bf5

SHA1
dcab6539b8a02c69a996c077563d4c6a407809c5

SHA256
5d481fc86328ce8c46e4adbb1d1187a8c4344673fe7443b18dd8f7123965d9f6

SHA512
e29730e9dcead9955d2e86a6774e4a6e436548c5349ebd25b5d3c6f01748b79c7c793ce6349161ce1828fb1bf2b207f58f85694678816fa2d948b5ab524fbce2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
3f0ea126d842b5f8481a276da6fc277e

SHA1
2b7a2e95afa83b2efdedf0f0b5adcaab09acd9c3

SHA256
7ff80b06ce325802f054e9b78301347d4b0681df0ec7dff479393580a32d1984

SHA512
516fb606ceea8fa596952d64858baba9f8383f3382b9f19f8e90f58abe1a9545047dd0549a16dff6ea73d0c0dbe7106f97f54cdaf0e68d7e8d6da51ce6b96cdb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
7fe6627895be9384bc31e47d082fcadf

SHA1
2869bc8214a5991f3d653d9147c32b3ae924d5d4

SHA256
bdcf8449a87b58809f4ef22ab0244afb668ab2291ac107168b1b80c25abca77c

SHA512
515233ececbba6663db44ab9b0be5e055224c3ee07f7deefbca444003643e5c562135a328f3bc08911fe241703b4ac6bd0721ea2c03b68c96bcde48457b7e1d2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
b54aef8493e067839ddaa3bc5f066a9e

SHA1
7b0fca184ec3cbf76bd729a52bb00dd541868ec6

SHA256
bf32f8afbb884828ae4ea25dec1064e841714dfde59ea45425651eb3c2631d5e

SHA512
29ccae24d0bb16ae44b7eb570c2c0df41a8f423b2f404f3c8aca7b88e476249d7d5e515dd9724748fdfdbb311ced026753d35a7618cf927d2f190661d83d6d26

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
8186fdcefc514e5fe84c7138479bc0b3

SHA1
939900ebeee753dda0089ab8c88b34fa9d8eb69a

SHA256
a30693f5bffdc95c1f8ffab195b1a26e639226afd1706f837df4b0fc0adffc91

SHA512
b2feafdc21211e4d7718f20c891510ab177b93d8aec70b7fde25748b728f16b00a3f0461ca18fb7c08df763548a02c90b3b5158b015df4a0662b044f0c3741fd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
2ae8ce56076dbdda11f6b7801e5241b5

SHA1
26fcd2c4353067eed8bc0ce67257bd99c9f69fc3

SHA256
d5790fe1719427a4d199b0e74e665b5299392b922e961ff340a0fe4ad3261518

SHA512
0b5232a237eb3ff78013e464b5259d4ef98398a2bd938af22801371e93767d1bf3ca605f19dee8549b64a8500eeeaeda65b40e497019ebb1a6631d201a2f0ae9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
25ea9c6dc4348825bc8d36719301c559

SHA1
54bd19257a4d36ef1ecebe31f66a285e1716508d

SHA256
f3b647ee1a760b63f929119261076444a49d32265deb60624851f750f4e8b998

SHA512
73ad10dcafb55979d79c063ce4c07f286804162b04d009ba39c49c2dbb63d302ed72285fcc089605359621e35583193fb72c8ab89498ce63ad10f70c8809d672

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
7dff36943564982ae11109358dc0d8f9

SHA1
dddb0c4d8bce152e9b1ae14e211f21775cbf63a7

SHA256
fbdf1e7f3d9682035caad4065aac676d7cbff22814c45fa63aa8db51226b92ed

SHA512
7e7b4a0037870f7bbe11d048584d12466508571a70b807f0e590285f2d8805174c0dce9ed0e52913d4fa5f5910434bd8618b957c5e74bcf6ded402a68de260e2

Download Submit
memory/2412-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2412-8875-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2412-8874-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2412-9107-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2412-9108-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2412-9109-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads