xorist | a2aaac413b7545df1f50f7e2defb0e337e8fd75877476d4e7145bbd45e27d61f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
Size

39KB
MD5

6bdacf822ede3e544705fd537ddf1b00
SHA1

907df0dc2112b8d64a641e63f3c5bd3a3ac50890
SHA256

a2aaac413b7545df1f50f7e2defb0e337e8fd75877476d4e7145bbd45e27d61f
SHA512

7b78fdf8a2264faef6caeaa287cff151664a9bb1b5f4ace962c6f59113c6aec2efb8938fd3fbf4788a66389528e75f9c79f1933ed82303af40e3eb4749d46ba5
SSDEEP

384:2ebFNw4Pk1itKkpAjjalrkJQqYvjS3kDCgS6zNMB:20FmBkpKjZ7Y7fDCKS

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2380-8618-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2380-9100-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2210) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gaoP0RsCEv8mTNc.exe"	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_neutral_548addf09cb466fa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_data_sections.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_wildcards.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Session_Configurations.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_neutral_024281c0e4e954e2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\WCN\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Variables.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-TerminalServices-AppServer-Licensing\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00a.inf_amd64_neutral_d64d696193e69d7b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\en-US\erofflps.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-shmig\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_escape_characters.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssessions.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Assignment_Operators.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\data\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_format.ps1xml.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_prompts.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00z.inf_amd64_neutral_aea50acf04a2db1d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\es-ES\about_BITS_Cmdlets.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_objects.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Foreach.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_History.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_job_details.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_requires.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj6.inf_amd64_neutral_8087946c82068597\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmwhql0.inf_amd64_neutral_23613e3dd9401f10\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-COM-DTC-Setup-DL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr002.inf_amd64_neutral_ce2134188ab21f59\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_regular_expressions.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Automatic_Variables.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00y.inf_amd64_neutral_64560c72e81f6ad7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmmotou.inf_amd64_neutral_eb1d978f38f35bca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Usb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_try_catch_finally.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\adp94xx.inf_amd64_neutral_4928c8870f6a1577\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_cmdletbindingattribute.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_split.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\lsi_fc.inf_amd64_neutral_a7088f3644ca646a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\spp\tokens\pkeyconfig\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WMI_Cmdlets.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_preference_variables.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2380-8618-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2380-9100-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\keystore\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01244_.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePage.gif	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01839_.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_ON.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files\Windows Journal\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_over.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00142_.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00531L.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02201_.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\logo.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files\DVD Maker\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\PREVIEW.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files (x86)\Common Files\System\ado\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files (x86)\Common Files\System\ado\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115835.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_ON.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SPACER.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\system.png	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.9c7998a9#\ab42fe6c2d968bf5eef442b19382be06\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..homegroup.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f674612e35113616\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-deskpr.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8d0bfa965be3c584\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..estore-propertypage_31bf3856ad364e35_6.1.7601.17514_none_e907844a97552799\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-http-api.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f7cb8489869c1df8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-wmpshell.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d3c91bede0a7dd8d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..gement-ui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8119e5e9dac23aa8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..p-ui-libs.resources_31bf3856ad364e35_6.1.7600.16385_de-de_82ea0b7094a46617\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-snmp-evntwin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d6af84b382037a00\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_wiabr005.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c263f89f61a04fb6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2cb346e85f09f71c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-installer-handler_31bf3856ad364e35_6.1.7600.16385_none_3acf7ac36580942c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rundll32.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4b43474aa60ecabf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Windows Balloon.wav	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17514_none_14a49c11b2f4bfec\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..re-server.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e7be835328ef2a06\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..kitengine.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_2d787e81683b5f11\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-cpxl-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c834cd23337b1606\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-o..lfeatures.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_61486de82ffb9ae9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasplap-mui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_903737654479090f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..riptcollectionagent_31bf3856ad364e35_11.2.9600.16428_none_981e5b1badd89cc7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lmhsvc_31bf3856ad364e35_6.1.7601.17514_none_b0e6edd606f5c524\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..age-codec.resources_31bf3856ad364e35_7.1.7601.16492_nl-nl_b7ca4d8b5a0ff58b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rpc-locator.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a96eb731e9ea5ea0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-tools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3016c13308503634\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..randprintui-printui_31bf3856ad364e35_6.1.7601.17514_none_de3cba55d23c9ac7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..e-upgrade.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8e513e4f107f4beb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\assembly\GAC_MSIL\SYSTEM.CONFIGURATION.resources\2.0.0.0_it_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\inf\MSDTC\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cb8d93e1dba7ea79\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f86c44a49a61f132\slideShow.html	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..-migregdb.resources_31bf3856ad364e35_6.1.7600.16385_de-de_17979c52942a9094\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_netfx-shfusion_res_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_7a97f0ca887d1f24\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\9620e555dd2477358732a139f1724c57\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7600.16385_de-de_745636f29d6bffe3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-wmasf_31bf3856ad364e35_6.1.7600.16385_none_03aae2475a1913f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-van.resources_31bf3856ad364e35_6.1.7600.16385_de-de_23bf497e17cde8ce\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ctory-rll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8c2f9ee004904c05\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..p-service.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a7ecff97273c066f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ilter-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0227bcb6ade494cf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_7.5.7601.17514_es-es_1ea13dc975b56b36\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_regular_expressions.help.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vwifi_31bf3856ad364e35_6.1.7600.16385_none_bb899fc9dd3605e0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\msil_system.servicemodel.web.resources_31bf3856ad364e35_6.1.7600.16385_de-de_756b86892907ff7e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-qos.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_442f1acaef62f611\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..on-logger.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f55897674210e0e9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..-truetype-gishabold_31bf3856ad364e35_6.1.7600.16385_none_f50009547b049b77\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..rtuimedia.resources_31bf3856ad364e35_6.1.7600.16385_it-it_690b104007e5d376\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mobsync_31bf3856ad364e35_6.1.7601.17514_none_5395ac706000af2c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mountvol.resources_31bf3856ad364e35_6.1.7600.16385_de-de_da57fdf93790b115\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..nvservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b94b6e2a5874ee2e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wwanhc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_17647b4718b125a2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_prnle003.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e260fe41bf46a687\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_scsidev.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_80ad6afecadf6d8c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\assembly\GAC_MSIL\system.servicemodel.resources\3.0.0.0_it_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-k..-plug-ins.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a6b1f87aae54d065\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netprofui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b052e5ada141f874\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tapi2xclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d1ae371ed95ab684\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-usermodensi_31bf3856ad364e35_6.1.7600.16385_none_d8abbed91585a944\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\1036\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "WAMKPPFKNUIKTYD"	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WAMKPPFKNUIKTYD	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WAMKPPFKNUIKTYD\shell	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WAMKPPFKNUIKTYD\shell\open	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WAMKPPFKNUIKTYD\shell\open\command	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WAMKPPFKNUIKTYD\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gaoP0RsCEv8mTNc.exe"	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WAMKPPFKNUIKTYD\ = "CRYPTED!"	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WAMKPPFKNUIKTYD\DefaultIcon	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WAMKPPFKNUIKTYD\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gaoP0RsCEv8mTNc.exe,0"	JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6bdacf822ede3e544705fd537ddf1b00.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
282B

MD5
69a98ef655778f1cb3764a923acbae80

SHA1
22683321e95c9a631039d15fc49ac5d3e639ac54

SHA256
2ff127d5bc4c7333c8f522aa4b456684eca97c06d452bf7d00b6a99b49b11b0e

SHA512
610fc09f40124e1a74ff303ddd95ad5809679be9e0c381e5d367ecf8e1e137c3da188142de7a2c5fe2b1225e12482245f2b5c417d43d73618108bfb1c32a5ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
08b09d726e3ec091f00c9cbce06618f5

SHA1
4d122f796994827b8259a898e3f4f93d8ec3865c

SHA256
d7aab863a5a42326cc44e063d026fb41b3fb3c62e7ca7d683efbf8b7f04de7ee

SHA512
0dac5398af8bdf6a03d9df0de3d77d6173146c36650bc4a7436ba40fc433f6434b6ef8197ab84c7a346038292c8edb0193ad5b11f999ba9d50b4d86fe8e6c262

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
da07da506496f4d33366dcb365fb7226

SHA1
c32ccc10c683635fea3566a0ce141e4b63f565a5

SHA256
994a79741939ca07f77746ee06265c3ed6829a2a560faa990fa2145ac9305da8

SHA512
bbd01da8cc353101f03cc2d5ed586b96ec472a72480a823245ffcb2993d7f769f30fbde13f6b5d83973aee04fc24e69863804e2e847ecdb22d777d6b719d3433

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
932700addd83cc0e30eb310e51cf2e44

SHA1
483dc99f5f47468c7aad7cbda6b66eaf1a1bcc17

SHA256
8aa53d043472225d9e82aec4a522011f6683b6833109d0ba1b13de71d969f969

SHA512
1539c88200929c1a9983fc81c6bbc7d4dffc9126a1aa24acfa23a0c4a04f1521326079a7e7997500c2fcb326d295ea58296850aa04550968253dd7fa0dff1e15

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
8d7c156f35e1a6d1afdb6ef6d1b45cf1

SHA1
7a9f10eaac5eedab9a341276b4589e197896afcc

SHA256
e480babedac6639a3fcba7c7f48161e9fa344efcad34bc5553a317162e2d7ce6

SHA512
5ea28e0068d4860d13771a622b31779d0e5eb8679951c89de9166eca6eb3706e3acaf80e0c5982425ff59301ef5d4c795e0a37dfb701c6c3e0e4b08a9291f5a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
998b5c5dea235f74f25f857a1dbede13

SHA1
235a1d3df3dcff0da95a2acec43ddc1fdca1fedb

SHA256
12f0ed3d71d37aabb3988fed60f1b6fdd70d4f7153c7b0c95aa5cf3681ab9715

SHA512
a57f5ed5575216f3d6d7bbcee89672cdfe1ff175802fb7acdfa5f7f98b9f16ea5143cd710eb1a40197a4c2694052a5964793b3a992e3777e9d7689556239de36

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
ceae8491fb186908648718fec8fb028a

SHA1
1691ac64e53cd95f5903b00af81ad0e7fe8b334d

SHA256
ac755178b36c65b445d32e7e099e9d5d71404ca9b8904f3ba3431ef4c931c33e

SHA512
ea79a658bbc3903032d360232fe6c6ca7420e5bdf59f4843488bd5dccac7c3ff060db5d27e3ece7600b0acea34dc84bee5904fc6d1d0ffc9b637b00542e77d58

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
d3fad811904929a7d3823f083167f092

SHA1
3fb132117fc94a880ce40e4469c5d5d2b96d24b4

SHA256
bb529f26a9171199b1ab1dc9312496191274531686e0e973ee537c27330f8cd2

SHA512
2b25d1834ac09bf8db88513e3b3320b5b56ef53b4489b767a8959a4aae9c60f412ff20e5a7e94ae0918c94acc327c47888688460209de74b7f8c1503c5c3702b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
07f336c6d22b2cc47b89e73cb3be6a8d

SHA1
b9cb964a2184b5c69ab980b49733c53e19081430

SHA256
ff01db5dff4c4458952d720933634536d3b8413c46ce54c3c368508ad4a78b37

SHA512
7413936dd3299a17d30eed757c7829c86f304b3b09ba376f7094c066907dae399e0f3a01528b1aa8f64cf85c90fbbaf25de4e8a38c9cbe81a615fa39b967e140

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
3c46c2840ac678d8ffb786c9c5aed3c6

SHA1
ed1c5a7a61dcb8b158a874bf4987db0fcf4bb4bb

SHA256
a4398a4f0032c75e07f6f2eb0976043cf33ea2b508be0cfcc9e391e309b215ba

SHA512
818fc29c6ed2d8cb10a19c2535c3778968e830ec17e0b3cea7b9302da4918693959bff875cd82c8f6682cc046c4adcb1d47025d7604b2cfb72c34d8e4dfb8a7e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
f882ad4ea384600e56dfaa38478403f6

SHA1
3d7189c2ec3d28aa8aedc7e11afe51d1498f7cf9

SHA256
7f5f21a749d64fee096b70a0bf2fab87de8558ed3f9c3c65b0dc6764677c4e2a

SHA512
ed5442040afbdecfcdfeec3d7aac6037328bbf7864bfa2bdab9ef22157dfba787de4847fbe957627456902783b2835d5ab826b6986b8574cca3ae419516a53ed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
ffde6773cfe863d1c77bbe0a62d7b6cd

SHA1
f293c30648b59156e5e3da83ca4d5ed768c36b57

SHA256
236c8bb12b9e7a843be650a5dfe1c7ec8a5009f2d27287d33484b66f29674cc4

SHA512
73f9e7c35f58b8440b5bf03b3d36d05196a8de5eeab684b6d403db7df61d3b6abbfef01d985f86b42622505acf204943cc83511ba89ea8f4272c74e3ba191ab1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
279ea9c0f8e40951ccd60aec3a6add88

SHA1
2079d31b69bb789ddaa09cfee35deeefcfcbcc2d

SHA256
ff5f211ba6d51cb2434bd43c633a07af8f78886eb7a6c6632cf9a93f4425d2d6

SHA512
1c3de532927aadf6cc653300af0a34e175801f2513c6071060a1defc5829582f879b107f8d7dbb580819f36e8a76ee35c8fcede2a8480912f3a3eaad9a94df46

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
dba41b9e5d6fa7efd5edb2d24a5842f8

SHA1
c161aef2eda8f93d36dbf4fa832ecb5c26b69aa6

SHA256
dce854beac0cc8f93eabfc50db10962946fcda75c24bb73ceabfb8eb288d32d8

SHA512
14296faa6e857911e2efe15076667ca7d502084ccaf202d28adfdf64c4210d6c62390e961bbc8312aecf2d99a9d3bf926ed2fdd0b5dbfa1b00581be51e0a9be5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
7b86e98eec05b1aafaff6b3ddb4d5413

SHA1
34ab5387cd905cf4ea3b8307f679a520c6e416c4

SHA256
3d1b42b3d7cb3860ee52ea03fc0815696265f3b0624e9991db6ebb548c25ba41

SHA512
e99b2fed79787e554c71088372104662ca4780aa7b993b599c5fbd90ee0ab8f9dd703c5aac03365269d5d690ed2693d0f98cb800a2c96cf4c422a98f6f3f3735

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
efe770015c36b03e7186c3c1d6943aea

SHA1
b25f36708b2c2b0f6da805a29248849d9830fc7d

SHA256
44f1530946211a474c660fff6189a5a94d28f1a838ff425b3e666c581ac5859a

SHA512
e828cc356bc649e45cf931dff52a97e48cf682e846c407a51608baa5d7da65e5bddbe8ca28a5320d41dd111e67de8a3e4f5f6ca93e2555c297dc5d5dcc86a6ba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
6d222392d1bf40071235f996bfd6ed84

SHA1
a12b2216d4545ee076fada7937c6cdddb6df0482

SHA256
76c815a8336bb12e717921b46daaf76bfeee1d5354dc8b5cb47b41f050f6478d

SHA512
437517cc77a621037254b12f441056082e731bc3fcd5070e9cdd28ee150031b0c1d62a62074b35615b5ed4c6fb6b3d7fe1a46b7b51793f7278f0b37e9e1da9fe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
8a5d57699b766b982500a4b80c772b75

SHA1
2af5ef5e89e9cfc734132950c3f3dcc9897dbad7

SHA256
c04e06b7c4fd718a337f936332267ec158b03088f434c18692cc2fed1589069c

SHA512
74d1412f07f4d009da57fd17385582c2362f7a54d56b21e533b4524216cc00926a84a7ae96e0af90e1cddde803804c64f71a0df4be082ccc665677b93e0329bd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
96f04d62c94d037f97d597b97b483df5

SHA1
aa8398196fecea5e8d824e75cbe4639a2d77aa9f

SHA256
748c515807b70a024ad9a60057fa79586672e838f3018b9a93f5b2a9647c2fad

SHA512
627dc2e926995baa064d9e926688580022d8c1781021fc62230427830d83eb551eaef580103c7ea19e0ec707dc58aa42c9f3c07526780f95ee3fed2ad53c50a1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
aab14c4eabb61d33a4fd6674e934a161

SHA1
ac3d9666655966ef3f8d880518c17c6f893fd5c1

SHA256
ab62910bd5c640036ffce2caf8439484c51112e4b17e78069580d7e16b05383e

SHA512
7b5677b01a229173dec3a494004520b2c7100587ed9224908151028d052e618f9371e13676a7d4d226d92eb24a1f19e5e608f25013ccccd957e3294ee820d555

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
e398b75bb7fcbb63cebf4826285f83da

SHA1
d45b9e5ecc4f68005f09c7df443f70767d72de43

SHA256
220f39785977ea7be540640fb47d4b20b00d75c74c512d3713f90dc1c9496d80

SHA512
c8604c154a46f78ec0c4fe9393b92109a4b077edcc996fdf2162eda9a17ced42f12f05486cad9e0152278ffa8a2fdb5425405c4e819a9dfa3b0ff3bd4aa1cbaa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
0bf64725f6d67ec9aceb45563c52e6ff

SHA1
faa274f03ddd3e92a427a07263b5277577824f70

SHA256
4ad041460680535cc8b88fdcb080733c8ccad89a6d20a13d7e97fcef22cd9028

SHA512
3b3198cee47f7598b1d66db3178ffd592c3abcb8ab1eeb46d6b2c6555e3009caaaedf55f8c89e62ca0d7b3e750816ab0321680752c4b33a6c4ee2650c4f204e7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
b88cf2aadd4e2bb8247692b1a5a42a21

SHA1
4f0597a5f5148a0a0f0bbd531d229c13cae7a0f4

SHA256
6111ca575bf636375e8e6f305380a858e0f5a823c547865491821a662efbdc86

SHA512
f29d13b2f95f89c91b205a38cff7ffd7870a54d60a56b11557568b3ffb2b9a8e36bb54546b0671f568803a40ba7f3eea5517c7ee8c5735682cc9e021d785b782

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
b9b4f3b49ba37f513e8f79df82c80f1c

SHA1
26e99b140e1ba3a7b6b3d9e0a4f1d7b46a2087ca

SHA256
a886113b3e9beef70741e2bd8c6723d8293ec4871740f742c70250c654029b95

SHA512
279aae27b8c9182498c8e54c504ec4aa37fe1e4f2bd835c3493979142d7d237e2b6dd87b18279e167a02c91d4d04c9f47ac3021056c72f3a938bc8e5025bc0b8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
2736127d1e7faa937880e518f6575902

SHA1
43def84c1c0fb0bf03b1851f30c0084d1ea15726

SHA256
aec32cabe2e16185b74e3e9ba60bc2d8a55e16154b175f42e9e1479ae6857d47

SHA512
98c94c44c065a70e092ed33a8e2f722420fe8ae4a3ab4189b539f78c17f315e83e54d549742896b015c930afaa23e744aa7e867ef31b6cae85d9662c17a60a22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
ef7e4fd4bcae560f27fc13d9e53d575f

SHA1
0320cf5e2d149fb161085cb8a2c902a51a1ce808

SHA256
28a78af85fead47a96b402056a0d43dadbe2432849efd17f4c53ebd985c0dddc

SHA512
a0e2556b66edbf8bccc31b0271e46d3e353580a7686af952c6043dd91ed2a736219d5f6e499194da8ef31ecdd3d867dc8860ccd9eefc387edbf10bbaf6ce3c0a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
6ad2d526982621acaa12526c8b6b4616

SHA1
e07a63ba563a1bc92fd47f640030d11e7e33325d

SHA256
f7ccf7a3c61e7fd05aec558bf3f741a38a22e31a8db03e391b2e6aaa3e1cac46

SHA512
2a0e05546ee1220e6684e7b9c72c5a6b7000b54e489868803bbb2c742d94433c7526fc19abe320f23eff34667f13ef83520cd4a8d670a6c154a9712aece7540b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
cc04c0aada64a1b636c864f225eb06c1

SHA1
8b0938243fdf819222af23800afef767091a94e3

SHA256
316d8cc20bc4c583c288cee39e234a28c75f6c91935b9078d1a5c555e8cd638b

SHA512
8a2cc95f5f1f38a883b5023c6b601263432fb8af0744298bb51750024f8b3a9bf82bff09312a5e5e3bae5d5a3716c72a8b010565b3a2c562e3cc9e19570e75d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
e31d2c5d5b3b885c8a453955d9132a00

SHA1
840712d7f52ee5de66ec089aa6575e7e59e19cb8

SHA256
b1e9b764b6252dbe456eb95abd26ccaaa93b278cc7d1635f24cdcdc581673fc6

SHA512
edf6358c20d2bdfb9e7bed88e164d615b043f72df0e33aef8d7d342c5ed3b7d0f1067b232c49fda748c6bfe5bcc0c3f8ead020d09c6da8599bb9fb75c08c0623

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
59b2bd679b85c7b0a4407ae66d495c5e

SHA1
5f87caf3390e61790c50639585f10df3e93b3c85

SHA256
91826105d38f894765173638a17db801b1f193e71dcb7b666aa3d142109662d1

SHA512
7011e6984feb8b69a2e6a8f6c12db82fcc29a8687b6e96fcdf7600da18d818b59110ab001bae0563d143406eb993a9c4785b77eff32f6fe23feb0c9d837d8680

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
e40f604c9b7fdb3367544d396e6cfdaa

SHA1
aa409d95a6b3eedd67dfef4e28d3b8c9f4c1d236

SHA256
82bbf389668f43b5c22ed66d3f47f1f89c96a489cf6e20a3d537927d351af98e

SHA512
14048d9b3d5b76e5b160114084f298c4d6087359b0f093bf6fc9588cad312fe712aafc9f75b169ba1591cdb4008b8ad4b36a5216878865b6e90eefb07b8d5fd5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
77b9d44de63be2c6bb8d82f8008ea910

SHA1
7f18990dfcfa67719c357dc175d0d9180312cc18

SHA256
ccbbdf95eb3322d810f29bc158f21faabe5a7c5ceb9e1569946d2c31776a0f1e

SHA512
cf487793643d2016d9493ffd5b386080d3973cdc1392161ed4ef5125537cd19e30647099586037f1dcbbda2720c1b2914ff3f15a3a3ddb1120ec0bb167382fa4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
825b1c10d911cde818f2b7b831991a12

SHA1
0db5e8d1235cc717cac86032bf1c563d6f759ab1

SHA256
88fb76114cf63a272cda773519c0b3648c058f1d616aba15f213749732e776aa

SHA512
48ca30eeb9d110a51ad1aa6e901e976dd7bb47f5c28285d0b4d5a74a3238a2734f486a5877627faaa594cac60207dfaf95e910468a74b278366113c9c82bd843

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
7bc1146b6286138bbd3b263e42a96731

SHA1
442fecd20f234c62b401f14b524716a7850d1bbc

SHA256
de1a31aad8f1cf15526d90e401314f9778514b60074f6b9b6c8777ef2cac2e5b

SHA512
76a91d796b8a3990d16324da7cb011830a6d900ed5d78569f16a6a649768481b1f1bad1b868a04600e5d768a9561a62ffc72c42416dfb21e9376c7d9ec83e7bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
973f7a5b8eaf6a127d2cdb3bfaefe0c4

SHA1
9e5b5e066b1a8f6fa11335f41cf7a4aeb233e8b8

SHA256
ecc381270a9bc4b5feaa52970f247b733d7331031fa6c68de0dfa3f0377d5583

SHA512
6f92ea5f8d7393747d096375086b079064c18bded6efec26fbbefb26fd56af2b772b1d0755f0438ecc81395d904e8059c2cf514d5448ae35f1d6f98a41464fc9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
9174d0cec145cef28d372db0cdf13fa0

SHA1
350aaf69b073b47d7f159d0d71971da8fb8d51c2

SHA256
53915f5547a5dab8c7d98acb8f676191d65419fe08a0db041e68734c604eeba2

SHA512
4b9face09d031a73d927660f4f5801735d7f1e04594cebace6088e2281f7d85bc138f97fd45294833d5c81d18b5180728ca1719bf2eb0f3960901015c1c547f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
aa41143be77bcffc4d1f69d2ed6fe2d2

SHA1
079aa9e2cfde023a12b58199d91cc5e10d06a3af

SHA256
ee81daa7de9fabcd2b4e905a40f52d1f6aa66ba69a08e9b50741562740ac1110

SHA512
db96db8a038598b3e92cb7b3509c4b8a0cc855e37e8d26e4d7aff4eed32648685f8b9ec9d8debd3632535b5837ac1cbe6adb6ef6f9636cac66db332b50974186

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
f192d92a34bd2b1f746429f4532f3d22

SHA1
f61e4e12aed61bca563f0c2bd8d37df6b048b3f2

SHA256
ff40c709c5d71bbddccd6d14cb6e82cfd51b8c46127f885bcb335f165bf60af5

SHA512
034dc9fb82637ce4e9de5e18318daa7746d94d5afa9de9bff2cd012163fbbc36016f09052c0e7c536ac0374ddcb818e42925ce94177bd9bea702146c2342b570

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
2f7a8c798e4c488d6ebfbef77a4a3ebb

SHA1
c6e676d3a6a0c3a0e4f1868ad34d3271b26987e1

SHA256
aa51c2c1a46de0580e0d2690cc1c15e1bd01946a86f339fbd53d4882bd012304

SHA512
6d82f7877d7f046d7b6a925836514af7abc692c1e0525f7d6e376f786f58516b5c01bc515f2a08fe4ac73ddee12c01b64d9eda8319b0d51baa5489366822c269

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
4532ea0ab17dec235c0f85d27d8d3be7

SHA1
0df488ff8839959295d15e5fe414b24321b9de49

SHA256
a16a6b2a57d185a7310eaa4401109c23985ae38ce6fc31ee2a491a612fe2ccce

SHA512
88cb8df4d9476ee14ab1911d70fb75d1ceaddc519881ce0b985c1ec351f72844276d39f952c62e1a5cbedb76895973dd2509d5034802e7471f3d71aca3ed5862

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
59e0a1484b34e15a8bf86289f5e373de

SHA1
0f19f1bc12016fb6e7ba69790a62b6b4ba33b870

SHA256
93443860cf0a0d672340a9cad7c6679dcf34478aafdff8aafae670c770ee924b

SHA512
7711945821363fee6375d28a2d9e3e941dfa53360a9890ef28d1af39239a5d3b2748bdde0c82012576050d5685a0c17c0584b0f441e038e904481f3b1d7b1531

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
79ab3a072441c1675fc931553e2e940d

SHA1
262ec636e55d6ce69a0f4f73f12077837e043d4f

SHA256
702473345b297d5c44c1011ad8915d4c831de4934d568e6280cc5006210e5562

SHA512
eb66a0476d4b60d03806a19d27e32b1e3869494abdf0d29313dc4a0a0ca859ea9858745ceccbf43c05bf18bfaf8fd2a1334d3622284dd10946d1e30296d63356

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
0affaff119a22f5ebbcaee030a32992d

SHA1
38a8aa5e2046dde339b29149d5444e26395b0c23

SHA256
81a997c96fade81ea90a722a1de0fd7950521fd217847975b8abd53c09134743

SHA512
94d5cfa5be60013bf9f52b87af9c504e8b6b2baa8f7f5915f672fabf518dce91c3779336c1965290d6267c98e68a2240c78de0fad95e50d1baf10df3ad6d3b7b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
e3be1934396cd0d639636e3c9961fe34

SHA1
01acde2cf75a6d18b7af9873a65ae0c17aa505e2

SHA256
93256f315c5efd69ec16266559b6266ab60ccf345b959452a06121be5ac6f199

SHA512
a3b095eb417626afa277a68d7b267e414b03e074c4da16e296186a881bbbb9efa17dc6fcdbc09308613c7cf3509fa1bb697d2dd22bbbf6e22df27b086a4769fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
5b30fb75adc2d89b4ee59e5cec33d55b

SHA1
09488b1165c77d567b3956b0a45e3cc2e2dd6981

SHA256
7eb38bc0c45fb4f7a1795a402299d121be4f9b42f480c81036b771058c5cc9fc

SHA512
767ecfc459e6a4469a3c0bf9a72103f0d165be7c16795849b44859c62943ec3570935cda2567e4503214d5d934e2977c607bed13c55c989c41045981e41414e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
58742fa8351668b2a39ddd205e557bfe

SHA1
ef70e08ff24ff77c168713f6c167ced54c795781

SHA256
fe69d35dd6af131267b130a6e7e3aa1f9b8b96ba032aff8bdf7d5be2263de135

SHA512
a99eb7089d55688df1dd3963fec5bd4607333b0fa7d20dd50a46b9e98b182de259a05d611f111f140e64e404b866f42705a8661ab3e41d33fd3c0c82e8c058bd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
5648485ff84c18d4e09b3b881671aab2

SHA1
2101f5fe3ce2455526178808a3e3b01c2e37c06b

SHA256
b19752bbbc237bf29841702a842c6565cbfc89f80be79176ff9bd8b6d34b6d6c

SHA512
197bfc6c9091f56e80bec16a86ecad91aa410b8ac0d959624bf5343a4bb5a2437f8efe3cd353976b4646e63e0ab40cc290863da2f72b0f8964f2a292b16c6920

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
e547b77746ba922ae2646af3a1f25570

SHA1
adf6ce7de69982243e1e7748b254b79418ccd309

SHA256
3faba0228deec46db591902c44580490b5493989147ef04bcc3cd928809e8aeb

SHA512
e7628d4b362fd4b6301dd6accb6cda2b87c67dac3482af293e1aa38bdf768d85baec65b2a1c2b54c15cf6cd1b290471bee29d71c5500b2c5450b04c64f687336

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
55d1bd4c9a074c0fcfedbbac37d458f6

SHA1
bee1c60ae395d85640ccaad92ddf23dbecc2e19a

SHA256
6b7264bf2494bb914620889d1200d3bfa64b46401b67553d176de5009f5dae2d

SHA512
06053b678df393de534ec00d1a6f31eb7c675ecb4c49101da4c151972dcc4a3e76ea116f43acd4400dab84253d7d23acfa72137461e8fb8e0b21cac6e0700a26

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
faa96ae55baf0cc4a53e861f431ca93c

SHA1
e9373bbda90f6c2aa43acd53f011b2427b15809e

SHA256
887669e6a93c0a9c17b7c03b21991c58bdb0ab98367bb50569f1d78f518c65e3

SHA512
7e74107e35a716ed7bd1162987abe11c35fc0b416d9284dbf02f05d26491d1fe8d5e5be11caa852bb75cacb05c38aa6549ca011742ff6046976444d1c658034d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
1595f119a5506bcab3adc3b7e8f5cdc4

SHA1
2273bc6435e2626a3528df48bfb20a346d7a1de4

SHA256
58438d81232d7f745e48821d6c3b6ac7b0c80e6da348042ca168847b5a813ecb

SHA512
d1343ab5b4f0bad6961ec6448e2ab82df8c4169f042da281e8a73b319537fe85cb79b587cee76e229795722031c4a033625724b6ac955e2f2ea595f68dd9c896

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
f8eec6f2bac9a0d283a6436eadfb8ef4

SHA1
296bdd955100a46bf9703a20954357d0b88d703e

SHA256
9d2a286ac5cf10a0f00c0682631b3e8af8dfca87785af952aab8a1a27088faac

SHA512
acd376dae8702fb75e34d7df55faef63660149f57e2c3b45651024ee487a1513c0ae8c31ff6031e8049f0005d56f0920dea293b46905d8a031aff1325f14f781

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
bd04c0cbe597157439c1813c1a5d57d2

SHA1
e6992016bcbc5df0b1ac40813b8c16d7539fdde9

SHA256
1e4a99b41c1250c8696ce879aa35467da22cdc34e53781dc45166895d7256764

SHA512
e3654caf34f3c8edaada00e8503dae156144286e7976de5a3928b105add1da2d80b7bd5f72c64ce651d9a7f6271c0086ff35fca9a3127f7115cebba429845e2d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
6187ad879a578052c281fb67ba13327a

SHA1
1a8187be4b4350e3b344e52689a6162273c537f1

SHA256
d68ad88feb73c3f03b92433004686ee7f556433043d4aa82eb90a67aa7a0ade1

SHA512
a5b57ab992dc97590e7cc47d7d2e09fb50ebf2e635f14986dd82e42d6a6b8444a6df81bca98c26bc586c6d8ded8173e9aa124ae433fd3b1b6c9a698d0c298853

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
16608b52abae304f18c86ae61b63dcab

SHA1
18c2fe335c9461efad983db70084648088b86f3b

SHA256
506eaa83a0f8aad34f33b84405b01e67025f45e16d4b23e04777163c5710990a

SHA512
5c6d1e602288da710491cdd144c75a31a9983d4a9de24b9b15642074f69da5385bfe0a8623130a4e1cc3f876421e3e8570618991c2d18d08dc0f1008888e2b2a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
1849b5e66dcb29439200b1ba2830a3f7

SHA1
b476804a4f5ac07a4bfd0693295abc5c5b040460

SHA256
7bbc22ea76c6ac74e48560716b8bfca9b519fc25ba674e718199e74b556c516e

SHA512
20289f4a556e828f33dbdd8f4111dd0da5d26e033a21777a93f7db58c4e2a1aefc89be6d4a8d501bf7a2a1262aa16d8d64067ccf8216bb361bc95054791da44a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
e13ca1d29c3b8994e293416dc57eac7f

SHA1
45635c8189053874df4413afbb3b36247e6c6f50

SHA256
abd7388c80fc8f11154de6275ad7a4cd01da0ff354f81430c4dc526277a0255e

SHA512
21e3a15c0e478861c3a31162fa49f880c2eed2d900171c25ca23c6ed54f9793b7dc41bb160addf2d49a00cbf7eed2203eef48aca69a4e9bbc5ca9ed660c9b6fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
778f365cdbded97fa92fd3ef5258f4eb

SHA1
8b4e622a7a78f021c3a44ff73e51a47752947157

SHA256
ca47da80adea631fcee3b5f21dcdc721248d57d3432620e8cfe78cb68968b074

SHA512
1e767ebeca689f8794d8e0077cef0a8b5a4d8f86fcff0527973f150c39bfeb8a89ec186734d1f30dc9a1509fd4ca1bff1d483ac2133292d1a846f35b4e778019

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
e792df61f42e8db5c0f482f5a0908f88

SHA1
b7b74ec8d75a4552988085171b9a5e558993ecc6

SHA256
ed8657d203122317d9170ed0acab701fd1f295a8de1a4eaccbc50b90764b0684

SHA512
4844b275e74df338e9fd380542c5d0fb5635f751b8fb9ffd1806ff36591017a4dca7ec257ffd9c8299a1af700c49e2522d663f682b345f671247a677bde4826c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
55a07fc284111c26784e0afd867fe9ba

SHA1
34d14603bdaea29321108060850d9848cf2588f3

SHA256
55c78d9597cbaa1a7acf53544f974d66e5962b94c99e8535a954af002477ccf5

SHA512
83c11f0c0ff5dca1223764b59b9a317f9c494de60e9d9503fd023cb2ebf68612782521cc29e8fc16e5174e80a9a8d0e7b758c955263b5cf7077c26ac1686440e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
46c63cda44507ba324b559b6abd25946

SHA1
f32f6a76c94198be35c5ef3220dd6aa856d7d0ea

SHA256
e37685ec49c7f6b444515294bd32d314dd0c04b3721eba883999214d20c657c4

SHA512
b194778a0717a356ef87e96e8f3ec25cc6d8d40491451474bfa46ffc4996adfb86e557c85ab4fb3a9f54cfebc6851ee7bdc2a93e4d6dccb51c9409a21a51dbfc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
330e98ad5cad97cfe4bedbc0cf74c938

SHA1
afcffe2c25170b04298d1121daf90af4cbc3ff30

SHA256
f8ba8931d3eebc2e090c7cc6974ff32772054e7b10ed432aeeb8c170ea775f6c

SHA512
4148b2dd4506fe48e16d95bd0ccb9f46d0ca0f02002714467cd26a76071eaef15a22e708384db9facffe249541115a1840db6bccff6eb8267142ebd3e892ba5e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
72ecdba5aa10fddcc97528420a216bec

SHA1
897b2fd2db3cd803acf219056466476506741055

SHA256
d8d675421f5f27715b7ce13e97ace479563ba474b3092061898694f40a56dbf2

SHA512
bca8098ff37b9eaa2f21aecfc4dc8df94fbbd0a5180c7bb6405eab1f4f422450435a9b883abf89678f3c5d3401f92037f371fa44d91f0f75e122dc4887254267

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
14b5c417c770e6b62749fa038b7584e5

SHA1
16e05d0f275a2932655510fb1c0e18f508c16ab7

SHA256
405d23c98376b55c0cede9058d476a5db90b4d920af0a60bfd25a458a96be458

SHA512
0701649ebe0b8fdb00b133c933513b6b3914005aa8601e3da903ba02a4adaade39ad2fd97d07694724729c607a54f6fd97d87c3c09618d78a497ea7a3b65bbf6

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
3e7dbc3b67b88eda8865c25317c3df17

SHA1
9bb902811e5aa76effc4c6ece8aaa976155f30e2

SHA256
32f6e7c7ad2ad9db94a082b7f07414cee99d59383d65e2a062c9e5d484dc52ab

SHA512
27f940003103c488330c32dd719186f35560219f6b4f1ae9364f993de3222c8fad69950014dc330ceaefa25c00ca02e51912a7c9a6e4381a66d8688991194712

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
096450723e6a5c082c82dbd6995a09f8

SHA1
ad964d6174632f8dcad926d8eebac9d3e1622156

SHA256
4064e6370580c24bdada2c2988cbf54fd6a8d0e1058e117910a0e8b3c47f601a

SHA512
6bbbfa3e31311d64d4b2fc662e7c073bb54cadb55b1584956fe9c56a0b8c927cdc95d2fdf803436b8cc2f32fd7e0e7b7e9faf9aaaf5c3b7d83d0fcfcda242422

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
87dd73e5290b33abd6818f792ba61204

SHA1
10ce100de192ba848d3aca716eb736ba2bbb73e7

SHA256
ed83b0a36d989a24c4077e862808199e62c33bdb9bf3f0f991648e764f8b7aee

SHA512
bd293adddb6e0ce7f4871de845514abfec881c7e47cbb7703dea7dbb24c663e52689b62f10bc3f3bc7b3b917505f33981e29c2c727a54a1973f4d61117668218

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
b583eeb54548ac03bdf28322a62b626b

SHA1
48ea1e2d0c1b6d333f2ebcf394b52a73a6952c7a

SHA256
4a090b7ab5a638822b07061866f484380620d20794065d8b7a1b1c1f91471f02

SHA512
9d5bcec87f84530f409840ea7bf03e168f4df537334d4e80afa06c1c54ab563e7ee2a1ae97e1affc80ff7b047d20683834b43dbfa67f72fc332d7322c0fe974d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
865bd4884f3a98fb66cc54d289aa9fd6

SHA1
3ec22f921216816f78c027ba8f459b445ec0b36a

SHA256
84c7aa32fca2b9019662c7caac3ec0dd6a4e59b1330d3a1dc9c1a406a119febe

SHA512
2ea11d79ab3ba94b46164b390c14794c639bedceb6852f79dae838bbd3f316559a875dc7511d8cbfc842a69b6195b030325279bca320d6704607c87f1def8535

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
2d1f7c8b5b41bc8dc96b5ca2edf8dc91

SHA1
df1aa284b816558f3e9f6076caea07dbf7a120a2

SHA256
50c804b7b8891527b13018041978d961dfb6ffbd26db4296026bf122b89a3d8d

SHA512
b1dab038b6255eeae352bb6b27c257bd84e4fca76fad58413a2a13d87a8cebe5333289b342d983052ffd7d24de7e9421a025a1d999fe48e9f17d808486b3cffd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
16f82380a3de58fa87084ed97b998726

SHA1
0a0f70e6c28f6d706ff2e6b1adaf2f2fc900f902

SHA256
5660e02d083d4bbfc987df76ce4cb853098a1a34d627392473600b8219b027af

SHA512
35adc7c01bf926d159c9a62d4aad45b531656b93357762fd171006e461a86aa9ee790549156d5b5807a93992050fc66316d4646c9f62219c015dbd653cfd7cda

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
d3f0d7a57e8ee41dec53e27928543134

SHA1
4e374b67d38b8b35429c4cd9788caf2558f262a8

SHA256
3b949321054a567a367c36d6d96c402c05c0de6fd33a391a8d31c9688bbb9bdd

SHA512
73bc46f1169ed5d373ac95f594b85f272fd5c594086fd447f019df9a092e7a0fc6ed160a14a26321cbfe3155262b1f4187232a9d521b9b2675e1f3ee40f563db

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
1c239bf35f920cc564a7b70d5af9d60b

SHA1
5690efaa79ca089aac03e74aaa8a16f3f1c9411a

SHA256
1a625e194646d4d7c92e25f398860edf8ac32a0677d66b3365adf518fb6a0368

SHA512
7d91d0e6189b734c9f79e55593b2cbc21d91cdff1dadecfd5500f10c8452bb0f58dca92c38290bba595ce421d0918f9a269169c744b00a2f0554078f83e5c26e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
435a7d0a8ffb995138b68ae1b83b0103

SHA1
6d58d94d2588688f35c0eb74c4f5ba7efc50c091

SHA256
eb363739f1a3552750c219cce7c3412ab5f437ae1ed6cac3b53adf5b0620a232

SHA512
1921f0b80bbcc5019cfc4993072bc7878d9399e84cb20614f807e18f45221c7d44d21fdbee1e30df8cceb0d0f68f0091e49bf1865eebb575ed757d820326757d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
a4858bdfc6a8c2f77c7666b9cba76f0c

SHA1
3d6bc50e18d155c41261435546c028e9bfac5d9d

SHA256
524d28a45b8635deaef0e96cbeb656e30e3c2a3089519d3c0b87ebfe1960c4de

SHA512
92d56756f47453801b0645769a4590fcf2e03847f054f65d875c2c6e891c34b7b379719e8096a804a41bb5e9697fa19dd7e2af79ec1430430db5ae9214140b66

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
5e011efc14bdeb736a28ae13e9fdf350

SHA1
de85502a5f7a30c74763228194dae8bcc97a52b1

SHA256
8565b88de568c3e264b6e59288fb0a67bdfeb16841f280b5bb2d62e690d49404

SHA512
fbf1ee82bc9f6d1a381ab85d1022f2861c194de75e5cf3ace58951e1979fdfbfc23ab8b7c3a3b0092d71202eff18a0689e6756c94c433a0dcb7ab2399fe5e95a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
1138b8719e713e1cebd18b97099eeeb3

SHA1
5e7c144132844942f54738c7f52e7b991bbd92a0

SHA256
b8f2f8263d676d7db6088e7f1b53f3c03c37d4e7c98a2204ecb3236e986ef958

SHA512
bcad040a29e209dd4d8a0cdad3fd55d8b1e6468d1ad9e81d5986268a2facf66b6b3199cc7b74ff09a8c68893e5e3249ab79f5b723c6a2fa17cc823a0a99cd7cc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
65fc5af75e0b77b713311aa97a98dd57

SHA1
d437059008dfd58d46188a803abdf35921de6c63

SHA256
7f3f9ffc1069e28083527953861f4aed56054e08b0101be6ea757fbd5a3b33a6

SHA512
19b4f559070ba3c7ed22675d512a054bad5b214b156105342f92f084e8efa707d9f2387dc5629d2c8068c6348e3577b43210c9e20b6c2214c8828ce463d4c479

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
00a3c5dd4072b876e79cfe6637f61e63

SHA1
fa6f22f7ef1f745bccc6ba9dd6170ada1ecf5a65

SHA256
81b5391eabc3332422720b7eec2703bb2dc49965e342af9a4132d1dff23d5784

SHA512
19b7a3e67520a94454a3b9cf7c7a2d65df34bbed0b93dbfe6d02bc0b548048dfae17003c78c33c91f4d99aa961b2dbea9d44430fb33a1b26a7730c2d2ae86c09

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
8c96819d84ea7e413c93a5f48c50d464

SHA1
632bf61e845b44dcdb068945d68dcdcc1a39961c

SHA256
8caace3fc6c1c37e00839d5a556972ed694a3f7ef6829b25e1745c2a8028388b

SHA512
45969312029e373e8a749f45d88595731c1f13008c0a2ff17aca10e13aa5eb3d43e2d3b8ed1dab03270d91ed64820ea21a8b7ac2591523a059243b7f028ba46b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
56674c93c00af4e3140810a540502778

SHA1
277064420910a3131340fd6a039bc226840d55e6

SHA256
668e4e22177a7efeb70ca916be6691be28f1bad42f5719fde9495fd6119d576b

SHA512
7dbdc999384bcebf0a74fdddd73ef8faf428a96952e87cbb450950f21cf5aa36fcfdb1f56ec151347c2fb2010b85029018684585e5b9d3c979df048f429ed67a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
d9ff7e3536b3ee044e354ed80c715910

SHA1
1bf9aed0bc5bc860c78facd11ff7c3ccc023edb5

SHA256
9121986f041767b5cd5615258a69b42a11af51ccc1c7f5163448a2a881881041

SHA512
0b223f5b23657f24554bd5505a32f0b9b639a58eabd34d545ceecf76de061c47349a64b746070b5c53ea17ee6ed0aca96f12db5216f0fac3ea787af5f0f8d6cb

Download Submit
memory/2380-8618-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2380-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2380-9100-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads