xorist | e520e80d78251c93a6ab15bcca6217d111075d0e218c2b571cdc5dc5d981d392

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
Size

39KB
MD5

5d8c6e9022da9cdde7c83e500bc09660
SHA1

fc8679bea044346912f09ff17ded0caf53af9b07
SHA256

e520e80d78251c93a6ab15bcca6217d111075d0e218c2b571cdc5dc5d981d392
SHA512

373ca7cbcb63d1cd4bf33be6c524a8104781a714aaa0d50991cabfe746143ca18f355a592f681128ffb829fe82d7f5e3f4d2d5e956a520f2d4b9a7645f37e4ed
SSDEEP

384:HebFNw4Pk1itKkpAjjalraxkqYvjSXkDCgSZWQbxpwMB:H0FmBkpKj1xnY7fDCpHxpF

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2916-3-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2916-7634-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2916-9074-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2199) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\llsyriQkU2dpajN.exe"	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcommu.inf_amd64_neutral_83cc415156be45c8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_neutral_eeaccb8f1560f5fb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_transactions.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1qx64.inf_amd64_neutral_85d10fa4c777b7be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_locations.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\slmgr\0C0A\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_script_internationalization.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\erofflps.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbw561.inf_amd64_neutral_fe42c0ff14d5562b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmirmdm.inf_amd64_neutral_fadec14b0a37b637\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaca00a.inf_amd64_neutral_163313056d8f34ab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\iirsp.inf_amd64_neutral_25c14d33af7f54f1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_arrays.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Redirection.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPSViewer\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\unknown.inf_amd64_neutral_5eb6ac70dd1a3ad0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-TerminalServices-LicenseServer\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usb.inf_amd64_neutral_269d7150439b3372\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Assignment_Operators.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Windows_PowerShell_2.0.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Reserved_Words.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sbp2.inf_amd64_neutral_332943647e950ada\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Core_Commands.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmwhql0.inf_amd64_neutral_23613e3dd9401f10\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nfrd960.inf_amd64_neutral_cfc8c0013e9ede68\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zh-CN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_environment_variables.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_hash_tables.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angel264.inf_amd64_neutral_04b54b6322607cce\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_neutral_2d4257afa2e35253\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj5.inf_amd64_neutral_15940559c66fe8d9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_aliases.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\es-ES\about_BITS_Cmdlets.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scripts.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPSViewer\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1216mk5_ibv64.inf_amd64_neutral_3eaae75b591bd148\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_type_operators.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_do.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_neutral_b71dd3dadc5c3e27\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmzyxlg.inf_amd64_neutral_14f9249844f1cf17\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl005.inf_amd64_neutral_8b56291bfd2a4061\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpsion.inf_amd64_neutral_6e65ea91a16f922a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\PostMigRes\data\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_requires.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_neutral_0684fdc43059f486\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_neutral_cf52485bed804e02\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\ClickDownNormal.gif	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_data_sections.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2916-3-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2916-7634-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2916-9074-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\Accessories\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_on.gif	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_down.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_select-highlight.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_down.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\43.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_spellcheck.gif	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\THMBNAIL.PNG	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Windows Journal\Templates\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR16F.GIF	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10890_.GIF	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_microsoft-windows-advpack.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_f43b3d62d3eb720a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_hcw85c64.inf_31bf3856ad364e35_6.1.7600.16385_none_0446c109eabcdb24\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_en-us_63ace8212d64b345\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..sisengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3e39dfce59b6632d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-autoconv.resources_31bf3856ad364e35_6.1.7600.16385_es-es_066b7d2afc7d66de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-f..ger-utils.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1ef36752eab76554\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..framework.resources_31bf3856ad364e35_6.1.7600.16385_en-us_47a7e66e1fa4bb1f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tasklist_31bf3856ad364e35_6.1.7600.16385_none_28198854bba53a00\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1031\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ntlanman.resources_31bf3856ad364e35_6.1.7600.16385_it-it_246142242c393ad2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-smartcardksp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_06b640479d085066\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..zards-mui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b36e58d048faf248\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_7.5.7601.17514_en-us_292a8b37a9ef3b8c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..onverters.resources_31bf3856ad364e35_6.1.7600.16385_it-it_74ca4465205ca68e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.iis.power..framework.resources_31bf3856ad364e35_6.1.7601.17514_de-de_527cbc407cab8a51\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_ieexecremote_b03f5f7f11d50a3a_6.1.7600.16385_none_c3f621f081831627\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-opengl-mf_31bf3856ad364e35_6.1.7600.16385_none_27505f112f7632da\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-powershell_31bf3856ad364e35_6.1.7601.17514_none_5b56b853bd5adf50\Windows PowerShell.lnk	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..cesclient.resources_31bf3856ad364e35_6.1.7601.17514_it-it_034fe7cc968b64bf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-directwrite.resources_31bf3856ad364e35_7.1.7601.16492_it-it_6d6b27713a307bae\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rpc-netsh.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4cff4b4c04a24056\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-x..achviewer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_83e1ef13fa56314d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..trics-cpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9cc244c688b4a7a1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-pwrmgm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_727ae8dbdb2b75bb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_escape_characters.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..ibinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8bd619bfc102154f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-deskperf_31bf3856ad364e35_6.1.7600.16385_none_209ac7a9488f9245\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sidebar-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a611a6570549db88\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..erclasses.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ac657f04a78630d3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d2d.resources_31bf3856ad364e35_7.1.7601.16492_da-dk_4099a4adfbeefa1e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-peerdist.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c3c8dcc25ef7f623\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a3883b23cca467b5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_b0559c54ab497568\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_avc.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9eddde74a096be5a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\img3.jpg	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-waitfor.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e073611e2a5088c9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnlx007.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3230bc3c18315ab9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmnis5t.inf_31bf3856ad364e35_6.1.7600.16385_none_74fe4d4e5594d82d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.iismmc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2336482446b69ccb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.iis.power...provider.resources_31bf3856ad364e35_6.1.7601.17514_en-us_eee506200bd43e29\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c4b9ba2a3ac12f32\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g...scrptadm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_393b7e0c577c6b37\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4e9d378fe10f62e2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\settings_right_pressed.png	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-medctr.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ea00975d53d7502c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..writerqfe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9cb1b20adfb419ad\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..st-common.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d0db429429b01e85\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-compact.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cd993ca7dc92d5bd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\19ec2acb1a563ecfce8396babd4a3b25\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-speechcommon_31bf3856ad364e35_6.1.7601.17514_none_34284e05e94a6f7c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winlogon-tools_31bf3856ad364e35_6.1.7600.16385_none_f0686b7ca6acde00\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\MiguiControls\1.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\it-IT\playready_eula.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-x..ocess-mui.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05129292ac22f63b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_20f45663f3f88da5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_type_operators.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Windows_PowerShell_ISE.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..collector.resources_31bf3856ad364e35_11.2.9600.16428_en-us_808cf65d04adb28d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiUPnP\8b58e86c1211cac8bb344ec05015055b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..er-office.resources_31bf3856ad364e35_7.0.7600.16385_it-it_90f60a1ef84a3566\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17514_none_114417c17d05cb37\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_environment_variables.help.txt	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

Modifies registry class 10 IoCs

Processes:

5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HAPVDRQOHXAYMMB\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\llsyriQkU2dpajN.exe,0"	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HAPVDRQOHXAYMMB\shell\open\command	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HAPVDRQOHXAYMMB\shell\open	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HAPVDRQOHXAYMMB\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\llsyriQkU2dpajN.exe"	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "HAPVDRQOHXAYMMB"	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HAPVDRQOHXAYMMB	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HAPVDRQOHXAYMMB\ = "CRYPTED!"	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HAPVDRQOHXAYMMB\DefaultIcon	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HAPVDRQOHXAYMMB\shell	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d8c6e9022da9cdde7c83e500bc09660_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
210B

MD5
ab9da5ed186b51c64d4eef5afb2e2a09

SHA1
b8220000a28a18c74667236a0c17c52d2ddbb6df

SHA256
4664789a35bf0a204358a5f17ff1949a9656ab90ccee20ef004b65e305b6d745

SHA512
2b2ff33612c0abf492319f30f952b2d2ce9af45e92fda421474725c4cf11d6587500c805460e4cb82824cf920d9e7aa810103ef47bfa670f20155773b1bf1aed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
35eb3a26777aece49f05e6cd3e3850f6

SHA1
dcbce229c7989f179f3566ea30c6395c7f00b399

SHA256
77ef0d221d3eaff7869101de0a0627a743430cd750a7eb1d538628cff120e1c8

SHA512
92b79e1a648b9ba1bc3754f4887447dbe2f53545818b1f6c2eeb1ea52a25009c3ec3e96bc4e4a63bdc35e719391667e13668099a484ab52da986c79012abf675

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
74a950b1d2ed31899bffabd19f9ab986

SHA1
9946be18713151bf2e80364db07520b72d99d557

SHA256
cc03cc6c05e1cb8cdecedd4b1c4b133103b9a237c2d4ed9ec2ac65dd687ca661

SHA512
3d45df7adc78de3e9ea9a798255a5bcce642b844e146310b85ebdc820d97edd9c4a956545f35e06ae45f19a3aea11c8cf29eb7621dfd5dc09b55d6bd7c42be0c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
e439d7571777f68fa641b4928b4c1cd9

SHA1
25129906c806ccdda7a7b6ea1ad86c60543ded5f

SHA256
398e5d5043540dd53bdf62ac5c4ecd36c26df52db07b5aa7de79efaf0f9aa500

SHA512
17a7d73aa535b701056893af37d91adc50b3d8b3c8c50e3844a36c11273646b60f73140ba51ffa29ce239f6f6abfd7ee7299997e336e0f3e6f614271fe76c96f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
c23f56aa11644e72483cffb8f39255e0

SHA1
6444563febf743551988ec92af0797c093583bf4

SHA256
1c5ba19bc0ba07d184a9500dc9558588f770eaea4a82a3a2e6847de5d90e4890

SHA512
6668be0a7f47a68f44ba6b206eb967e4e9a1c0d5105d3d15a3ad3a326b1fa502cb7a53837395db17115f51c8e26610b56f3bc1eeb3464e6db3b8059b08676b9f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
237057f3b54fbf4e24c814cf99ed4c2e

SHA1
3013b14eb6a2a325e5a027dafe5e8e46126c25f9

SHA256
a97dd52e0562af029733e8c11363970f245a8fce10fae59bd2a9335ed171c73b

SHA512
9c69140e01b1346f8a37a9557fb7a30617c011fb99c45630f9694c04903817a9189fe8675b8274ee14c3ca1cd609f9cef0b96af42aee971f60365c9d4bfe6daa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
cacd2df424e21d146c9fce136e56140b

SHA1
6a7fa343e649f78947f54042ad3b547254ccca97

SHA256
e196cb4f0854259d9d50777b0565396697bf1d79fe19e6c08e2b5780787d29a2

SHA512
61b6eebcc13c8e743d2100f95c51ce2fe8d2a1419f43fd9ca9942a3ff12e299ddc2b82bdb8f40848dca698b082500f495d18b1272848f71304754331072153dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
a85f5623810ff0bcdede913d6f5cccc8

SHA1
15d92718ac7d9417e36aea332ded6f6835da69e6

SHA256
91bb1e81e1403ed92fa4b0934cf2f1187a516d2d57e3f2ae730e0f8089c7a8ca

SHA512
3945438879b9127b52d5a69941f8d536c14011c1772e3deff9b7168ac948cfcaec8c53aad72b78c03a2e455c270917059a8caf2cd778d95701a7004ed6dba0a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
05a8d43eec1b1e17ee9aab0003c8acac

SHA1
3a26831db81e2b227a0c1fc7ab81cbef48759743

SHA256
6d5d787b1e42393f358db8ab12654c24184fcb485df65a60aa238308bfb92b8a

SHA512
10a6fb823eb0666e1024df37942606566ca936dc08606eea318a512b6899d6b3603ab0376309746662b9e4f62902ce343a866d0ea419220138157ac07c62bd9a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
1d59e4db879a2b08c2acc67d85031b8f

SHA1
54644530dfa871fcf69975a680df18e318856f41

SHA256
27da7d071f8b09a83b668a6a162ad531addbdd93f124dc9e5e165df19a415708

SHA512
7ce2ae1d580b9f5574c96ffebef3b721ff45617f393c45f1e50bb93b101c987265506e4d3952d9eeb9d9fc4dc51d36163b0508ee69d8aa2c35676fcfc1e66547

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
c86a497738034011d5c7465e253e0441

SHA1
d19fe9264a49da67ee405efde3e1d0714df53251

SHA256
45b8fbba4f8594078dce6086ef7cbf6841fa09cf94818cc317ed5c0a8d5733ab

SHA512
0f7de0215a2c0c3d489aa775b8faae68d3f8f648f1cf85d02fc8f304afb4c7aa84611a1d113c4ac0446a49f6a162347784d888c9fa639362bb6a9b5c8804230a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
274d32107f3bdae1d17d5a5dc21aa965

SHA1
7f2671c47cf03000b182724a22970241203222ab

SHA256
79b5b1acc6cca8c2c2a6486d0bcada3b90c97c6d983ce958eea247f6d43b9707

SHA512
0aff0305e269809d19eea9299e08325bd1d7db047f7ca12acbfad622532d6f76d7d7aca49802543380b17fb632e9104cf22504da2f79e0ce58d4c449b950f2a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
bc56b77d912f59b1dbd5b198175211d5

SHA1
9802a0b7be406beaa4795cbbc2261642c02d9aab

SHA256
bbe8536aad9fbe188f246be664c8d18670812cf40aeebdaf1782ddda377b4f7a

SHA512
6d44dcbd723564e5b81f02ccd796a42ca325aca7bfc57d3f49008e52f8b38115a68621bd953e9e33f66045112d4132ebe905b7e3e4e6312ea8902ac6c61601f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
4c2112c7cef300f5a0bf95b4643f94d2

SHA1
d00bf4c6e4ba255df301e37f924690c9180e82b8

SHA256
6a63df73cc0c0ddf0ff1d455b6b28cdb2669361c5b7b02bdc9e7da338de9df25

SHA512
21b96126a97196e38bcb565d087662b405e47c40622bdf91866543da425146cda45ad4bdf1418ff67efdea66fe8b41dd665e1b1d1b88b56e42547aa63fa1a7ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
fdfd42c816342465ce3c61f4a363b4f7

SHA1
2bffe38a8b3324c6c825953166ef76d724facfae

SHA256
5860bb1400cd1ac3cd95580d95c1d3f9541560992a0a2305109707668d273091

SHA512
7c679c694486d0085985e147dee103ac2876df78ceb2cdc16ad21e3b8356a693e914074d6a9893049c4a509867016a0080f821ec2e8323a852dbe30e8347b51e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
a4cf956d05783170da071662b9cc3f66

SHA1
2520c29675ce822168636138a8d1e7a9de1a7181

SHA256
139480c1b23d39ce6fedb68fc159c629b599ffb760fed608144d05135bbc954c

SHA512
f6e90be4336b033965a7a21c79bf87e4f550b89efc41e29a51ce6e5fd3420d9474ac507deb7e39c3c441d2233e29d9572d0dbaf2d9cf2ddf16e054a4e2da68ee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
90e5a0121a3ccb87f7e5b3f29642e87f

SHA1
d7250b6b5f0cd4c9b961d7eee09b556b73483601

SHA256
50248fce09cac25fd2d36ada3a27c527ab0416bca97de79e7f33886cc17162e3

SHA512
faed9eb8294d87c4f32b9de507b78cf97f8468a94831c49723a44c8f0d091076172af07505f06368d932c6b3232f74a155ce5d5ab1d81fc0cd4feef28f5ff5f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
9c04f37bf5148dfa42d01f2dbd8611c1

SHA1
847932ff80b312be215711271e24f639686b2c46

SHA256
16c7d7948e0159cf436e0e7ebbdaa9242adb0f4b1f015e693b6a5daf16cd3924

SHA512
018efda0b33b1a30f75ac711b276e8d9f01230d1a76ede48ac28a05824e6689f474448d577edd90a95e508c0959aa9fb8fb65d6b5946d7307c05c56da3228e8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
29aa0f44d5f6e9548be32f8d5a46b7f6

SHA1
887e8056a0095a92f2818be0e7be7b67602cbe1a

SHA256
696096ba1a3f1d8f198245c833f1c46b5fe53898427e136fde7bea38f37aba00

SHA512
1786c6ecbe11ccc73d819a1c6d624c7b0658782a1cbdc31bf935af3c5641f085469d88201204b2b598788715301a81b4bf8c994ea69fb1968628fd1f22772409

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
06dc16e223ee39807d680c627c90540f

SHA1
ea4ecaca9fd1e0182752b938b9f7a58f33f5695f

SHA256
a8598603bbdc6729c8c4d366a691841bf401b39f557a450a2225fda8642529f3

SHA512
a047f43a05a151433a023c87fa466afcb3c83619d64809caf136a3f1504ff21e103c06b1c155257f063b011a898182ac91210cfac033455df8b678cb1e0ed652

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
5813a4f6f83305aa0a2abd97882b2cec

SHA1
60a9950d84fa315aef0cb6608257a39a62b02197

SHA256
fffa5a220c779e0d7d6fa514c73ee8e520ad66b17fba76ddb61cf161972fe644

SHA512
77bdf00bcacbd598f8dde4f4c3e3293a6e43c4883cbebf49340cf53f79e0afb46fab5684408f08a360b4ee4505dd80895e182e745887582a8c2f11d43b53eca7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
10484e88c47a7e8de1a32c3646b727fc

SHA1
32d70885afdbe27ea04221bc944d00f244f22b97

SHA256
5695e04cf4afeae8b364b0bf3c14fd3a2b12519d826c523ee4b706d06240f3c0

SHA512
86f5af16a43b298f78b20361006679ff4bf05e7dca1ca5d407b6edca5986741cc739a52d51092439aaa2d8fd6208117074eb7b5c9828eca1352f53d6abd91ddf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
0a4857021fd4f363e9212129a931ceef

SHA1
da9087ba72b1e4f64712511f7eb2d87fe3af79fe

SHA256
fd51ccf19cb039986300a6452141aa14933ce1fe180cd741cbb23110ff601bb3

SHA512
ae74350ad2c82692b486f31a17b7e8d15887c0416f0ec2293dc77f43f9a31d9a045a84d9da16abb5e8c870665bca50abb74568f51f2ae94c4aba7b19670739ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
bfed5556b68f6afff8fd8eeda77f4850

SHA1
e06fda615f9f4eb12dfccf67a20aeff450ef7e83

SHA256
5977c07d884066c0d726386e58a72fb23cc1814737ed0e8e4ca30f8a94d05361

SHA512
9a82dcc03708421441be63953da42855aa9461610af8aed5f64b39043046afbcd07a85dcd62f7b73c4e07610c83b4183d86fcd355718166ff81dd58b09b0fd15

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
f4ebb5a958c858d98225aff3cef1930f

SHA1
65015ee91c1cc954a6f0c713b5130fb4798c0e5b

SHA256
c48336e9e2f0d3541a3604eb531e4a52d8e4c28acc89f8fcbafcb27dc1528095

SHA512
76d10a8c795de4a0a71e0e487f11834bd15cc92dfdbeed505ac5052b0b4d371582e515df3da5c1d16d54eab22d57ebce1554a75c583ca1a3463987c412580885

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
5f6d3207fe1454020dc9ad74736a28cb

SHA1
4efcbf9278220d5988727ebe16f71f2f2edbe64a

SHA256
74222600978077743faa8ebf2e8ede6ccba73c8d254a6096dad5783091829f5b

SHA512
5e0100fd5285e70a21512f5bc47ab45c690d8ab950c5e573af251fb63ce54a89cdc41d6d162b21f1b94c86ebbcb8e0bea941ac2489472d98d62d3e48aa3383c3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
8906b273736911a65c69e6473450c2d8

SHA1
a0e01c2d2c0aa0390466de701706e3b842fd0c22

SHA256
7b24f766c2c0f7320df93356d1e0dd4fa30dc0bd4d146757e82d9804685c323e

SHA512
c06db461e828bd1b557f249f53ab0067bb4bc66aa20446211e215a9cbca27d7e08a85014cf18f1816204ea0fd919f63b8bbf871bd0e870eb63d4236878f9a654

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
d21a21bb6d3f4105dbc7479d7768fd89

SHA1
a76d45ee33f87d8e6e312e107c30705eed344a09

SHA256
23c06068cac1335c06b4c37e867461e1db02d14cddf7235bb32bd011bb67ae35

SHA512
3516056b2b0fcc5c3df9934a6311013e280ad5d566ee3f605c2e8700c5a447dd57d23e99991223e622bc8b1bc421aa7aa31ac0221c674d8e515586f283b78237

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
bb144fe96e1aa5ed844c0161641a6f83

SHA1
8dac78f7444e20f41d5ce1a2eb399a126c9ff839

SHA256
cd05a4c1b140b4d075425f484c2f13d620d693c977f92b12ce1835efa0cd3cf5

SHA512
5ae930c9774a3876229034b1e02b56132c20f920e544f13705b34babeb1beece06933701763a0943ccc8b4a89328e840f26a69699f4b838853b8560a55506088

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
11102ac8bcd4197b5697dc016bfe6897

SHA1
bebd28ff69f5def8ad98f15d93057ab55751702c

SHA256
29ccec10b116a92063ba5df7dc83dadfc516f5ea8f495e7711fb72d79859f809

SHA512
c14c187165613914dfa0f9c0e8cd0e40ee2b78fc7962bc1faa097c3b104bc49f3f5cfdd4e1632591dc027f0313be379e76261033bcc571c870ed87b24088c05a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
b374791ac0406787926563f8c701e171

SHA1
33b7da0a9f7d01fe4e0376fd80107fbbb9139dae

SHA256
2575abd1bbe9dc704c99e9ba093733276df7eea3ed9d00db5b157022998f95ce

SHA512
841e1d619463254d8f0cc7704bd5bf793bbc34b79efdd19a926d30f9e712a02ef38b183ef3ad2e32d6eeadce7728d5b2320af422ec239bef24fc3144b463ebbe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
07a82eefdf5a53eaa2a68e959698b061

SHA1
031880e80cf1150f7955f21c49afb47b606c497c

SHA256
85dad519af966e87246db850020d320c20f2951d57f53832d0cbd5ee309f296f

SHA512
a4cec5c5c8d89c69c8cc3e9069cb9b967031c1612f68463987350dc39eb42007eec6efe382013c1b5ba55fc2e39485a918e52c1aa81a73ba872220b1a043db20

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
8bc7713809e2ed8154daeac77e37e927

SHA1
1ac5e236dda6e2177d7f5c8c1398fc147f2a18fa

SHA256
2ba14cf7b5f03087156e4925354f3a1f5f18f6afb56aae23dfd6bd2447ddd280

SHA512
574e705d58dccb29d3279d33bdd1ad0745ea4aa26bd9ab2e916fb424159dcb28a94d0eb21287b7e2a5890292ea8493b211fed0fa6da4347197bde536f368b752

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
84628da4fc35370f9251eac4c3eefb00

SHA1
26ffeac3ac64b5b59330321a078bf929fe3eb2aa

SHA256
0010fe6b03bfa68496acdae699224f04810836493c064ea7a9d552ca6c4166a1

SHA512
3d4515a79531659ab94a07c5d679a9addd0c9a3759f5e19b2017f56c17d23d5725f988e19a28d89495ff39dbd02b8f4a656c1c7c90646824a736a00029b79723

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
d28f8cf6eb9cb22907249d8059491a97

SHA1
10e54deb7054333856b8dc1cfb69f5b29b1e77e2

SHA256
50f558da57867e85c8d256ae00c13c2919374d89b68fb8626d4244085b2384aa

SHA512
8acb35a4b4f070f1e5302f6708bd363312f86c5808a79c56f17c7c15d59dbc6d1fa7215778035c66352d76f5b64aa6cc468eaa79d9ac528d182fd8ae95dcb6cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
708647b0613288dbc5db8d0e78825252

SHA1
4999941c848fa7c08344ffb79002afa837357ff6

SHA256
8c3762fabfa258131cd1f9dff8f8339b5f0485488423c727f0ecd644fa3e8a97

SHA512
6e6239fe8f0b9c144480401fb6fe8106e28ff2a84980e08bc5ac54c401ff35a814da5a543551852d2685da68f36c668abc26153d458895b619f0cc44b6287a2c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
cc988773ab8d1270199997f302aded83

SHA1
3ce1c8dd583acfe6e1161c7a500efff14a1813fc

SHA256
9101fe2c9f5f23166c9019a71e3b9ddf877f4b26810046f34b259f43a52c166a

SHA512
7036b8e4e12d3de94a1789bfeaa70e84efc9fb2199da1c0610c05641e595d4f2567a3e41672d3c291faefbe3ef90ec7628d10493c63e3462b3c84c21f271846e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
1f5c7186fb559e693ab2c4da75fa46c2

SHA1
ff3fc4460968a6f03b95edec159565a80dbdcaee

SHA256
d5fb23dfe0004224b48971da28e5f6ecf4e2ac546fe2b0edf7d7e1b3883655df

SHA512
d00c83d0473ab1d453c739096d8a82a641a69fa2a4d7e5012ae366cafde496b0f79d75e61604d7188d52a2fccc2235bb818911f76d9b91448a38fd1cf8c30716

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
dfb7c19017496ad7a159594f1b6c90f4

SHA1
904382aa686b244d13dd80cefc00f45f60de735a

SHA256
9b58b46da8fc6d9e639cb9cc67c0061758840422bd1e78d5561f6ffc2b253127

SHA512
d665a210ece7f3ec52768c8474a7fb0099fcb27a4c65d4aff77c046c5406fb31d3ef825b2af019da9faed72634f73fabb69c033f8b388b697cf5cf144a76ace7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
83629dae9d6172208b9fbe91988a6af3

SHA1
ba627109bb5bc3653c713026a2feff698e724765

SHA256
7d14f2fde2ca948fe966adfe4fbed2593f6ecbce1c49dfadd61a327b5f1be9a1

SHA512
499d9e353c1d62d19692862a2e9e02615d5910a51737d5a5bfe280b08c48bc782f852cddffd1859d6bf6393e3e2506b8c8ade6c0ae57eb1dd2bd889a4c17e2cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
7aad800ce24b8e9379ab968195169731

SHA1
c0d995c72c829eddeea5995a7f2fb4fc6c92ffbf

SHA256
80a1681c79a461d9be220c10a7dfc85d3a8f7998ec5c9e7174bc2ceeb5e6ed17

SHA512
a6949eafe0267445dfc29221a6516cada46553d675a69301f0cec2d1ba0edd1c0bb329eab82995da2ddfe36452f40d07c2783aecddd2cebf09b42f728944d688

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
c8573d3dcd09749be0491c866c38908a

SHA1
4ff13a019a2693a1501c940109ba890c3bc2e091

SHA256
c75b9518a8206cd4b4da7617d726f54730997c6a5bdeb76419d21133cd726f1f

SHA512
4c9e90ea36cb9212c3fc8360c50e64d94db59478a9d753caaf042bbb13f977e4ef7e4d15a4eee5a2860a8adf53e52e10543aa7790a1508d426cad05a406ff734

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
033eee0feb185fdf710a96d57b7611fc

SHA1
492f449cd806ba3a19fe37a4f80f93e73f353717

SHA256
88438f2ba88a70ed5529f0a82369064eca9f488eca22bc72126455d1d9ccd568

SHA512
87c8d1303ef6136e4980d805c5582174e7164869d43007ce019501e736958a445bba53c2371f26f61f7f25073701f42c65ff6c064d331c26c5a3ebc4611a3ae4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
ea5fd406e35fbd946130516160bebe7f

SHA1
da37f67f5b41445c95653274affa72a18466bd05

SHA256
070c36f173aa48e0939d6b7dcf47e08b7d0587be898a93b5b4d9479681c3534e

SHA512
28cfe02c1a841a4279609fa35f7034ba021dd2f60bba5464964815bdf4d091bc103b35c80eeb0e8c85a9b18f2021c074e7ee08e4ed716d0ff669c0cca1b40df9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
54858e1cd128ce5b4e4cc0976aaefb85

SHA1
352deb6969d2ae7a133fc9485e7ddf4e19be5386

SHA256
42bae6f0532368fc878808a4256922636e4f8e5138753bdfbed74647e2361346

SHA512
f39f524ff2166e07ecbd40df59a42a365b0c2653b3844d74e5d324698433ba440644242043477d7db84decbf7834d0e572c68ca622cd45b8a12e40a77b33af39

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
13931853d6f34d93046df390690e5c94

SHA1
8330dbcfd4b70ba5b408eae4f12784e562c07e05

SHA256
69ce0418705073ac9463370817eb14a009137e3674b8f305ce82f8d2dc0b1897

SHA512
168286867d91b16930a9ada06bf445525274a1d81edec8848a8b5269819d61ddf8a098e3744a7cee04ea70f70988d3d6f703ee8cfca0165bb351778f0473ce88

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
805f9f9003daeea5b776fadc1d2dce97

SHA1
f0cbb804db13c2da7a9c050feb81c0a124acaca7

SHA256
f00b307eb51abf7fea37aa5144f0f8484841dbc69c2d049fcf3f713cb439fbaf

SHA512
82a1c4347951ffea12d30bdf71034e979954b4433189c5d56221fd48ee6da60c55841c14a19ed45cd5a77010c53b25b73269ca74930d0cd08eba6ff14e93482d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
7c0ceb5d247cbef9fe103535f1330bc3

SHA1
269093d2c441dbe20abe6b281c182d1698bf5fc5

SHA256
30261295e8352c5342c704a7e1f738b01b41ba77963cc6e4eac389d74d01ea97

SHA512
2b7afdbc4728bf1b4fc79b4cf233fbe1013fb35dd13fc3a2ef265b4f42f1222e32d1ff6a1364f7e82de152bfc54002083f1d5e00ae5b0e748f9c616fe0824129

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
c0b0617ca0111b0d538b55039ecb64f5

SHA1
5093374297b223b899c373285ef23671a89ebd31

SHA256
b87150a26d069113cdc0d563eadedbdb9103cfed779882c946af1bf0300928fa

SHA512
e5da67cf7f664db290cfe3136d88242421116d93deb876a6b8cde651207d5e65e50bd2166fce110ceae60e39571e4e4e4b033a17150bb5f6af9b75f84c23b014

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
56a75e582d8190f6d109feff02c09a55

SHA1
e7cb0076733e086a42a65eb9475c783dd6723cf3

SHA256
f3f6698e020058f077cfe6877dc3c18cfa138003cd0d457157a741b7f04d43f2

SHA512
52b882770c54639f1d7e2c951a8032c20def013394ef6fbc0c3726fd9c32ecbeb6851ecd1a6d58f944910d952c59425e42658fad80d75a19b6aec3b83bf98152

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
51672583fe61a74fe1ead14c296cc162

SHA1
c4fa7af156e76573720cef679b5e1cba07d4e51c

SHA256
459baeeadd403ced1905b4ef6c81c9790c5038ee34ce9b97b9051ae3e6eec5b9

SHA512
6bdf2761937e2f1904fc2f6e58b68b8f924c2387a9c6e29d5ebc70e6bce470387bbff5f9996eea03a412d9c2673b43c785b40e5a485e7ac5369f49643d1433af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
41e13532c8fda9e900592eb126dcf770

SHA1
deb523289dbadd5ecf7a7b62dde66ded11b30a47

SHA256
c918240d1934546d50eaab4fda37e06ba52cf55e0637221b305cc11d243382fa

SHA512
e768e9867549b46d50ab07d3f52174fefd84fe45c785729995f483382d69145bb5a03fef890dffe5c06d36ced46ab8f2499bbb9af4851d548f88aac71911be2c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
c4f46f55de177a5a965786a419d266d2

SHA1
340c39e4f3a43e5ed86a998a107cc270615e2508

SHA256
a5f8029daf0c57eaf7154a848ff0e67f0cf893a90257fb36e2dea9cea498ed57

SHA512
2a8c2ddecfb675b23f63609473e8bb97089e702ccd2a8570967f2ca7e23f453d668bbb5b30c772b56b8440f9096ebed84750fa4e062cc8655541b6497e72e56f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
05311ced486e685e622b79d710fd689d

SHA1
74b86aad63532af635bc7f515d7ce47ef4b0714a

SHA256
139936fa33b4611c2525cdf1e1d4f57ed084324957fbbb68cec3f783e117f9ec

SHA512
cedd52b8ecff7b3055e37d7da09db7367c7fbee3d0e3b02acc3cb9fd7b5f0deaabe212243c209f638bf662ce97c075706cf4e0f9364f83441b3bfaa46e9f8668

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
02e57150b48247591225a53e60ede8a5

SHA1
4ec31b7a093743dfe7a91d503e86c87cc1e6e13c

SHA256
ba1062ab72f9d9fe3b5607b79a71cc6b17674fd6b8ff46e080fd821ddb6396eb

SHA512
cfc0d03479188d57bfc2de29ac2c864f42bdd108ae67288184b4b9952c3e8f526b4681f4a480f4df460b2eefaae3c2ff1a46b49ec8439fb1f641fe2614d7e89d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
93fd68732920695ac68a14c3b8579b76

SHA1
1cda0e81b0d6b38c4a3d6f11e59e900e1a9cb737

SHA256
9379fde08883e065bfbca9d94e3d3654cf86247ca629fd55c6e23386ccb32b21

SHA512
5fa9cc3dcee377fc83176cdd2ba90b962f3e753bfbc551ca062372d32b0e4743bd70045159438f93846ea0834df0601e9ad7d9ac1cadc34bcee2c091bf0da19b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
0083a9612b25f3d73c6ed4573c7e5c47

SHA1
02b5c54191c7fd16bfef683f00a195191bd85fbf

SHA256
0523519ff0509edc12964c0d2e232efb69c556219d18252d6c8e4d099ec515a2

SHA512
d6a474baebb50324176a611b10d6bbd5bb7f5d3c0632c957c3d6c3627d1768ec4b7d3cb19bf4daf1110bdd67ddfbe414519e6b7733803d4b05aa5234d09fde3a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
5d4324c828d2c550de25883223635752

SHA1
48f3a783584f3fb69610e3227cf6a02ecffbc10e

SHA256
69f3cf7e54cf28fc222174fdd80cdf42024b7f95cad89f2183c1056b22bbe0f7

SHA512
33045f01c29aeaaad1c92836e6b9b9444fb88db32748efcf2a6bacb917b9a9976c27254232a3dca7939c7a5389f01356da20f7e1500e334ed6ad439d023cb22b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
3fdab1fff0b8c6f4deb1dcab3806df13

SHA1
2e396bb5517ee1067d2736ab5c2b48a5f4fab9a3

SHA256
c92e6b86aa8b729f698e551df1c1de5d34d6b0fc0359a845ef68fe9f7b23630f

SHA512
2bdf323980074b7c68ccfd6587ad378c7ba22a997255e3283d8aae67eed63fd616d7df3cb159b4d438ea38470ec33824c5abc2a164a9cacb73eab30c0d462e8e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
29afb79f9f745a70ae3dc62665a888dd

SHA1
abb8cf627612eb9c358aff8f22c00277fd81c9d4

SHA256
c8ced006d22a9cbabe2fcff58392e2210ae953d82fa7af17437244f81d816965

SHA512
098b4941a78935933710b45f512c0badf541f5ad24bb096906d71ce73dea44360236bf896367ee4f9896445d0845c462a1418c646896e1bf0dfffe780f896c1c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8aacaf93680b003cf9715a37bfc22029

SHA1
23e92d67540e70e1cf96ce3abd5872d4e64222d3

SHA256
fa23a6db76921598034f542ee362c2492a17a5244cf9a47e9af5e2673f650633

SHA512
859324ba4c7c4a8ded2f4754db0b1c9f0d4ac8f54efba885d11c56b1dc4c78443711d1d53a095af3d0e6455c1929a5e797f9553fbfcfe23a71170b2ae420b94b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
86bd4ac12d405a8ad2ef1b2ee753de2f

SHA1
1bbb7d9a278271db8751386e0d46b5843d223d61

SHA256
7e51153a2afa3c559fb32188b9d81535e0aa4c69fea48bacd17af05bb3dcb128

SHA512
41f0c607cc284beb42364610d1c92f16c6740ccaa9a168844f5d4fede30121f81aa55eb997e39b8a8952dcfe9848b8801ab01d307e652e2d1c8f53555aaef854

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
4a3668968b56c51c5d793db0c84950b9

SHA1
81924e7d44d16e1d1197e484b86e2a56236de732

SHA256
15ce2eda7d419c22a614460a9a9c96933aeca4b53439d056ef551da12278e829

SHA512
32765032620b400cfb6c31861f483f7fb9eeec8386850d37211fd15506adae5bb8e7215480f8805a9500e9ed53b30ba21bd979eec4e13aa44f44ae9c49636dbe

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
60b0bac94d7f2a19ffecdd2ea9147982

SHA1
a9137a5fb754b0f7f5da5aa0ab283c933a4a4264

SHA256
2fc72a0637673b008a5fc70df956a350d83d0384411ffa2ab1e67db773239e69

SHA512
b4fb505acfcb6da71c25c4985e7a83c2e574a0c47f77570ce1f9cc80b668d25ca3c9ccd33f7aabd51322fcec3631e2750c4d2b2e8a32f41e73ba6ded78223f37

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
e4e91baeb8d550ad64c2fa7af631b795

SHA1
dc0e4a39f9c8c371b80f08fe5e16c590b0f29184

SHA256
6cbdca26bb88db147081b894794a03bdcfa7283f29d263f701f2993feefd07c6

SHA512
4502d636bfdee3d988dbed8b07b165cd417d2625a57256a336163c59c3a4b277685f69d326b92254ef4bd19008b7301b535ad04b1611bbfaa953e645d5d299d9

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
48f7cf0ca4d2d35e42d8ef095b749b71

SHA1
6a6855835fae02960577263ab9628a8a3ad5139f

SHA256
fc308e964bf6fe268550258b30b053287422103a2ceb6a589c532427c853546a

SHA512
41531ba567746ceeaf63c26002468f56a09516e5d4aa23514fdd82e09a5fd6b3dad4258330b2cb0d8d31596aa06392745bae4cb82093c4d1f4f9493f95bf0c39

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
478bc7fb1e62c56eb647f0b389ab14bf

SHA1
f15aab0f22d2fa8c223df1f1364468136c39eb41

SHA256
75b709a30c0870ff79d3d09b08298374a1127766a632b59d90552606b9a9a8f7

SHA512
6649bec4581a1cbbc62ae53dc9ef41c100a9740073101145e949e66e67ba49003842a0f07febbed19cee7abb3447b466d167eaad6f74ab2bdba23d4efd8ad91b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
fae7417dfdebd87f7a94775c73e52627

SHA1
1d418e20238fb07c220c4fdc444567282f896f5c

SHA256
955a23a02a001ac4b838483fc71ca9d0bfcf4dac10f9c3bf0c1fa5222a4c464e

SHA512
3f3ce0850058270ca4928c9adb319ddeb93a8089c4c3e4e4811281fd7eadd213542257c00ec31eb84030eef8e170067858bba46ac4d4bf173a57a3a5ebad81e7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
016e89f565747a7d1a7b3a7d8837ab62

SHA1
9964c197b04171916c6360f5970cd13eba3c9a2f

SHA256
6cde67ef60a3afc121a4553093f2815259eb933ad7616d3251bf1fa6678d38b5

SHA512
5718ea140f2f1657da81a12afaaa8427049f88f50eab7ca4f605e6ebed8ef82a04b4fb2bef418289d1486766fd7931f768b7e20b626823c3f48d64b57609dbd2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
53fbcf4223a6faaf4067f1db44a04bf5

SHA1
8a76614ea63beea032045ae6acb382b3b5beff88

SHA256
c503ecc783f016516208790f1dac8c144f9312386b382ef3027bb39162178d27

SHA512
c5e8a1872aa067062031a6dd6b5b9f5ff9433cfa53264cd1e32140e8618f9560fcbaee64054e4e86258391ecb96e59a39a5ff92f6028283bafae68e7486885d4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
884cdb8fa3ce2aae101da048a2dcb65a

SHA1
7dc51dc749da5c536bda245749780417781d0a27

SHA256
4c7f9f5e4fc8806b9e55e912d54b7074fe3c2021c14b89266a8524b6d6d6f404

SHA512
6479bb4600fe22969897bc1f7429580f96761790157984599f1248f6edc2cf7082c05b13e8190979c4db6a6cb860ae6903ac460c3ba25f7f65c0efb8e5fdf8d8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
713c82ad2b2d4a6b6e3c48b1cf4bdd04

SHA1
29d8b517438eaca2542defec9e2a997377eda98a

SHA256
9b33e31bd4e9e77e233f2dd68e8de4f3429c595ae8289c278f88faf1500c2798

SHA512
21eaa5118f68ea07b6f53bc4c018d60cf641708737b5c0683d2d73b9348b6433faf69472cebbd8370a5eaf9fea6cf296c2301fdce2817008b338610a7e14d234

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
27698a0ac195829f55586586cc6c3812

SHA1
c96d174e7a88b9892fd938b869ead305b3b1e25b

SHA256
eddef17a6563c1013d9f9de7face2ad059e76529daf0b132dfa2ba66edbfee4c

SHA512
609c9ae7f85a696686fd0738771e387f1bfb3125f8d16ec0c2e7890f49118f2fa559748926de10591445789cde7877ea78dbe51d994b184be34336be24a6de32

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
435a7d0a8ffb995138b68ae1b83b0103

SHA1
6d58d94d2588688f35c0eb74c4f5ba7efc50c091

SHA256
eb363739f1a3552750c219cce7c3412ab5f437ae1ed6cac3b53adf5b0620a232

SHA512
1921f0b80bbcc5019cfc4993072bc7878d9399e84cb20614f807e18f45221c7d44d21fdbee1e30df8cceb0d0f68f0091e49bf1865eebb575ed757d820326757d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
a4858bdfc6a8c2f77c7666b9cba76f0c

SHA1
3d6bc50e18d155c41261435546c028e9bfac5d9d

SHA256
524d28a45b8635deaef0e96cbeb656e30e3c2a3089519d3c0b87ebfe1960c4de

SHA512
92d56756f47453801b0645769a4590fcf2e03847f054f65d875c2c6e891c34b7b379719e8096a804a41bb5e9697fa19dd7e2af79ec1430430db5ae9214140b66

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
a99b9c6bf5d1ff63d1ac0ef972e463d1

SHA1
cda93924ae927936370cb338224d909c9de810d4

SHA256
975da1839bf8943614981938dd62e2603423100c58034fd45438296666de30b7

SHA512
c0dfa3e41fde33b016b4fe82346108f81c17b793ed0b5e802b44919e88bfa17e4adb872aa9c8a4875f6d9c187b78d4932352857ed2fcce63f6b18f17c7e2e219

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
5989bac9a43cc4b5b5a22de974f95d99

SHA1
71f274b84f02eae83c2c3c3af495fc47a61c3ab9

SHA256
af2e8600f159e79955d860a1da9e8b1c62296c7a2489a99eb2ce67269f19df5b

SHA512
ce8fcd7591a4385cc75177d494ee675efbd9be8beaa123950b0d186162c31873fd64b0fb0e3ffd8cc802c5a7be536dcf6df553290be966c34bf8d9a6c9b6ebf5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
7f56946d5a45be825cac8f32d9c4ed67

SHA1
9331a7d122f83d6928a887190ebebf963c77ac1d

SHA256
5902ded570dd007f8273b7093b81c2fcefcb1432566adccbba01307e205e6a8c

SHA512
c50a9bcd709c69370cdfd8bfe7a6f551f9522b53f232cad445102b569a5ac046a42ea8185a69e0478fb1497ee830379f8f49ac54a10b0b0027136e66f03798db

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
a483635c4f2b164cd6d857b19de47df5

SHA1
6d477f60dc4f2f225c51945c05a48ceee7b109f2

SHA256
2cf68461ee0e380cab6054a0f2c67851ad9de5f32e60af00c8817090ed2c5268

SHA512
12b39120d0995b7b6c74e4bb6894ed8ff9a01ac504b0adf3ac4f030107e7587e45b2cdeec5660ded42569ec126ca2f13a392f2c8dab5b10bf8d85a5c62f9c22b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
70407595ef45b9d275e15ed51c5eb31b

SHA1
8fe998aebd97ebeb0b9c62d6e3f9e8c6fe254c68

SHA256
4b7ee53c74631f9955b3e3ae50ad28628c40b7ce412a065b5bd39ee98af7b03a

SHA512
d84642363f4a263bf532a19ff685c807784cf67eb5d087235d4f7d28fe1eadddccd846f6aca230001fd0efc2e16f4aa1fb944d581696c694317db0a23ba1f5bd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
f47a7af6d65bde15a1d1dfe16f2d0ba0

SHA1
012dc88e7198df92273c9a2930aca779ff1046ec

SHA256
eb238989797d4ab61a029fbea8aad931dabe65c808c176375df08d201fbd6004

SHA512
a397d14c10a2d601f89f2401fb4014145b5c188d19068603637aefc388a2aee8f160f5b7d7666eb3b1b424bc4bee0ec8c33543802140947eedb7ac94d18b7839

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
387367947e081b8d0f0568788b15183e

SHA1
c9244514aec2cc2b5edc8a5ee14bf3af5e4845ea

SHA256
a5e577a92dda957cf77c30496e705a1c9bb31596d0b591e30ed89e609365b5ac

SHA512
63b10e9eb91ff46289b15e29d084f22a9f4f604ec4e750ea9d5783d46c6d10f0325da6a8e7f381181517b590c1488f12d7b09b003d14d9e02dba808c50b26bff

Download Submit
memory/2916-7634-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2916-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2916-9074-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download