xorist | 65499d28c56270f3859faebf0bd376f8e19b166ad4c65918e16cd0a8db4d7c4c

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
Size

39KB
MD5

8120a1911ae7d00f4e5a07e4c0bbeaf4
SHA1

fc030f2fd2116f95e81926212054c3930541a653
SHA256

65499d28c56270f3859faebf0bd376f8e19b166ad4c65918e16cd0a8db4d7c4c
SHA512

1c7caab77027589ab71a6e1e6c755c1321ae0b8978887d3d4c37c94c421ccdb536764d8093fb6159ade05590dea0eb1dbd6955e1beafba405faabaac136fcb3e
SSDEEP

384:7ebFNw4Pk1itKkpAjjalrxYqYvjS3kDCgSnJFMB:70FmBkpKjSY7fDCE

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1636-0-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1636-8465-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1636-9057-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3UJ76DcM5gR8996.exe"	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_requirements.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm002.inf_amd64_neutral_7c42808e24ebff99\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr006.inf_amd64_neutral_0232ca4f23224d01\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_pipelines.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrk1.inf_amd64_neutral_19cdebd3e1182874\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsgenericusbdriver.inf_amd64_neutral_24c807694f614911\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_type_operators.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_requirements.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc3.inf_amd64_neutral_1da6abc36a79974f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WCN\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtron.inf_amd64_neutral_1121c7f92e9e3001\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Path_Syntax.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_profiles.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\61883.inf_amd64_neutral_a64d66bac757464c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-MediaPlayer\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Signing.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_try_catch_finally.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Return.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\slmgr\0410\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_While.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\arc.inf_amd64_neutral_11b52dec8e94d9aa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\APPLETS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\HomeBasic\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NDIS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sk-SK\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_neutral_f91980f20f3112ed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Line_Editing.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ql40xx.inf_amd64_neutral_77a826e5c0a07842\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\WSMT\rras\replacementmanifests\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_transactions.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Session_Configurations.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ricoh.inf_amd64_neutral_66b4504d1fb1c857\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0024\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tape.inf_amd64_neutral_c6a6811d3d827dba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_aliases.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_neutral_c3910bbf4fbccf97\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_neutral_7f08406e40c6ede2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1636-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1636-8465-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1636-9057-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21311_.GIF	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\header.gif	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00163_.GIF	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_windy.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.JPG	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00172_.GIF	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_matte2.wmv	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\PREVIEW.GIF	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_OFF.GIF	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask.wmv	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files\Windows Journal\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR6B.GIF	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\PUSH.WAV	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_right.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\CALENDAR.GIF	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_down.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-winsatmediasamples_31bf3856ad364e35_6.1.7600.16385_none_0b34d0642122c1c4\Clip_480p_5sec_6mbps_new.mpg	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-qwave.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cd9bb53373ac851f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_341a55f41ef1be52\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..tional-codepage-437_31bf3856ad364e35_6.1.7600.16385_none_2b05ce0ab4c4b80f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Automatic_Variables.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-setx.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1d708a26f1847fd0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..escriptdetectiondll_31bf3856ad364e35_6.1.7600.16385_none_22c2050af8e2b32b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msvcirt_31bf3856ad364e35_6.1.7600.16385_none_bcb21589b7ba0d7d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.web.manag..nt.aspnet.resources_31bf3856ad364e35_6.1.7601.17514_it-it_c13a38d6c1e37dad\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_f1f573b011efe89e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-documents-performance_31bf3856ad364e35_6.1.7600.16385_none_3cdadc249cb267a4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\divider-horizontal.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\docked_black_rainy.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netcfg.resources_31bf3856ad364e35_6.1.7600.16385_de-de_eaf79cba4c19a928\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winsrv-adm_31bf3856ad364e35_6.1.7600.16385_none_74fe9f3a6d505307\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tcpip-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_61cd287ce4c327db\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..oradapter.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bf9af86f3ce6a687\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wlan-dialog.resources_31bf3856ad364e35_6.1.7600.16385_de-de_35fc7b588ae3c354\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Garden.htm	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..ngsupport.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_4ff56e14ff6226b3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-label.resources_31bf3856ad364e35_6.1.7600.16385_es-es_428809fbbe0429cd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_6.1.7601.17514_none_76234513809272a3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0816\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..tiator_ui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ab1a9e33c91a3cba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sechost.resources_31bf3856ad364e35_6.1.7600.16385_it-it_69a381305aa0f73c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e0e6a5c0d9dc8584\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..lservices-workspace_31bf3856ad364e35_6.1.7601.17514_none_2f1505d970be5493\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-diskcopy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6f5451fd6d41ee2c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netxfx64.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f64de8baa602acf0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-directx-rgbrast_31bf3856ad364e35_6.1.7600.16385_none_742e78f858cd79ea\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_desktop_shell-search-srchadmin.resources_31bf3856ad364e35_7.0.7600.16385_de-de_d769c3ced4077c10\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-directwrite.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c478182a533cb0e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_scripts.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\diagnostics\system\PCW\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Raga\Windows Notify.wav	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_server-help-chm.ipsecmonitor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a7c01a54f64c21fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1dcea8f1f1b0f47d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..estore-propertypage_31bf3856ad364e35_6.1.7601.17514_none_e907844a97552799\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.security...licymodel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d7f8cee99e82d3b8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\WindowsOutlookExpress.bmp	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-unimodem-core_31bf3856ad364e35_6.1.7600.16385_none_fae1cec5229fb80c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost.Resources\1.0.0.0_ja_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-autofmt.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1303475905cc8818\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..interface.resources_31bf3856ad364e35_6.1.7600.16385_es-es_66117ffa2765471c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Festival\Windows Print complete.wav	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..n-support.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4b9cd3e5ea229836\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_regular_expressions.help.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-microsoft.jscript_b03f5f7f11d50a3a_6.1.7600.16385_none_f371f988e550616a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mfplat_31bf3856ad364e35_6.1.7600.16385_none_f680eed0b4c8e693\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_ja_b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.1.7600.16385_none_3575d2dc8edf4a22\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-16.htm	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..t-windows.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cf8114625afc4538\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tapi3.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_48a21249766a92e5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-calc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8b3e631c1e90e66b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_c13cbb631bb77948\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_76b02716a21b0f0a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnep00e.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_66f4530f4efc442e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..ty-syskey.resources_31bf3856ad364e35_6.1.7600.16385_de-de_13cea71302512be8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\32.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-library.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cd026318e81c6364\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_7e1fc6449a7ddd29\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_4b7bf556f6fe4db9\back_lrg.png	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

Modifies registry class 10 IoCs

Processes:

8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XWQMWENWANTGLEM\DefaultIcon	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XWQMWENWANTGLEM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3UJ76DcM5gR8996.exe,0"	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XWQMWENWANTGLEM\shell	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XWQMWENWANTGLEM\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3UJ76DcM5gR8996.exe"	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "XWQMWENWANTGLEM"	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XWQMWENWANTGLEM	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XWQMWENWANTGLEM\ = "CRYPTED!"	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XWQMWENWANTGLEM\shell\open\command	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XWQMWENWANTGLEM\shell\open	8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8120a1911ae7d00f4e5a07e4c0bbeaf4_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
290B

MD5
7eb8b2297a1f44433c0f09dcc976beeb

SHA1
c602d15a6ce1937c432e979bb86a7defefebfdd8

SHA256
1a802d9f93517d7ae4270bea7796db388664e982f48150236b14fd622e69ad84

SHA512
338ad4cdfe236c8dc945890738423f2b2c91a9ef3dacab4538eb0dccc354b2cd508892efd7352d499e2d4c15d66587be19a02e04350f2dda6462a931146a1a3c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
a1b5b5e886c7f76ed10b94cd03088b9d

SHA1
fb033bb76f89d97819068e640ff0433b099f246b

SHA256
43e240633ddb948a66052368aa3a482b678b792290b4d4cfed9dde1ffffc8e61

SHA512
aa597140e3d541303a883bd6bf323d9786a7d62d1b3f2e2849af5dfacfe09f1d4280f5397c495f2e78fb7f4d1246c873692a0c8d15d5e1f506dc238d032f7e64

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
5babafcd670810170201363697712b36

SHA1
5e22e02e6b47311cd0a9e1401d999b467492fabc

SHA256
f4413aa0b5160d81be22a9a655df69199c7e5bbd817c40f2df7533efdce62fd2

SHA512
ac868fbf5cf243c169960d4edceaa2f24b3227b0601d5146c8b72d0e51375ec57d8f503ea271cee61a5591a910f566cb13ee6305612426e9b0ca10db1741a96f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
eed387e2edec678a1a54fabebc3471d4

SHA1
9551eac0a5553d56a691baa91240941248f70765

SHA256
9ac6395dcab028faa1e74f7b7c038e1a810b9b8784eed60d6c3fb72f80b9c168

SHA512
1fb76ce5a707321364e50a26557eb5e08edd7a2b507b9801067eaf784cd52eae6c8d563c9d088df9903bc9e569ca2b8cb8a0360b003bd7fdf35605947a6e5132

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
15b6afb78086895020f3c7add0401937

SHA1
f10b3d41af98d8ca8372e4adbf97d95be09d1591

SHA256
bf2e7aad451e194a94458030e28497853b2f01785a769e27b73c5239e4ecabbb

SHA512
73e0dc5d1f3c4f41da84588cf8c3e7aab7bed339e66cd29b0af9c124c30a081af803b52e355d407d78790616a8a7504ebcb24b95f8633c2774472c9faaeacd2f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
6c86be974cae6d54479b6af785b4a704

SHA1
0f5b93990f0bf51a89bd6d2ba6321fbc6ff351fd

SHA256
7693f79e99bbe710573ab42c7bd47527d56f44ff227a3ae5539761f2344c9e14

SHA512
62634c96d5cdc94b70d2967e6c3e3d71321dd4f48fd766085c8cb9c9fc19db0870a099b1d7fc523d68f9d1509bc30a28d53a424fef73ddab0b58e2609bdbc7c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
28f773d9ceee768028909c39fae4940d

SHA1
ce373c937d9b5cdc6282d0f42b72eab92099724e

SHA256
5bb0f95e9a4fd4128266cceb2b3fbc75e8a9efac9721e9330fecac2090267345

SHA512
12b3be4be1b6d3a962a7f42a93af12b39f35756d06d3fadb3e1654906ef7631a213ca92721ecf0d7b4f55b97a9fbf927bd54bb39d88666da652207413dc298cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
a0af04084d5562fad9d8c5e48c92ba04

SHA1
848fee53e220f2dc290075c05e60a4a6c2fb0388

SHA256
52e5fe72aee3fafb31b0a882154e7f791dd67b3d99fb6f3d5182c5b723d3892f

SHA512
02abc047650a731bf564f9d0be13fcbb6f8a3c0e951781241708b3d1f4fffdad484597d1dc94e7993bdeb0c1d47e546cc26370c84ef04d7fc564c61bf560f22f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
e1acdd6070a653c41dc02510220144ba

SHA1
efd6dca9fc3122fa96b98bd7fc507a5ee47e282a

SHA256
a018a01fad4728dc22fb41a098455292c4c78dc0da7a12386d328a151c15bf2d

SHA512
968f59705d66d8c2b43fc2847126a2eae5f76198390cd966ca53da8d4396d3761a0085502df8a2143c9d763320837b2463cacc4732c2661b4827deb925b8e022

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
3c88c9897e8178b5d25903dcc3f8a26b

SHA1
1ca534479707717f5aa53be24d5bc11ef16073b0

SHA256
ef8784b04ea5f6c9c3aae9dcfb9c2133703ce0c50b3d1dc4306445ec6f7c4850

SHA512
a2c4897c3f2d3757858430d7ae2e9b44a26e69e1542e55d54bb36cc97be402560db61374e7425ae68a6949f63928a372754a106cf4c303c62a6e1e05527d4255

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
b8619f903b8f2dbdf3844c11bc7d5974

SHA1
15c5e28b33bd0fc6ae608b9b3bf0a7062616e239

SHA256
5e53a21dcd1a8a5e85d819f48f58828d77fc7af129e96a839a13ca6739cf06bb

SHA512
21833f9fcc88cdf5fc60e182b7035293d4d500fc0d31ed9d989ffe36b51486503b768ca944354dae6f4a179fd7124579258e90427f4ffb6e76d65db392cba4da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
2b294d9335ebf852633469397b8a2a03

SHA1
8d2ee507e4da4aa04a95548a423b1842c48a5cd8

SHA256
a75631e2401b9249fff4e637a619791d4ab464fe0dfebad96b77e97e778b81d3

SHA512
4f68710feeaaece01f8a62df917f08e9cb561f5025944fcefdf5f565f82bad8a77e40a401830752a8a042f4059efc08224611b722101afd13b15dea4c038e38c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
cd696d835babd6135a5627c51efb8343

SHA1
6fb5d2a8436e24e285abc6f8acf83325ec14b029

SHA256
c34bb9cc6736a8aeabb90c8ed3b6391122f4d5a71ee4da3644ab5dc8ad7d7ae7

SHA512
0d11d6b243af9852a125f36e34e798ebd073fdc62bcf721299d901a67f2168c232ca0aa2295ae94fa97e4c61b95d03a8ae706aa3a141b169618155f6523bdea5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
26ab7af660c861fb19a371a4785ba4a5

SHA1
bfa5f77270b564a02f2f4974f952ea53e7eff313

SHA256
34553990275d770ec8e400c30921a0093a5935dc704337c89784ce7cd28a1f13

SHA512
15a4516154df5ad17bb82a75444d44d95dcbf07885fe94277b1f826bab4ed232d4f5e79a26a162a0833eb2765a36a2e99deec6d203b8fc25d9cef4af0b3fd6bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
7f31ade33526ff65500f3ae8749e34a6

SHA1
ee854dceb8ef7cfaf1c6b2e03a541d1a654fa5fc

SHA256
494442a7d215f70f1ee871aa75e9751862313234ed4f6d4e1ed8d7e75cfc5ab8

SHA512
1063c777b0c5549c6d0237acd22bfca2f03e989e89fe2a126978381bfe5a832e8e87e40bea202a2c27ff22786fe473d500033361aeb5ecfbf27e182143cf8f4c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
e3d11adb58088ee938cb43aebea8917f

SHA1
e52db986d4fdc4c128c4a7f40b4a65be9d5dc245

SHA256
ba90712d39e931109aec57c3912ac2466ac8acbe7dd581db62e1236fb0074bc3

SHA512
5948d5b5a5f5b7d1f162afdb53d17c27013e40cda3c19fc788bb4981824948a340b418f813cb2d1873bfc5faa9cb5e413ee26a32c8ec51d987ef71fc9baf0fe9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
b4786c5a96c2245d1240be9d0b0c584d

SHA1
a38974640de3b78873a722715a2b042c6d57a375

SHA256
b7b9e01a87cfe61ec1a8f5ea7c3fef8937c9cb44391030b55decafd840a47e30

SHA512
0b8776739332ed9c2920edb162d88a4652f325aedaec107f53d1a6876cf0de98d7d0b30fee401690d1ff1e709950c077f70d4f2c3cd2153872e204334dc555cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif.EnCiPhErEd

Filesize
20KB

MD5
07d6ae9eccbf80b49f7e6067ed7db455

SHA1
9551b62322eb008d7a8c86e584b2defdaeb86ab5

SHA256
14d42f11e8f70a02fdd3926e53965f8399e61e56eaadfba40681e56678286779

SHA512
47eec96e3b23eb8132cbe20f49239dc0a8a79e4f3826488fd197fd13b241164c361bd889246b3afb4b5ec2d7c855d46ac7134abec978062f9020e86784e76c76

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
41a3bcf908da5fe5274cc3edbf5bd97f

SHA1
5b83ebe9d55b90e9b6ce1d5884a5eb95a9d2ffe0

SHA256
333dd1d22de7dadce9ff343141730b695aecfe5957a43ff8c0ebfcbc732b46fd

SHA512
c828c56f759302ca53cc22696e52240f26bbd324f885b7a3014c13b835d2a1a04525b6eeb9be544b764eb4536f2fa5041d4b496aef11fb3b5ea9ff40ae9aa5a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
1dd23178745336f5b890519fa77b6cc2

SHA1
130f63ec5e2461b5f3387b4fccafa093f77d6347

SHA256
1ca3cd67f442c531041fce0a8d4162ef1f7ae27dcae7a9acca7310e858b25d11

SHA512
b8ea9ba7b63654e6d13423924bc4f40a80cddc548d75bd339cadf6fce193877d9c243b37ac7192c19ec147092d27425d4434d890bc39bfe3d228715d171c74a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
139f71dc149f4c591bc83deba52dc92a

SHA1
fb07228388f68325e25bde2427444009b12a5ecd

SHA256
3ab7fe34b3cb03ee37370f611598c6b22c2da5ff03b44f979216850229c58fcc

SHA512
2d9175eba00e62248a08d02c8c0ce71f7d66d465acf5103b7509db6feb02db8cd5afec63b45cff59a2bd92e8ecfc186905edc7e14338f44bdf4d3fb0911eb79b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
a71adc020b9cb675b490e996ebbd1b1a

SHA1
fc6074692fa9bcfacae1a4e7f82d9f21e88bc423

SHA256
0a79da5d0e6b09fd1b732b1a61b177f524e1277e7ed6b6426a19405084ac5edd

SHA512
5d07847ddd87759e59a328d8e0604d19b6e95a0c8838c1677b0ee69c3598444f9df410666c25c3df74079d4d1dd1c0fcdfc6c03f749a169daea62c2cdcbd7b81

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
98cc7156a03be8b6946ad5840482232c

SHA1
79bcce77024972b35019962fe7c69e6aebfc28be

SHA256
9eac039d8ab79d3632f23aefb94b66f2869bbe5c97f7e3cc9aeac46f2a890283

SHA512
af65db1d5a622ef3acc2db9e21895bb069d10d905c0f7a0c68fe723f2a9208df03918db7dfd046fc9f6e5f3a66d3b676c1ab55f763153c3559cb3bca7acfabbe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
e148ed1c9114b284331f7d1447d6403d

SHA1
22003c7cdf0afc80cfeb7ef9f1117f9f4fbebf88

SHA256
4e97f59cbee5e9839afa256dedbc021f1d5cafced26bacc355b704973ab54d9d

SHA512
a57a6a4e16a0ae7229934c52c18c1c1e16bd7f45e6183acb9ae309b6cbbbd8e9d75bb21e2f72c17006d5aeef3e1023fa36270979d174dfc97770b8de333eebd4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif.EnCiPhErEd

Filesize
323B

MD5
352510ae25935209dad8b185ed575ff1

SHA1
66cc3c7fcab5a8ac609d680cf267bc746fa971ae

SHA256
dc9a548e73dd3ec9ec0c76af12fb05aa56077e61fbd44135aedbe2b51f6d165b

SHA512
9c33dc06fac35b795c780e745147fb4400ddcc58300a453dfaaf37a328168e366ddcef37e947d1817679c72f6a84ba09b4029c926bc462c26c08d99163377ac2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
75684580a442552e118cb46de8231cb5

SHA1
6d0c94765ce3c04f70b530e495d818a40356fa22

SHA256
14c340e8bea47579608940e76c506d129b6c3272a76122f0328bf7337a635c73

SHA512
5dd6f181ead6a0b970f1920fca949c24bfa12ac6d0a71d8d242cd4015ea095c2ed727b90a1a1ae369bc88d36ab7c9b80ca58867e2a14a76160d96508cacda4d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
8443fca471ee73225fcc75d11061b5d3

SHA1
4c5c28617b70ad1e08514e28aca15a18956e4f1c

SHA256
a507d79469c7bafb8d995b020544e127c7ddc9ff9ad550a1dfb542c2c9b9aa66

SHA512
9f60a0087d52d58cc6007564761fac34e609d7e1449ed50a0924f57f3a7ae045ead06165ac172263c6edbb429a108e96bf085ea06563aad769047249f90e7148

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
ddd11a467e5614fc8ade2dee89e75bfc

SHA1
4b0db310f686fb7835791be04621e75eacf71a70

SHA256
b946b98961141aafb79a2e673306a472a49fe1fab4af730721d1f39d032debd7

SHA512
e364a99656132009248a4179893b4d3dd76d987dd4394cf5b665ee2e678f8ec3aada505763f7f35fb3c424ab184df029a2a45432a4c6882ae0d931014103fbcc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
48bea1912103c27c0e7ece8c0282a533

SHA1
b6113c2c250ac3e2c915a505f3992e5913fd8daa

SHA256
95351cda705b7c256795fcd79771c7301544fd200f6a3d982fd8db28d3948c40

SHA512
30d5b368b0be58b31ab83abb25595b5cc6bf8cc177c56842dc64b026d346879d7193a894e1f668e9db0aff7c14909df3451116eb9ee36babbddb45bf4366b5f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
e4a59bab7cb4cd3a585e7dcdb60bbc93

SHA1
544acb6687739c8825800f83794eed3d1ea3f0d7

SHA256
d82523409d509b4d1d7eeca64acfdf1e20da7b6c82e689a3f5e8bb882e54fb64

SHA512
6855288c686e96847b971218cf6a4f897a1a0e088a001a166682cf42cc9b4caa621f8f03d1a892028eba85a2ae64a6f156b9634762a3adb46aa0d0c325a78d5c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
d59a3846511f14f99929c3228fa06595

SHA1
3d5d477a20bc2e0cd914265088d6eec53f5a2c96

SHA256
d2775c76bd5f0840fdf2eeb86b7eb070fb7f1b779841769019420788a2d4a3d0

SHA512
6617556f9519cddfbe3b523a4b9eec418b3d16854b08901f467b8ab8dba9c418f718f66d54d718b1ca0061113fb3d852e5e6def3f6af968ee64e9974295d3f70

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
f8a0ed7a1397a5f42777d015457fc6da

SHA1
3144c634ff6f3276a117c699fbfb24a0ba2f4e76

SHA256
d42a2dd52c2260fcd641361fa895952a114e4f303cef66741bcc81a46354bf83

SHA512
e2ee0cdcc4486ad3bd24f69b0fa0090bffabe87b935c58247eb6d2ec1f727af5f0509361ce868945a45b3b0532c413705e62ea593697abb73a1a91bf10c2a5b1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
09d86acd433500f0b54fe506ca19dd3f

SHA1
8fcb375092b22c0d8ab26032f09d2ad502ada33d

SHA256
36379f1813adfb9c38b7d9e7948e077f977ffcb790e0afc60d6ed7835cb8fc26

SHA512
3d19722259b1e05461ec09641f2fb0a9017dede9dbbc78c7c5b35b8c78e17aeeb98e1c4d2275a7e5470322b0497ac400e5d8cb165e92b0a0f2193b08a5f3e59d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
c59c92e775ae8438da29518d56240a8d

SHA1
d54d3e18a842ac2627d9b72fbed3236fccc7e087

SHA256
1d7ea8cb6441ccccb56faeb818779c6957c7b183aba3dd482c929b818f0c16b0

SHA512
b1dad24d0bf6fce68a557e28c3c97fe1f16cfb74ad951ae37667e87d233fc7d3ea8274304547ff9290102faa8b4c4d7f3ac83d534e806a902ef3762f44f936e7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
ee26013da20ecebfe3a2b95cd41723ea

SHA1
3a838346b8597d060e583cf103601d0a132b3dec

SHA256
cb4679efd59d53b9339d904c056eb74100b08163c520165a0f192870f74aff45

SHA512
2e7e588c4a9886cb7fc69e1c570a502a6ac08e609736b53cafd49f177bbc7ced310ddf6685a1a9073a0d5cea3db4ec47f790870a3dcdde783909b75ab6ffbbfe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
08426d10982f7dc3da200b3ab39ec02b

SHA1
729caf2c7db375b7f705f354a1bab9fa60ea1eaa

SHA256
d7a5309b43214fbb33f62894e864c41a0f0268bf1f8a984a2f5d01b3565f332a

SHA512
133fe5f2298dd8667e220c2ac9d6d9bc52f4833bae0ac843900bb7400eaead41b4b2c294151827730310ebd2c9c10ab5290045f24c2c90cfc687e489ab6c3aa6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
b83c2f751f355029b6423cb636a92c4e

SHA1
b87c3d28f55e418bea97d023f18d20c493cc0e73

SHA256
813809a4875b2f3f4042ab56afc1326a2810a6e4572bf8e4412a3aff11afcb03

SHA512
f97b6b0629620490852476ecc78b5d6bf6df45a59779302d96be79316dfb6df940e359d5961cd6925f133cbe3403efcf059358dc2df1cfe06863736bb8a5fd8a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
350dd7a0f571d2886e869769f3550f04

SHA1
60c7791321dc48a5a60e2e8e1efc12968f5dee86

SHA256
add6fe65eb1e9d681250a6932bf0a24cb2158a8c94d1dd8a851194bc239c21f6

SHA512
12f05dc4f87d3d2b5153f10c6303127b71152a996f9a906ae054bede72f3b39fc9f7ada62eef0db0a84b5fc845dbf41c6a0b9c9b8217084470a9411b807222a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
69fa4a49d668a6fadf3b14e5c06b8069

SHA1
bb7aaa86e37c58f29c0d9eb89604b15a35e90f1f

SHA256
4aebc09b457d56472d7d662bb79fa299abb3733ba7b8cd411b849f0cb0d75924

SHA512
65a0775cf8ea0b9fe6e081bbd49fbe5e42d97cbcd2c9f2ca2a50962fa9fec1aece6cadb1e16324e23b7da008ed736660eebd70987ae42879e9ff579f286c7448

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif.EnCiPhErEd

Filesize
2KB

MD5
e0d992d3b59285d6647e9c69f0b8fdca

SHA1
000a86a93cfd29ec92040760f850e0db46e2133b

SHA256
44556de84b1465a81cb83554b2add1ab86acf55e1392ba01386dcb110c9282f0

SHA512
6c277ab072b1261935ad89ef61e6298cfd587d7aeeb23964f2782c3b7c631c261c8ff0ee04fe16676396c9302f53877ce5639547289134b3ff591365c6dd55d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
c90c4d2839f4f4521954fa8dfd4b3f40

SHA1
f15eb7b26b0f9346d5184c7e2964e37cf23280bc

SHA256
365cbaae90b1bdadf1df01fa2df9dd9e55879cff88796909e50b9c326f85d70c

SHA512
cc441cf0473737fc5fca37c9dab2a36eee8258ac7746f7478a7f9b92054133a655285db284095115182b20325f348f204c8919f7d78dd13f92fdb3dbe3e4860f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
2a2920ceda677ef9444556f63a499f9a

SHA1
65a29cb133d6b389fa9f4ae71a54b772065bb7c9

SHA256
1f2a6d1d3e63c8dea3f9b435e919dccf63af09bda820cbf2baa1e4ba09859f3a

SHA512
fc673ab3f88d445c10de1959848b177a223e60131292a0a3902066190857d8b5f598c8be35cb68be1e7fe9945522f8420d870f0d38784cb169713157b5632152

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
2207b377412a4a5b27f0f1d2588e9405

SHA1
e43668971f04742a25a16a61ccfaba8e6e99abf9

SHA256
389d69813d0f951393174867a3ed466241546c9ca2e17903c723c371e9d02561

SHA512
cabace9f9027286807b531250dbab0785cece0200f15643abadcd42d57b1b10e5507dced973aed6261d12291e10184d2c43e3de7e08bb6238753c6126c010925

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
c23c7fa311139e279323f7554339e3fd

SHA1
cf3106171aa736bcb35b8d385b18429d6f37e4cc

SHA256
119025dfc82517a8b0adc9ad1ef0fbcd077da8a8c338695eab5ff0254a350b85

SHA512
7b021e938d27b3984727e34da8c17532bcf1df91ee968abb391afe30f6eec6a63cd768a537628bfcb5d5d8c1ff197018075b8a21d5cf3e6bef0120cfc4e5f8a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
2c35c1813b985ddc842f7e58ecb6f563

SHA1
88ea81bbfd841422641a3714419ee27ec4b3043e

SHA256
c8f12e3c21588abb77127b0ebde8a7a78e27c6f14ecfc9ff27cc7152f7015308

SHA512
f51c6a261c85cb21bba7d6dab8fd3e340664f34d25ec80952881c1d99aa0b7a23cf9ed4fb5242dae8012c958f8a94f3186ef081d84522440919f1a9b8b91e981

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
10c4f45030fd85a97ed27c125313760f

SHA1
d319becab5e751f672048769d51047c84c340d05

SHA256
eb9c02b282612e5b1a0f44a8c5cf3b2b134103554db8e25b8fd69c62bfdd3143

SHA512
b1f1368fef3f6865955d8146e252d8a61f8653781605b09bd95d8a76682b0a0dd81e666c113c1eee8b63b1463d1f7ddc50b8bced61c7760e93e63537688b7cf0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
c62591d3023dc72b695156e25f131f9a

SHA1
857dd8a5a2f93653a97eeda70a4cf0ad08899d38

SHA256
5afb87c6d84fcffa5b5f0aa396e39e317c7f2a0929ab7762ee09b7de85b71c90

SHA512
29b59f94b7191f0d62ac5cd17df39adf2236ecae9d9b3afea848b3c2740987d16cd035a01caad164c248feea2cff6d4083c79823a4d276632f77ce5f17a8cc4c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
206176f39c421c88140adf6000603401

SHA1
c7b4d19d36b3413231d4ec82a19ab5b79a88bae2

SHA256
2328ff124eba40c8d8387822331b41e57a2f8109a2767f0c2dae5c7783e1479c

SHA512
0d6c5f2031252b4fb4a447fd44744d58f393cc3702a6eca5f8ba3bce312e13616ba6270f6dab3da9ddf73d75a6cc08f46acc173f5a08ce73a09652b685ed1ef5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
25502111c23283fc907750152a53e0dd

SHA1
a1a04684b740e7e4aa1b4bcf5a6f644a03c10bab

SHA256
5a879604aef191b68c94c8219a16ed180754e5839a19ce09a298c5848534b9ac

SHA512
04e417c35295318f44947e3e2279ed8bb326d0f81436169cf6c7b47e4858748119fcfc8775dce32828a575fa22bc19b6c9df1907e1877e769ec883516acd69d8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
4e759ee354f12f85d98d083f3879f30c

SHA1
98db994b03dffe12576050ae84d8e9128b5d8bcc

SHA256
539c78f0170110c54c409e3031e689467e4f944f236eceffd4e88906715e9491

SHA512
69a07cb34d4d66b183a50203bfc26bd77ddec454054cf983e563b64a9dcc8c329ce94370a22ffbc112e57774d643e20605eda23ec12c9cf4831ae8b521cfa813

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
1627695c2e95ede63c644ff63bb6ed6e

SHA1
b31b6b6237b093717563489058a28536e6a02504

SHA256
11b1b364f784ca066c55eb898f874751416f8b5e7f4ca1ce7fa1437427dfed37

SHA512
023b21c0b7e0067298e8e53e12b603645386499173ddd071d41046c162ccc410bace9576033970585c8769461dd07a7f9d233f67d7b766347ac62109ac97b392

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
f7908d7d506b9c57b6ac34c080b75fcd

SHA1
411ed3ea3f78f82c698abc3c601f50f4af4c824e

SHA256
a0510aa3a700bdf6ff38c90789de1205a359a2d22c2e12171272f52bd9017691

SHA512
066e210e8399081fd24809adffc675820c0771d47da26b782a4792686a612ee9a2cd56655dc2b2de97b1024b1179741fea2df88130d6a045cadc9470660df0da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
bb66ce259b1f643a01d6e1075b9ee1c5

SHA1
ca5eefcea7d07d6e8fc5d6002e2e84940d398164

SHA256
939beb1cc145644eb5225f57a7ca37dc8c8bac11fab9145598e3902c47740355

SHA512
258430cc3b079e177da4a5ee8238a339cc172bd0ed752e9ea9570ef79832de257f2f2f1eeed89411eccb46a41ff093b8876020083a34aa683f28283ec76bc0ba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
bf481aa05e1ac3775368bbb4b5330d27

SHA1
8aafebc694430ece858f07d3230aecef6b2e2df4

SHA256
a5072fe5668d8722fd6dc3d3b85fdad20419ef7b7276cf7591edec2103cbd1f2

SHA512
dcdbc679373cb96bc5e1227ed7ee3248f851a13d90e955d8eb365490073c224eee7877feecc1a7512b9fe481f20d62054de7deda8cacd2388b1589f243861672

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
78dfac86887ec409ee640ff761b6a8de

SHA1
e4936cc9d214c6d40c744e46a10107b17729f66e

SHA256
1b1212ab6be449fb4ac0c73d7922acdd0e44fbf11afbf792c0d3d570cfd34f58

SHA512
31751d4a50c0ddf4b76de460e1c329ce60f8c04de8f403029bcb1be9edea42507171a8008a7b2535b642398ecce05fe20618699e99fa6b65087d0a082f3a49d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
e4bb0d755ac71fd327e3ca73c4bc374a

SHA1
b15ad0c3474313197cf0d109d459016843d1ac88

SHA256
9701233da81611ba2007d9318c92209569308355c54aceda82b5c9f3bc1ca26d

SHA512
f708582e7426f6e351b0c653a1cabcb2b1dcd88683137a690aa371cbbf8ef4d6a4841d983a5db3104611d100fc62a4ae8d2cf01aeb56cf68dd2f0c49574d87bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
89229de5961476811c0fc074fd1b1d33

SHA1
286397c10352ae060beff8bc0e8464966e81eb9c

SHA256
6d7d4677b22810a66d3055395f6b153f62d9b5db95fba1852e7b74a369d0167a

SHA512
074a5b493c394574e50dc58b9aeb010fe46ca40668936e4a21f9b19215876e82076e5f484b9073009071a3f6d4fe958d9397f63e4bc6e024736694f09b38b77d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif.EnCiPhErEd

Filesize
850B

MD5
e3db925b6ded16753a228da4559c11a0

SHA1
731ce83a830d5a1b696878f51c13c7371377e082

SHA256
1bb8e80eff764ece3e250bc804f90e590312970e940c9667acff58e8f78d73d7

SHA512
5992b97166ec797a2b454d66f4bf3b0d8e845839c7a2a82717b88916a59c90796c1ae2f15239598a1d1395f3aebc56f0f74cb149d26e67e90eb7fa426c260dda

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
52c2a243ebe4d53d4feb3b437fdcbcf8

SHA1
bb02c831008f7e0966beb77108af2a5fbd553729

SHA256
7be6fd32a5a7f57923413aa1d7363ccb1d60e65b1f62e9a3df1cfda520e75405

SHA512
9b28cc6f91435f4cc8a6adce668de02c516a3dab1f1693267bcfb2dfe96aead2b21f745290411d0d8fe84949dfee81fff1f4e0d90c12f45e6bbebc16da12d9eb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
f0e877050328d08608abb7e9de9d538a

SHA1
e7c04a5e07aa28b96c4a52d7a0820fb4da39ebb3

SHA256
d3c370d8fe6d1f0c9d629e00d10813980560e8412b5bd737600022eec69b4474

SHA512
b9c10c3864db0ca21c9ba0acfbb197adce478fefad800cdb4dabbef08cd83126e75c55eff67e8931a99fe4ea00ba26616fec38610a79937af385008ca82b7c44

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
1b035534e85340eace724ce8f8069d52

SHA1
19e3e7d1532806bdb0392d57a4318ad1933febae

SHA256
53b45c48ce7ec79fccde10d2ae9dbc8e44001e693eebceba9353d83ed2841e76

SHA512
4707e9d6258154c627b5b918f158e28d41475f6ac43d988381c1cfb7c9592c50a3a88eb71e87e05f68483d6a317a9c3c518f96581e17a2c013d1b24f91587316

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
55259853ae059e272de839d49e0639db

SHA1
e8642c54ec128b1d37dc3d15343709f8fa4d6985

SHA256
fbd6b280445b3e1919e927def8a68bb1daf2cd233a58264e0cd6557ba116f6fe

SHA512
76f84901106121c28b92e331535fc76d3d3cad837b7e657c207add6c2845688df2f4aafa4fdd15ebbea0bdb52f77b16894ec54b7aa50cc09dbce24f96dca4f85

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
35c808ab89ac6841d11e215041905692

SHA1
b251dbd41d1a675ef8c74a078559b379103bc5d1

SHA256
1bd43af08844642564aea54950dd7e9673d858bcd96a814c055f028365ac35b3

SHA512
6e3bd251a6101df2073e83cac9156f27e421c01b674be6ed5a029378c84a1cbccf59e5b985a69db437188aae8f75386b0a27f0d5047ed1f7ea56734ebd909b7e

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
6cac87922450e204e6ae650798a5907d

SHA1
8054360fbbe60d869db17c28005b27d41a680289

SHA256
e5a94b68828de026e0d27e7fc5e1e6273da616cd00500039d6b0883411eaab9e

SHA512
24069dfef3e765aa4eeedcd34e2052ba9d1953b35e0126e5c7993e5649c79712d96bf5edf0bc9521896725e0c13e1355a684dfc0f0e7d3092e69ba82c6625eeb

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
a9bbb0f623024e6a73fa2755ee0af0f4

SHA1
5f23a13766c16991dbc3d2bf78bfdd8b2969d3f2

SHA256
34a81975f8f99ebb8b7e81892bab357faacdc6598723ad21676ad724081ab092

SHA512
3215166060c25118635b2f330ed558695467a558b657e2474172e3398e6b5ff2de6a872d4870749529bc71d23d5a768f0c6348ee9580072d5231ed3170563ffd

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
f8b41f707e2ec165cd90025f7d42168b

SHA1
218db654fcb7423bda1163c86e3c7e72d910d683

SHA256
6bb2d31b74a3722a12f7b0a53f07c304e803058c7e8bb022e986b8186da2b61f

SHA512
d4584d2412a2f8d32120b9f2df3ea317615e34247b7b5b9abb627412e271044020137556e507e0874c3dbacd02ead7acfbcee1f98c584953df28f52df1bb0e9a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
748630d135c1e3a5eae217c7e93bcada

SHA1
fdc151b26104c83ec7a8244ba82d492eed9dc47c

SHA256
359034bd55860b213a046cc5c5649c244eb9823592c295f3813bc171e41769f2

SHA512
eb5be0aadd44f87afc2356a7b53d35dfd82a588c61004a4327746b843680c77cd4c860684056a3dc9292ae52e1d289e8d806c6cce753595bba3f877b2e0000a2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
6da5ec71a58bf4436bb767d4d2c6d865

SHA1
cf579ff0aef6823db6778e1cf43a0af10693e92f

SHA256
db70019a6d915449b487948200aa05eacdefa5cc7890c70a9a342e0db6199516

SHA512
883f085301903fa60d6657055d567bb545c4eb1a3632cd7ffefb1230d203b20b7c60b4ffd3d79916deb07aeb75977693b79eb302442ae3a743c64a7c9cb31b80

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
888fce1e81497443a661a8410e65c087

SHA1
c912d35efb33454be204cc91eae9b70f0cdc250f

SHA256
d379f718b191fe123455e77908c2643b72252028352cc961bea7e5b47872bf3c

SHA512
17d7b5bc0119d0d3ac331065317794a74b8500f5f4c78bae40d8f5c50a89f8ead90f6b1177c2454b014eff0073e05d736e900361c1622195261c5bfd1318cc44

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
ed3b8c2b119c93694b3f02daef365fb3

SHA1
d33d342e4fb66633a19721dd9c9a2120faba4e98

SHA256
26156e457738a49d083f6fe29f0e12ffa3781e45c1c0b1a624e596ab4f2648ed

SHA512
3af2711d43af4a52877339842421da6a120e60735e1364c45c23431d79d57610f6a731d7dd9ece283b18eaa5ef1749f2134b533cefb2d10fd79e9122cc13fc6e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
6f15048a5e25e788dd5c07edb411deb9

SHA1
c5f89b066bf1d4349c6437e94921f10546b0084b

SHA256
eb2ca20fbc8034e19c26d9b1c152d343c689b1896c91ed8aa7647be77211c5ad

SHA512
e4d319aa4ddeb7e88aa070e01b93dda967b16a1e847744ea8e6701f9420cce81cad346790f8bc9e953e6abdb8e7549816475df9c160595fd8dd94fdb991ca642

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
d0cddbf6daecb993331fc51be02d8ec5

SHA1
123f180161e7263fd5f352fe878a02f6975d5e42

SHA256
b7b925cf98b0dc4ecf059a6597975fdac57992156af91e8c0d46967c2bab8a66

SHA512
fac505ee854c79f6f230ad732eb628140a61514414fd2ec4043ff501524e97ec5a4e47d8347f098e6db1a095d6ce44fcc86e80197e149116f5fac77a98cf551a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
6edc6b7febfa93cb954f8e94117c5b74

SHA1
345bf79e9c5237f6e5c44372952502ddb563e012

SHA256
2e92cf385dcbe9efb04a5324ca682269c0831806c24cb4f445ef8d6a72d66b5b

SHA512
d655df02cad25860fd8bc2e13dd2174aeada9e452e6cc3961d91acae41147fe749d8f81b718b38b14e0c49d08e05cf86236eac4d37ea6b854d7792f48928e238

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
145b150db22ec8bfc0600df81363cf23

SHA1
07e8084a08c6b21166d8784597f8c5baf6553710

SHA256
ac8c1b21524c338eaa0b3e8652485ef790e7b57c3d4c1145d60cb870cad7c6e1

SHA512
08829f6e6dd3391281b2341d9b092f7878acc22bf9b5f9f20bf3f42237701024a96e3c9e3b958c39519d5681e8b8dd086aa33bc9a2970bbd324cccce3be7348f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
a688072805ceb2851d6f099cf6902bde

SHA1
79222bcab3cfa919c6c157591338bdb5941ec109

SHA256
5acffc0cab00574432666806aa4367e2047510d561544f8d2c26f988887dad65

SHA512
17038945d39a8e3b81bbb214c1f0e2a17c685df3fecb727898894d59a9f743c7ea333fb6d0fe7d08f42b50a7838dd8cc41e0dfbf696c750b99045fa9c0ac6f19

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
edd245fe547d77877a4ecb3f9290620c

SHA1
0e44d4b977ad4e2eb4590c7e49ef54f8a2b9ef00

SHA256
000b798f4b3e78729400f923c34e75d1b6c7581288aecf1a466ab84f591ae88d

SHA512
148736dc2bc096febb863f6fda04e949c7edf620eb64167d74fd0864bc306d6dab78b34a7e965427c39ee0139c7ccfa80e0414ba5525fde5e819db1c7d332db9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
1b745415b7b0e7684f2070146ce1048d

SHA1
99b9818a14633cd6599d55ce2e89e40812192497

SHA256
df2510bd54a2df9bed42fb5f9d5a7ec50b167ca9f3851e30658c1b8a9d48d579

SHA512
5c6d562a307bf3d828dc10388a5509883ec09fa4144681bd1b3106fd5e110900caf6c0f69cf921a478a4d703f5135528b010157c6cd0bc9d67e8b3d2a94267d4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
91008afd387c09b2f7d7382e66347af1

SHA1
d5e0a9f0294ad3eff50c691bd36f6fd17ba71471

SHA256
7d5824af7f155f5d88775e1713d1a4acbc8e499f7a0b9b19c74a2b602c7fcd2a

SHA512
fbd36b100b13cb06df2ef74450acea9da8e56ea11b498b90599cf71392d51afab90efe8b76cb35a46eba372deaf9a549ecc9b4faec10fe15c033118f04f0d612

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
38e2f7185e1eccb0afd10ffff0133f21

SHA1
c470933bf3620a47f5bcb28c4a06e0ffe7a8a5a6

SHA256
6cd0583cdf3b2428af4533f691b8317900070ed28f53b9ff52be2cc09866edfe

SHA512
38c444fb6c81d54308cd3db7947bbfba5f47172c7a352697a95ee0e3a577ea299eae89b8fafbb0c783b640c914c3c2d63b918bf0254357370075ce80ecbdc603

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
72fdf98b3b3da31c9ca59ca40f64f914

SHA1
dadf3ad899db6be5b03f0befbd1771a5af218a1b

SHA256
627ac4d083ce0b5edb7bf0f8543a9bd2c85d470915159cb570eb09e4aa196f02

SHA512
540483beb6dbdafe43145b6e2334dfa752e9e74c48aaebabb20782781bb71b8d276d52ef3e1dc8e26350c47ebe93dc2c4be06a51189a1fb79661a997bdce7e51

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
fc9b148608a5c5cab9a1a5d4e5a1e0fc

SHA1
6e833561e8e7b6f295e76a2af14c3572a88e7546

SHA256
f0caeff82eb6e7f3f60999ef906261475cbeb5dfb5b5f0a962aba023697f2883

SHA512
1c29dbe30f20eb78f3b6bb5060f0872b7f5a69dc7e096173fd6ebf002fb1f6669deefe8fdf1bbb498fe356bba65353a41198d919d46805fb84b8232096bccf2e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
b3e966ec8ef2064eed35df03222935bd

SHA1
f01ca7164e2709f6345f4b45b7053ab1974215d5

SHA256
abcaf052a9878dd0a629fd3eecc5ffc84b100e40a9de47980ab8c1f0cb8df110

SHA512
c91461910f554701727660962a50fcc58777717e528e8625062320defc2e6c8b826415f77d046deedd30a012a48eaa8ca3f4cefe7f6bb7cf9af0f2213d393f0f

Download Submit
memory/1636-9057-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1636-8465-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1636-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download