xorist | dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
Size

7KB
MD5

040d31fee8dc69b4c0585494696d4a50
SHA1

9434a9b4f3e17a66de0ca3f7c1fd4d5e88ddc188
SHA256

dfac10c147ca8ab81e46a81fe46e874f13894cf121a9cc67e2df4f3b64614ab3
SHA512

ee18c862771ce6ca126bf33e701fac2a2281e17fe550f31f8352ac20137a9744ee9e96007007d8a5f1dccb034e61b17b83a015752c2da0a16635f24f974125ca
SSDEEP

96:FpLZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihEx1TaCy4oTQeINBXlqfi:zzdrr1FG1WDCgmjPZ1kANVl05MUA

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2168-5-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2168-9104-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2168-9105-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2168-9106-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2168-9107-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2204) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xFYWU9X9m7k3f76.exe"	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\ts_wpdmtp.inf_amd64_neutral_daa64ca27846aa23\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\spp\tokens\ppdlic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Continue.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_neutral_d834e48846616289\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_preference_variables.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_requirements.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\slmgr\0410\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Signing.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-activedirectory-webservices\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgsm.inf_amd64_neutral_dd3fbd8c64c7c87d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_requirements.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudio.inf_amd64_neutral_ce7bc199c85ae0a0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr002.inf_amd64_neutral_b4ea26a49ad66560\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_requires.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_neutral_22118b1072f57433\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssessions.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_neutral_c763887719bed95d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx009.inf_amd64_neutral_d4b76afd08f308fb\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Quoting_Rules.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_output.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DriverStore\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Unimodem-Config\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_functions_advanced_methods.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_trap.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Special_Characters.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssession_details.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced_methods.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwat.inf_amd64_neutral_213e93b5ced8b0fe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_parameters.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\xcbdav.inf_amd64_neutral_cf80e4da1c95e6e2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_data_sections.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_If.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_parameters.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\Users.gif	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_functions_advanced_parameters.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_CommonParameters.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_types.ps1xml.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Redirection.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2168-5-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2168-9104-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2168-9105-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2168-9106-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2168-9107-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33F.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_m.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left_disable.gif	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750G.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR40F.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\20.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\DELETE.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl-hot.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099201.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0214098.WAV	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR34B.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_ON.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143754.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14983_.GIF	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-1.htm	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..icysnapin.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6f42d6c956b52fd1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_754bce83add5924d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..erpriseed.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b14453eb2d255ef8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-netwl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0fa08bcaba9ead5f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..35wpfcomp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c53561399cd249a0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnlx00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1f40745c28333938\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-pcw.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9f360ff648a30232\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-t..tservices.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1a2e61998947e51c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Navigation Start.wav	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..show-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aaedd68e5784d2c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_es-es_43f7c2ea0646a637\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-networkprovisioning_31bf3856ad364e35_6.1.7600.16385_none_2946f2d2d3f22416\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sideshow-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_67032851d5fde6d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..installer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1a2eb2a6ed7e9056\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ntrol-rll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_56ad01a8a53fba14\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..ion-netsh.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2640b820f51f3033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_69cd279a554d50be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ctshow-dv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_181bfd47120ca6b5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..stack-msg.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4ae5495c772f5647\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..pc-mathinputcontrol_31bf3856ad364e35_6.1.7600.16385_none_de525a99c5d0dbee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tpm-tbs-core.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6def92289e9788fa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\8e1a0ff5d2f22bb7de74bb93081c8fba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..-provider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8a268e3923fca9b9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00020409_31bf3856ad364e35_6.1.7600.16385_none_975481c69523e0d6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-logagent.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6bce6ae371d3a168\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..style-layeredtitles_31bf3856ad364e35_6.1.7600.16385_none_4ad2978b8b3ac8b2\NavigationRight_SelectionSubpicture.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_pcmcia.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2704f2b7c177fbfc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..torserver.resources_31bf3856ad364e35_6.1.7601.17514_de-de_6fa8f9bf42405e40\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnca00i.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7fe9001b90f46630\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnlx00y.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1b27c3f2fdf38d72\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_da-dk_bc83aeba06823a38\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mydocs_31bf3856ad364e35_6.1.7601.17514_none_41fecee29ca47686\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-content-filter-office_31bf3856ad364e35_7.0.7600.16385_none_8e76e0a23a969708\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..providers.resources_31bf3856ad364e35_6.1.7600.16385_de-de_834abd744e95dd25\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_policy.6.0.ehrecobj_31bf3856ad364e35_6.1.7600.16385_none_84a910d1f06b2beb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000468_31bf3856ad364e35_6.1.7600.16385_none_50a5e9d6b04b3ba3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_4b7bf556f6fe4db9\dialdot.png	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_iscsi.inf_31bf3856ad364e35_6.1.7601.17514_none_9ae9cb230a463c6f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..t-service.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5248279edc15852b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_588756b8b7ec6ba3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-18.htm	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..mes-chess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8ce17f80cc8e9b4a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_net8187bv64.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4ac3310762bf76b0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-a..xtensions.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_052cbec07ddb0da7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_networking-mpssvc-admin.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_71c7cd9eb251b00e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ining-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_765839f3aafd70f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ystem-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5f405ec67f38d749\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..-whitebox.resources_31bf3856ad364e35_6.1.7600.16385_de-de_911b617d0d404a57\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..splay-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9adacf401a9285b5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-clip.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f7e05482e7498fc3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..datalayer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_869e1bd64cd6c21d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..overy-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f8e88136e0edc6f0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..5linqcomp.resources_31bf3856ad364e35_6.1.7601.17514_it-it_46e7f1f4bdaedd67\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..framework.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ea2ab951129dc326\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..verytools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0e99b3a8d388f7f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ja\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_For.help.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasmm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_98f36a13cac0f221\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_ja-jp_3f3fe41f00efb443\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.workflow.activities.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6c6ce62d99e18e42\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..atibility.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7308527527ee3b2e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

Modifies registry class 10 IoCs

Processes:

040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Zalk	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Zalk\ = "QJMEELMBVJVHQYV"	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\DefaultIcon	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xFYWU9X9m7k3f76.exe,0"	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\shell\open\command	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\ = "CRYPTED!"	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\shell	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\shell\open	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QJMEELMBVJVHQYV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xFYWU9X9m7k3f76.exe"	040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\040d31fee8dc69b4c0585494696d4a50_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
316B

MD5
a10e814d9b98dec5755b5c72167366dd

SHA1
6c01d1061a7fe360dda69a055f696d3c42ed0984

SHA256
f1c5e45ecfea34ba2b14805a7b003d2e4679c17f538c8af3e901b85098a2ad90

SHA512
1dd03c68c53941c542b48b27ceda6f2f0c8e310b6b250815562866c3439a38dabb92440f5a0f16c647275de4fdee2a1621ca1ff40b16f925c25d3e717b0f5f5d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
293e1841dd4ca529d8437baa10cbca7b

SHA1
d705422d0b0c8d9b5a99a297b7d69e05bd1c369f

SHA256
80ebb6f605e5d8755715980711ab87850fa006a99417e7d2da5f811bd5ef71cc

SHA512
eec9d666a2b30bf72c987e9c0ef712bd651be73d50519b1b00ad52c335c421303018d53184c1fd608c2df727a6077870fa3b2d8b83934285f611d03d1a3bc4d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
15debbead5431641d819df769ccae307

SHA1
94c56f0a595ea23f681a334cfde7465a84de6d70

SHA256
5a42610dde68e98355663a5c3c561790449a3d5924bdbf7e1c0af4cc9f83831e

SHA512
2fc8c2aee968a13e72ccf084030b2e049a6f4b49f8d03b1e7ac91d14f40fb45015e409c1bee67d630171fa634240545165130e3329b44f570a906aa66b073e48

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
81736c5202d20eae55e23f4f9fb96ecd

SHA1
4a9c43ef1990048db58d21a718868ebb4ab784f5

SHA256
3628ab78be7328b90db74ac370f244192da0ccae5a21b8ca359664bd774a09c9

SHA512
f823617ee81bf1caad1b6a280f572e9b127eb55aeaee4bdc1ef11203b1612e97bb0362fcbc6874cd7a61777add375fd016ea467e58e3e60b75373c38fcce8f8f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
de970ca644b31e5301172e2ca41d1faf

SHA1
cac7d76ff60484146dd9a9a1819ba007f473678f

SHA256
ac8cfebeeec2ad3f003907f13479903b31f953614184e92045cb02058cce95cc

SHA512
b9f2394d17fd5282ee584e53d595913a27c0a5439a6b39a12e6c8d69f21130078084362adf901ec7dea92998bc82743bc7acb0fd5003160aea1b6e64390ee298

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
511001fbe22ca6034b9d23690b373d2b

SHA1
3ee7170eb2df7468245ad1d4ec57d32f8637ac9f

SHA256
21ddd877ef5ede29a66421a1a3d12951067359d35f3b878b90f8fd59c0fe660a

SHA512
6f3f304f4d435cd3b8528b7aac313d7876fa817db99e56fd557558dff156ea5d6444817aeadf2acd259e6460ae51ef8b4196d73b126b8c8878ccfb084cdb0557

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
95a6363312cce34c6b67c212d2599eb8

SHA1
fa2acf0cf7aeb8d51464d39f1b4c9d373427a3ca

SHA256
7a998646b2f2dd72569aa66d758cf3e9227494441a720a20c6e38d1a07d3592e

SHA512
3c93e73804c0d91f579f4402d38e7e90b83038334ead7a145f1d1ebd462638bc7b6eca475a149cdb489dc7f11bdc37bfb21bcdabc9ae5af9a7cf688d415eadd2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
7431ad18051888ca3367e3f5cb52ee9a

SHA1
1945e28dbdf5c5a4b5711f59b70592fb6a5b0d04

SHA256
524eb1e99be3bb0f69fa67259a5f4897151a4a3765c82b54832721a3b66a4236

SHA512
040be8bda3bccc5e8a875e0c194e1691459326c89c9fb081bfcf161cd2679d81e2c64594d3eda3d445ab1650b2e9f8a950cb872a3c35a2f49f032c4f8b49e0d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
6137314f735d0cbd435fe18a0e6aac62

SHA1
d2a39c2aa8dd3963a09887e5f256dbefc526cd4b

SHA256
35b4ad603cb0f53305640231c48b5c26f8ef3b996adb0d34a292ce0f2f130248

SHA512
64ac458855c521b1f0fac04f8caa2fcc614f1b31bf8e03dd2722722d63354caf15c848f54745747ffce9192eb90b6cb5314519d1eca16d37bc275456ed4ca38f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
f3bad0f57e4d162a319753e11ac592f6

SHA1
5ed918b91e58c769beb7a3e1e97640063c41e8f1

SHA256
5ee88d74c7bd05c233364adb4a63f1924d4e76b780ca011dcb0da441f4dc56ba

SHA512
fd65c0d6fc6d96a83a69c129453272d37bcdc944ca10a0a96a216889ac71429d4a71b52bcce399e26fe0c952ac1d5554812a4939e5698f6d2fdbecc68d2aa726

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
c585b445571c88d5d32ea9a17672651a

SHA1
2e6666f1432dacfc5829271afbd85e1a95317230

SHA256
3a2f7a056b18fdde5d31d9f60d687349a8fe9b194e88ba4f95baafa965090742

SHA512
a2c5cb79dd79a9135a141cfcfeee0da8950779b76bae594cb1e89c73afcbfb03eb140440cbae06a372515f230867b7a36b48ea3564312007fcb50ed56969079c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
12d291ddaa0ef01298f024348c329abd

SHA1
40abbf3f0193a5f8d6446c5fedd2d177cd7dcb23

SHA256
21b1e3927d1c91241af2df7ea826c3b9332f691b880606fa79f2ff5d69c3b46f

SHA512
a998130be64cb0ea25c2234bd5cc986e1ce835e47922ff3cb6a18ed0babad69abf76741d463b9a1ffa343c616d4fe47de5d278025094094acfbfb213079a5bc7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
d7baa32dc1df7849f67d2ffed8c652af

SHA1
a43de649b902f2af5417267cdac9b9c6b386d514

SHA256
3378e28e3d375a5f93cbacaf3963f05ae0d2c12c1c049d28b26fcc9b55171e4b

SHA512
9a6b646a7136e1462a7a88a4f51f9f37aeb82387bef3e94e4f14ceb2af9d8f76ad18cffcdd54932fbcd17788ecc4bcf2953b3174775543b1fdb3b10080b73f37

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
65f3bbdd3c4dbbc3a3133347cfafddc1

SHA1
fe04805d0e5326fa78fedaf6ff4ec97beaefa7b8

SHA256
669d9f9bdd67695a2890ef475f0767ad0b5aa3a2c0fd737a99241fd963c5622b

SHA512
8247f277a70c1b07a1d2cbbf217439ca75b590e05270ff99c072d999f41b49911d939ad4d05756d0690f4f343038d6ff56b2ce619126cbc51a3c64a7e4b0055a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
bba18bbecfbbaa97a443b366d4e204e3

SHA1
5d0631b85b2320ca4f623cfe76433a63e4ac1c4b

SHA256
549e5a81db7bfccbe1a59f00287a74f363f6a8351bee7b8dc40fcde5d35dac1f

SHA512
3d067b2b2d588c25eb98740a91eaa65ed8478c55c840665c6b44ff595e997e292f7c9eb04f87c9638712195b5b17a45704251e85e0b9266b120512c604979e74

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
3eb1d1d4d4319dcfbdbf02b01618e98e

SHA1
673ff86c96a15d9426e57f165ccc1b339edcdd88

SHA256
5d21a2f39a8a5355f34d8a2874e0a3a66f3fa7f0b5b516562f190df6b12c9cd6

SHA512
b3dcb967de1ee0a4949dd6fecca400baa739b4f6319cd2e36c505107f3ef9abe583daaac4e0c4a2da12e88e85160022b717ab4b9337a41f8240b11a3a649af5c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
2d4c79d32ab385c2ab563ad7e4b7090c

SHA1
fbf50bea7435c0cea69eacf3b7393964888f0e0e

SHA256
451bc7cbe04c61ffc36164baa7edde4724b5c160c86fbfeb3c539b6bf9125a36

SHA512
114b0169a4e7b8e22ef115a066133087abdaff415f7bfb60aceab1b592dd0995811f12dc73ca2f39729ea0caf723017c0e981ccb0eda82417f91b5afc8fea368

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
12a0ef5144160c12387b4fe8970c0239

SHA1
af3125feb79394fd2dea5736149f7acfcf105c64

SHA256
3d43100712fc8ff2cf1b67b6cc356c9e90a984d396dd0d8126be75131420c5fe

SHA512
e1f91df9c2d7afab83567911e79b9f7933ab61de75121819043c7a3935f4005bd6fe29f12f02499e4e217c1d37b0927732b60e342d03ae350b4490f9e6b1087b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg.Zalk

Filesize
2KB

MD5
2dead7f6da6a339aa53817b0e96098c1

SHA1
0769bb4ed7b3b0faf9c1e4c33c7c1c74fa217b65

SHA256
bf35016e1944792e9c0ca535fd2da685c3fda91e0a3eac73a73ccad9151ddb40

SHA512
d39be5a83d3318c0d2a922baad91b13aa6e4642058105d8ead4c43cd19982657dcb1ec227727fc6a59ac77b59b0e9ea034f9736939b8668bca7f4670119913af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
5a698708dc05139f431ecbe326574aa7

SHA1
57ad971b73cfbdd8c5aa4cdd18e6531045655e65

SHA256
3dc4f338c9333c6e8cfb644ff04095c1f65859027a0921ac9179cd945fe93608

SHA512
4785dc6cccc95a16521438d79af3df29012f2f7b3ef198c16d3604dcdf6642f7b1fd4454370e4492620fb4d6fe5d902bc40aa2a9450af852dcc10e010920744f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
9dee4c7d1adcf2d42c95ff3f25f51aeb

SHA1
dc2a78546cb240931eea38a1f5002ff82eb0b618

SHA256
1a5bbe73dffc61958d6fde13ceab94b1b3d8c0b63cf10d5db059d65df631e9df

SHA512
e334fffa02ba696b3237547b66cf8735db4db967a51639965e6149d754482019a1e57b720a2cc85fe9b05a43b2ef805f138cf36dbed87e165613351b863e8171

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
e18ce477fadc6dc98d9635f9d0c0c96f

SHA1
f8fb676e6a6ca82b7dcf537aa9c7d246262c113d

SHA256
de0aa5d2b78be642aea49ddbf7e5b2a54fc3e4dc1ecd2771d5e879e7f517eb2f

SHA512
588472b9285692b082e36e348e7c97f8b1b94b0de6b6249b2aa35a103dcf00b1dac52ac29519ee7634aa01d48e98cd4d2108350590b454530b797f0fbac96dcd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
b4632cb222e00125ceb1cbaf26782f91

SHA1
8d3a8aa2d24935694e7b1ae5851eec629f581424

SHA256
595ab995e209aa6d09a53ddac74ac0e0bd474b06d1d2526be3447d9b3992dcc7

SHA512
a8b38d6eadea70d3bf12f50a9340958195192432fb7c9fca12ffe0287d4bc191e2a6ba9087eff787c74383689aefd143e76dd504886abc6f801e65e3ed8ee45f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
43d565d12fa5af0f8069a9d6b8ee86d1

SHA1
114ba35ec571be4e6c93b38bbed64eeda11ed907

SHA256
fcf12fe9665a92b054a27e3af5b229c98894e328b5fbca30b72f944d7bd72d8a

SHA512
9ce4a301799fc783bfada305d5a0169da2d60df1019e74aae56ba5aa0ee99d7d340b277debd69a5b1ea39a174327f988625932c4b407857ba15b7b00e69c306b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
01fdaaacb4e203bad61b841090c2f58a

SHA1
639b510b9a0f1441fd53e64afe70f0f90d35d42c

SHA256
4476e2cc55c1b52d07fd3b615fa6183a8ff23b2727ebd05ec782ef098f5b1b30

SHA512
494e211e4942471be39c7a83ed25f20259f2f600482f8082aae2458d6901aac0838ab82d9caa6da0b2406966176301695279ebecd69198f4461f72aa9d78928e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
407e6155b49978812b3137b3d49558b0

SHA1
ba055991fb25ed44d02e7668509191cb6c7639bc

SHA256
969df386c7438a2aa5b2898b77f46bfdeb9305c78adeca979b01de5a9b8c808f

SHA512
d38b5291e54311bcfa3a174748bf7c5695ec7ded3231bf2eaa27d17a64ebc4a42a0f668243d01e89a741bdf98d0ebd76de289ded3c766416e8c7ba5d7f195fdf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
63a29f6317be66f70393e4a70b6011c0

SHA1
0d9c9f8daa232a331776242f97981ac7217a74bd

SHA256
cfe620a241c843de4ca361f93e7b35cd855ec2f461bb898a7b7a8f31b551da4f

SHA512
475bdab6f5d7700813f0287dc6c361e7aa799172ceda7ae186bb4bc1885db2ed70c02defaac62d8f9d6ea9aa46c74f816acb087e747ea8f7864f2fcc01ab0461

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
4ede01bb6a272538f9ddbfff5f364325

SHA1
92ec6f9c3f7c476df56d8f6bbe745327f2b42b6f

SHA256
01dcfecfdd5085037eb4574c6317cb442b7fcbdf4cebc7dea472d76646854bef

SHA512
71753decead2bf3be2ef912e63c1e451c2959cda44ad6a07e10597e69fd23a25545cd25ace95f513745e9c41dfd47e522116d6e0ed655dff3a8486bf25c1f5cc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
ae9d36d06c462f783e781615cf4576e6

SHA1
26241fd98612bb30c07600c4a7eba495da340650

SHA256
7eef0cdc77895e15e706e81304c800c1d744616d6e591099b5cf33d63d511422

SHA512
dca83c442b3404e107aa88deaf85b86010a201cefb9ca88ba095ae329ddde57808b3ef8c74db3754eec62e5e0d649a07db8a586f8a472d30cbc9b73c1830108a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF

Filesize
3KB

MD5
368b9fb22e74f84410d4b13eaf51347f

SHA1
54b74e37f9beab713eb2a9959669f597731adaea

SHA256
9b9547800c2ca21f6325da5d7f944d9f8a4a7befe314b7416adbfe5ac446d30f

SHA512
72d451f715114fc858edaab0af3ffa0b585b3a96a0f6663464f0af86428f07903f8bbb5132760a264333efe62402cb69c5d0b881e82971c7ce2efee27ce53dd0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF

Filesize
462B

MD5
0752c3fb7576769ab7def2c2bf6b3d86

SHA1
8f13c3d614125bebe55c7573dc39d2933732e2ff

SHA256
b35275b51dfd2a6513b12ff81a30641d04c0b76db977154fbb125bef260a3f99

SHA512
968739071cc76273c1b80553e9028381572d7158c493ba5e83fa66d8b551c6d22e641f337c0240ec6ca8a9952b59931859f0f173ac314a6a64a3505fcdcbdbb4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF

Filesize
264B

MD5
085bd6124901cd06f734dc24dda86ad0

SHA1
3e19d48ec5abb37c8290c21f2a4537fc319ee6dd

SHA256
b52985ee16558b59ec177180bf1e33d0a0ec1590f7d09c3e42a35a36e34a764a

SHA512
2513676027a71b8a723611971d69c53d2913f5ba5f819fca33e9e127a5023a1ef0cff71c47f3664b116103c384e034761c6921058da5b0c787f50607d750c3b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
1825090bead28af19661644b74b2fac9

SHA1
9b624b91f548fe75a7f28e82bf632bf6df7500f5

SHA256
69523e6e9fe6ec144f336176693f63e832c8d4caa6985091a309e989b85745ea

SHA512
8272a37f764f48c9fd4433311bc09ff3930689e473031d68bd1f1f1fd938823bf189f25c449fb864e03658c97cfecf2c99b5e0f535801555a216bcef9cd08b22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
966b9cc78714d948bd12b0c5f9b05ae7

SHA1
c4ca38ca8b17db5b378630ebe532929c7895b1de

SHA256
a1151b71f131b81457374170cba61d2214adf4d47059be1562c1299690c873af

SHA512
0ac3cf645f6f87341866d8c3dbf0dcafe794a9d56fd8108831364d7816db4fdd189041308eea05b75fac783c993c61afa60ed32269417bf0dbf2bc81c833ffee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
58e47a971b9d2aeb94517a74a193744a

SHA1
8f3efaca96d4ca66e848f106dc8ef8fd3860eefb

SHA256
4ca965c33fa7417a065e6d177f586498960736312931aa177428ddcadd557a33

SHA512
a9f346c4531307ab4f50bf51c2a4db1900521b78a9ffd7a4ca35697c4b88d5520340e46d0eae66eea114da39f7e6f097b7c197b1f2f737c06bc7ec01db194842

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
1b72669d681771b46b7ba36e4f726322

SHA1
feb79cb8c04a1ea909ab5c88c9dfd89f495e481c

SHA256
39ddc5f487dfc2d476c5b3ba0146112c00528afb9a1904918ce016becd525553

SHA512
edd5f51f0b2f98aca41b120f2366ae271f15f42dca7b55ca11dd422725c91326095e50b6f2650b89f0666f064256fa46990420c7fd23aa1b30be6c8bacc7425e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
229896bbf56e089c3ff714a1c5c48853

SHA1
d03861d55c571cc348925a72cc2d88c34864dd3c

SHA256
f19dd7c5cf0a31886837b79387a180b0ff19cca6f44549949364425f9450d1e7

SHA512
4d54218775b6b38fe225f99923fccada56493e70ac70e992c5318200a258966d83553c0bc661fc66c625b32e62c88f43dd755410e3269034fc538ed56170901b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF

Filesize
26KB

MD5
62a000529f0482c233ffe842a399e18a

SHA1
818401bf98987d7b8dcb61b74e866e6bbb83d288

SHA256
f86f3cc23c83b215b3f1659a8a2c36d70bf185a5d392e3f7d551a1b6613fd338

SHA512
398dd96544512b146dbd1c2281d7ce677a02c6a552a5fac5aab08fb3585ce36b579e142400765d84f34b90b8ca042c8593c0bb506c261b93051088f1382ddf6c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
33a97209a1cfc7ccba48ffa5bc51be32

SHA1
d52db4a137724a9447896650e9f5cd31f6a7efd0

SHA256
97766719bc08ed77e605ce97ea13aa7af371e271d721aac294cb285d6047e151

SHA512
71d346da599527aee023d08c4ea7786fde261998f9213fe5ef9c5fd8bc8366d7fa427778bfc5a85698090ec7df70ba19e4bbea1a54327b0641633b8e6a07c1b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
5d29c71344020117bf9c8425256a90c1

SHA1
e6b19f41f5c03992dccc1350f0bd8ae6ebd066c3

SHA256
4968eb7b7984a6205a15b6392c979154b206e332255605a6b1ddb7b46b7ffc78

SHA512
7df9e28be9e747bd41f0397f8482597489716fa1e5c3e1ef04f868934cef6e2d9ea6617c628521388fc936dd5f0416f449326e8383d662b965d9ba18de18e6fa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
115bb93094951b6bd765ad9b89e327f7

SHA1
8a29541ac841e3f7c9051c87be80b6a27ff2709d

SHA256
a672a62b731487eb0f178bb56889bdf3e580ab9809e9459f40d520bba4c0713a

SHA512
1b29a20b8102c2924da6b8ef1f274d5ba2156223a28387f0ded588fdcc58a5699dfc6d75ec86dcab4d628532a67668f5b60cd0ef13f00eab656bda761667900a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
c14321387a349935a2e76b8cddb2e32c

SHA1
3542a4f2259aae3e82b752d27bc2a1437a0bb8ce

SHA256
8d85625c59d925c35391e6da778835ccb5977319a435b1fa8df27df5e82067fb

SHA512
63b31948db2502d2a965742fbd6a7bea616bbb570f4b1b1c92e27c67ea296b31c4c21efc6ad161d87dd49b2243236d1b10821019acc218a06f2a09ce3e9a71c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
962576d932c472907b07e670f85b3f17

SHA1
ed8775fce0d2c60eb318881ba68d4c237a3681f2

SHA256
bedf4164b706bdf591ce7744dbfdfd22ddece0ab21c844ed0b1ec6ca8f63c30e

SHA512
e280e32f39802ba2714638b26e26bd9789927152753e957b2c7d2f3b7cddbcaf5fe5e7d92918cac3bec5089da128633035c188632eded20a122ca0807b207450

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
c5d841f47289d5461666693e1db8e43b

SHA1
f623e6c27f875499267192bd7000533881b829bf

SHA256
12e6bbda2df5b058c9919dc82ebadee89e1e7f616eb8d57615f4ae3d21f1a826

SHA512
e2428123bb7f222b488d2b681e616a6f78525896d3f22b13b9087aeb0076d733fca17f3ecc7beba6fe13af876bcafbcee937cf6c44eb702df6a5e21d4ca9c9a1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
a5338a57eb17d5367d490c67f400be82

SHA1
0eb2d3663559df9fcd550c68e60d3a0988bad2df

SHA256
a3b6a68988513a6f283cbe790f0b88d5b44c4b762f000b7968cd7a5ba22e1e6f

SHA512
e675a25b67b19c7a97e072da8f2e50611fd0cdab1bcf7a7ffaef1f2ec7ce6403936a0ca47fa94e23c61cac69a5035a9a880903428286916063e6b991feffd1f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
a6390519d3ae528af918cb004beb5197

SHA1
3e77a1532ebcc8cfe2f709b23329beb7e1d3b856

SHA256
fd331f8f919b51348081a64e7085d414a4c92d160118983afecb881b1219dfb5

SHA512
d366e4d77fa2ee689a555778370b61b2499e95b6c5a4652eac5b4af1b43b1f26653ebbf6be2519ee1af2308cae83457dd4eb959e7b9d84cd5779d5428aa91050

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
12c14eb61cacf3c10e151a31aeea4f73

SHA1
539aa531007565da0f5b1e8d162da578a816232d

SHA256
294ccf562ccfb591726fcdb6fc1021ed9f82ad2d40f746da86a61993a281f816

SHA512
2c2f6c86946cce8fe927ce15bc13f93caa399c0225e3e9320d7d67fe3e33fe59df86b1d506ff133c691b83308944fcf5e8f2f89e10d8b1df19964cfd762bfd96

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
b8923eac6ff869695e038cf2ac3d4885

SHA1
3167b660d79131dcc6ff62e46b541e993bd3dc00

SHA256
5d55cd0637f2e23ec1eb0b795ad07e65676691b9b667f5838367b658acb4613f

SHA512
155dd2ad9fbd29c205a19db1917a59307998ec7473a8371fc2b338d881345abe2e29c168068e8f7bb28e7e7815bc3533a561a22e26371a5b434ca1d2166a0510

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
5eccbf767f1eaca2f69c897ac3c2eb9e

SHA1
93597dcd42491d99e2009e012d76c6c3ec413af7

SHA256
b45522ea47cbbf4607535aba5f54dc822aa2710fdc7aac93364689e57d48fc7c

SHA512
b1d2864055784c619d8d1a362192787b55f9432dfe84c26e1273e7da79e70f8140e66f57a6c2b68a63e74ea10bd59decb747f16e3a77c5edb2d27df8568dcef9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
d1a3134e070ea0f4d69f857937ca865a

SHA1
aa617cf107ab0c4ad91dd03f10b09c6093870f35

SHA256
252adc8f87074bda4a574dc0333d3e46f75716beba9c408ee600e58fb621671c

SHA512
5a6c37471dd4fdaddd607dadd188cbd4a56eccbd93d0beb9151054776169140c1e82c2147d1155e6a43013e60720a0a8ac75fa7e443859b00bd91c1f29ce3e4f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
1b1d2d4dd80bbcb6ec39237d9344e18e

SHA1
601d7cdd06546d32c2430ee4628b354c87d9f26c

SHA256
bff09ff392236d78c4e8dc82dcdd02e05fd93ccad7caeb2f50f43e017dc1443d

SHA512
7a9b1820d78c041eedbb4a7e1ef49f83d0cc0c9da9bbd03f09b48d2138cd676d3b7e1de1ef2a7c5e78a0bc4b48ce63b27454c7a1b92e3c0ac8d0891b72265945

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
f2ed0c351fba1ff93be5581dcd7e7917

SHA1
ac8add7eb4a8018ab4dd704f83c0a184f09149e3

SHA256
2741fd1648de573f7666f7ab725a2c6239d0f65105a86a16476b5b8c33519053

SHA512
7cc65d0d71182ae0b9b463c334342e35ccdb5b201b055ec3dbd586591c8397411da2e58e4e84cd6c17bcf2eb724824448d9bb85c5c6efce127263a6c8ac9c071

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
1e00bb6c75e3023a288e48c55614b2ab

SHA1
bff86b4604f8005273ad24a0d31565bab3113821

SHA256
45c0849d112b153d0892e1239d442d38141d58cf5208cc2d163114a0ce90624f

SHA512
79c87e2a58a0f3609f7d5ffc6238fa763babb99a22d58a947ec5639790e7abc647749977e927522cbc65e978928f0339ae0ae7fccfc38834c4172b86516bcd2c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
f0b85358eb98459484d16ace6491b673

SHA1
f51bb7e8020d1372874026d687071d016d93d14a

SHA256
b3632ea7a21fcebaa3a28166a03d23a7c62fdf3e989de6ada46945003207b46c

SHA512
e633e9742e56748c69e5beafaa1b2259c4e13034c248a55f9b380f66b9e0af7256b323d725a31dbb79dc267aabc6abf193305415535cd45d4ae263f54daabe5d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
4fc1aa55c4631193b7ea2c09618580a2

SHA1
27ef2a8d52a8184fdfd76779b55da01e1240f3ec

SHA256
33f2f5deeb3d65d32e369293fb886526535b256730f218a8fb1c3c8f554f7963

SHA512
27eaf2a180411b4e2e68dcd808e414a6af8dc84ef204b642fe53cf52f5d96df70b77d8c1054909ffcfd03b76f7309fcfe32b42cbf1442b4845d9b772e0ef6fa6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
7157c25549228cf77b654b0d656a022e

SHA1
64a7ef8ec146ba2182256fdca5264d79c5d9dfe6

SHA256
0549268f7b5cb68add05431d1736f6657cb015eb1fc41927ea4359be5914928c

SHA512
5c9cbdb4048d981fc61e578c6a48328ccf58a9c2565d5561a258d89263df1be0198ad430dba55dc08d798365fdba2d96dd2137c9facf0a2337d94dbd8fcad8d8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
0ad3e33ffa9eea2ff104e8be539e5adb

SHA1
282a800090d02726f0859d8bd395bfaaa1e2a1da

SHA256
30bfa387e35900368f6772b80f022abae2fd57a1ac10b3d78ee51d705fe2a138

SHA512
66ceff1cfa9617d338241c80626856ecf627aad3d8084de30f2a5d4e0504e98e5658cf71cdf9fc090692b346ce19b5645bc882a6013069491f459059947a6b2a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
d0e887327763056842d1595b266d8225

SHA1
cc6143d39ec3e8ec92c0b5f7f023682ca671eb7c

SHA256
08a4c3c7609e548bfc52970c3f533aa8d9660b16073c0f91f19014d7efe3b705

SHA512
24c9fd9307695c0705e4bee0c1d0bc58fb6432fc15cd6a81f8043e4b2db4e8b23f266bb39e8466368ecd54895e7659d41aee4d79e5f33c4d9309cade3cb4d8bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
8457ebc52668f03dd03586358554c3d8

SHA1
b1be1a96d77e2cd20138834e3776199fc4bb7352

SHA256
cfd529eb3f7eb346792faa4762c77202e57f80db3860e482ea099c79da390f3b

SHA512
aef1c02181f8c9b6a65d52d2d9e5c0a1ee3c3ab3ed80815e0ea7921de7e38fd532116a2def5b0112da4a228e2bb6f958ac3a57e410c6446c550f793f5c5e41e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
58d79d8449d874b646ecb7cba640ec8f

SHA1
913b851dfe36e04b9de43f3c6931b6df53b15281

SHA256
863c99a70c6f60f6e98721d1473c9e3a77b794e046dce2319eced930570723f3

SHA512
f05f66ddbfa10ca855dd193aff96a4b132e998eb2cd2ccf30b7932833298e0e37a18a2059affedae20958af00468e0c5043db0b295b10ffb27bc4f2fcf9aa8d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
b7102d63c8c041f18924545bd423eae4

SHA1
aaf3352dcd6b01d133e9f72866d7752e727dc75a

SHA256
88bbdbe90d6ae3fca6b483087fbce82de7808c79d4f10a6b7b5254c8f96e1d93

SHA512
262c48defcefd0ba7e90fb5f9a32fca80dbda0ee9f65c6b5174daab9e99b8d55f5401484485f1238e1388590f72a9402bf916b2bf3ca61f1819fd46fb0a4cee6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
8be8bdaa523cd7c31262656a44ea6a07

SHA1
1fe97813995ee6d8e745d606bb189af3795d76dc

SHA256
eff1d1a42aba4145ec6829bf97848b89d15bd054d2641a0608013edf53204ada

SHA512
930ebb3a88e8c02a29072c5774fa6d000808bf71d1a89af9a80009d274aa2d35ef6b58665f8dc89622478cff84d1dbaf91ae73607e72a994999de03bff83cc2a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
2bc5441694c5811714dd74613bb614aa

SHA1
e0c71c5bc28d7a39d57896a1743eced26dbf15c4

SHA256
935111dbf9e3a91812a6952446893db12f87a0b9cb15b4270fb66fa2f50d01e0

SHA512
dbc26b11497bb12849ea99d5cd32975eb9b39c55594dc0c612d392d38b18998beec7c9236fa79a9f8044f555d55c1a7c500a23a12ba7a604fd55b7c916b63610

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
1e30e93851a0166b0cc4a8fe714d8fe0

SHA1
56258a347eae701dc583648fa836d33b8bdc6aea

SHA256
e7430dcc744b56dcec14cfa9054d5408236ec2db93672f5e57d3d6ed7421532d

SHA512
374aad9aebb43b65ce9fdecb168ba1a1e55313b641e416fe2fd13250ab4b7c3721be1373f7863b494d0e7a3df7cdb5ad6abb15d6101249065623663b388e33a5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
54794cbb437141841d639518494a42d6

SHA1
1dd8dae4a27a95273e5028f278235c0ab945caad

SHA256
48311a71027967600c97ed097450def4b383dcc8316efcb658f8f5483f506536

SHA512
42084fad0b0135d304be7fa32b747fb998fd5610712df57ab52e05042a3e6b242ba73479400f8a21b98d2030eb1eb80d8c8fa2ee4103a6cb6040b6f829355377

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
7e4635a276c8c11b5c3778b52335eeb1

SHA1
a145fd88668f236391fe2d5afd2113fd95141401

SHA256
52a2f3711881b9223ea8900dab60f359465ea57659850e40cca2c49ce7449756

SHA512
9b93c12eb15982ee44c3eb0869f4fed606ce19ac2c8075fdfec777de538d1ca1ad8ecf7f3dce4ea84de917383f697c5d2b399f8345e7899dd230459b013ef51d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
a236696004c5bca70667b34711fef5e4

SHA1
eb716d4f40677522e94e611993428388d527ed11

SHA256
b8468bc6ccb71e97b6f567275d431a821ebb47d9d7364ca30afe6488cb3f5763

SHA512
bb76f05af9e162f388756d054d0fb8ace5b68b2b473525209ab749954278b9af9031d2490ba634240876f3f802cab472380989ff077f8eabdd908bf6365306d9

Download Submit
C:\Users\Admin\Documents\JoinUninstall.xlsx

Filesize
14KB

MD5
097a3920874174dcd0667fa8b0a0da91

SHA1
449ba3c3b0d5c33c4ca06e6f3238e4e3a625d649

SHA256
d43114204ad2b6735d5610ddee64d1263baee1239917f0bca9a00901b5f9916e

SHA512
6c2e247863ba009ff49e4c6f81ccfad10596eb8dc6bf76f26592bb816bcf12b3882adb87cee5fea5fa74fd3509beeb0bbc186e0ca39ffd374e2cb8e7b034b804

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
8f8a6e0d949c8732cff2085251e66529

SHA1
1c8b14862891f062b30471e1ad6398aa2f4db6fc

SHA256
0172406c0d220a753498b36e623163e5476cbdcba2238055dcad9c070569057f

SHA512
99224cbfa666ef17566cd2198c0c3dba486f46dd191feb4076405dc464c1721300d74aa676d319f0f7a90a0d2915cc83d30082835d6a8d8a712b2203be3776f1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
d4dcc5e243efe2e21eb0113f0cf4c051

SHA1
bf5f738f3ff49ef3ebaab3591f69b4387f278602

SHA256
aca9649537afb71133e69a01c28f6aa7bf9aa857d37a184c6e2b160f7af9b592

SHA512
4961bebe83ddb1723c20dce4c6e28763b30580b5dde2f4b55679a51d50bf4dcb25b922cf77449824e7ed58f27dbce5832e950b8058e78066933d27c2a43a99b4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
dcc706c166f8ad7f3b3527c399152dfe

SHA1
53a3316806792a9032ef9a61833b9391cc03f1ae

SHA256
31f03b3aa196ed2e68d922cdd1817fb69a505f18385b04bfd38afac9f7966223

SHA512
4a7beb3f161d8946549c5f5980cb9bc498d9d4fb7e8849399c52466ba7ede09dd0c941babbfe06e376edff51c7a5131711fd357d7f7d180788c74e5e5696d4e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
c6a19d0ba7997c5c0bdd849fb9e5523a

SHA1
681ac4b0ea3b86cf633d18fd7bbdf32b3ac69859

SHA256
bd79bdc81a0d79bcef60197836a5b9629c13c5247c65beeb3aa25a5d9d1c1481

SHA512
7bdb6f8ff4fe1b191e60b427ee79dfcde8324bcbb5ae045a4e0b278b0dd348239812d2ffec118938194c32592a37e89140d51f42552a2b120408dad3142b613e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
8be52fec17847ce52bde1ada5b6b4ab3

SHA1
f56f6a8259ff1619ed1fd7b30e2a45de642fad79

SHA256
12100486a7a43200d7591749a3018a4e0cfc30c1171dd851f981553a7d7d0757

SHA512
7eb78949ad97d29836bd3c151e277e8198c6cf395e1470c23215ca930da07986b5e40b221b373bb469698b13a527730392840867a207853fc72d6fecdb863589

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
e7e9737e9e2025f03380448ed8a0e3d1

SHA1
2f726f8dd128b34cbd7bcc54320fcb1eba9b0203

SHA256
2d0163c3f7c05db841b24d0f8bbf7a8119d4ed79cf2616638b89ca98dad1f676

SHA512
c65a747221696b5ae1a6c2455621f5c3840b275503ffde8c47d0d3502585447cca48363991766f1115e20c1c2cb9aaba05bbb361390041ebcfaf851341d463d0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
3cc74699442b3084ac6cde16f4d3ba5a

SHA1
c4f0e57377a1a40c58e5160bb80a85af162d4749

SHA256
397ef4201a83ba0c57a83578a9a3f89f180be776cc2ba79a05820abdb639a222

SHA512
d3ca41d7f0c54013a4c041be811e09312ff2b6608d5e813e137d9bb03777ad64985c3927f9c3e7a100923a05d3b034b0f493ccb1c63817da7d675209d7ae765e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
9669e9651e92291f052b1634e27d99a8

SHA1
be9407382e459343b50c166dc4d1328ba260c81e

SHA256
b3a90a8b9f31407aa6c9de5a201880205bef7244bec84c7d8fafe716aba3a68e

SHA512
10fea3b2a44969192d3376dee3849a48ce3fd2506ef177fddf1566053718b1a2e3995115dac2f7c74ea046a93311c9e4dc21ec7feca8f2f9ffa665a2c5a11b09

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
f83c0c8090a03da94a8f93123d3a69c3

SHA1
5eabd956c037b3644593e5b277edcb598d55e501

SHA256
d2ec18b87c1039f18a1284475b006b56fa48706a7160b2d3c955d0c3b589b486

SHA512
1373481dea05038123b2bcbd7c4c322d206b0ebb4eba4056d23abcad1e13c7d888ab52925acfc1eaaf12730c51ce5b3b55f5f21fa0f2b201c2d81cb1f67d118e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
9457e60ad00d7a043073144b4bc2da65

SHA1
faa131566748e0e9cd68e449ae4f3426848863a9

SHA256
7f5d5e0e5758d3b5549fa0e0cd8668fba8cf31593769d5234d6f5062e4ffbc32

SHA512
7d8796bcf04b8f4955f1a69fe34c3efc805349ae7a85788f6e54df13e425ecdf02fad0cae3cd925558498c3a0ba378a29431245c5e6834334eec3f1f2581cf39

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
24356a1445e437f548acd898eb78ebf8

SHA1
b098819d69fbbeef08d6135608712494afa2f5e6

SHA256
b7cd342ee2c9e6d20b8ff44c385f3bf56f386b38f8e5ee6540dc687c33e02984

SHA512
d7aee4ef4b994e24867d79f58930ff2e3dfdf59c1d92f616ce6165af2d15c630c1d0a9135d8a68c8b3411d105dceadca39f0ddc76e120c056c35426a4126ebe4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
fe16c7d82033c0bda7fb04e80238530a

SHA1
7387cb598afe0082e1a8f38b712e665b08d2fd90

SHA256
f35c2e37ae34896c66acdcdc86cee172015360ffc9e1cf6fb11dd4426e9f8246

SHA512
da5d40dea158fd7cc1a1b68174d6414926a83284eb108ce390501700d7a0a279a4097104eae6c3c8d9734fcd42c0bf7c9481a6e03980480675d964c44a09d3e7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
e65c436c266f089d0117cb84b7d01c1a

SHA1
8e3d709855ddcb47a3590a9d3476c3e99a882f80

SHA256
52a018038c7c81893de3591dca10606abd342b3f52427a89bee922ee717fb1dc

SHA512
dadfb97c13d7b2f637bbce43ca476bcae58dc435b39f1a493546d3a5dbd15483b5e203816babcd79d9b45131c527503317758324caafb11a366350f60697079a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
8b0b903a1805d69de41f9ae1c4e77ac1

SHA1
059ca681146afff11b5273222579220de782cfe3

SHA256
e8231ef76d363f33f46ea6581c4677d8040b539ee67b1456275b8b566f43c3c1

SHA512
8ac2ebf5003f0b376dc61a85dc7cc1583718b2b4897a45360f1e5e8f392b4b243fba101e3ac18ff470c9efe32390317971b7adacbd5a7f7080df51b9ace7e62a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
9106222afcdf222c8ac36e23061ce8b8

SHA1
5f7cb394b0e7c2dc8a056a9cd910f91819549569

SHA256
3169d00dc77c64d70e1bc6057603638f9c47455f51b18d07dc2785fea3c74a2b

SHA512
25aa980cbe6f351c041009d14921448423c35abf5cfac655b75e161db7037420877a13338e5bb8d873b461a800e478a1e9f06918baf092ef2d0f72c91a2a3bb9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
31aa56deb879ecefce9e319767290c38

SHA1
3c90f4e0d6de54ade5fad24bda6344aecab6d598

SHA256
7cec3b30e082478e63b137b3bba40e49af572ff95acb98cb93e03bc4da8665ed

SHA512
e47cdc14ddbbb345a750fbb6580e479840b2e9e7fca3dbcf83cc71d3c870c4661aade6c051f7541d4a77076f6014cb4b9dfa4358ffc93caa32ec00d1e045a31b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
15e77094d0d4b70bf6464b90f8e8229d

SHA1
16f0ac0f1adcf7e275516095a55663a2fb4dec0b

SHA256
5f68f31a81f856bdddd981df5322ac407ac509a88cea05dbdd37c7b70b97658f

SHA512
c1237ef4d84f8c3c5e4335481a21a40ae84632515f6e285274415fce065d5c27494f720f13094acc9bc404100f00571c787f9b758ee4c6fbaed242515c29feca

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
5739891310c820105a67d9ba28a6812f

SHA1
846eac755b3502828d912696bf50df30c00c0773

SHA256
47e8a284e438bb75fa4b68788e946b72d4688878eb7f1f7f942c7b78d5e9adb0

SHA512
6dcf5b1c0fb429500ed8d04a6696c08b40515ba55ab7157445550a1e2da5094ec65944fa3fecdcf76f3611a0a3af35ec77366df746a7c41d2f265424e146d209

Download Submit
memory/2168-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2168-9104-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2168-9105-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2168-9106-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2168-9107-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download