xorist | e6acd52fed1ec9c49673348d152d9b84a2f06614ca75b20feb2939804f04a521

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-10-2024 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
Size

69KB
MD5

6afc9ef212bace7ccafe1832cb1cc812
SHA1

1d8b9093a70e37233d71f31d6787edf8324d475f
SHA256

e6acd52fed1ec9c49673348d152d9b84a2f06614ca75b20feb2939804f04a521
SHA512

2809b78ce5115573ea8a9f6b23547723f55b4c672ceae4d0353081d5bcd05d6061e51df814e0366f9435bebbb0f10a8a4e3a567ee86a6ff7c3cf122a64703647
SSDEEP

1536:5r4/tfLJmXzHPl9DqBLP2cY2z2MOjpsh:5rG6r42Mq

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2904-9038-0x0000000000400000-0x000000000042A000-memory.dmp	family_xorist
behavioral1/memory/2904-9037-0x0000000000400000-0x000000000042A000-memory.dmp	family_xorist
behavioral1/memory/2904-9101-0x0000000000400000-0x000000000042A000-memory.dmp	family_xorist
behavioral1/memory/2904-9102-0x0000000000400000-0x000000000042A000-memory.dmp	family_xorist
behavioral1/memory/2904-9103-0x0000000000400000-0x000000000042A000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2203) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3FYu5Ng3u0d0Q9B.exe"	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_debuggers.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMETC10\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr002.inf_amd64_neutral_b4ea26a49ad66560\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\xml\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky306.inf_amd64_ja-jp_97f0de39317f6837\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky302.inf_amd64_ja-jp_dd74fe49601b74f6\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\Microsoft-Windows-TerminalServices-AppServer-Licensing\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_WMI_Cmdlets.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_script_internationalization.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_operators.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc8.inf_amd64_neutral_c93e7023ef90e637\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Break.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_WS-Management_Cmdlets.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmags64.inf_amd64_neutral_e68956e24e287714\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_do.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\image.inf_amd64_neutral_4a983035eaabe2f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\slmgr\040C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_neutral_86bb50f34c49ae71\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc302.inf_amd64_ja-jp_64ee91a0bf7b132c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\unknown.inf_amd64_neutral_5eb6ac70dd1a3ad0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_command_precedence.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_neutral_1cb648411f252d13\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1236mk5_ibv64.inf_amd64_neutral_b81bec917adfaea5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlasno.inf_amd64_neutral_c86d5b5e5fa8b48a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmpin.inf_amd64_neutral_2415474b9db0a888\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\slmgr\0C0A\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Foreach.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa4.inf_amd64_neutral_6e97842bb8d9e6a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_If.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2904-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2904-9038-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2904-9037-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2904-9101-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2904-9102-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2904-9103-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15275_.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01242_.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115868.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left_over.gif	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\HEADER.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\SignedComponents.cer	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21482_.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21370_.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_OFF.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14755_.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15302_.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51B.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\THMBNAIL.PNG	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21480_.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115835.GIF	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\logo.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-cttune.resources_31bf3856ad364e35_6.1.7600.16385_es-es_901da9afe8195930\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..k-softkbd.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7a71deba7f23fe38\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wlan-dialog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_829a12b1c18b4f88\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmmetri.inf_31bf3856ad364e35_6.1.7600.16385_none_0c74b3dc07900de3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f86c44a49a61f132\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9f72475f89cffa63\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..peeradmin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_719df0580731deba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..rding-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_caabc67d61c8d93f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-msaatext.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8cf8b075c8953e23\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-components-jettext_31bf3856ad364e35_6.1.7600.16385_none_067df6b907b9fe71\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_he-il_3dd459ed9f63fbca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bits-perf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_94657074771e9f6b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iscsi_initiator_ui_31bf3856ad364e35_6.1.7600.16385_none_33e01c5875c2e5cb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\NavigationUp_SelectionSubpicture.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_it-it_a5dd588057663bd8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-uiribbon_31bf3856ad364e35_6.1.7601.17514_none_db578bdb5e3559c6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_de-de_15cddf79c0b60008\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmarn.inf_31bf3856ad364e35_6.1.7600.16385_none_36c04b56b6587575\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..omplus-ui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9732feaf635ba983\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehmsas.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b85d0baafd3364de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_70787288cf854a52\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..nent-sku-enterprise_31bf3856ad364e35_6.1.7601.17514_none_a381bd793c2342fb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-ux.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4b72740bfc1c815a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_04846decebf43c4c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_3e69140a61f1eff5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..reensaver.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3f7db19deedfd00d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\Globalization\MCT\MCT-US\RSSFeed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57#\5685d6d6ada98c8dc25bb505e6421fd1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Ref.help.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-runonce.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a04905f5ef78bfe2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnrc003.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e0fa00f1a02166a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_725857cf41f74c3f\settings_right_pressed.png	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..tbranding.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_b35229a5d28ea585\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_40e59f17fbfe3781\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-privacy.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f0b8f2ffcb847ed1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..onservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_67dbac01c72ea261\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-advpack.resources_31bf3856ad364e35_8.0.7600.16385_es-es_5183c763e1195ba8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..up-wizard.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45ed3fa07951124a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-diskpart.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cf0f5fcc4a71438d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile37.bmp	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnca00b.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f1598547509b529d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnlx00c.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a6aecef07b1c690a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.regedit32.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_dc469ba2affc26b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-logagent.resources_31bf3856ad364e35_6.1.7600.16385_en-us_df23a1b9a7a8b3e3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_sv-se_9f7243facccd99be\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-fw_netfxperf_dll_31bf3856ad364e35_6.2.7601.17514_none_bae87b3630a3f232\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ar-sa_f1795577af1fbb6f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..orkcenter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b2cafad46d666e76\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-regsvr32.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a5c6981a8c785981\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wlanui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_55a1ac78011ffc90\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-efs-ui_31bf3856ad364e35_6.1.7600.16385_none_5269b9a9a14782a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.1.7601.17514_none_d4c5c995fb3f4a1b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d2d.resources_31bf3856ad364e35_7.1.7601.16492_it-it_7360d90cb6ce4802\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n.._service_runtimeapi_31bf3856ad364e35_6.1.7600.16385_none_e789f0e67a8cb67d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_securityauditpoliciessnapin.resources_31bf3856ad364e35_6.1.7601.17514_es-es_9a3d170402755915\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1a2f0b6630a66a2f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-c..omplus-ui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_253c597282301dcb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\7073e12b4c349a6ad94522e465e4f4ed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ent-machineidentity_31bf3856ad364e35_6.1.7600.16385_none_5c4d6af71513f669\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..spp-tools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1187dc0b62b80795\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-credui.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c00c27bdb90841b1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-basedependencies_31bf3856ad364e35_6.1.7600.16385_none_5e96e36b42806ee7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

Modifies registry class 10 IoCs

Processes:

6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "RVNPSAEHKPFHSJJ"	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RVNPSAEHKPFHSJJ\shell\open\command	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RVNPSAEHKPFHSJJ\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3FYu5Ng3u0d0Q9B.exe"	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RVNPSAEHKPFHSJJ\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3FYu5Ng3u0d0Q9B.exe,0"	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RVNPSAEHKPFHSJJ\shell	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RVNPSAEHKPFHSJJ\shell\open	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RVNPSAEHKPFHSJJ	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RVNPSAEHKPFHSJJ\ = "CRYPTED!"	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RVNPSAEHKPFHSJJ\DefaultIcon	6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6afc9ef212bace7ccafe1832cb1cc812_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
461B

MD5
3906ad032abd920d98c9028b12df882b

SHA1
7b95f2d900381a37a54055bee6e0e2fba729a21a

SHA256
29f0ac8b3b5a180c991015cdbb8c5986a70bf35ed8f3773b28bb7971e2b0fd79

SHA512
d6afcc82a85a2876a50cff0ef43c1bda2fb72b857aa9c88ebbf880b10fe6a5f4fc88a13419000961a8d608480485bca6209909b52c2db68d00eebba322cd8945

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
49a09de7806f3cd29d2c02f7459897c2

SHA1
fb169034d1e4e592239715e883d33f2b6f41943b

SHA256
335b82e585ea38842d9e2df4cf3adbcc26cb598fe58303cd97858ad20c715e09

SHA512
8a5062be89b4041a7adea9c0f2cff1e7fc38b514ad035fec3bf56c377204cdca7816aead8762a1ed9bbb03f9158a21a505780472baafe0b65882fa68a1f6ca34

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
7d707f6887b0fcb3221dd2660c2ffb9d

SHA1
4dfeb6d695e3b0b0ccf5d68dbd949516b8748c24

SHA256
23b1291d0c929471f4c63762e48e4a0eacaa613795d6d87cb1cd4730bf211c4b

SHA512
980b8b348d9ec18cc7b250d8f112447f3e128639caf4fd17bd4f937cc60655706bdea8b985cc2a7c38593ede5d9ebd3ab01762c20f67ebdd9b47793a64022905

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
71613b642f513bdd7e383cc56fae75e5

SHA1
3d9cf3e0f39606cf4b6571276a5bcf8dc24ccbff

SHA256
87b3167042a131717bfc26e5d3d34300d488d7bc0a071ceb3d2cf15b28880270

SHA512
61bf0dec1c9af623e0ce5065719a41a51354dfbfd83f2be5e0f89c17e2b4fdef3e6c9d37ef6f6d69b5baf7d82e8ac705371d1509d7dab7be0c8d62b5cf8f7277

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
44dbe451fbb683162f3e00fceadda12a

SHA1
8b967b5f5d2eb7f372e9699497760932495e7dbc

SHA256
6a1fc85558326b6876023f5b4d278f411d44f5fc2780df12930208be69ef5d73

SHA512
0f6f17694d4ae0f34ddc7e02c95b358a602b401889afa32d5ec4b5b93f69cfbb5d40a2471967804276d0362e0ee1825174b80f0f2180387ddd51a53b9303a443

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
e849ae5d8f959373d872b1cd150c3db6

SHA1
bd59ea298bffe6198c50b0abf254eb027ccf79de

SHA256
7b09833827631136e47c2d85a9a7d9c53175eb65fa42da408347ed5f97b23b4a

SHA512
9c12d2b12197fc933b737b0ff8dc4b0a89401046db138c11e2dee085768d4f119f3fa6d47159ec212a13955d5f32243c9ddf73c1a58ab26fb22f80f87dab53cc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
802bd81064f8eecfbddcd244700215b2

SHA1
423e5e659c42a581194f89b42af0e4a48bafaaa4

SHA256
46128d44080021ce5e9f1b6d03dda235958bd4c94960608339d037d0eb9e2326

SHA512
c32b9bc9bbc50eace73d448c4764adb1b1238b2234f84172ea87685e2a428d476a981086655c1bb0c626dc70072497b91073325083a96a785375edffa0649de3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
9ed6639ed02c09d6f1d54944c8e6e170

SHA1
563688f63e5eff7a8a4c1f1c1db57f4bbaf3c593

SHA256
00b4ffcf7b7b1078b22dd80c6000dc47030de08153c59d9d905755d8b8ca70a1

SHA512
176ed6ec5f8247a648a8bc982c0418876778a036ac32edc3152775e56bc001c7a1e6d833d0af2b1a48dba683739b0834355cafd2d61e39c7af1e6e8f709d8e19

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
d0873e7bb289adf4717fe6193259f5ea

SHA1
4c9cefca262c3999715734552c9b2809913d118d

SHA256
96fc7a34943f813f0af015add2aea4f6de3004e941bd0207a4c0902512bed948

SHA512
e6d4ad6e4cda3c20b581babb95756b7949649d4066fc7343eaa2f7e0d0cac5a7725e055ada1f6443bd7de48107b3fe96faef00695ef3e753afb138314354ce56

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
8d484ed3b5a15eb50552563bc806f0f3

SHA1
f078fa4bb420388979e2b191b9feaad9af74b93b

SHA256
b824a7f9e3f38cfa26f1e53a887c257df35a875b4bf4f84ee664b43047501fe0

SHA512
3a591ce0c968ede84f0bd5f91ce33ebf8bbc3a704fc425908b15ddef0addff1fc62775204cc6bc53ee095d24069352f685634e1a680c0f922f192e58fa1bbf91

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
7a2023db6bce671c1d302def40b8a3ed

SHA1
9b387007f30d7e9518716278e5222c7f7ed721ec

SHA256
41d16b23812e49c926d18d32f2f452a610cc4f2412a2bc5abfacc976341ca36f

SHA512
f52c0ed1f18ccf076df3801240c968a659770a74d0604bfd428a0136a9319d66ca3e150dd3fba3661e21e9d81218ebd00f5a1984e3812fac09ca79fb0ff4a833

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
2f4a178d87f004219235dfc47e10b3ec

SHA1
29c317de6346eda4f7eabc9e7a78bfedfedf9339

SHA256
a6b593e161cd8fafa3f3c9b6c7281bcde0c7b8bdc84e5d6fafb6a73ea0b0c9ef

SHA512
a11f9091922f5d94ca0d36c9757c5dc08920829f01a67e695aaf5cfd3c0d950c546d10831f8818becf7cb4370b88224edbbd3b483a9b75b830cedc19a1029ef4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
a9bd5bc72595d25f0c53930ab538a380

SHA1
ab14632d844ed1bfaba066f5014a29a959c74a6b

SHA256
ee35712ec8a137474008543ee900da60df857f0d84d4d939e7cae6a7fa658af9

SHA512
875097a760f075147e47df566b7fe9ba3eda6a79e91f9fcdd4c0b24802d7273a986667b78a1f2a8ad4426344654f26e91261f7a91f32517992d73e7ada59a851

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
71c8429010ad401dc6a84f3b842ce5d6

SHA1
ff6d6328419744b0784f51eec79de8ac1b85e0a1

SHA256
9ed2fb141287f46bf9d8ae7a0bc1aff3981a70208895a8a00aefdfca88ebba3e

SHA512
59759a476681485d24eeb394a0504f658c5210c2d7d29dcb03667a79744e270cc56801f58fef5fad3fb022f57ff41bdf6451aa1f547fc8fbc5513b5026d49968

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
3aefd8de61f81db2ca6d7fa7a1f6f0f5

SHA1
0f4364f8d29ac80168aba2a95a6815c19e215b4e

SHA256
c89bb869e90a0d85307852cb6a3a95ce1f77b4f143dcb9541c13eb4c30149068

SHA512
3d7ad06f4e8d3aa7603fc2dec592e3c7c515af663eb0458739723a9a518509e59fb2db27f522ecb13583617f226058d4c44cabdf860ef9d7730858c21548384e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
6f9591e81e1f010ccc779bcd3e75bab4

SHA1
5bc7e7bc9ba4e882fc1df081dc8272ebcba02059

SHA256
da310784e9c8dd0dff9ac3755f91d905df344eafc3502890ea4e5ba407f0ecb6

SHA512
4f09f4157d75b5173e5cc52d771bb8cef235ca7147a24ea47e5d439dd57276e90ffb12e86e76b254307cd3861328f46239aa9c9c65cab85939a0a9666043bf87

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
ea1abe020d766e4a75e493ca7bf39d63

SHA1
7bf0cb270a8b9a5fed19570ca409a49fc7cc90e3

SHA256
74089bc8b5c989854b60f1ab4658bf3406c893d2aad12c4767c395b208839e03

SHA512
cd682a84f333db24d09569b412c31c1e88f63917e72228038ed2c0504958d2506764177846e5b36a6f818b4b6549401f3834fae8e6a42580115e974d7e8f0379

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
5bb6c66777f2c92608a05e39789c8bc6

SHA1
76d86803bd7de7ebdd60f7b84c3f7a352f9fa404

SHA256
4a3835332be4ebf98d1e1998f04ed98d7db6743c2d943fccb8a66cd3c8c34b34

SHA512
c61e495c6a18aedde3d7bc38195bd4fc9dabeca076940217b75b6a17c25517eee60c349e0b1f55c65b20650374d956a5b16db8c2247a643d3910d9e6f7277b4b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
e0fab499fd2d0e4c5926ba6a065242d8

SHA1
280d1fba4f54b72f40824bafbb097fe18167ebcb

SHA256
ed03b26abf889546217072e3f6b68c1f5af0fb5acfee71609829ed7388031895

SHA512
62ff326d02115302730970da4b6be7505e15777d9757980cbb09662a25b137919d62becff549591bb32051ae6749c21201c00c2871ecb05710a20f43d4a7ce53

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
88ad5e00f6f864674c96fccd98594f64

SHA1
aff6558010ecfd9fed935db9343ddaa74ed3539e

SHA256
d41f609a40f84c287a50b0e0aa46b1028d6fd5913bfcc2a730efcd0d2e2c687a

SHA512
c4d41f33efc2613beb1635f35fa2cc556152e52d2a9aa653dad8d8207c6cdf93f94078265635d6778ae761f77828127510104674ef1dd0edc661d0dc5303be39

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
0bc3620ab7224e109a833035cac0692d

SHA1
4681c375fcfc673f6281709a69848202adb8de95

SHA256
45cde4a3324ece44bd9d0611866134fe2de689a8b96389850b43512bcdb4fa93

SHA512
c7e1392c07acc8e4b9de9450a0111321f371d0575dab247f55c6a70e67cba266736872d9d8fec82ae4a78dd3792e5564c93dd9ed10f698c82c9055c153191d09

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
b2cdd283460859b5684ccfa0ff148b22

SHA1
02af28eed79d7e63448fbd8024c7ab5ec6f2270f

SHA256
a64de1203f3ca9c7d96c17266b7aab5f37671fdf163e78abd394379773a602a7

SHA512
2a6c5104e9c5cd83a38bdcb722fea35eb4da5097f20c8d128f92f02672b691f4ee38d07edf1bb3c7db4149687e759a4c6c184624efc5e0b8efa145ae33b79712

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
a82e8f9c2611177cee7f4f28e924d925

SHA1
d4cb507963c86180f93cfffd3f945767a9d87af1

SHA256
4e83e0cd861d31912b455ef2695279361553485b53c04093d7633c305c5010fd

SHA512
a5e97e65c912423f6bfd259c6620ffd64bf9e2b78285b9c6308ea971de39be1d84cdb5989ed3b4002c9552df9986069f3fb158a4b4e3ab851c2950d0bf8ff613

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
1da7039ab2be01c113c25190dce6143e

SHA1
626c321a30a2993b8c05c486af292aa5ff67b81d

SHA256
089d26ecd68392987e705fe8fac855d0e631a28a4885ea6791782fc5f54a1c37

SHA512
d5ba6d2f93534bc14f9f869e55cb8ec9daceeeb38095d5ac8f083c6a5424d877355ae8c9cc384d6f7c9f537a154417dcef02b135441fffcccac18e559779778b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
53496eaa7d9ec6eec106af13f3c8c4cf

SHA1
8dbdf70b29ae1ffb1a36c491f4d6f0c1838bd430

SHA256
645621569084ee91a9f90b7f94498881c99cd45a523bee6ffce7d6aebaf96962

SHA512
2c141d16874f3166351e9a90586617b86bb043636b78eb1d279adc07df4dcf52c0e5817e83445476166bd71a808828c9f442f2972636c2b07a43239ce6fb818f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
73d207ff757e2d5ee5a9e3b03cd2754b

SHA1
c6d0edae1fc8dafcc240b98c24df66f28cbc8591

SHA256
b82fc92471b4c2581d583d5bada9cd586b78b1e9c0553aa128b7aacef6f95115

SHA512
80a15c2bad5686a7fd67bde71e0e593623a497efcc6300d3dd3fe3087db251f57322ff6e6aa7f57f2927d75de09440fbf1f6237052ab9dca98c7bc1944a255e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
59721843ad537be92fd36a55f2e58c9a

SHA1
bf333e085e6bb42a1d0b3147982eaa1bd33ef3c2

SHA256
1d9169e9173d8c92cf420a51664b435430fcdc0dec706203dd935e33010b43dc

SHA512
68768795950fb9393a455dd350d391198151294dd26853e9f46dc368ef5cb8813b1c7cf27194275b1a7aa5365fbe8cda9c9e94d2e97096692408637e7259e5d5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
7dba11655308588077758bdb8e00871e

SHA1
7dde016eaf6005d9bcbcb8d3ab6fe0489641dd4f

SHA256
8fb769624dbf1cb92bac88f2b23b34754ae440981a960d80828495a25d61e945

SHA512
3cbd76fdd176f73c22891c15b9cfd8d3590f9cff8fe699c69214c76ebfae48364d3c42a8901f296dbe494b08bc308a89d4cf4a5876e87b5085c057b584a41df2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
ac16f0294308fcc8e031d07ad8c9d287

SHA1
7257fe702f46cbe7dbc5db1c890e99687e634bbc

SHA256
5884e81a4ac44d10b6b3ebb038c0d8a96b932c389637873f7bb62d62328f22f7

SHA512
d3e677036b11d9b3a2535e638e350f260c5da914e581031dd766ab25e3b36bab4c1f33b61fcb077ebff62be16e04a10f43320b8a1813cc2660c054536fde620d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
a4a0ff7080e2b23b79bc4fffb4f1d35b

SHA1
3ea4ba1103d1b485aef8aba3ef78ef35904d1830

SHA256
e657af2ee27e11772ec6315fbafd11fb6de37656b4bafddfd0e18468d6cc02db

SHA512
92e5f050ba2bb4c2a020e3e4a579c5fcff08330004a62fda03f0ec34e890e7ead89c4b556b599282ab5d375ba0f91d819dce4ad496e90d37fc89af3a4a82e793

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
cbda14f823ce731ae83a92a72f712287

SHA1
f7f43d1bcd598bbec28013d35eeaeb80b8bf44e5

SHA256
1b1d56179833a81237c266ce4e0822368781040451032436c7b201ea300be091

SHA512
82c539745f8eeb15d973647cc1e4461e23e853d41fda9c9a7f05f42c4cb1cad526d6cc6377da2d1a5119f8b90d416a1fd61e7e405359c8bc802b0e75b850769e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
0e501be0fb2994c00f291a6eed8ee2cd

SHA1
9731b581bf713ab26a491aa439509ede7c003912

SHA256
43cd66f95c01400bf5d90ea622469bc43c71eb433f529fa58902d3a2fc55da5a

SHA512
8003941075408929df094cbf85e4250b9407ba400c014bb1263489b2a74c1c87240bcbd676b486cf1bcb9c4065629033553e90e4a15e30207dfdd4d350e7a77e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
a80cc61d29b706f14ff8559a1e46b2fc

SHA1
da7e773290fdf40868b5b25d4fbe4c7d6778cc72

SHA256
6d389ad1523a8afe057099a6887776027a1cf5e906713c51881b77ccc1fe2844

SHA512
5aa66b31cc4921ab9483f06d14f9f1e66eadb679e42670caf884c657f9c1ab21256ab26ca19028779a6653e3b36f65e31ca1aac0083ff3b230713ad2a1260412

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
a2322502e4cfd3d11b244b85c5ee78c6

SHA1
0e1ff1bc80d383bb3da0fdfe8e83d02d2aa72559

SHA256
b62c9de8e70a9a190fb7f8bc3030d413edc3ada4e95117e010eb0a2f429eca2c

SHA512
b46c54c503c64b2aabea7be069a0bddad685bbefc3625c65c03579263a2ed3b15e7e674158439f75de8036ae29ce55f970901a7ed9e9d39591dfedf8409839af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
d8a659fb0e340778e25a6fa63415bb2f

SHA1
f858b970b8e0779000a04ed41974df94e9d76bb0

SHA256
041ab256b393bb033ccb77bc8d291fff3825090089179d633910a7b3b769a2bf

SHA512
8931ca0adb59a3664a88f96d8c9f2f61dc8d1c0c0cea6edd43cd49ea309e583576e18cd58ca2e47d7b0273d421d669604b8a8db818824d9a906022ec14bdddd4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
418d480cbb0ef470a0d796d9cba15154

SHA1
d31bb8522750aeab32141756642487392f3858aa

SHA256
b2596239b9953237a24c97a630d006cc9635404e1c21e1624977f43fed4327d4

SHA512
4d85b2e8e17be5d876ac3b73d47ddda282184e4af64a9d5fbb4e7903f1fe110c8f53439905ced0e9187568d00baecbc4e8732cc9c789964973580b7289a271aa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
7ceb65b96a74a12fc0c9e1b46e633006

SHA1
095ea65252622ea271a35beb41f028177b6b5fb2

SHA256
dcb87668535c53ca60b2c8f1e873e525ca15647c0127d6941e1087d805ef2702

SHA512
e865dcaad09c01e082320ee3a192286199706a0d66a70185cb5947a1ad2ec8c19c3baa1152709c7f79b0cce3ff9f11649ee618f04c6c696d9bb11fecc8e140e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
60f6dcf5667d7766e7796f198e8aa47d

SHA1
c6cce6757d0a01d4f80a38815baeb3c1c60ff45b

SHA256
dd1a2bc3b89fa57002dfb9de8cf1851b6cc5706a7c733220e0606e4c09660396

SHA512
679604bcca728b8f84f69bbbc7d761dc13a7a7874bdf76363a4ec79c3b961c2bc65e03efe30d77efb41e5ba326b030c48b575333f6f822a37679e10e849386da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
f98a3e3cbd22a22f407f6ab00e884f53

SHA1
c2fe6ac738dc8b798e10aedfca0e69b798c3f42e

SHA256
81061372b09939c6565c8fffbd20b7af42dae56b44ffa548907b330f7a1eb415

SHA512
e60d64949147e023a81591f09a25e88974f56275615e54bcc99a22370c90241395b2037ac61eae40dc47a51667a60f79a3df7603b3349da40f9cf08cda087da4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
c45e56d42fd2aaba808cc8f1de9b392e

SHA1
cb1f4618eb8efd434f95b1a369c2fe61f02f1a30

SHA256
8ae8da006e0846b716618b3d207c8ec4e10fc129873d05f49bb9dfb826361d9f

SHA512
1905dec93e2567b0b63c74de80f32a518a1a468b6fc0dbf3a608f893a3a6d1b0364c37d4eca835e3c98898423e56a475a7ace279a8443a24fedc1718310121da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
9c6f403ae02759e1c83e115d189c5e74

SHA1
52d640283311d749f7ff567b21ce6ca6b300b7f5

SHA256
6d423c13c489a8fcc6c4424c22b1b5eaf5dfcf6d0552875c3636047e190a4497

SHA512
590e33114609ae4f2b4595a7fba0602c4dfe5d26de729f666adba89dbc8beec0235a79010fca6011ac708b65f012b7e71784f0f730e231a28e1a2710086f327e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
0af95a006c5693f496029348ec18e78d

SHA1
dcadcd78f34bfa89c52d514efaf09bf490f3b572

SHA256
ac770abac324fc322677025cc524bd9719f830c879221a69e7837a93b86e3223

SHA512
ea05ddaad3991be095837410fbb83755a9e65cf00292508fade30752813c8bb92daefa348e77906b72772b213389ab1ebfa19372ea967cf9ef3e3baf3a4f722a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
4e9b95256b96ca5445a87c61420720dc

SHA1
3eebe035584eecd1feaf081169d15edd41084b52

SHA256
64518555f1d8be8eb3442ddca34cf4092d19cca508f6aa4f65ef27bc8233a52b

SHA512
b702f1121a8e5cc778075370067a047556a2947b4d6f8d53e03293fdce46e72922164ba41a843d8b0cbb9721680f043136c96d6c3f33e4c906e91b2c656076c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
69ec47634b2d176d6436f95acb57571c

SHA1
2af7fdb5ceab848ab62b896171086068082466c7

SHA256
91ee2e5fd027776ffa5ad51a1d035be4974f32207004f80ec0a2aeaa7070fb56

SHA512
3036e9115084b4adb8d04b2be2c156a3051a5eb907d92b528f74b1b620b768196ff4bc5cbd74c6ac243a85ad82d9e352981b381c2b6cc2f44c1ad1e9bc27ac45

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
1cfa09603bd06f61b88cd1b277aa83c8

SHA1
c7a6a7bc80491da146c7d1f9e522f405ebba3520

SHA256
3419f71b55e65f9f5431d2cb0914d2d8411333a45b6579b5f693d4f1a37d1c55

SHA512
aaa8e34a26ab935897e17686ca5729f00282e9ff67289ef2714d980d386b454d2a411b1d372eb2019dc7106370e64af1244617cd9261a1a9680d4905894d814b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
317084a0fa6c9d3ac3731d748f335a76

SHA1
496e7645a9a9a2d14aaa35b8905545a56e80fd67

SHA256
5754aeb0f1ccfe23ca238730c9e24b3d5955c40730469e43e4e8cf87bdf4430b

SHA512
44b45e49dc842864c4529056646412643ac3762152161ee5590202b2009ed6177ebe0f86d720c2939dc3d27ae04880c6edd21599fbc827883837c9d158ea1b5a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
ada9d05c948e159a9a77ba5ee7371c4b

SHA1
6bfeac09f23247b1b765d9e70c0b3949685d34d0

SHA256
d8d17ee60952361ad3dd800905928684c715b422238bdf0fdf8440caccb01b30

SHA512
5e15e26ed635aedd7057db2781fa71ab123a2ce95a60119c9e595f0101a93af2b1ca844c98353ac63160974d6a7eed6b685cc8eda09d4303d3556b346bbc41f9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
2fac17e0a8e9a1495c1b09d695a794ff

SHA1
6f30002570c98c06bbd1f3ad0cee6bf3ef029eee

SHA256
80890dc959495c503c36c7ccd93ccda6e8784221b62434dbb6ae3085ddfadc72

SHA512
ef6fb1272ce98778243c335ee16990fab1d7512cfffb491c0d8549af4bc5444f4ec48df23381b075bf89ee4326b47951f02787d9af2a01c490cd618b2c4968f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
18fcc6908aa0f2502c54abb2141ac3e0

SHA1
e627c31cd296fb943afadef76e7c5926bf36ef75

SHA256
eaf544231522c7783b1085811448412e465a05ef9df115818b855da640719406

SHA512
cb6c71add39228c821bcdd2bff749312d72091547f9c0881fc425fe6e19ea77e93036c63594a969443fe717a1c08929aa67f94e5921c62f7bbac29a5680fcbea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
c974f3670d474fe79350678c8b9fee12

SHA1
784cf96eab21f824e2454adad856e32c597050a7

SHA256
f8483156234a81d517e228a4418f4607fe66111f34322a1df225f77af3da8b3f

SHA512
9f93ef7db2feda4dec11bf321252c1ce22d650c96e1face4a591559cda0af34fb82025439724c1ebd7bfab3ca5287ea46593b71cf802913dd683fad8c834e1fe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
ed607dcac7d90feb0909caf7da6b18ce

SHA1
7997a2a5363f2d25eaa88af05fd87621d25ee176

SHA256
295549a70e73af6559a0d97d25191d36471c2ba8cb16f40a8b4ea87724fdfd70

SHA512
7bb5afc450341fb63ce36715f9c3a4f33250593c2538873100c0aa99ea1b272d7e2db198b69d6786fa95bc53d9668412bf1558ec5f0bc777bbcc20d21e0aab75

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
9cbf233327067c63eb7f6c8f761f6f1c

SHA1
76d28aa7c1daee993dceabb1364c0f59b4963245

SHA256
7b2eb3ca6af0a0e78d365318da4c208b98b90549bc62f5e53d445a78e3ede9fb

SHA512
e3fb8a247ca975d1ce93a8e993b2d7eaa24c53dcd78a4edee77781211f69d68e9285c74ca583c29700e48e5d55483e8b75ad9d70cc1128a4eb4657c2acef3c93

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
42e9a0226e7bd1ae49126cd2bcaca7f9

SHA1
0c60174fbd26dbcdcea5faa0744d7a0b75e0b507

SHA256
e19ab8a6f591dfe3d03c56d6156d7d23d9dec2f5ed9e2e07fb06a1ff4c73e6dd

SHA512
b5e339fa1a9e56f4e76ddb93e92ee6a810b2c964a093f9e14b2ba4eaf843946283d5bbb33036b58c0b39e36e6d19287e9cde6a78c1ba74772cd7a7c3d31eab52

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
fc1c686b3f664b9b44edf6889ca4c222

SHA1
0aebbc2c783b4056ffd7f21474143520d2fda056

SHA256
3786a8ab27fc9c26c553952bd101fa34ddbe8013850b3f0de0c2a0a74923f65a

SHA512
d684ec1d1d85f9c3355d5d0a56f21e38192d7c02df01bfe539c26858d29a16af1daffd4a2f7cdd98907d989ffbadbf10cc5147002c1e08c8a2c51fdb3c31f265

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
c6906b465efb2d71c0a8433a9105d324

SHA1
c76ef48663076fce77c8f240b250c186a450a6ca

SHA256
56c47d142866abadaf3a719509c929ebfe5d33c03a3727a616efd70f42bfed4f

SHA512
1c6909bf78c648c02ba52ba5ca5ce7c123d3ed3941f2aa121c5c61f7126ea4e13820b7de6170c77f2908f2d7bd42efe99198376973ec4f8dcbb7d74f85b2acf8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
866f0d2f616ea848014dca608ec6b0e1

SHA1
62d2c850f24156bfa9b0f3715324fad92921d201

SHA256
9ae263f1c0d1cb945d692323a7ef7ae963d9b064580ba476366f600e86c9d7a5

SHA512
e1a772c831d8bb9966f346a3269a4845657a9083b495faecbc2c91de429a2e4e9e0304781e81d6d76e90535b7c95ade6f7aeef9b68f0e03359e584ba0b359977

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
1a462a35f4849851a165f3c9123eedc6

SHA1
90aba52e7bc50aec0b2d40d0cfb11a57ea1733a5

SHA256
74cc0a0f5a78c78b5085ed27aaf61ea845672854edd31e0e476d244402b36434

SHA512
18a1483fb63f99d17d4c5ed60b8071eb7793e83942ace36a6dbc694bbf0442eb8d647f55fbb9ab6feb8c12564f289d8255b5e3fbe78669ddfe5ff1aca41145f3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
eb32afb13ce13da5222efbf90716657d

SHA1
a702c40f4ccf979ab5b135a37f0a08c3db4360aa

SHA256
95c78952ca52a2419a103f09ec70981d3e3ab01f1506e2c8b648ad01279e732e

SHA512
add1894ad0b528764bcc2b7fbd25be1901be368fbce2cd8f1a8a191cf0a22f50b959e3e907b0d0b2d5b5ee9bcacb516dc39a0ff4196da8140f3992fe159c5eb9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
e50412271791168c2eb98c108c60e83b

SHA1
c58edb7ffa32eadcb94a6a1c7f84333eaca88f42

SHA256
b19466f8901f9b8f7e11be1d27382d810678b6e9c65f1991f3acef15744d9af1

SHA512
6bd2c9c5631d1d78575bd55c811a87a77668ce0877b64a45fa70719238d6ee7cebc8bc34d2922788a938a56e7e5b420bfd005ab4b2f80eda0d436ba244c603ea

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
38eb0dc87f6e5c34c0d3eb0be415ec77

SHA1
e9a488cb54992d5def91b9c91ccce27205a97714

SHA256
5b912336c3e14e6fe56c9f87db13e1dd51fa60d0759cd83ff75e1a6dfb45f8e1

SHA512
2bd4b589f0209134cf2236788af4f46c17c303987b2727465038c1e4407d5ea87d3be89d4680ae6ca9259f0a83c518035701c8aedbb5f9d05bfbcdcb7af32e63

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
13da3987bab812a5a5986a215cc2b167

SHA1
f037fd2065f40455a00e2a80d9da72d720ac41f8

SHA256
415a8cd9b80137c214016f6bf83a989a13bbf58acdbd1794e0f7391706e63309

SHA512
ae37bdd9cf752d77c6b59c804dc504f8d585910ba53a5624951ebf95759bef6af761c8e5035e47e0408a3aff32570fb38b1314f54f75d6ee37c3c049902495fa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
d24e7c83fc78f27e515afbc904358de9

SHA1
ff3d660d144031077f031a2fbb15e034b25ec79c

SHA256
3931afcc73e4a7d8bbe4592e804b1a2e130229d38ec699d65d5dba28cba77ab0

SHA512
20f748ccd14747dc4bdcfbf629b24a64b696a46dddd481352ca8140d896b7bb1f75fd6dd5d33dfff24d2328e7477eff31dec97062b0cf97327fb99ba7f78eaeb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
6e94486064e0221ccec06f9de9fa8df9

SHA1
e1049247b8c81ba7e3d0ecffe2e9b930fc9a527d

SHA256
e3871e6cd3f0d4d67968dc93f2675b50e989e0a3b3296c0449070dfb1019a565

SHA512
17f58f89dc83c621ca7c1b637e32c09f449b2d6bb677a7dc268079138097e5a594f326ebf4e0f031cf3b1f6e07446cf9c81cb178300b44f73310988ec1fbba74

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
17bd616d437b415aa7c4c57508614b91

SHA1
4362217edcf9f01be368aeaa97796414753101c4

SHA256
8965fd1d8e78ce848ca5db4211c467d520de00ed73857fd724ded31140e63e27

SHA512
02dc99368256dff6d5565c1614f4ab87b93e714e5707f84fbd8453695661213813ee7ee42638319b9abb90a4bd80e14ea5bbdfadb165d28b30f2187bf095dfee

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
fa6e919047903d7858c3224572d4cb01

SHA1
87fa1c0d557681ce8d3f87cdefad3259a9549d25

SHA256
feddbb57680fe5094446d906a1ee93b26798259b1eee4ed80ffd27150c23e99a

SHA512
d5b223d98d1fda77c23b13c4d8c55989d6d47fb0ab51d6cf00ba85d9724a02c9b7960edbacf3edcbfbadb6b1c567caa946aad4ba08cc6859be99bf8a29a49817

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
aadaf3cd6227d2b0043ba90ff1e5f1fd

SHA1
f2a18d8b28c5db811a10a726153797ccf5adf599

SHA256
2e087d3d4ae7a1c27266bdda5e3d58e2b2767dbf164465306207f09e936c9336

SHA512
f539a545a1ef8b1e1009c30b22f0138c8144947293224fcfc7b77ec4eb4b230a0e2f92053f509e91ecf073a74752f8325d70968c46b94f5b985d437a6b2f0c24

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
078dbad3884b7244d8fbaef0de0bb740

SHA1
5b4560cd6698a5746b3b3d06f9ffb19501a94ca6

SHA256
02222175fe6b773c294bae107695b0bfa7fc586dbdd1a58eea01f734463cae4d

SHA512
a90785a30c8499864fcd09089835e06a66cdaa7efd994934f782596573ad4ec848c97f902d3b291709468d4acf4cb030f9d2ee5985c780ba33476d1e3d687d22

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
58829f997e3124209e9975f3493e4ab9

SHA1
2b786a45e881095e15e15ded067e861fdc0be0cf

SHA256
695784deeef06a0b0385d68bd23c859401bcbe5e1b1ad754a4b02a8b752c7e72

SHA512
07f4c8a3e5bf236fe4c96443f933e280e30049270570858f92c28d4081fe2e10ac3a268f0816cf79e7a03e3859a33add6f7e527434d5c70749b2ab3a740136c8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
2fe0322ee9d31036b46240e21ccf1fea

SHA1
82dcb38a21189e3533712a1cae650bf577fbf0e8

SHA256
e40c6bc5a7a8184543c752cb89033b941c01da8e9817b2aa925cc24deda38c46

SHA512
af7dbf2c21e22657c5022fe54643c228980969ed702203f3f1a549e8b7ba2bbd8c91fee0299f23f62a3257cf17af96b1576ecbd5a60b79733e447a78492a7871

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
d403413f4962c5ce8b07b262198e59e4

SHA1
9dbdad856778c95dfceb43b11b3c81ff4da1d455

SHA256
c61f9ce56e6009c26f63571507f94c1587fa1df253924d18c8ec4b653524681f

SHA512
100a5947ffea4dd30a6a64e8a177f7343f01eb10e6f32403568b57f1a33df37fad2d475690120f9ead37212cfe8db4a0155f65791c276dcf667b2a674acbaf14

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
c1e929d3e7f650703c270b1eebf2d416

SHA1
89087cd3199cca6d79c0ec44189aa16f4c7aa439

SHA256
04a58248f4fe3574b0d146a4fd00a334a435911380dab533b9365bbb42844777

SHA512
b571b77f10ecafbc0d0f3b942b384dd856e920dca639b88cb63724adab2f18908f61fc41e14fe02a4e67065de2b3ceeb2885d10f5e1eec274f6fedb9a794f928

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
df6572f37696a8286b5b2f1d15536e9e

SHA1
9d59d52537892cc1778398d3db0eded31ac588f1

SHA256
6a5f3a666809d1418b213b07609b1a14331af008b14b4780115bc47771acec99

SHA512
bad7ab7324369fb6a565a8f615dd3c4dc501b9bf53e667e7b4461706486ffbfff52a0a7a6292678c8a2048233fd81d22bf3a5fe3006410697c58156b6461f7a3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
dce087bc8c1d6893d1c4b072a4ea72af

SHA1
5b43cf93cb5c7b2ce3818cee27f37d65305ea244

SHA256
3ef6bc2a91ba941bc557408016af8cd960afe8844a3d9eafdc5f62061b2698e0

SHA512
839606c20d571ad07ecb76d2021e31a9a945a254460ac7f4b9ba641805190bfa83633835c367e672c3cc707e75b645ff6e9a47ea1b2ee4b458aff7735a8bed4f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
671352d6938169b59a7bacca06b95ba8

SHA1
6cb6af59e9604b7c7ae2646ccc624c1e746b66f9

SHA256
ad497b9c3cf2cd294d4a9ecada6fad67a1f3370d9108272448e7d9eecd1da83e

SHA512
46da2fe103afc42b137bee1fb4b0519150f2d2d7d9df2c534c8a557f651ab76512284b100cbfec3ce29c2de0a1171f53d70dc099cdc4bd0a4bcea02f76966bd2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
b7dfa1928bf6c6f2b77ee807c5f10b80

SHA1
de797a81e32a8d63a4921fe30c0bbaaf1ce29115

SHA256
379f343acc3fa0663452826dc19d9f11bdc1bef33e8ec9e5d1b58cad75839c84

SHA512
44cc748874780979359fbe44a33447f0f51c6c9a186704126e98c19712750812d3fe822caa9adcb08a69f3260eaba20d42600b6981e184a400d58e27dc328b38

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
0493b851fb627ceaa26b45621f7717b5

SHA1
1be00547c2ff68099791b56676e51e051e2082b8

SHA256
916033a19131a934a9e131950a1faa4dd3df0fd491e1ce2df8ece2c7e72c0c37

SHA512
528cbde46641dfc798b4153f59190873c006d9549c717e0765aff85d0a0cbc4c6463229e946f28ffcb667339b866ff2414a97dd69b97f61e6225dd9924dd4e62

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
b522fcafdefad69c85eff5ad08ddef9c

SHA1
4a340acd7a97e53171994ba02dedd638d11c30ed

SHA256
9f26fd905980cd95926f90ebd0b3d664bdfdd1e3d5df997fc2a91a68e0bb7815

SHA512
eecbb71d253f537a03b4c0ccfa7fe250c0a9bc89ae5905660589d0160f14b3a8303d218284fe2b07794239012116925b6041c27cb7ee247bf1562c7bb258be89

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
b95c04950c40749c40d0fa4849cbb785

SHA1
07a301e8fbd484ea5af70873118fc28e4e71f89f

SHA256
f1c2d1c1f1d18c48bd8c626b781b6b25727a6b25907e64a23e52895b61cdeec4

SHA512
2ac0458ea5306676fdb6e5ae8e7863d58d11333fa18859f43f7e5208aa6a9bf8e3ab9ad99c3da70beedd3da94671915983e83efd99aaa8c56fd91037aedc0947

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
22aee700de59203ffb6e96db4cb9a0d4

SHA1
81489814b0da13267b82333b172024f6274a9987

SHA256
e044a6113f1520e3cacad4a70f7e33cefe50f8b7cffa291e04e23f4a21b21a5c

SHA512
dc190b76655c1fca4ce9f3c5121675008a904a209d6f4b5b904e17b8915fafb86a850f7fec3efc8e61a6db22435d71210bea9ff3e886a97fecbde9be96e0f0b1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
bfcf7095fb3628dc86c4db9bbbcab72a

SHA1
50b6803c5a8f93de65f5757f1ce2422b90ea4a17

SHA256
af0230d6a0955b1255a2db32a98f71c62394dbea42faefc743a0870eb7a246d9

SHA512
4ffd0476803ad3f83157c60a1640c2d3ae49346695589dca5a43cb0f932f1b4d728e0c46669e08139a09527b23a3a3bfdee2be6805d3a95e244f87d672bd0cdb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
36daac26a4157ce93faff4030fe16ca3

SHA1
e62dcfa896f34aa24f2d95348ae740ded9dcb022

SHA256
137dc28fc75062458a89ef44a185172cb22ff9f7dfd2e25e11ac40955e53353b

SHA512
a8d46184499b20b800a6074296045a1fd785e77d52cf6d7d506f4ecd8afddb22cdd6240a77b1ec167c54c0ff84cc31b1750b78cbfe72a15b41b92866b2a115da

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
31d3167cd24c85efe986adbd6f49a7b1

SHA1
7e7e1e757e898540aa60776124e83f8d519fb7f4

SHA256
37b54d555e497d0ca0e823e9548f6afcf1761c4cdf710bca63f83cba48259d19

SHA512
3200dfb26b420fbd590b0508a72ede1b2a0e3f2f4ac93b43b4832acb9ab93974ca3c61b528ddff49e4bb03dae48bb07f0df2e1ca5174473b2520ec2f234d4ff7

Download Submit
memory/2904-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-9038-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-9037-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-9101-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-9102-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2904-9103-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download