xorist | 57194af0f251effbcae37460c06fdf476fdea061b1c8ec87251bd28be62f8b46

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
Size

7KB
MD5

1f5257a6bb7f294588c2c7871df95960
SHA1

941cf0701205010faceb1b92f48926db44a4b90f
SHA256

57194af0f251effbcae37460c06fdf476fdea061b1c8ec87251bd28be62f8b46
SHA512

3b4d18d0a7b68d2f0e7f55d413edf429e6f306fb2aea1f1a1e4b2b3f3f11ffa2d5e15d49b2296be013d0671d2e5755aca8fdb50750667ecd845e5f79d0f41946
SSDEEP

96:l/9Zhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihExevFntnwWZGXquipy1P:59zdrr1FG1WDCgmjPZ2LNGXqb0GMUA

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2668-8981-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2668-8983-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2668-8989-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2668-8990-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2181) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qUYUesw0w27oXlC.exe"	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc004.inf_amd64_neutral_bbd3435eeaf576ee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts002.inf_amd64_neutral_ad2aa922aa11af2c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_For.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_pipelines.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NetworkBridge\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_scopes.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Automatic_Variables.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0015\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_data_sections.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Throw.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00w.inf_amd64_neutral_d4c93bb2fbf75723\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_troubleshooting.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Special_Characters.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_If.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\slmgr\040C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_For.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Foreach.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_troubleshooting.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfport.inf_amd64_neutral_f41f35e5c21bc350\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hpoa1sd.inf_amd64_neutral_caaa16c52c48f8ac\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\winusb.inf_amd64_neutral_6cb50ae9f480775b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_If.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_wildcards.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sv-SE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced_parameters.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_parameters.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Quoting_Rules.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_neutral_22118b1072f57433\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Throw.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0011\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_output.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_try_catch_finally.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_neutral_839e9ee1a8736613\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnttd2.inf_amd64_neutral_9dcd97ab7a913b7a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sffdisk.inf_amd64_neutral_d2425e60845d17d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Break.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_join.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_PSSnapins.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Redirection.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_split.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_modules.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zh-HK\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_neutral_3500779911f7f3ca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2668-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2668-8981-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2668-8983-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2668-8989-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2668-8990-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\BUTTON.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14516_.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)alertIcon.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0214098.WAV	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10299_.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\9.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21321_.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750G.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_OFF.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45F.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Chess\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21512_.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left_over.gif	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143752.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR41F.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14868_.GIF	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-pentraining-adm_31bf3856ad364e35_6.1.7600.16385_none_97d8591eff34f5c7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..cognition.resources_31bf3856ad364e35_6.1.7600.16385_en-us_39d3bb4b3fea013c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ca5f33128c54b8a1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-scripting.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b9d33f69760d3b6d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..trics-cpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9cc244c688b4a7a1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-secpriv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4cd3c21490242b78\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..p-support.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_b8433714d56623a0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..moregames.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cd54bd2dbd5436da\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Windows Navigation Start.wav	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_wcf-system.io.log_b03f5f7f11d50a3a_6.1.7600.16385_none_aef4e407776a19b9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.Resources\1.0.0.0_ja_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..rbleplace.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9666f6e1dbe77f43\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cc53e808eda33786\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..5linqcomp.resources_31bf3856ad364e35_6.1.7601.17514_it-it_46e7f1f4bdaedd67\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shdocvw.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c764748ebbb625b9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4344f5fd149fa43d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Windows User Account Control.wav	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prngt002.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4060ca3886538c9a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Windows_PowerShell_2.0.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_72e204af7ddd5d15\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..n-clients.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bde200ae871a59b5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5ebf9d632f172d6a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.1.7601.17514_none_f59e20ddece8f922\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.Encoding\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..ntconsole.resources_31bf3856ad364e35_6.1.7600.16385_it-it_826215eb3de0f470\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-onex.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b3a767cbb3ea917b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\Help\Windows\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_920c092685ce6f3f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-stickynotes-app_31bf3856ad364e35_6.1.7600.16385_none_493ba8a4d2fc9697\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..asks-sync.resources_31bf3856ad364e35_6.1.7600.16385_it-it_789174f89a833193\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\500-17.htm	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_Reserved_Words.help.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..instationextensions_31bf3856ad364e35_6.1.7601.17514_none_f8373ee981acd109\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..e-upgrade.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5e22647efe8fc5c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-security-digest_31bf3856ad364e35_6.1.7600.16385_none_a116e710cac6dc6b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmvdecod_31bf3856ad364e35_6.1.7601.17514_none_20b089c0f6efacae\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasifmon.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_50f4a4d6418fc3c4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_53712ba885839443\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Services.resources\2.0.0.0_de_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_lsi_fc.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ea8c19459ddd1771\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmmoto1.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_fa7a63ef9bf8c237\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e0c803777a7cc698\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..p-support.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_4490ac689fb31af9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..ork-msutb.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e597f24ff89aa82c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-audio-dsound.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b7ef5df3770026c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iscsi-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0708866546abddd4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..workspace.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9bb0cde6683692ee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sqlliteoledb_31bf3856ad364e35_6.1.7600.16385_none_be555cece2277ff9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.SmartTag\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wpf-globalserifcf_31bf3856ad364e35_6.1.7600.16385_none_8f6eab2bb993c745\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-ntshrui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b5a84a5872eca4d5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..nputpanel.resources_31bf3856ad364e35_6.1.7600.16385_it-it_899618b0c85f9413\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2cb9f2652ac79e9b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..onservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f39c7dc580011c1c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnlx00x.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8bfcedccf2a7e1bd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-usercpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f302914c04ea20f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\8.png	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..es-drprov.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f11d165352651d65\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-raavi_31bf3856ad364e35_6.1.7600.16385_none_a2d43ed8e3097243\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..eraccount.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2cf978a34335da7c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3ba1f5d34890f57b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..duled-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_020bf59234fd9577\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnlx002.inf_31bf3856ad364e35_6.1.7600.16385_none_47a30bdfc616cefe\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

Modifies registry class 10 IoCs

Processes:

1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UISURIYYTUPGNIV\shell\open\command	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "UISURIYYTUPGNIV"	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UISURIYYTUPGNIV\DefaultIcon	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UISURIYYTUPGNIV\shell	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UISURIYYTUPGNIV\shell\open	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UISURIYYTUPGNIV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qUYUesw0w27oXlC.exe"	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UISURIYYTUPGNIV	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UISURIYYTUPGNIV\ = "CRYPTED!"	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UISURIYYTUPGNIV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qUYUesw0w27oXlC.exe,0"	1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f5257a6bb7f294588c2c7871df95960_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
282B

MD5
69a98ef655778f1cb3764a923acbae80

SHA1
22683321e95c9a631039d15fc49ac5d3e639ac54

SHA256
2ff127d5bc4c7333c8f522aa4b456684eca97c06d452bf7d00b6a99b49b11b0e

SHA512
610fc09f40124e1a74ff303ddd95ad5809679be9e0c381e5d367ecf8e1e137c3da188142de7a2c5fe2b1225e12482245f2b5c417d43d73618108bfb1c32a5ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
ae2111a3373af16d1f34571c7dfd6ea9

SHA1
0e7f0543b3683506c68ead01066202db0568b8e1

SHA256
c43150473f6c9decebe55d1d7a09246191cd28f11fd5b487f4fda9c8786e55e4

SHA512
281a7946aefd35bb6b84e22cf775a039aaa110b57dcd6cf5421734bd986257c6d2dffd6fcb5401b1d9f9355bb492bab702bfbdafb3b7d7821d0c08503bdd42e4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
942ed2ef036c880f26dd4e511880ba3d

SHA1
64940b02e9985966bced25547683b007de65a5c9

SHA256
38ff516a9605ef1c19b6040835a8238017e07dcba55404536ade1c5b9484091e

SHA512
be562efd6307732c2e266d505ca6b16e19ef73c59649723a5a43fc24b35588740e7f795a609ee44f7b8d443d00226c195701643ee4b2d8c54670788694ec9bba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
b987ced4576aa29ae4736d9ff16e427a

SHA1
e64f2fb402e86b1ff20eb00704aebff7e96690a8

SHA256
f136d107d0614a161c526c682ed2aba260ef5b77354567bfacd7055a283fe08c

SHA512
94045eb1e6ed5899a4eb1d706fc12f40b559063751c583fdd1dd27cb49a213f01be3dcfb2630969645e05028acc9918f8bb07ae58767323355769d7de6065ab0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
3e62553d97eb81441c04edd73b26b0eb

SHA1
bee4e46a416fc61ece9bb3165d40d44d71ccc91e

SHA256
70d7c89f4fe1f3a7f24d20cfdeffcb402e9a7a515b7e619e33a8c3ad10409ff1

SHA512
164a8df723d0c6888482c36bfb80d3b0c148cf6058e82f2262ba29d8ecf95f67616c1a3626b2d933769eb3fb1320d9cd29942be82158a73fcb105316dd92e9fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
5f459ffe66da6cafd9658d9060fc4894

SHA1
e2121072de8a53f66627769eb5c9332826bd1305

SHA256
113c762265b56a2f147446c34bf8a360b65d70bb6304fe4a23deb6af48ab1588

SHA512
b852abc9c7c83b10d26993e796e23c6b0f5ceade3669e0d9a4146a3e19906cb6484e6b4d8972b34d34730358db521f098c5c2dab60bd12cf86a47cbeb2d547e7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
b514726b57f1d443976478eed6280f28

SHA1
16628cddcea2737caf771d4c2cfa3b410a525694

SHA256
4637584afe320b1531ade6e51df0072bbdf49b839fc2e9394a596e2740b297c5

SHA512
bb0da5d84b4c271803526c866ab2f18faa995c4f8f5fae3d5cf8dd53bba141108188d70fdf739eca345d4a01a83ee49ff5179c4d7a139f2680704492bf9d4743

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
55baad4ca5a995c9f526e62d933cc6f2

SHA1
c0748f7055ea4e72bf5ff7cd7228892ef72a1d67

SHA256
399b09fc2c8032a72ff0c0bbcbfc66d49062835afb48b97f943aeb0e3100f64c

SHA512
150071ec3975370fddacc4c381678bc0673573591463b20a580a6435bcbba69dcf55a3e3120a6cd776b34567c14b5c9546161dbbd36f69ecb64636940fc853b1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
cbc8b1c478054831c307a8b4ba8e4e35

SHA1
13ab2cb22ba7b647c70cab95d62bbabe23aa19b3

SHA256
b59ddc0b4ab353f6b3a4d0ecc188c73b8278483234ffc3ae38f3fdbd6c60d9d9

SHA512
e1db8deda449667f0a3b8f80c7520cf24c377d630f8da7141afed172c313736b735892fe94a0a7e1c49822ed86f42be5aef1cb4265910e0852a1e7df42d9384a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
08ce86fea9d689d156a450bc59938316

SHA1
c06122e629dc5bdb388e5ea54bf65bab8a7e2532

SHA256
4ebe2b6705e09c80b5fd4f1b9e727b90e79707b529d745d814f2491dd49215ef

SHA512
8997cc517debb90da7762548bb7b11d2864641732faacb24fee1e1b4dbd01335f4a7a6da2c6ad26558755ad4ba6a2735202d1a3761822dbce4d7232d32b7733f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
4da48918ca2e106cc919261d1e945e86

SHA1
621ac98785d26beb3186bed8655be3fcef799c0d

SHA256
23741bbe368ced5993e393cb03f0d87605141af83841481f24b6c4fe598980e3

SHA512
e7b0b5ae3cd9d79e4d74794c7e4b38f0aa68a7688b32cda324c424895563cad876140019c9cfb35c68d09577412ef2e3fc09a39d02051d2a3b5efbed2a5fe8f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
f2c2873626c6cb203c7e3804b3a3aaac

SHA1
24020fe3e399c8875bdc0ae37e899638ef5329bb

SHA256
e5d632571bef5ffd534a633b1f47f529f5e3d44f7bb9434a8d590594cca96ade

SHA512
eab90fb8ab5da774e68892969ba1364def3c870a836ff540d4ba0b9f816179d579462f168a596f2a4dac71d72e4dc208ab6a92de900a3e3c2d8b50537861ea5b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
9f6ad3a6812d63fcfa534c8b70efb153

SHA1
8473fb3cc81bcb8fbb1f7562dab5da06d7f468db

SHA256
8526c37f2fb62bfd8fa3a580fe5543978e80a6d8bbab9e2b9a3f01ac116cc2eb

SHA512
e5b8c9175d33cafe3cf4b4e2304f82db8720d596ab1d430d7ee0511bddb035878fc014034b305464ac94d6aa9f76ab713bbc92fb3217cb394bcc655ce8e5dbe6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
b32cdb5be3106c497238dc6b1bdb5d30

SHA1
b4d49f55208c671dadf4c1c3d214e05ed8d1ec56

SHA256
d838c2b4a460355a0f1e337a696dea7223dcb7bade8dcfc2242513799b13a7c3

SHA512
650eacafe46d80642d10aec56de51c70fd1fdf37294143ff90e77514cc1cbf7347aec0d2ab3195e31c8ddfde9a3f5b184d8fe47407d71515e4133cb6cc541201

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
a33b5073185a5e35e728ec817a040fe2

SHA1
b3e91669b118700a6b6f2bf57a56ccaffa6df1e9

SHA256
2bd07883dae053810cf763df5d094321cb51f5c92418aad861442e2147a46ea8

SHA512
4be53c3d908af8e66cf7c5e671ab97369d0d533b21480b75dfae299f16d9ec8884a6abaaebdc6fea90491cf55fc6c68903ecbb2732e3b34302b0bce770cc5a36

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
b35ddf170f1ae3a1cb8be9fa21dbbca4

SHA1
fa26d38f351331fe2b50cd7a4e9ad6427e992d9b

SHA256
dc4b6cf9e3757da593bc3d21eeb4df27a58f14b1d8e5616dabf109a8b35b5b68

SHA512
07d22cda67f5dcfe46efac00e4e05ffbbf617a2fac4b35d15acb6c0966dcb01b6cc3ed030bc3a49587c85bf881e1c68db01c49daa88d8fc8dc1ce3d56f7ccbfd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
94ae87a9708d2d1549b2a6ff302969b7

SHA1
d7d8787171872f1a9dd99d26e6013fcbbd97de82

SHA256
4ddf56392f059751aa84594a680d7f12a94646839b712b176abca18fe16236bb

SHA512
f5816d93d9c5b2707ec753a7e054553777a85d68ad770571c5be71a3aa3d8596ea34d40418625865feb67a80003c8535c5f2cbc9f54cb0c39dadd68247ebebab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
5e39f08b6bdb9444c7883160e6d66ed7

SHA1
3d2673a73c9b8ff50c4123b8462baa43e43c7cdf

SHA256
d9a7107fb014bbc71b5923c872bd66087807c3083ddf828c30303b34ee8de4dc

SHA512
d267b703d1e5de1292c6fa4e7709a0b673bf6ef75b52fa5789c0db0402223248cb84664772890d270a5202ab1276efd777e4b21084e3a1e8536ea1e65a075dce

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
bc3270a22093611cee0bfe191d419177

SHA1
b3122cbcdfac0c7a7e62ce7fbd6f07c2ddc86050

SHA256
be60a5d5d5a65930279c6bcc61ecd50215bc296ef5267f866d573928acef4fc5

SHA512
39080e37b93e300cee60087cfc1564ed2351725c8ff900cd38d45621ab83c4c02bfd3ae283cadde6920b8b9c2479f24986d73ddc0e6f9eae1dd5578406be632c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
bf7aeee996ce9bb559ae58b88adff3bb

SHA1
afb9edab554742f37ab5696337b9dc1ad2d306ef

SHA256
2d5fd956b4d13e5a1b6433d80b8606b43c378fedcac2affafea888848ff969ae

SHA512
e92f9e5c7f0ba24b1da180e91a2f3f5dc54de52b9f24561b8942982bf4a04b83dde31df904e75f8f08d7156493b185907d3377222ecd7aea5a7aff59300e61a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
f2a1bf06827b83d0398d3d8da61bc927

SHA1
8952aeab77590e7bb1c0265f53ff0686c933706f

SHA256
42d05e805c6b1676c6bc850ba4efa2c8dceb349af83be032b82999504deaf1d9

SHA512
4791413bc28f8c23b9f1245f9df321914df2f6206303ec858125e3f8e5fad866c668f52c62a2d8ffebdaafab99a10918c67f1641ebe6d73753c97eab6d6a269b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
42fe0864ee2a6710ab0e2fd95325c67e

SHA1
04b4c14288d0455df2d0ea2cd1ba6a2a6af5a993

SHA256
0509b2fb7fcfe46bb6ea9129f45c66bc6ddf45edf1020f20cead8de6e32b0469

SHA512
0b884ca77b63b43e5bfc0bee38e72fc6f8902dca66a8fa76ac116fe0b2e27010863298e235fb5afcc29604dd1c2de1942b1c50a213efda3be59a765645a39726

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
d0c24b0b5c90c4a969f9b4e99aa06460

SHA1
4f0294365e41c1cfbc64508f01555700887ad5fb

SHA256
b0daee96e874e7ec2f80705b1876b86c1a1047c9b564bef995cb8eb85f85f0ae

SHA512
c200c28e9d610e5b7cb5711a25aaa41d28f0c2ea78436d25b852dac212c13d6b45d3fe5f95493af25797a5bbe2b00a9f5fa2097b9d5b3973f257c78e743ae40f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
f15f553840c240f755700f55726649aa

SHA1
fa808a4ab2ac920e6f5d100504eb20a37367709d

SHA256
3e6b35c2d47fc4534d3406885f9e3e0c562b1b8c0b45e6dfeb9131d61da972a6

SHA512
a088d9f09ebc306f16800d1ba432de6cb9b6aa045bcb7913b93beb3610a52691787a6684faf501cda6f41a06bb4598651a4a8a7f7a15602b66c7c0b61a82601e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
a0c76403219f5786d95500bf77793ccd

SHA1
d011d9292ec40485132ba0b89a309316acf85296

SHA256
5713d573ecac398bce6a68dd1b8d4dc4e2687daac572236811aee56289cbe1de

SHA512
c58ee3082f7aa4cd2007b86fa44a546dfa5eb00bf650e22e5b3da8f1f390f3440c54c99b7acc240de1a676da1c9c137f3d36034bd4589b60d8ee7e69350f8bc9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
972ff73ecddd84ecb3457971caa2da0b

SHA1
938ae85a2be0e8102623e6d13346c3e5ba7c8a35

SHA256
b84c1196670a8c1479d6e3434b1556c606f0b1fb719070ac0c0b9014b3ca871a

SHA512
6911cb56ea74c4f394b6c35ca33ebc5211ac1559b84913f7f90293feaab9e45a0b7de3c2390640f91390bbe21522e1a648b4a80b7aaf911f90e8e8875601f5f4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
41b9f662dc77d5ce7ca9c7cf9271bf51

SHA1
fd211f825227c5d23ef049356b99540787ca3516

SHA256
549499cc8c9bbc7e59e6e8a53d785a3c55a423eada21a7a1d9d6189a77c9ba5b

SHA512
f5d726843f51204772d9f900cfad1b081e71f96b43371321c52bd386310aaef75f99d4cdfc5d7c608f256fa2c11b38d92ddfd7098dcfd90e38411aa3e386bfa1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
f3ba2ad78e84a101f0180916e30feeb6

SHA1
5c797d30dbd69e4d58634ed4003b697be684df2d

SHA256
8e9e2e4d1c0959afbad1328124a28ef0e6db02425babf7b7b5529853809bd59f

SHA512
5dfe28ff521beac7543122e6de958f07819b740776d093f32e8b9306217ae5dd14cbb3104522634a6dc0701e1d3d31b47783a5eb919fae9cc46119ed4ef80f94

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
7ca2fb06018933c505b45877cddb051c

SHA1
6cbbce27e30fa72c15121c3e9fba189f46e67edf

SHA256
b9c07498fa5704881fd81dc1f2c14b6ecbb10da73a73f5cb1005463bd66ea8e8

SHA512
a259ab084b284b8953c434fc3770111d1d5bc494ab8381d06e32c8cbd55749391aa43af96653dad84f7c7c4ce5f35addcd1ea791892c8dcfd8aeddf056dbdedd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
443d8746c005bd0c87059382fb0f6d79

SHA1
a62813dc7b04e159aabfed459dd1681ae16c8f5e

SHA256
0390997f6367ecd1f7d4000eb166ad0fb9874f412b0c6771ee7822282bb8f937

SHA512
681b6dd21d4b4af6d1433ca5a37734428656e4a648a143a94735cad39ff768fab2ed62c60488d2716c11868118c3e58fce9d9dcaed7d033f33ed4f1be019dca0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
79e64f1c415be797046a1635d3428866

SHA1
9ca87d907d126bb01e574d7789df8091cd9a173f

SHA256
c599069e46c989e8b5221233daef9a1f70104255014731de53f2f6ee149a182d

SHA512
c104b93e585945b95909ac5e49fe5f5b5f6cba4a2a2ca7a9f4e12d711ce49b4ffd0d7b7ff16415dc662eec62ab179ae39cda0184ca318b8eac511e0bc6e73942

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
0a69987a30c3092599d0ba091ec9c7d5

SHA1
6d740576967ddeef830879e18a06dbc1006f140d

SHA256
2e862198391bc8679211c0aef2adf147764dcef0469f07a7487f0d2d421a6bd1

SHA512
6938cb1a963c440090a597b3e76da1565e71864fea7307370a3d7388c3fd308527d8cf923f0cc45298676e7fe73808dc57ac78b21f9bc7a9f152183dc6e79a9a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
2037d934ef5342dfbd3d58266def4ff8

SHA1
55119ccd16d7660c821bae8cd83497a9bd6898d3

SHA256
461398ffc3b08226983c8ac9e5600b1f35631f95434945bf78463e9be93f8fa6

SHA512
bdb715245ac5fa1643a608e241d609a3792605a8d07a1c74e224c9d75839ea87b6b351687da39aa7e3c1644bbdd9d525aca4c7704175d07ea5412accb5ae30b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
0fe8b0dddf1a07b745c6de6b0efe1558

SHA1
60de983cf9ccc0bb0a4c3de5ece03549a75b703c

SHA256
7763847e83e416f0d98df1cc0df0f1d0a9d169090c6d9bf5acc0ffdd4c1ed27b

SHA512
f269941ad386d9844ce9858c780c12a43a29e62e693f9144f438258a1b67de3e9ed903cf95b83b8ecbf153cc5acc818fdbc2477d525aef45f0a35c40f2159487

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
494156ac4677410cba650289a58f89ba

SHA1
55d61c9e9ed357482cab81d13223b764a6c0a65e

SHA256
f4c48614da80438ad09688b74fae17e08ee62495535dad2a07c5e70f7a69f311

SHA512
e27265b09cd035cbd4734f9cfc631b857b08408a078caf55a51a6972161f80308ef318cf5ca173df7fda697155cea22f09de213f1ee4b57d312b937a4b7661db

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
391c4e3d1b33ce1b5b221a9f90fa627f

SHA1
d56e6f806cc631fc4e52f26423df0165dea74cf9

SHA256
73ed6b648c2ef2593f5a005a7221f92b2196d0a12fd9d59a436a31222ffb5c6c

SHA512
32d6f9e88c6da95b6705497b1fb44875e9d04bbc86af4f896e3c3757869e865e845b99ddf6ad2407add081523ea38296a0b04e2afb68b04fb5a9ce234b030334

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
4e6d219eaba561b12222ad13a69a2ee7

SHA1
da2bb507730f8f2c8ab6586000c0fc7a14b2dd7a

SHA256
d979e087d83fea6557e868059c1b95cdd1f4dcead06042a17be2a32bc559d677

SHA512
04f2131796d7c84a4c4862a8d011f5864c7af3be07e73e4ad80350adb0b87d927b4ad47cc53e47622f3abe6a3b22ce42704857aeb0238226bcf356adcaf6172e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
7b1642052516142f5030f7b56fef8dda

SHA1
1f818bb1d77b96b3b937de4dfdce63e6866a4806

SHA256
34d38d324cd0d2be68d5f3755519f2ad958ade18ca047e1f033c2a57bd625669

SHA512
d226ed0e55043bc71d869930aab7a165114f686e62268d790bf0ca044f5487c967c5506b4cc561eb74126a5a230746ecc102c22a3b68d52c1051bec9550c925d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
71ef5bff52cd2a2ba86946f39b34b7f0

SHA1
6d96bf3660fd184efffebf9dbe8d44fc276aaef0

SHA256
aec8355c93dea18308a1102dd21c675efea6c802de80f7239cf8e69ba63f2941

SHA512
9c056ce085519bbe08640a9d728a41b954a2692b9538d1116d69fa27378549897a89fb1699a77dea182ad023ace1b1e3542cce941918f1e719c770b6541738de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
1ac6836fc2881766bb7cb7400ff6ec3a

SHA1
7ae9b2d233b3645a0192347588681c69f1a94c56

SHA256
199b4ebbd768866a12f99b633452a527a9e08f8ef151fa26f254e1818844e2a4

SHA512
969b7955158616b01184ee71bb5843561732482e5ea413d0dc1d8501d3fedbd7b4c32d6814561ffddf9fc06536a37b3b27f5579864651a27eb1bccc467cd2ca0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
1b40ba631cf5f7ab09d3a0c00815c29e

SHA1
f19e9353cdf531980e270db149d21ad04be5f753

SHA256
f83c88f53f2cd0f61c443f96cb6dc358504bf0dd2f5cf98265dddcddb3da31b3

SHA512
e466c10f8c767b30e7e0c2d11a6d86527a2c4a503492e5c9e9d9b815d04f855a3919c5f15efd740fba6e2f73c00f0ab14212cb47e94dd3f9e1b94dc99008fee1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
c09df4c788828fb2634162e18d12ed00

SHA1
43ee4bbb05cff14bf2fecf85f00a325a4c1fd2ab

SHA256
8277504230f58e5da5fce4902b545bbc9c759d710a184e058aa5b6f11884b4c0

SHA512
39c8af2e0e1c1bf55903c104c2059eb2047e57101acd1637eec2ed50d70cd903c1eceecc457bc2fb23144e31732c6583f6a7245acb5a25a3d6ea8ff41cf519ea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
1d998d3556d2c6c02dee3f69725abd3f

SHA1
261351b944f77794fe217ee858d5928088fceed8

SHA256
60c2c05d6492079298efd46444c9e0fcf28da72b5a6bdf38fbf78fbe8b3b15b1

SHA512
2835bb68609c27a6ae40b6403f45732a586732de2e5050ccf01bad77d73890295999214726051f8cf71fd3732df71bd1692ed0f35040e9a7f6c1c916d8ab7ecf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
304e8cefa8b35368a8976343d6f7e1c9

SHA1
3011a7d5112266505c7a363e83919815bbdb9794

SHA256
24c7bb2797aa6732e7eea3da6c848c9f579b1d088418cb503d93037d47c8cbf9

SHA512
27a5f3ede59047002904666b130a7c9fe8708ec91c58e09ca842d48ea4c06ce1512da93e2d1c1a2c893708baa6eae648cdf65628beac1ade8404d1515dee5b78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
65413c775ac8f350d20189f654a15cee

SHA1
6147f53a59579697284bbda1c5d490c31eb3c24d

SHA256
1a3a847ab123e49d9be29a80e97a49595e966f5aaebd26d58f29bb16467cc31a

SHA512
159bd84f01daeef7ea758d96377349e5a8d85c0b2dff5067aa637ad41bc5da54448c908ac7354366ca2e711b27ad615c7b9bfb7de1acb41ef4ff1f1d326cf12f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
5aeaeb75343b703e60d1d1509219fb0e

SHA1
9714ca9c4a2df25b760e212334cca05b10d16682

SHA256
f2dc766cabf053f1dd72488b6eb2560478ba12c321e4c23a3b7be2ae6a1d6322

SHA512
7486cfb090b5369ca40c7cfa7ad3447eac0ac08d7c1d63ad5a91c59c2e068bedbd0762e30ade9dc6a57e7c92077a427621e77502a07f2164339f3a2f410e7d43

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
faa62d6a3deb3108312a97e4dba42b45

SHA1
838c984d69d1fbfd2d74fc193e72d612888466f9

SHA256
5a8b385ab8b66da5d65ee4f19eac3485ecba24272e95c1c87091a0098151b884

SHA512
273316893fa0ca489109e7b38a8ca878416a28e906c271c9b958adeb4dd067195000e7a77bc48f1c67847b76fe702087ef90bae588691148ce91956df9421af1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
cb8c6852bd778574f0fc5c2f05a714bf

SHA1
5028845288224fd837d7fb39d4a2a2d551536393

SHA256
aeb8f79c4d8c5e7c35e4be10af4c6743cfb6063ace8ba98d7b92a2da7dacb377

SHA512
5f93f7b3fdf2acc1cc138e4c456c76f53b79e195a69cf5120dc5780d77c6e9a5f2c8302ded837522d8db5c799964082b5e004aa12b276a246345387a20f5ea91

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
b46a16e69d086a87c8e2ca73435b4440

SHA1
bb711a86a3b9b7da29b6db6e82e0313f4b173087

SHA256
29e3ac07fec304b2cc0d6a177a5e900a20917239f7cb61bae757f0ef56379d8f

SHA512
ebdef547ae93b8198026960ffae8bc9d6fc6daba09790058bebf1ca7382dd6d81487a5ca5c7fb65d0fba8fcedd474ec765d81e51efd6c6b423fba8491ffe47c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
5df8c268dc21ed2ff7cf95715c889264

SHA1
803e8ce4c56d29cc90da542ff6896b7fe4bfd448

SHA256
4973fb14cf91bdd2146b75fb78d1c5a21c23bbaa25d3674bdfe9c698935a8c49

SHA512
12af31af42af70bb95035da3e822ac932d1e9c568e594832863a7cb9b8bd7f938720f3cba8191ad7299911588cfd878d2118d62f4bdd2c2b96dcca8ac5e78ac0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
39110b3830184f0129ecb246a645e109

SHA1
78cbe103a07472268faa06265408dc9994632ea1

SHA256
975801cfa6458e9677beb1a6931192e40be12fa185fb6bbc5277ff1023702d54

SHA512
af42e9632ea98fde434b3416703c44f0d6b25a41ead65cf39bb32a64a3c466baab94fdd9b902cc0df8bc8a0bfcdfa112a154d4c14aeeca0540f2f83298c10662

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
a48bc3392ddc5948458ec781ec554522

SHA1
94429e2b6a3158a3b9c036d95d29c538821282f2

SHA256
f6db179cc5441a888f8a340257cdcbd87914505cb09b05265f25d2639e13baff

SHA512
d9d9f69559e82f39f7b44a97d208f7b20870a520a0896dd9ffc9b59e02debec0f819bedf242909fccac101705c1f72fc779f241da98d8cd78c3cdb1c24bd0b28

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
1d12d074be098365484c3b88064761dd

SHA1
98f8635c562f5d164d205531a4c08fb8c6e2a826

SHA256
d12bf2570f9c8148aedf82fb940097b565764f329890006dccd1fd5dc2a61a27

SHA512
0a1c01039d36c9c36580ec37ee85d9113ae0af866b4fc30a92da58660bee05e2ebcfa91a9cbb8ce85771b9c2d5e2bac9ee8ee37b8868fe1b080be8245ec8e142

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
a4f2474bc03501f521fc51e6b7fe8574

SHA1
3139e8ee0fb1c7f79159dc513cafe1f2e7d7f4ab

SHA256
c0651d831d74fb7da22890348687879ff1f85c8f08162f4994520797ed315d3f

SHA512
a2c49579f4d782e19da9ec348596d7c1d681dee633d9e1b0a103468439b2ad0fc1c343ec50efae8514bda649ecb42cb08738dc046832c6b2d0096f3a22a2f887

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
32f730232edb578ce9a3cde133292086

SHA1
21aed3f09f169647ae7d114255c3db1054f03dff

SHA256
d7d1e4f2daa519514df925199d0527992dc44c0027f0f4a248c7a7461653a573

SHA512
034600ae726667d5b81bbe683b89a310d2601be73e683c0841e1e1bb327b09f26f5f81c8ef6c3b72d49ae8fd6da98c5096c83af3793ab2008a016c9ef36c4120

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
ae6f5dc36a6fcce6c78a156e64ce268b

SHA1
415b3fe4894dc8ee8e26f4b562450742bb86773a

SHA256
7ce7bb21f3b364a4386a232c5f01267329bb4d0c0d5470cdf34b67ce55a45313

SHA512
4ad6a11bb96be092aef92af65415027e3f19094d4f2b8516f1eda9f7b34e060595a281a0deb54cc54db1df49c0179b659b59f52d5df0bfc907924093a74a432c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
a89457512af36b4a5de3c33a9fe825ca

SHA1
0500da77bb8d70d12c4b075d87fd937a0c7edf51

SHA256
1b1896f9de9b58982932d83331a4e7fff939b128759ae6d4b29191bec5cfe98d

SHA512
f10e543f0defe470401e4e440ec84aaadf8a6ed7b890fa4d96b16e8be8d869f43054f2fa3b6a940784deccda04a7f4fce365c220a445268f1a5683f29628e82e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
372062d684a7a99be88d8e7f6d1a3c5f

SHA1
f10067ee4ff790ccbb5e7aaa3b2aff8ca2e1a342

SHA256
fc11551102257bbae536268bc76380aeda9b77d9ee95c3a22ef167a7970b2ddc

SHA512
98c0b028ec6e663113cdb53a77618ce41d89ff0b646044f87f6eacb96c623ecda01d5db4b2976e2bb8a04e63d4c32226f7d37112a2c9909dd0b31618c4bbffca

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
617ba0d83223aec5d918f881e885a7b9

SHA1
e778056385a8cdc3ccba942459b10fea0c100535

SHA256
08e71d7496788bb892c62a0038534a60d62f864286125dc3c1b59cf3fa000f1e

SHA512
107fa887c533a23c4d3df92eee0b9f6fc6eb73d3c23e9dc606acf00a0bc94978e224dff8a0131bff06afdcc2cad008e9d1c5a512bb3801860c9819a8413138a4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
abda2d480a81d9f0631199b6a5fbfe07

SHA1
3474df6712272b12c04ff6a7aa380ca0e097e1da

SHA256
956fc6fabfc5d30dde2489f7866197df935235b8fdb5fe3c5bb8448d2c99f4d4

SHA512
96e46013f15ab379bfcdb19af8ff74c4d94287496f67950a89465cdefcd1c45b981a79370eaa9c1d34a93a643336c95006fb86e28b0cb42f79f13d0b25794598

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
531751e30242b840eafaefa9b802ec1b

SHA1
bda47a738a3928549cab5e2dae970bd59ef49a14

SHA256
c4adb5db53f685e436ec65669ca5b843a6be4a125a317a99c0b7dad06823bdfe

SHA512
b9d2303cccb769e02e0b71adb2c84790978d7384e2e43be8102723d76968a45323b49f4ee832d5daa02f3f81ac793feb75364b8419e437d0bc44ad56b403127f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
5e63ac9b9770dbe8c50d8946d409ea9b

SHA1
00e14842c6553f790c311b7348bd495dd15b7286

SHA256
1dea41a4a8b813f7c0ab28b4d9f81a44d6836c2274cb3c61d8474c8220b2f7cd

SHA512
e150a2bc5b94091c908151c0dfc5aceceb8a5ebab19da534f7b9dd9a0f8d22d71c8f2fc46c44c7e48dcef2807efe01d335119122c99ba624835f5c5893d31e1c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
0fecff4ad203ec4306c40384d16722e3

SHA1
0795e626ac8891ae9313f9706df452a3e86a2d6e

SHA256
df7e9648040d5a4524587e0106510c8c848ad9dc8f9db7584e9f2f817bfa4a72

SHA512
89ad01a06982c538b13b32594368a6090ca0c2a5fd85af9de1bb55f0329e7becd203993b1596e4e58c28d0e33e3444ad213fb0f520f864e04619942f08d93bbd

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
59e076d26295c63e897f24751cb9a183

SHA1
6e9fbbcd08be127f7bfca852bb31d621cbf587a8

SHA256
4887f9a50cbde505ff6d5948c08e27780c5cde18cb475c7241f205ea80780a0a

SHA512
01867e7a26a0c2af0ad4224191ce99d1500b67f2d6896a4caa35ecc781074cd7f8cc9dad331b120014419ed6b0d2b3cd44b9afbc08e2eb0135e1a85612733f9f

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
d465d23357c2959cc5c50aa5c2982475

SHA1
b595dfa26084d77eaaa83a35fc226193a0d651c5

SHA256
fb652c19d1b9ef2fe793a891357e1cc408e3b5cc9c6e896f474c20e184c64775

SHA512
8b4949078cc0efea4fbb4d11995ec4ac6ede75d0846ae9837c18976a7063c4a5b896a4a40f1092e52a42828c967574c7a8f3047f732451b0f2ffa190ce18b073

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
5d7d2dee1a3f9b9e47bf7ec11ba9d98b

SHA1
588a6f75bfe938ed74afbb9d0191274bfc8fad86

SHA256
e1f5da52f91a9257a5d079fc32b833ff0722365b8fe8af72d08f73fff4f9a605

SHA512
336f1b768812d615536d22d2d12dd9003cf9c7995f6ffdacb750fc2d05e8a934cb8592c876f7f03b7fb52eebbd48b588dd948d252ea4392439b6b01facb22094

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
5a72da1216a1fe2d788f5f99a189d8bc

SHA1
fd8a95b0c5e0519cc47376057e087180ae121eca

SHA256
6836ebe7db1b334ead958cf9803f058a67ab0baf73819962d796e54405bdd8ea

SHA512
764e0f97e3a35121caa3cac031a4f80712764ac99575381c7d9abb50cb052a4536776ac982ba23b38d9cf46c7fb128ed3b2395a8c5c67d3dc326566462aecf27

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
b6a1962593447a4c0bbd38b0d95ee2c6

SHA1
d652918eee2ed79b06e60a66a998f29893e862eb

SHA256
da92c33d874738ca8e5971b9323193c22f712b3f73e42395bb8c1cf684405ae3

SHA512
216b1d7bc29613c10c0e90c1a3d58f76045f81dc1d83d8c4e917c5389de39083dc0651a87a44e9cf87a935e016c9080e2fd16a5441bf894b037884a7e063ee88

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
bc60d114ab69b8788b87dbbafc5f6ebf

SHA1
4b567a2ea842cc00af56e4b1f429b0fff35d2c07

SHA256
7bd64e2c1dff6019282bca56a03456ac11d508fe2d32b7fd8d624d40a90ee738

SHA512
2fd55da2a543702cdd05375b78f6585610bfa15af00e87a69348cd602128f8a095184d5224fdc64452348bc4ac03b483c69457176e0a1f6710496d46ae9e7fcc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
a3668938b91d1abf963fe7652f2fda8e

SHA1
1bc7390e05ebcb114f931e43a5127ba73fc0645f

SHA256
12b9989ac5a2b3cf79922c600b4a87cb0a22a08133e2f03fe2723e008b93bd16

SHA512
af482cf09c9715f3c7c9f38131818b32fb2a15dba9c03bc5a04f66f09af8c343ff1b56eb15e50ec57f7e35da897b79de2a27791066e07dbe4e2df2a13198f61c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
b51f97c98ff867343bcea48bb2a5cb7c

SHA1
fc8a2fb68d3183574dd968f00a0d86367fcc3a1d

SHA256
c08da82b437b7f147c842c5a72b0d8e37cddbbe8073d0589c38c1a7c5ba6b597

SHA512
659587b35b7db3f510985c356660d295c0695460f53920c01aa3da9d3b6ce42012476a8e77910ae6c80402ecf3a48ec5c2d13bfb4a85e326c2c76237bbb05449

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
0bbdd9712b0f772742359855ca3695ec

SHA1
70f007ee1ea3da89d04eb434acbd5c15fc301815

SHA256
0e13bc4c9e8a6a2bea4d830deb580a3cc901d4e9b9a67179b9f541fd3de10294

SHA512
764f999ae3d37fc627435b81112af29d6c487b525b59f99fc268a8689fa82ac033cebf5e5cc044f5fead021245833f3ba70e0fc52b567c06c525eff4a3eb6511

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
03908a38f7e3f17088bb399b7d01fcd9

SHA1
3399b55936fdd8cf505b8a5ae5270a0638500b77

SHA256
18a1950676ecd79250b4eeb9fea701294dde0705b5d2b03729a2debb2da5685e

SHA512
5b9b1aad8ea779185547e6bc71907cf208b4a99fd07f16a7d0e580c5dc4a9c2595681ec631fdf5175f88acc7b9c5def18c361b031d50e2b06003418ffca7995c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
7b8e1c63526e2d5c0a63d557f475f226

SHA1
ca4554baf36367109c8f3a6896a044349b78e05a

SHA256
8944b5232dd0adca082ae530cf7824f6ae99d5620b7264eb32a52fb9bebd78f4

SHA512
8202f577df93755e494473fce31427a09c7961d65d05bb98d24a1bf771bcad62ad0f967fdbfff909885b25adfeb64fc4706fb5197f65d15c1d5871fcc069465c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
7241430a4efb8e881374383c13eb2e87

SHA1
48edc9b326141ffaf5f8b1600d58fa9edb250af2

SHA256
1e26995741f367c8e2c8983da1715b8e4b857e5d6c04683cfd6b5efea5e6583f

SHA512
c1a6f3d2b8772350d9448d6ac7fffe4b247fba3a9e90ff64a04ee0a3b6cffdce1b5cea962f3f33d758a249a0814fc5bbbbab15e68dc6cd1eb287efea76b346bd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
4a92a9b897bcd49a6217deed5827cc22

SHA1
740179a1eb745f3f5e4700fe7c0544034aebbcf0

SHA256
62a111c93792fb25ee452cf584801a522f14dd084770bb72c1b9682670873323

SHA512
7c4a18f460cf09b14b6e2578e01eb4221c78002235373b6aac3117b16893ef7cbfebd369f65be591edad89104ab691b71acba141acbdf69832549e5b0eb2ab29

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
d02b7220ce90d7c8e3ae38ae149598a4

SHA1
df318bf256425ce3bda38b10def747d53191efca

SHA256
6cb21335331e38eec2b27103ac334247dfec496ef6558453ba3e0369aafa8781

SHA512
7f6240b48497867909c118770621739c30ebc4f0d55b644c42e4d92816516ca0821abaa727adb5b183fda05bbc3ed71201f049970016ffb1763083f072a85e4c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
68d6d2400991315727ef86bd269976a9

SHA1
deddbc96a7070a37821f5f5d053a04a9dfc7cc01

SHA256
65ead79ffed0503e113f861aae0bc938389d0c2c62532e668fb0712a8f26271a

SHA512
7ac3eea783ac2340047c40ce8e5bd04f6f0158b6e7e2543e335216dc76c95093f42c0f483ffb88815b5adc3dbc535aa70e7f8d81e6656f7aedaf9be609680135

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
67c0722a889fe7780c7d5b6d3f9fdbbf

SHA1
d0aa29f8f918cd8ea24ea35bca240df71f7b74a1

SHA256
74655e2c7aca7bb65f89c21c2f3f8c94b8f8806813f413c0908802fd6374bfe0

SHA512
f36989f4a8ea6f52c88463cf85427bc99e6ac5ce2e6de1b4618dabe4d42592dcb82b3d8a5a3233b816133e96f09ece94b49f97f744bfeed4581885bf682214d8

Download Submit
memory/2668-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2668-8981-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2668-8983-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2668-8989-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2668-8990-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download