xorist | 7f645dda20bcf6daebcb766087752ec445b174956def5406fcc46268c06ed49b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
Size

7KB
MD5

3f171bd7c1341c99b216622fe6cddd70
SHA1

fc657e65b0434e8e2ef890498b1288dbcdc0f637
SHA256

7f645dda20bcf6daebcb766087752ec445b174956def5406fcc46268c06ed49b
SHA512

14af5391fb893195b53ff9772ed843d2a0b2b107a382dca485fe5234e0c0173b66cb2c21106b3cbffeb54c7faa92f172294813188d5306762675e5c081f7e5e4
SSDEEP

96:lZZhl8wdS+r3yOYW189fTwUVF0CWHyjk8P1LOmjXfihExOx9hGazTLIQi9TAn/MB:jzdrr1FG1WDCgmjPZOxT1Tlgkn/MUA

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2708-8495-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2708-8498-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2708-9097-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2708-9098-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2708-9099-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2208) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgd5P9HlCkDJpaP.exe"	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\040c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_script_blocks.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Reserved_Words.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPSViewer\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_types.ps1xml.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_output.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-OfflineFiles-Core\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Command_Syntax.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_neutral_905772087ff288af\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\slmgr\0407\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_While.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_requires.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_type_operators.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcrtix.inf_amd64_neutral_e91a5dc0655e200a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Command_Syntax.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_requirements.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky303.inf_amd64_ja-jp_b054bb0d59e0a3ad\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_locations.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_join.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmzyxel.inf_amd64_neutral_ed1f16b3d0cae908\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oobe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Line_Editing.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_arrays.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_scripts.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPSViewer\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpin.inf_amd64_neutral_2415474b9db0a888\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Reserved_Words.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlasno.inf_amd64_neutral_c86d5b5e5fa8b48a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc11.inf_amd64_neutral_bb18e5f134c40c68\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\AppInstalled.gif	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa4.inf_amd64_neutral_6e97842bb8d9e6a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hu-HU\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_neutral_7f08406e40c6ede2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hiddigi.inf_amd64_neutral_12aaf5742a9969da\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_requires.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Core_Commands.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_properties.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_trap.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2708-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2708-8495-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2708-8498-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2708-9097-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2708-9098-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2708-9099-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\slideShow.html	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\slideShow.html	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\flyout.html	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR19F.GIF	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\THMBNAIL.PNG	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\SignedManagedObjects.cer	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Premium.gif	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\LASER.WAV	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid_over.gif	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Half.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_OFF.GIF	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\attention.gif	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-medctr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ea353a7953b05e87\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wiaky002.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9240c4539026a6f6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..tivexcore.resources_31bf3856ad364e35_6.1.7601.17514_en-us_75c91afce4c06c91\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..-provider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fe1bfb48db8f2ffa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_webadmin_res_res_b03f5f7f11d50a3a_6.1.7600.16385_none_d07272ee73dcea8e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_89cfdc3542c35d4c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..atement_r.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_e429287568bba98b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..oler-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8397ae911b4db071\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..-optional.resources_31bf3856ad364e35_8.0.7601.17514_it-it_a242b1f371a03af9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cipher.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9fe9387d530f64e3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..rityzones.resources_31bf3856ad364e35_8.0.7600.16385_de-de_e0227901caf0ea73\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\401-5.htm	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ssmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3674b74f68cf81e0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-system.web.services_b03f5f7f11d50a3a_6.1.7601.17514_none_f88c2ed4e4f8c858\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\undocked_black_moon-waning-gibbous.png	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..endedjoin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f50a17c35ec053a9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_bd28e772321016e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-oleaccrc_31bf3856ad364e35_6.1.7600.16385_none_df738b47d574e668\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-s..engine-nativeengine_31bf3856ad364e35_6.1.7600.16385_none_5ab95222c3014a28\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_en-us_22e0bdddd00840bf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\img12.jpg	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-smartcardksp_31bf3856ad364e35_6.1.7601.17514_none_b7f7d8e8e19ade8a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..nttoolapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2b836fad8f8b06f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_msmouse.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c34eec16d0ebc6f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_remote.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_While.help.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-r..-detector.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9ec7947a2ac1be42\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dsquery.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0a132734932c23f6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..kstvtuner.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_eede0e15732a55e2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..tshellext.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b35c4de9a604947a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-pnpui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7c0020149332c183\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-r..-provider.resources_31bf3856ad364e35_6.1.7600.16385_it-it_15f9e02c067f1390\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_45549abb8ab456cb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-findstr_31bf3856ad364e35_6.1.7601.17514_none_855590d1705431c5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-findstr.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4ebb74971da093a0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..how-other.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d789ca474e9fb03c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msmpeg2enc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cdef2ea57a90cff2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-autoplay.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ca13124c1e464624\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.security...ionwizard.resources_31bf3856ad364e35_6.1.7600.16385_es-es_05b1e604d15d6734\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..-statusui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9afdcc96f43e3da3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\schemas\TSWorkSpace\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..trolpanel.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1c2f17658368719d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\e166ff6b4e2f181ace48ef30fcc1b55c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Printing\aac5817d96d0ddcffebc1c45000e9008\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_system.windows.forms.resources_b77a5c561934e089_6.1.7600.16385_de-de_8a9d73b390fd5af5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_it-it_39ac79f647abe196\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cba2a82d1ba25d8c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_ntprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_92fd0160e8774145\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-imapiv2-legacyshim-mof_31bf3856ad364e35_6.1.7600.16385_none_ded556e609d21a37\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Title_Page_Ref.wmv	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_72a70ca7e03b9b86\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..ropertiesprotection_31bf3856ad364e35_6.1.7600.16385_none_6388acf17dd74912\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_en-us_39b468a7491888f2\calendar.html	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-kerberos.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0977e120f420e9da\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.saf..oncepts_v.resources_31bf3856ad364e35_6.1.7600.16385_en-us_820aa5e4ee8b4ffc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..rectplay8.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3880fee08332b130\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-15.htm	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnep00b.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c40cc658267a714e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5c73a08d1ee1ac1b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..presenter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3a7b83490cb22fdb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\CA-wp4.jpg	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

Modifies registry class 10 IoCs

Processes:

3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZRBFRVKEZVNQLDH\shell\open\command	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZRBFRVKEZVNQLDH\shell\open	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZRBFRVKEZVNQLDH\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgd5P9HlCkDJpaP.exe"	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZRBFRVKEZVNQLDH\ = "CRYPTED!"	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "ZRBFRVKEZVNQLDH"	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZRBFRVKEZVNQLDH	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZRBFRVKEZVNQLDH\DefaultIcon	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZRBFRVKEZVNQLDH\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgd5P9HlCkDJpaP.exe,0"	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZRBFRVKEZVNQLDH\shell	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f171bd7c1341c99b216622fe6cddd70_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
285B

MD5
a7d769635d5ea3f099e19639c556901e

SHA1
2db39400a4d7f7c0603631b5f6e1d6356b2fdc75

SHA256
a4a94d8fa8c598c6f8166fb8606b1b853918dc0838e958417e675b246a1ad913

SHA512
1291cd08c9df59d420174a2fc2d1e334d0e1ad38584af20533ea33e6272a7ce93b6e36a198c56772d9828f5edde050b782e8fe356f4619212fc7a1b4231bbe38

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
e34fd39d49cf57fe71ae50728fb28623

SHA1
c99aa47198c21a048f2e533d5218aec41273ca63

SHA256
f5ebed5ad6434b5975f790e09dae592ba483b4d63617a3301a0068e2febbd83e

SHA512
4ae52d703322196e2c07c0cb08c7679728da4ebf4ba963cbad2ebda5f2fc8d62c2380e2efcccdfa69fb2eb945bb3a7d8dcf61c4b13a117a46c1e9d87509b03dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
e6ef91ca310432cd1b7d607e22fcfe0c

SHA1
31585bfe3f34f9755f53b162892d40042ed0f35e

SHA256
5f469132cbcf554aac1d569ad760863150e0e2f3902ff881c8bf8ec88437634d

SHA512
c1611482e50d79ff8c67a0d5df63b5ab2b4ec6219a795cc11af25c7625b67aad6509e466500b9d0a23c020d22bb7e2d2c7384b07357401abee04c39662ccd9bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
5f6e12eb8fdd5ad3f0f8032cfc5a9cf5

SHA1
6a52712ab052d2c471a07f43d7ebcbb5900780a8

SHA256
81a93d1d72ae6c75b66d42eaf664b90287d55abe0c4cb3ea62392a928bad53da

SHA512
824dfe18a522f94c5ce89368052454af8851c9071b6a0650898506d1ab51dccea5d561e9e18a0710f3eb4fb5c5cdab8f04178dfe2ead9be6152a1046f5ad13cc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
149b34e79d13cd371dafc5644aa4f7e7

SHA1
ef5b782f960479bc5deffe1855fff917ec357446

SHA256
2afde4c8ee029dae59c6491c590dfc1bc8066ffa7d3b6f3dd46713f0b46f699d

SHA512
379c7cce062ea40eaf05c26c83dc5bade4371a3451505a33a63715c36632f9d17c822f89eea599e7e390551016888aee1a61a464fc896795f47d10c8910df7a4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
608a288d26ecff3d391b59d09538cc9d

SHA1
44c931d28bfbb244d424fc27d41742189912af77

SHA256
d18ee8711ffb48f8701e88dcd4d8be310182ec85e5f9c36af4303d501ccb43da

SHA512
71ef6b1c1c855fc16bf108c18ea9c3ca2e842b57497a62dc17b9b3f1c0dc3876ab76c418bd4dad1abccd6d43d85676fef1fdaad253b4df200507d5909faf65a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
83ba4afb34bbbe0362e4caf46395ff28

SHA1
9681ca08ac0105bb33eeabd10e6b9265ef9f77d7

SHA256
06343881f3c3f9ce0668f2f04afeb8ac668c72e8df1766ff7037d15219a3eeb1

SHA512
9f4e4fafc3f5b8895450de90a20041b4bc7d56b8d85b01451191ebe01229f0df3b6be767004f4d0119889f34105467c46bf53383651eb8abd9f398e98caf77f8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
916e43947ca02724240d80fd86f52021

SHA1
8e209653ae96db78b5baa56981ec60b506cee0fc

SHA256
f9c47e04ad517dac18aee4baaef2dd35a31b013dbcbc722ef1debba4b1a17223

SHA512
c36abc714d0e028d7f9555c46c73c018a0246056274593908f52bbbb2f327a4b04659e403c0b181ca5aa6ebbb2d78c815f11a21f9d826a1e100e7f3b041c48df

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
4dc810128f327dfd7a7d3ca7be52725b

SHA1
09d1939a8cde219684fd01af845744d73b0f9b46

SHA256
6057754377e5de30d3b5746445c0ff7f3d75edfbf4e9a549f67cf4cca2f8422f

SHA512
a3453e6ef8fe745f0ae1d307850cbca9adc08205cbfe577dce3f1dea927e206fa0341d0ae2a58e9f1cbcdaebb7990e095ad4337f59005a1eeeffcde186df5dba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
6905b5a7f66b9d92ea9001bccfe03c56

SHA1
53d6bf295986db9977f5708e7ad663ef9b0a4953

SHA256
fc342078cef069abe0859f032a192591451d42296247f6181969b3629b90bacd

SHA512
c4fb677ff830b785005e4a0355945d9fd64f50421155bd28814d29eb2150da86a6fa677af3a272e6481836f6aa9dc15298927cd5772b802f95d9a91dd03c0bf7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
d094627cda9e9ef345519a010b3a8712

SHA1
4be98801372ad26d45062e191728e4218afe96bd

SHA256
96bf2a2681be409dad6b7526a7ad7692830774651b9d74ae6dd8ed175cf95da1

SHA512
f87ea0276becb5aa12b82eed5d93074859e48614d6fbb16dd373f11b8a54490b0c62405f1eaae2a349a4bb9f1676193cd9bc09ba4c58b9f75c066506d8a51f50

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
b12c50aff48334c77748f271e17b73ef

SHA1
6c55dd7d626c301fc4dd8a5ee8002955ca105c4d

SHA256
204b42619d22ffe43520cd7b71f517db3d56fe36f884f13fe87282d09940cef4

SHA512
2363591105332927469b7f78739df1cc89bed2f6da9b849b7172f7f7adeaa33c18e15cfe415f12b5f22f42af12979cd05a6f7f33ab3181db6651f8e4c691b04c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
38fda553de9819fea6681d8807188e1e

SHA1
e82fd628927d805295447bde51a84c8dd31bf0e0

SHA256
33b27571455c083c4f8ef94e8d34bd7f29f07f53fcd2374db88a0c82b931a761

SHA512
a81d56f5ff0de3fad9f35c2af45fc7e24710ff97e633742607fc10cc810bcc3ee3b8173884110d2579cd5357d5663fa0aa7b906c81ec5c63ea8fab5189d611cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
37b739761cdb1a55cb0355d637a3b6bc

SHA1
10fd504eeb45bda65ed86a031582940d14838eff

SHA256
bd4efc61015957cb466dd177367de4dbd7eae78dc90633f644705cd5045f9df0

SHA512
15dfee324b90eac07e53afa2f7d4dd3e6f139d935d87c8f477c24d9cd0f92742e3377574ed7948d869fb0c34536629b991e6ccdbc819f34df64a24aee401ebec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
d46e8a93af6c480c9307ed5ea5673046

SHA1
f5216ebe78c4fdce5c71be6c21dd08c9a3335395

SHA256
f247d993aaa3c8c3c7ad10982bd9a2fd0c6adb6bd2e93492eeb611230505cf70

SHA512
51867348805420cda45d0467b80e62c3751595135eed7384752ac5741978b99eb1c725ccfc6c2521aa9feeb917d73aafca3bf4d8a8f656184391d9cc004196bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
2691daf65059b781696c823c7cdccdfc

SHA1
ac1aa27bd087dd17ca51e17bfab534c11c28a5be

SHA256
3e35eb17953b05dfbea824fba60d0eb6a41fed450a568b010b4309b99be2cfc4

SHA512
f12274c35d10d3bca52eb3d6157fc58fae91199ce3c9dbfdd6af950438773936c6c670acf501ae8b66b4221c09cde8f39191ffadeb4ba7bac6b129857e3cb536

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
a6aead35b703e61cd6825adf2164d637

SHA1
4681ee654c7e5a5f52cba384f1a1b5384ee09794

SHA256
7e7f952f2c7e9d319907f601358a2bdff197b3ea95896dc77420f24a17ca723d

SHA512
397e1b0fe8a2bb575fae4c5082c47030e51928501b13d2e8238c95c2788b275d2bf4dd746fe7ef8621fb5a4cb4d9edc5eb272fd19cc4fa4edeee8184bac55046

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
a179ec373cadde6e3ce6a08474bd0650

SHA1
4e602f9266697add8e5fa6c5be4ee207cfe8173c

SHA256
5477fac7dba5cb9fcd72822e56cf57b14d1d04d5571748b81f96e2f5e0c656d7

SHA512
49aa55fa5459211cfe4f67858030e769866ae4b05e454dcbd494be25da6ff53c091db51106e52a1fe3f75b641a72da2dae34677d2252253a7c9d95332d538845

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
1bb89e80c4a41d67629b5588623633df

SHA1
40c7adc98532444af24945e636da9d627c97a38d

SHA256
fc4ef3b3317ec53cfb0c345bb3d04f7c3077463db696f018cf1557372d5acdd3

SHA512
5f91222d3a8c3a433e05f42635d973b5d8e99e20450e1f11b05eaf172d147b2ebd61df144ffc5c0276f54ab050b4abb293ed64bbd1bf3bd007a22e6713dfc3e2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
41478181565c65d9836ec19fd448553a

SHA1
acd30469d63d35d1e0bbc089327edfda83cd8b51

SHA256
23942176b2017ec02f90b505afc01b5ea9003097b43fb16d83b293b437fe7954

SHA512
2ef9a26becef1207ceb7b23a9c539948c4955a98e6814143b638a78de6df181d9d68564ea3fd0cafbb68ca037ec020ecd95542fa1221568c2f58717ff7307f6f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
bb2c64766e77d87ddd75e5715c52541c

SHA1
d79ebbd79730a51a75ab331bcccd7cc495b53cb8

SHA256
0050d519f20cf00a96235658ef316997d4cab1cac98f44997977a2d1aea777dd

SHA512
f38e564fd9610f6f8dbb65ae5a5fbc252885ddfe8470305818f9a8ebd6f431f38eda2362dacda051ef2688086ad6350cb962b595ba078d87c097cc5b2cf45385

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
8e96e56bdaadc9297778b9ed728996ef

SHA1
78c3ee31ae6823109f1c0bac140a6caffee5aef8

SHA256
7c1c4fa647826b0da0617fddcdcdd878ab97f9fe8e9bf65dea4fdf1dc0315388

SHA512
5d4f1b0b26e1289355b731475c4368644f6a5087bd7202eba38260c850cfdab085b7614e191158b38c23e5149784e6ec778f76f97f390ca69fb1767c588bf703

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
b94b64090fb7c2f472cf19bb66503837

SHA1
788dab19ad86ebc00379c0a31d043ceec367d801

SHA256
8d7e21e68db47e8028d0b472efed90b8383fd0764e0165348f91dd9cc6dea9d0

SHA512
1163f1ab3505156b151c8ba30ddb38d6f98801afdc08ccec8be3ba55d83591bbce0c6d1639a4d96cd4b8713c6136b3f351d95dceb185fd8eb431dc80ac415b5a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
d6c0d9702a9960e021263ec3ca042a54

SHA1
cb99e1905a5ec562b954b2cbf595947bc0775eac

SHA256
d139c9155e338ff1901b41e0a22a2111c294276e10510d29863106a5a4579a86

SHA512
64a7a0a011a45b455dd02dbe62497de84328b872945257e02aede23ee279026e9505a7905fbe4510176ba5165d79cf269c69df83e0d2c291b53422100c14fd73

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
9562eac8ef2712b72d854636b4f19d9b

SHA1
d5d9fb2b51bf29a2ffe7f965f7606001e13f8317

SHA256
a85e1d1fa96d31767363e6912e80774953248ffd1743725c14ff8ff764c8fd94

SHA512
f5bd7ae73d9cd970e1919b889017b7b0c943126e8ad55476f6cc7fac25889e83bec849676353cfd282bae6560d4e4bc7141f9fb4e4161787f19f7bc54fe25207

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
839a3dfa53acf29127cd30a8da07b0c5

SHA1
eccb73fcb6cbc90a721ebdc7681ac6fa1e2f3867

SHA256
90fc08ec678b5fe13da4cf8c0e0726d656a4ec0baf2f873b5d0dbefc51236cc4

SHA512
ec5d77ec7fe0df11f6cb88b9a5e689f65a9f2c265b0fe19b23d6e742cf2ab70799579f4e78b323bfb34be48cdb9fc98a7f57ee24f7c0eb8f834624f44ce9c7e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
9158228f25fb764a5498ca9970efb69e

SHA1
304f9888aa3e91071d2dca859270477b19c9b35b

SHA256
5317a8c3a4b5692b5add1bde8760b0bfee7b086f1fba15a89c5f40eae63c8bfd

SHA512
03f367df6866ce86c9b5889e3abc725ad713d49c90c785184eba81c24a9b1bd94cbe180de7bd6f0b57555b56b7375c38be898265f586c4a721cf5bf8f259f104

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
237147a31ead51b636dc84376b4bdf58

SHA1
d0a7ae79799105114f621a96d0317b69eefab0da

SHA256
c8186c5740a16750c37543253be222343e5086027eca7980b7581b0ceeea6453

SHA512
24c26c6d8f198da9b14b3c3b9e948ead353b7cd0aa92eed5c61f049331f9f7e07a2234f278bcf62f036d9203900ed3c6a9540cd8d9c1f60895283d995a237c25

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
a5879cf0c14b01a0e57f853eb1719892

SHA1
2c9744b2f7e70e7af0da4a9d10e0db163e3d6a1d

SHA256
e35df610d736a96153bf51ef7330309724188e7500dbdda43b435dacc6fb3b50

SHA512
ae7a150dd90b4612543783cc7194afe6d3eb43f2dcd99d0c34b22517504e07c6cb00b5b079a1bf053e97cbf8225a9461cf9d476799a2a30c8306109354a043f2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
9db96ea6f43831838417e209ee8d8b3e

SHA1
43b51bfe4774db1c5e9ca49b65d4ee2bb089c821

SHA256
9a904434393a17e93fcec291998dd0bf9d86e9c98e875f461fd3473b8fe36515

SHA512
ac8585cdd482ceedb4e2f85a623f4c3d5055d3770b21445dcda9cca61e3e05420b7ef7859920132de9e3954644ee53178da3a705e695723a405b8fcf836be879

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
8ac25cb472deb41ab05ccfa9ad59117d

SHA1
7784fabdc6b3e196a644b1f068b78cf1a8b9e091

SHA256
c60f86deb28d0034903b20b3645c8888d4dd12f6849f9803568f5850485baf59

SHA512
fdd5d0e81e5780145dbc788d80824cd7932dfa0525e6a1b1377bda275caa99f5d6d1a57a0ecd725e2ea31802e4e452947f98d03b9ebf924ae13424f8980a15fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
ca882b63ee26864c5bfa1a94beb27a2d

SHA1
e0d9ab03e3b2cdabf02d8d15424b30d81e1bce04

SHA256
ec238f0170fdcf9b64528a9c489351dbab1c7ad29fe14a6911172e848070c2b6

SHA512
0d99a857fb3b6fbc78d75f4874b38bfee558874ad0f1882b47196de1e21a983c29b1f6fcaa026e05a6f206e2ded637658b135aa67bc2d3baa187d651b64ff672

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
05648abde092360bc4ab6b2deda5e291

SHA1
f448bf5dce907a40f2111b6f351742da38ea169e

SHA256
8811047d85445445de434cdb8d49a6b7127c1519dbbe12b323e9e417d4949f93

SHA512
4556c6ddd5bab702b26225839df52831dd5fdc0ec947e6bbd2e6d43f5d95e8229cab9d624be3b47398fcf527d67947083af5c2ffb646e31d649a92ee70f5073b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
b2985a8e4c063fd26b57553b70cde293

SHA1
b5cd9d58dc97ff44c00016352350ff9b73455474

SHA256
cfebd348ef1d13276a556c215c29dc58498e0c1ca555b0f2fc97dcbbe2ccde22

SHA512
0b44ac1f8f8b4476488b380a45f792ba6a2e710c4bc7136408c51e8afc04a49de83f852dbc8058765417e67d872c7cdcde8cf634049d80649d4392d04a5eedb5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
94ebfc86023a82d1e3cb2702f30afafb

SHA1
db31ce23551658fe26a0f66ca700299cf7cdd510

SHA256
cdba42d930724dd49989f900d143611a36205ecf0d4620971438f623f4a5b7b2

SHA512
e1c3f3c15e2b190c513c66ee46b76680e4955ff8cea8ad61df81b6ceee1bc99efbd6cb17a370651b548529edb2dc544a572564a8de6ca301056cb67ae25f1e29

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
f453e9655cac9505715de0724fdf9e81

SHA1
0525daa91af17c5c2e702a5a48348a50ec8b5c3e

SHA256
f3e8ec1a159cfd55421ed467796ff157d72f91c9c7cddf1dedd62ca9c36a0a78

SHA512
4cf7a345efddfb4019bcd034eb265e15d4d011deca57e220388ab39363b4e50ee6f5a80f1969f09509695b3892f8380746f3e4bfa97c5f5e431fafd44915fb15

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
3b5309ce4f840b49b95e7b3764a08cac

SHA1
ce781fb6a60e31188d9124c07f9ac11825dca715

SHA256
019ee2999ee7016b315a2c38b559e8b1f1e30494d0c7c26e30d192922f73a7f3

SHA512
b796b66cb9421261556edd4c4a528c85f60cfe26703d425c24fe0fd98b0d04fe406bb45cca9e641e3302a062a19642ec6a4783a300c38609a8acfb6875e59368

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
4414ed635b1277177eeb7468ffa4249e

SHA1
81bbf99345a8f7250228f16054c55c1c828c8552

SHA256
de7502af8c6f5f6b4fa407f2ecca4acd4e132311c33d31532665689e83372b90

SHA512
61d5b2ba8cd3177698d8f9c0c3bc170992c7ac2892217cbd0cd9b9e3e855785b27b319534619b36a2baca64294b0669fa7c2c72f5bb11e9452a0260dea114c54

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
de8fcf9e8bbb629a135cdbf5b36a2698

SHA1
50d7b2ec9aff6c1571a005cb62845e1f3cb1b382

SHA256
577c0263c7eeeb3e48b94b2d14080787daad41cbf0e3c0c4b5f881e7a999176d

SHA512
ae039d27f356d7c1bd3d93484f27cdfcea10409131ce8c8ed5148beafc96fb8f6beada68c7156da8809d4bdc697b8f06183a1c9d368238daa7c1eed974db37dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
752e3713bdd1eabc111a1bb0a4baad92

SHA1
485fa52ebce869a092e0e096956d7952bd44faa3

SHA256
da39f46e07913bfc508925183349cc12d16e0c8d3452dfac6947e1f38b670cc3

SHA512
b16a4bbf09dfa28fc637e8f49d1626d9e9e1480438906e30ecdacd25f756ea5d480a716d2333631a23da7e74563efdafb108d7074a9e4ca847140451b6c33a64

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
75b157178e99b68c50bdf726cd056599

SHA1
233c09d3f35f3b332708c7944094b8507b14a0a5

SHA256
334410e47da5ad714a0ada1092cbe39288154df27cfe75b1eb97222f19f0a867

SHA512
d09301829cd711e6cbead6ecba5c00ed4573fea5a8dad43d79d9d689b7ed185dc406331f741d4f1d7cac6ec74942380da96ad8b0cd2780148a5be802f629c515

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
cd49ab787ed32703067cacde49320397

SHA1
41784bc8a9b1179a47f41fa2339839f6d535bac6

SHA256
0b497402dfb7f8431197c98f3a649e59a9b7646cdf1d52854dd705e5846dc40c

SHA512
bdd566a65d5bdc7dcf56e594b49fa00c8954300c9da758dbac19934ceae798e2140a2817c60c60a24ecc993b3fcc028cc4f04adc016480c366e743680bb993b9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
d1546853d7351962e0e2e372464ba0c8

SHA1
30084fda95f78774481c83a4f12673e7b3af3c67

SHA256
1bf17c891a78d8a811173d25c5e3e60faf2c1c1c1097c72d4efbb55f0e078a44

SHA512
65e8851d91e6bb3e7e4fc3f53b40173b6caf74b52a710ea2a891df6397097e980b8af7c00fd3aa4c2651444972bc0ae21879620b5a26d3f1b9f403413bc9ca94

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
95d91e881eb81afb521acf9fa68e5c88

SHA1
699416f8c489b1a164e9b1be82d2cbbd4dda86d6

SHA256
e63b3be174c1b52e5e93aa2a4929dfd9b71c1e5ff9dbc07f31cfb5cf588331b1

SHA512
b1216c0a2cff1980d9e677a753e33d8cbaf12cdb158cd2e73b0ace7147d99ab10ea77dff5ac1676537e6c479c7bc4876e614f000e8e6054501c4ae94395d0df2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
94db039e7a41209686f48be751e470bf

SHA1
8e659e147bdc68a7b1eb8c8c0777bee489184634

SHA256
f183331a79c675d3acb3e2e292bec05409034b91099ae2ce1e6fd8aff75336b5

SHA512
84dbf4cc502a6d6b819a22b84d0787c48d8c4b1d0e1f8392d861b2bc0c25ee25d07295e0bcdaca0a375aad54f8fbfaf7b55cd4423bd1340e8e95345ad2dcda36

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
31ff98b753326ead702ab8bd45a7dc5b

SHA1
2ba6a9a8cce3eb4c7e601cbbae50069cb0a4bc17

SHA256
71cc7d95f62c217d04e68082bd4f074bda1c0cb1d77498d3977977ac10cecca2

SHA512
98d49a6dd245a29110e27a541c7e4ea1126e0bf0b5985ab6e3898cc1f9d03a56cfde5638761c0f5dabcc3d4e5cc461dd2e470ae7ac0ad976a9c7f991bc71f441

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
4da4ea1aacb4ddbc6c419ddc56635e66

SHA1
f9e7ec70ab545d90bc4264c3a975761005ee8320

SHA256
3ebbd1fb38042c2bc4b5223af133d63125e5143d42942ccf794f042b8ebf3e93

SHA512
2dbf912d724e3b207a9de823b420e011815246e6de03be2d441eefda227a3d3f1b976976b30b9d5cc914ff52bf499942d0193b31a0170957c1eec738c2cb3f59

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
90507a718ac6c63e3ddb07520bead47a

SHA1
5e130327d0f2157b9c0c06481a8b081d6e72320d

SHA256
7289eaa56e4180a9e4d9eaaf230790ff0fec2b2c623f18a45091ca3e15808cfd

SHA512
ab0d1fa8226ae975b111af667fb3db7d485fe615d2c85e67886821e5fede53b1c40068e765360ec3395b032e9693cd63d208fc1ea61afec56e3c464b7a5320d4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
df5a6edbc6894045b345946fcf693f6d

SHA1
d70f8880eb9fa38a7c103233d273d6bd10285950

SHA256
9cc84006704e59a5d34d7eca84df0c4abebe30b951e510fa88dbfe3a54316ed3

SHA512
f4f488a6dac87dff59d9a9113e4ba2084fa3a54a03840143dd6f892c2b9662a28cca43e253f9c6cc185ed58a1609d50c042d989f2b63e582c6dfbae7e4000010

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
ffddcc796657bf469d98101c8fdbcb7f

SHA1
269246aff1ddb30d78f89c1b6b1f8f825bdb6acd

SHA256
ffd08f10670333b7026a96190d70e7527fc34e52f792670c638058e678acc7bc

SHA512
d573231e6ed4059ab445d91b069104f207278c1b248f03d2182547fe838cb8401d799da3caeec73f0645e0d7b0be12bd9adeeba1ef89d66f7163c3f9a5958a7c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
403252830d2aff1664af45621743a6f3

SHA1
c8227a221e296788045fd40b6d74a2ef1fa96917

SHA256
ccfdb28d8c3aa5337b99f51079979bf89797a2db228ebbe8a086aaecfd4f193b

SHA512
12eec0419957007525de630b05937ffad5b35f98b29695eac2b3464094479a72adc3e27b03c6c82268fee77402f895d82db2918a8b62cd86bda4471bc3b90534

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
03b590624f79c9ed662425a728cde85b

SHA1
b06ba7b448ad6cc8d0eb2f07732ef5fdbbf4ba4d

SHA256
135ce2a877869c3dd35a0a5e1067e24a38ea2ee69a96008b7102b97dc23d3da7

SHA512
68dbd6ad1207f1969400e341ebfb1e870dce5c76e13fd5837a9d737248b2e98019a2262a16af78362ed152e1d5148467bf1b60fb3aa1c776ec3bf95377426e58

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
c1b41f9961a0d7e3a678b081e89e1e2f

SHA1
b1ed00b8c2d8691f9ad0281cc2f323170458f04d

SHA256
17fc8d6e562065bc3af0837f369b000ee97e53ec81b2a770838ffac7d6b15961

SHA512
b94f5c0fd294b5ec41dc2b814e4a25d310435971321e7e763ee5c0461017ef3b602c0d76dd51a06a2e5b38a1219ed894ad506054d5380c0333e784785196d3c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
06c8ed15e07bb36dcdab7b499e42b3d8

SHA1
57e5fb4048cba06c3be81a1ffed5a001243fdc7f

SHA256
2684a7521b36581a98c0badd6cb1270a82247cb93acb893eff1e5aae0555d1ba

SHA512
06ef83fa2fdf3b3b27ea6d9e5829b8f1ddd9c3fb477e60ae9e24e76dc1904b870b96102bef6a75321ec9c4934fb68e72192a84e55971e7a77f864b1a5cd73048

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
cb6b2ef619b343b9a4fce933a82fb088

SHA1
98ae66fd61fd31eb6a6f0c32fbbc7638deafbb5f

SHA256
517e4730bf974a5267ea9496d5a672c8b98b5509e8f6382633d0586b2bf53061

SHA512
d1e69b69cd08854d083f2cdd58b0f8500e36e76c2dcf53e1ac5edfcd837f5beadf57fe847cc69914a4e8fa33fb5e575b101b278a807208ec55c14a48ab098083

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
89af43235e34c7b34a4bf96a9444e706

SHA1
bb75c09905e74675198edc96a52f85f8472180bb

SHA256
551472bada284cefa5ebb48e710a53d2b0494db1753891ddd9f25690d5bd9159

SHA512
970b2f1290c96ae40e56f5d437ca08124e6cf6579d6dc1c78854a5181522f702797963ce057c006f4b665b26d37a5e92dab589119dc0aeb276bfabeddbec7608

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
5fc353cde79393a6a24fd9267c8cde70

SHA1
de3706cc8dc9fefe719e2d50a1db5637b326e4ba

SHA256
de9ff35b92b024b2e63f5da5635a892e6ed6906337e9ecf567772a75635f5da3

SHA512
284dddb0d358dc93390932288830aee5502f62ecf410cda89008d8d24883dfb4882680ffcc8b5d838a98d19c7e973312d529e6bc7bd1f7cf30ca98cbaca0ac05

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
c13efeae9b6a285b0e19576fcf7de7b9

SHA1
298801852910434defe4d5ee23f912db58f99de2

SHA256
78dad7c95dfbe0d66641035dec127c7df7b0a5a9ded3cdecf6fd649c3886310b

SHA512
383343a18466b63e72dfe85e1d772b60ba51a5e072e7c6d6daa070dc10aa803d4a47a72b87a6685b5facbde765c1d57b2def50a1f2b11fbac6da87c2bfdedff5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
68a137e4fb9e62cee686c80b4e57e80a

SHA1
e1ccc01cf8fc1e1010f89c16f17a3408d25dfbde

SHA256
cc5fa2a9a4bfb7b4e5fbc752873bf37de753d27eb0bff47d1411e93083cdebe9

SHA512
c85240689e8bb9f38bbea27036d5c7dd3e78d39354c48e4e956c40be8b45e4834a1f4d3efbb69e37bf79205e882e93ab74cde51780df1426b853708dee49c2fd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
c1ed8d70a2fbbd918d4cac4cc78de217

SHA1
1e0d05fb341bbf267f58df84bca6450a9a118866

SHA256
9e343a26b559c398cdb3e89efe2a5d769704120fbe230bd79955ed489e3ca0d9

SHA512
717309b9b928015d34a3267c6987e6dbf1be5e787c062681aa27cabfe543d7e7b3a3dcd15dde23bafec2d49992268e771683b1a9565a2bcd10b38ec3a7454119

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
aa67613a9808e594e7b23700e24a278b

SHA1
9e60acac065f54066b95351f8a67529d59b7459d

SHA256
ac08fe6aa1773289e017a6299d2a14aebfc603a6cd44e7abea8c3dbdcfcc1316

SHA512
7dc69e27366fb8dc98140a7a7320467303eac1791194bac144fe9d83383c04d79a2f10406b3f7a9643810ef735ad197b97993bde4da5ecc7221a21ea8cbbf55b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
aa942cbf71565cac098e5cb293d1734f

SHA1
cf699dedf863e2476f58e74d3cb67d8b6b14601a

SHA256
f45b2e639291d26f015730339dd5896a4cb0ba3155577475a4cece44652c8db7

SHA512
b8fde5224529ba750d4a5df58f4804f123d8323f80b44e8df9cc8b8411fb9a6b42cfd52dd5c2bae959d400a592ca655c1a559c1ce48f1222740e5d3400b2bd0e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
d14cd4b732038fca059e0364dd12db5d

SHA1
72c8b1f213bc8108b93db3a960e032b191621447

SHA256
ef2e53f979e911f316bea140978973f6d03c49f49947503b1733160f00c640dc

SHA512
7011413343e7355cdc20d50390a6bca907016da57ff51a667ba8f87b3c89e5968fd35421d114dce72052b75907b5247d67b6f4d45e3ed0723d039d89440d1e01

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
f8b08c75a0a824498eae47f98b9f5a1b

SHA1
dfb9d184061fae911ec9fef92224e930f27c5b46

SHA256
56ca98663230517bd229e174fbcf2e74e50d84bdde37f0f30ad24cc48ca562d0

SHA512
a8bb1745a670f82037aa70ea2cfcc48544cdada2a3e422f7dc7009f3351718a0e32746a2c21489043b1c2bca6bc7a04e7c8007a5253629a1d121163aad6adc30

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
eaedcd9726dd04bab6d699393eb61fd7

SHA1
93172319c1dd29613b072b7d3263f14d380f83a5

SHA256
82b913dd60aaac296ebc126440930cd81c8010bd161a39ff86393a0dc6215d31

SHA512
ec1565390dd40ee0e30f9fce86ac209d6fef79ed6d1633b39a981cfcd70981e299d6e2732be2e8e7664012ebb9ba9c83fcb163af809bd605db439388b914b20b

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
437c5d33138c8d9009efe73c1226de85

SHA1
10543672df01c68e9138a97de989cb2de1213232

SHA256
88430d7febd4d5ef78a8e71d65d0c4cf5fc27305a07a66a6b9f9980c8794e2ec

SHA512
4a0f1b908dc23824c3cffe844f4f476005421b63a387928adf26c4ff49139bed2ba892851918e1e2b823e56061784bd531d116bf371b4cc2a64c9d6807443116

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
ad479954a843d1bda6af753b1aad67eb

SHA1
14f609d859a8575b545cefae10cba857809bbbeb

SHA256
49a84b15b8301c6c0b1d085f0bcc97e9910dac10cd067be08f4f261ed9f5e75b

SHA512
17266049bf165bd1a6231541584936bcbeaaf8db27337c9c18e01c9dce61a0cf105eb0eff6f9dd743f9ee7aa0bccaf2b39543aa45f97703f2402ee57d39e902c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
81abd299f8f931f569d125d9216c635f

SHA1
e8de35ba8d1be99096e3d41d452ee2aa4d4f4fa7

SHA256
e942e9e0dbaa1c844bc57539f39db4d9db094252943f591175cad0338c994d41

SHA512
6ebceee82990bcfe4d849b5827ab9825a7ff8519aeec6fd3c51e7790720a4ab6104d9170da8f9a7f6799db6254e64a3e83a09fbf7539f6a941a42efcaa43fd2f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
c9ad6107b6d0b968cb7683d171c0cf6c

SHA1
1fe5dc9bdfe15a609966c07e1babc2ed9528c294

SHA256
ba88c8e86f73620dd5fb524dc1c208ad6341e3d4728bc239258fe01fc29507e9

SHA512
1039f30f18bf9c8dc1d31d289b2491d1b9ebd7a03624e1a9463ccbcbfe070450213e2822491d1cfbc9baf74f2367a523980de3dcd253e2f1686ce5e56bd8b4db

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
45679ff00745ad58afc10670af38056c

SHA1
373492d5d3d3f944a5166168f31b14c6b73331de

SHA256
3adbebd9030b7f569989667bee0f535864a166d2367e66cc5be54bbc2172ec70

SHA512
4eb0c675eb2b8b75d289e85c65cffbd40f1ee86b5347d82ac1c40e70285604e5272feb16c372b4b2683e25be44269ec9eb058a6e0fbfbd81d548ded5f2e2e0b3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
8a263424dca2800839fe2c58f221fd73

SHA1
7acbb6d8369e7197842d91bbee42a0acb902700e

SHA256
1080c85816e68553d88f102f8b5ea066b2cf553dcffb26d36f9bfac5613999a1

SHA512
932a447d8322f4508e0ec62249e5056eb948202da8eaa56b1e1d728e67dd767d42b846739cebcb1d4fa55878a698c113cf648fbeef6ea3d21319a3ce576395e6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
eb2a5e791a819db112ad1654c111524f

SHA1
1d5878df732686fcea7cabaac1d1d5c1719389bc

SHA256
8406ad9fe30cfaa52c9e73128cce96a92b523371f18a9d68c62dc8eb03790e00

SHA512
099194657ff48d5e7709bb830eefc196da7155dc7efc7500d62afd631f8bc816f9dcab3cc136e70ef6d784cbd5f50d13648e145ff7f4b811bd0ec10c93fa5293

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
588727f45f9add683f94b88f2c72ccad

SHA1
4e94cc8a1994d1fceaa9abcd1123c0147ea2ee55

SHA256
39f9fba3bbfa9b69dc24a6cdb75f56c1ced8e528eea4ad46463ecdda3ac5fdb0

SHA512
4c48ab695e3991af4fd9f0d29255216f92390feaa4827e6e9d3c9b44d0b438acaf40aa5a0ae30eda8c01807c5faec6f25d6d9932615fc25c8b389f44e1b7919b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
435a7d0a8ffb995138b68ae1b83b0103

SHA1
6d58d94d2588688f35c0eb74c4f5ba7efc50c091

SHA256
eb363739f1a3552750c219cce7c3412ab5f437ae1ed6cac3b53adf5b0620a232

SHA512
1921f0b80bbcc5019cfc4993072bc7878d9399e84cb20614f807e18f45221c7d44d21fdbee1e30df8cceb0d0f68f0091e49bf1865eebb575ed757d820326757d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
a4858bdfc6a8c2f77c7666b9cba76f0c

SHA1
3d6bc50e18d155c41261435546c028e9bfac5d9d

SHA256
524d28a45b8635deaef0e96cbeb656e30e3c2a3089519d3c0b87ebfe1960c4de

SHA512
92d56756f47453801b0645769a4590fcf2e03847f054f65d875c2c6e891c34b7b379719e8096a804a41bb5e9697fa19dd7e2af79ec1430430db5ae9214140b66

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
2ea82e72d3e54826be6d68a83c0d925c

SHA1
c5f6a8c895f29b9d7a0b19b83e51cea289ddbfb2

SHA256
b3a7e4ea222f7715710f524ddaaa24696bbeb46c23702eb9c6602665dfed53a1

SHA512
9a78c178bd80cf0e56602ecb0aed3bb2ed63da4e16f9ad5e0f653c76d1b96140d692547d051b6d6f964af3669f4e006ff5bb16eb96d6deea4c9322be88b2aec0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
1617d5339e8b203219783eef534cb5b8

SHA1
3ffdd34334ba6c9a7d7147ddacdf3dace23c234e

SHA256
a9c8f544caf278a04d25b3afe40e9f1d66935a8d78fa576cff992750744e3065

SHA512
624077c9b6e75e8fd330f0a68efe8539d9ee434444c5b17acfabb84386bc3eabf86d70f6daf7f36edd37ce69029a324661642a9d2a11a8c21b59889de5de55fa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
66076005a1e10c284eea6ff22899b9da

SHA1
444848b795da1f6964e5931e9d598ec6592a2608

SHA256
a33de7e6cb51c01e9cf0de1d272d1017ba90a8b12e2361f57e7913416a9c868b

SHA512
086c4b554530b51dec6d7abf583e4911428869832ea1d8596eae1188b202ca44813faee21db2cad8fa04c4a56d9211108421bbdae6967d4729f67cc7923d8bc4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
cea490a8b275f022d789293f958c116b

SHA1
77400c2a93257b61c194bd33d7db919db86b52ae

SHA256
5dea768e7f81ad672d621e1b1b2cdd287bbf8258437b3c0eb60946f2dc6a3f26

SHA512
d12e0b817d143381b9431e55edf21c519a1365c0aa3441bf75c71dd4539e81877285b25099b6ba2821f7fa44ab7090bef8c9a36f446043bbd9088a09ef27a18c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
8ee64a6210a297086f824d7d4791806f

SHA1
217cd640229fc23054667678bfbf1668805759f3

SHA256
1dcf604ee2ba55884e323f21d53e3a047c373379c44d42ad76b67c0fb1adcf56

SHA512
5701443b0e0265e3f3dbec4d9f2ccbe342e9daae9e93d34412a392368a5a6ecbd32cc9828e92df84c2537c49634455b9b9a5740b64a4290d812859493d02cbe4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
295ee021be75531e2d65ab253892965d

SHA1
e27e60b5a33bf74bba0fdc131b2e9cc7f52ae8c3

SHA256
0f884c805b9c1904136fee196c4d98a4b558687c7f1952953b7577ab3fc5c4f6

SHA512
27fda1ca9cf80ca9e02aaf77aa8e41244ee5bbad88b3d2daa5922edc8132dae67268db6b2afe1fadd9b3e02040614a6c9383e1faac3a0a66f79ad825a125113d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
859ac8c7ff6f0261458f1d5eda8e618c

SHA1
6c845d00ce4ed48b38e5d783a047db20aadce4d1

SHA256
3fe6bca63d9509ed5a6b78c31fd938c8a31a22753e3df976055ef99fc134c7ff

SHA512
19d2d18b8745a79c99952913c8c347e3146184209ddb15a5d3351834bb0b76d4db698e9b78873cfa0df116862fee98f50a309dbd0c8cc8867a510dc11baeb02b

Download Submit
memory/2708-8495-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2708-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2708-8498-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2708-9097-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2708-9098-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2708-9099-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download