xorist | fa437ba32cfb9a0adeaaa29e05d45a4dad3125494ed2f6cdf184244203d70448

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
Size

39KB
MD5

9abc7676409e2b51f85f790a682a0e72
SHA1

0bc0a2f357bdb10f3fe1ea9a62b3db70486741fe
SHA256

fa437ba32cfb9a0adeaaa29e05d45a4dad3125494ed2f6cdf184244203d70448
SHA512

86945d6a2774d959c696b6a4907395b5f0efde716e897a9cdc82bae89f2025cb857a2c00b55c3a07ad1721aa0e964e37277d3d2153b009db8942a7a4029e6d4b
SSDEEP

384:QebFNw4Pk1itKkpAjjalrrVuqYvjSXkDCgSkORSmaMB:Q0FmBkpKjaV9Y73DCi2

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2336-3-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2336-8858-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2336-9710-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2537) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

Processes:

9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uFg679gNvv2cs7U.exe"	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Redirection.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Language_Keywords.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_types.ps1xml.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmdp2.inf_amd64_neutral_ab710894455d7b9a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_54f2470c084714e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_aliases.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnep304.inf_amd64_ja-jp_27c560b15d9928c0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0024\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TCPSVCS.EXE	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_jobs.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_neutral_fc4ebadff3a40ae4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\tsusbhub.inf_amd64_neutral_c67606b3f53ae4d4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wialx004.inf_amd64_neutral_0a3a62ae6ed43127\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NDIS\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Ref.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Arithmetic_Operators.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wowreg32.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_command_precedence.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_objects.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_command_precedence.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nettun.inf_amd64_neutral_bd24fb174fabec97\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ph3xibc11.inf_amd64_neutral_bb18e5f134c40c68\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\perfmon.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Break.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr002.inf_amd64_neutral_ce2134188ab21f59\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\Engines\SR\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_History.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbsb.inf_amd64_neutral_56a9f6bceeec7f72\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nb-NO\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\xml\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bitsadmin.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiabr009.inf_amd64_neutral_2d7b3edfda95df40\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WMI_Cmdlets.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_parameters.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Dism\DismHost.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca003.inf_amd64_neutral_8e91d4aa9330d2f8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0006\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mcbuilder.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Assignment_Operators.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\arcsas.inf_amd64_neutral_c763887719bed95d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rekeywiz.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Path_Syntax.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mcx2.inf_amd64_neutral_8cf9cade8f7bba56\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Break.help.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_neutral_814744dd97ccf09f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2336-3-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2336-8858-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2336-9710-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\clock.html	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\flyout.html	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_ON.GIF	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_thunderstorm.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\PREVIEW.GIF	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8F.GIF	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignleft.gif	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45B.GIF	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21433_.GIF	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Windows Navigation Start.wav	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-verifier_31bf3856ad364e35_6.1.7600.16385_none_25fa2709e25e715f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sk-sk_4adc36503d558868\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mail-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ff6f7ad3c2f5987e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_tpm.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e9a36d7a5d1f2712\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_usbvideo.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ff02be6f0eea6bc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Quirky\Windows Battery Low.wav	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..panese-imejpimm32if_31bf3856ad364e35_6.1.7601.17514_none_ff333e6f87d47aa7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-setx.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f02236d9f66d0dfa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnep00g.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ee62ada3a1e57400\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8ef1bf7026e3473f\picturePuzzle.html	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gpupipeline_31bf3856ad364e35_6.1.7601.17514_none_5a5226e685faba67\DissolveNoise.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-http-api.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_53ea200d3ef98f2e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..onal-keyboard-kbdus_31bf3856ad364e35_6.1.7601.17514_none_e72ccbf15f92e33c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..tional-codepage-865_31bf3856ad364e35_6.1.7600.16385_none_cebf2144fc84cf60\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msieftp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_40f52b958c2b1eaf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_pt-pt_4b9a399af2b0e098\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..idebarres.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fa44150fd4c58f0a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-bckupbas.resources_31bf3856ad364e35_6.1.7600.16385_it-it_15df77958ecfb260\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-20108_31bf3856ad364e35_6.1.7600.16385_none_ad4238d7007ec742\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wpd-portabledevicesqm_31bf3856ad364e35_6.1.7601.17514_none_bb70287f31ed0f34\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c9f3fffd349960b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\mcupdate.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..rpautoreg.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_095167b06e013898\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-u..evicehost.resources_31bf3856ad364e35_6.1.7600.16385_it-it_69b43efa2bb9b6c6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..l-helpchm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_071cc5479757ef31\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-stobject.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_95f571d754332e01\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..qossnapin.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8e1ec0d4ea6e3429\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Raga\Windows Exclamation.wav	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000081a_31bf3856ad364e35_6.1.7600.16385_none_588458f27036187e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..etoolsgui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b149e0755d92b6c7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b65fadb214ac7473\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-f..utilityexfatlibrary_31bf3856ad364e35_6.1.7600.16385_none_29d5bb009f94011b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_image.inf_31bf3856ad364e35_6.1.7600.16385_none_c079423a110e8ff9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_en-us_09696feb4aa9dbb3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wiacn001.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_922c65d7f4aa7a05\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..acysnapin.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa73c75baacdbeec\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_827616fb42a2a1fe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..lter-html.resources_31bf3856ad364e35_7.0.7600.16385_en-us_79f0fd1584c8b6ec\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dot3gpclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_74dbadbcc3f4d384\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-usbperf_31bf3856ad364e35_6.1.7600.16385_none_fbd761d791c06ed0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\Globalization\MCT\MCT-US\Link\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_6.1.7600.16385_none_27a7f7694b388c01\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-repdrvfs-dll_31bf3856ad364e35_6.1.7600.16385_none_da36ab884a9c25c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wmi-view-provider_31bf3856ad364e35_6.1.7601.17514_none_5855f28dc44fc176\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\wmpshare.exe	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_system.transactions_b77a5c561934e089_6.1.7600.16385_none_a064cb5a105dea3f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\Prefetch\ReadyBoot\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nbsmb_31bf3856ad364e35_6.1.7600.16385_none_bb5f82db11a747df\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..-optional.resources_31bf3856ad364e35_8.0.7601.17514_ja-jp_4468310064bb4cd4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nap-oobsha.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5ad997a8f8e6c88d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-freecell.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7483dfc226be2664\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..rectplay4.resources_31bf3856ad364e35_6.1.7600.16385_it-it_098f1b9f66d9920c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-wmvxencd_31bf3856ad364e35_6.1.7600.16385_none_49662cc79bce21a1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..ry-editor.resources_31bf3856ad364e35_6.1.7600.16385_en-us_56c62ea31c70474f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_341a55f41ef1be52\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_gray_thunderstorm.png	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-20924_31bf3856ad364e35_6.1.7600.16385_none_ae4fd0a2ffcd2d94\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-2.htm	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sechost.resources_31bf3856ad364e35_6.1.7600.16385_it-it_69a381305aa0f73c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\JA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

Modifies registry class 10 IoCs

Processes:

9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "HUOLVISLWCWCBZB"	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HUOLVISLWCWCBZB\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uFg679gNvv2cs7U.exe,0"	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HUOLVISLWCWCBZB\shell\open	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HUOLVISLWCWCBZB\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uFg679gNvv2cs7U.exe"	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HUOLVISLWCWCBZB	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HUOLVISLWCWCBZB\ = "CRYPTED!"	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HUOLVISLWCWCBZB\DefaultIcon	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HUOLVISLWCWCBZB\shell\open\command	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HUOLVISLWCWCBZB\shell	9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9abc7676409e2b51f85f790a682a0e72_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
307B

MD5
93ba314b38cae5161f5069c29a79cdda

SHA1
898e76aea46705f3551d98fdf96ec4178e97694f

SHA256
35fdc0cafba7a29bdd5aa01d7cca04fac658686a5d78f2df6f2b9c0c432e38e2

SHA512
5400f1749292dba242e3f66683957dfac929aa9d668570a00a36cf92cebdeb21530be02ccac898440f8ecf6c5e7d068d17d1d7d978edd74147e254f2cc047efa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
4c161b3bf225aa443a3b902855456043

SHA1
16c92f11e6b7998054d12397c6731b39bb8274ea

SHA256
bf427935135f3bbc5e4becaf24ffa9ac61125e208f4cccd4081dcc332f07ea57

SHA512
5e49edc6ac3ba6fe262d4e6f8cbff8273a2b48deaa61f5bf2f8afe176c31f69498ac2cb05282f6a1cf1947e5e9ef236f6f53ec6cec4aad295bc6d7a8ab12240c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
5b7eb37998e2e1054b114c5a722418b6

SHA1
03b285dab76df1cd327ad72192db3daa0d157e70

SHA256
26efaef900362aadb417187f689c1a9ee47472d2cc264ba6bab8e86e0594e320

SHA512
47537df308748cd7e810f5412a43b122e452fd9dccc156c0d2b858e1fb0a47f818b04b3e33dacf758bb9c86ba152f506fd0699a43e054e3d7e8a80303c63ef8f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
c1f1574189fa8d393ad0b0baf6f28b1c

SHA1
2ad297549b1c1a790f5ace2b9b227c2b815a6e17

SHA256
44fe2af9b124d8ffdc7edcdd698ebec874711b60c7e4f500e832480a0fea0039

SHA512
50190093c75622b2c40ffd52207aa571659ad516f205ca537fc809d10c4e5ac0b4e552abbd8a19ffe47d63830d8b9f79713acb76e35f2203539ce10496f7d26a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
892976655a20e958a929cc39c9be0587

SHA1
392bf922ff2ad521daca50634147919fafc77d35

SHA256
bd7225373f21ad98a98d581ea609c9fcc12cb363a1ed777a27c0da6b6788d078

SHA512
06509a18a0d1e0baf30b00f08018ad9780050ccb7501e418b98bf8e2d2aa8c68bbc5329835d0b9b9ae5b8dcd3b36880f751f43aa317c07e946bfe300c9296101

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
59f05db69e04e5f14c6c4f66c220a644

SHA1
1a337142d82dd6cec71b04b728784a9f7c05b778

SHA256
b630ea7437b97079a7883bfb2989d8ecb4de303a1123e8330d9981bd906412f1

SHA512
7b8f0d5e494760a95d942beee1f3b1984bf20581e4ce0743b10b87c4ae7ab8cd5cda533f59bc500b7de30dd964c64831af2ebaa9f7d1a72058903b171b38adf0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
a15290825a9f2b7e3aaf59df7d57d54e

SHA1
1ac1ce8e4464345b61de47c29c51a10e6b8431db

SHA256
da6f0a7375b6f6530b2a3e011d7ab9f067f150c31e7ed3fe60e3ced2be4d34ef

SHA512
039f16cab43678fa8ecf181e135fd70cb4e1bf50a9cb7f99e7b3df6db8c3e3965354e99be7e869b59c4f9b2022ca9f51b0fa3e549ea32cbc8e9e84a751f16c62

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
d0fef4b8b5b32dd62e2eafc327f9e6aa

SHA1
02e8ea77b13e1b6b1821a4f8f9de8c51d78cf45c

SHA256
29d2cf1f92c2c518f228afaf98cf8ed86b138c15eeb8aa208845f574a5029d6b

SHA512
7d42d949fd5f15c3251355ade1b35a762ab4c01d90f6f633aae42658808930f1ac33b614859b677f1286e6a699f9f78b2ca38f34523dfcfc43e263a8e474c950

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
35b51dd320875b8776b3916450bb9f4e

SHA1
6818a764bd3e8591f957ee0bd56e81a8625a8325

SHA256
e5498fcfda527e405860e7656a77f26f4c2b27352c70f25b29cc4a6a9d4168d8

SHA512
94fef8eca8d5451582f3b6efbf30aeda11455135d71e1d224f27b03999421b3d7be799d12b204e93c80915c1595763152462e60fc8acfd60f4e3f074c6ae34cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
bce3770fc4d89f850fc20fcaf362d071

SHA1
2f38c1ee2439ef95c74f684f9cfc3310e8636ddd

SHA256
44f7e6614afe137d70ed8ba353980c667197e705457e2c00988c2d985592036f

SHA512
60513f48f8dec528d80af7bfd8666e789bda429bdbfdf18d8061f21431ba9f0aba51075bf3adb0a8e9ade5387c89c71177b25222536fbe7703a423b71cdee780

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
0c5318dcfde1dfb4ddebf99587c963b4

SHA1
1a4af8ea004f98cad0b07c3c8a46a6b0ecbc1a65

SHA256
29633697f8e22801b8923d804cca10ee6009b3152d3e554114d58f93a2e7212c

SHA512
cb39942b1bbb93d2ab3993da12a9c5c284fdcdd820353fb51867509abb938273d4a1bdf8782005a2185ef358f902f71524e925633fcbd888c6f117bf40ac73c8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
fb0e3b104bf2613ccd1c7d45181c2f4c

SHA1
3ed7dbf6290f9aa640c3885e4b398fd25cd41868

SHA256
8f4232243e07a135125f79202a19f783b3145ec977d5ba45ff7b89786db8b1d6

SHA512
03537e8fc4bd4eff15461695bccd5b528a03ccff39e71030ed19231d9f64b2fa75739c57d022a0ac776d1d00d99cf7b36d8037e018ed9e5644acbdb0f78558f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
1ec64abf6a854efd0352a2378a88f73d

SHA1
70d707e986b1f9946af3e18f43ced71cba58cbe5

SHA256
d99f6266a8e24ea30737e39c7a349e47ebe973759be547686e57d7b3f111ed50

SHA512
76f4ba8024730ceb27674ed3a4178ab43dd760a6a4bb11a0c89752f38437c43ab431e175ec89aa7dad3d8e6d7b0f9b10766f0886f64f9a954a53ea814c9e262c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
281c0b0e39f1895512adae4cee74b946

SHA1
c419fa1935ab6e14813b770379b36ea9972782a2

SHA256
3a9a71b194527b1f8c0aa1a22d622bf104d75e8991da88fe68be0427502c9408

SHA512
59050040e82d3d8cb8a3be8ed9ee4fa887d02fcee79932d0fd8a198c37eb99a11d5c9edab4cac791a12e6f0111aa2f0b25a7273a3459e9fafd472677d78c1164

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
8e804525168996b158d3aab7a0d87df4

SHA1
2522aa01074b1491c3ef768e81db72848fa6bf04

SHA256
6a5a7c771b7e89b492c9a3cf94c11b4af2e7b5df233931a2977b3e31fef8ae22

SHA512
98d4c86d8648e0c858b6b5e096738c3877990e3d37dfbcbaec9483b892da745f43602dabda03eff694ea21fd18c3e4d882bc21aa9e9236d4646d4ff0a45fd473

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
1f75226f54ca9b20b7c1bea2e570c9a8

SHA1
c18fabe516992fb66847e12a6041315125eb37fc

SHA256
21adf5c60bcfd28ca23108435ea3d9262baac0a16f16bfa4f4511685eb3ce8a3

SHA512
e8e239d2e9c46affc0a11338d8e39adc6a18e6b1e9ca7d84e180e29ffd6967ffa3568fd8a532087f488c8a700d79de28f367ea34809e7c9f7c7c8df12ec83d7d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
0275f7544b1444fcf74f14620acfc94f

SHA1
63536a72d924a488df835eb801c34d1ac1a3961c

SHA256
1fd1baa958eafe8f7bf1e458d9ee5768179d285cd183c6710ad68cafa642bdc6

SHA512
e5a553e947d2dde409fe4febaca392196630c8d0eed0bbdaa90c4ef446d0a25da547ad126b92536a7ce8c15c55b7fba2d12c33abf4d151a2dd969b1f41a4fdff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
3bf2efb2df85e860fb2bbed843fbcf65

SHA1
55ecb96178b520faca6e66ae1f26d75bb292c0a5

SHA256
7ed4ed120c584b239229e49904cf0a6953ff8ef7103c30c79a6fdcf4098005af

SHA512
d2fab73c3dd746c0741538984f5cae13e04cfca8e3734fbd825bb21c1d3fa3546b3d61c7db76effb3f076c731dd4ba906ec9a9a3caafcc8defc698a9c4db3589

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
2dae3be0b684ed59e6dd76e8079b532a

SHA1
7c5408627106dda259fac8dca6ac5729248f343c

SHA256
c6741bdf9ad8939385db15319dde2d5e66edfeb76527de2a9e6b045ad7213250

SHA512
010b98ab5902f03e7f36bbb43207c705be29c8ddd9dca5b6ff780482bd860295c871eeeaa88e097f096fba9ae55dad38cb3e40427ceeff900d9bd92a9eb0cb95

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
7e461dc17433d8054517c35721b3c17b

SHA1
e6cfaf561fd26b2e0a2fb6d3ea0e7b7fe947a99a

SHA256
764929594bea3e1a3fc4f7129d49cf64a6db7e6b5aa0c71a5bbcd614d80fb299

SHA512
d956c8ce4b9cd6d0bafde13789f344956bceda0ca929e2c6c7d637c30873c52fd7fb3ea462f1798118c4d900c3fa698645fb5bb44584aa342deb229fd1500fa2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
00ed9a48822b216107be46bd174e740e

SHA1
7454b233e51650fb336a2cfcd54ada69eafd23a5

SHA256
3383f12e995dd61d21cfa1b08f2611bd53031f521067abd45572902fe3af2933

SHA512
67b80272a29920a33c6cc755dfe9fec411c2942eefaad242679172bf4d013fb2be5c26cf2e4aebf995fa1d0bacc697dce27827562e2b992bbbe189e56960bc4b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
6f2f9ff105d609e0630e443e5dfae93d

SHA1
885df601915bc541a93b9a21515751c476082799

SHA256
0446c0541a4af668bf2e44c5e4737690207743625e07717d35e0e81471da992d

SHA512
b8cc9aea652403aea294b7754089b2d8bfa5912a5ce3c3f2ada4cce67811b9dadb1345902591865503515be62ebbd1f2bc40d37261656fa98455399535f8aae3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
3600511b51e11efd8bf717d625b3acaa

SHA1
dc73739c8a2e4de47ff3ede9a0c05ab026fde03f

SHA256
8b4c05197fdf22a85d1866390183195bd8c775d32beacac90f9bb5859f03a69b

SHA512
3ac52284f4061cba83733a10cd3fbc6e0d4759f4b8ec4c7ba3540abc9b8a44fd8e3e9d03de8b176b0d995461187d6c5f4860720d12ab766e761a5203b3399daa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
4d6807fea0a41af493c2920ce4663f2f

SHA1
93bcfb2313d3f896f3f90dab1fd519bfd94b097a

SHA256
513a6d718a83185fcc2cc4c87a3acf8f7a4e26310478f9d0c544f7b8d0e613a7

SHA512
c59752db3ea1515e3d1204e70eaa998a096f3216dc921d7cad25c7ff3929aa0b278d9a3891f713d93142ef4103702d32f3c572c9a59e7404826e24a4851040d6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
43f79317b49f1b6089fa1e601ac77a96

SHA1
6f7f469e9e0e5b8a1aad5864b31cba1c855daf51

SHA256
babd73230f7107032b49776d8efccad673b3de82cf63332c16566a84e44628e0

SHA512
b408761237d20a65ff1f00219ec59e410be08a10aba25e949b414449904cb6adc48dcc6cd22735aa00a4141f88f008f3a9f0b53078a55468ab87d3b93bc4cf7a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
23f29e2b51188470721024000f56c4e8

SHA1
8e06ce617c7947e8d44a072a40c5dd47ea951d66

SHA256
0430f455df87c06f2c13510aff1f08a9a6d2aaf60127881e70759651e62908d4

SHA512
81e0cb10a61c07d2935c48a17773bdf2e16def31c15e89d0d197d7f50d7ccc63abc5754a225fd3e7d0f3ce3176fdd4c8c68c4f19a3f710b734e9f5a1d9d2d9f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
d6929139a56d8bdf40c7b9f33cb973ba

SHA1
314228d20ed8fda5a9c568cd48062213008d7a10

SHA256
a10abee3c0740577295e091c3f8fb94604a7530819906ab80f3d0726f9853617

SHA512
d831bae795ef2929a4fd728c8a94c28112af89f6807f685dd77ab77a38f59c499afd42113746031e97f2f0446dc49f910c21167fdf1f0babd05fd327168165b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
4c9e44126ea4471fc9001396aa4afd2b

SHA1
a95a5b3658268c11bbae3fa855b0be38a363e361

SHA256
798c5cc3961458610807c8b68edd3e0f6e60fca4a12fcc0e4faba320b8f11c65

SHA512
81a4b8bb48d1d0c8668b66968db957e00b7d8f48c953c2f6ee3e234f6956a8299a1c5cfdead90f2ac30726e8bcc5eb737c34fb33c0371e795538e9d078ffde49

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
15d1e767e02eb84ea641278272f9d630

SHA1
96f580cab523a94399666632c4aa0feb64e1bc66

SHA256
6d3c5ff3fd6aa89d28ef38f029ca049f44591f0190c68102035aa242149e338b

SHA512
f76d655328120cd140dc27dd9363a18ef683237504680430fd8e5101c00d28cebf6205d031e57f817857bc9b4ff308913f737ea49e0dd81e9795f46edb5c5bf6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
e53ea72c1e21e95b4bb3a8920b1f5e72

SHA1
0b77db173ef418dffd045048f354db38dd644c2b

SHA256
8c3676fe8d2dca50ea18b9a11a021fc515dc315e18e1e49fa7685055a3fa9eec

SHA512
831598edf4a52a7dfc5c60dbf9991bdefedb80e6959e507e454c1a4c63a25af8a04f2e01adce0bdbcc3fe99892e0cce5b33960ff9345a5eff3011af38d921f5d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
8c2de36fbc5668aa43160795a73011cb

SHA1
599dcd526c7f8006e5eb6a3d3c13e9af06b4cd7c

SHA256
45491eb4073022fb45b40267fc05ecaaa7b6302618eb7fa1c43e884456997eb5

SHA512
454cb76747157d62ab77b38680969ead4d5fdee162e91004f63ee22a7de28c39d697d942b6f29b859722a98733fd4547c1fd791dc23ed9ad7c9b0253e8e23848

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
7c2172ab3be24dd7557dd45c6a0637ea

SHA1
ce80353e51de8109c7a0c196420f6374eeaf48af

SHA256
eaa4cbd94ab21e62523d13311d29d5b8d16d6b9c11cc7860bddb07f6e2015c6b

SHA512
9fa936ffbd11fab1d9a33098a7e2885cb71ef6217ca6f0b26d6c512c22b2bf88d9da265a7ddeba840b3d2435ca8d02bafaa3af10c97f0f1e61b651038703a8d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
279a4c4f31a6dbe16e98885105d79a36

SHA1
41b423c0f2bd893eb14d13aa5187a1cb72d27139

SHA256
2ce379b45e0e5ede012fd62eb3ca4bbc5253d3c66a89eb179262fb768bd11785

SHA512
f24ccc4c0c0f69d54350b582344baef34cc191523e0206d81bdf51b31c3e3ce0f7fca18b1533f5158afea5ede0ea6fdeb7f2008e7de5172a2d3d7d3a04c7d9a9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
ee6fd6978a50c21471d9560e4f076ded

SHA1
a85b624e42927ebac2b5172d744ca9ab4b0a2418

SHA256
1f2b6e71848f182b8ef7e56f28ba4cb6ce4f032069a9bcd93e797b6f3771bf5d

SHA512
c61e7fbfa98429a897817fd4c61e759cd476a9642512b740018e806a84df5a1bf82d128b27dafd1359c5d038baadc9627d068d5fe0913240c6f718fda468416f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
a2052a98789c0778e012c04ce3644645

SHA1
c5043c5c97b74722f36eee0eebd199559e4b0720

SHA256
14671691cc8f36ff8d2a904a7344ec71f78232b57fb3fa6d2f7a22fb8e724c2a

SHA512
3fcc3de10522993fb6b0eebe193d19699443488740417d495ca0568480c06010a33cdedae4b9e41e5b50a556fc2266970699ececba9497d5ee81157815611b6a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
cd5e6160900087504de5e65d542257f5

SHA1
02e1bed3c1af33d2ff0b6c25f340f293c1a884cb

SHA256
4bea43d01b725b7060148721b78fdb02e70b335a7c7f61995f7d31f89c882165

SHA512
dbc798827cd73a697a5a5e2120fc1b3c6c67ddef2eeea9860cb1480472ac13bcf3d629af1d659b5a26653b5896f423e33708564ab4e2e36196a3d53abd69bcc6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
bd3a8cfe3c9c73dbc969517e1f4fba3d

SHA1
bc349d37436efce23331abfdad5f317e908a404d

SHA256
0b6db9a4a88e08ca9e84065ce1a62b392ba458465684a627923d654fd8ef4201

SHA512
08fd2a72d52de93b8b56f695ca2f3657f0ec9604da053ec96f844ea944bc8c64c9ea982bf915f9b23f35f1bbe88b719d983ec93695303cfc611a470225349783

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
fb61a631a17cd1f8350ed627b56b9f1a

SHA1
85f89b8a7208f5c77e65fcbf38f16dea698bd1d2

SHA256
19071cca91d62a99941c626393caf90005526f2f1bfdaa9003efa04421d632ad

SHA512
25be19fb446586b2f6a3d47fc650fcc2b020b54971e03f108adde69f55f3f141a5d4d12bcf049ead42ea4c9fe234b0edb8c1e8420f80a563ce46438021e1bfad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
1ce4c53dadbe5db570e27dcf60070a92

SHA1
e51ca289770bbad7d6a3869a007f3de6f8ff65c6

SHA256
59c1c9635d1891341914e47682c2c1af27a9becd51158b30ff6378d4f07567a9

SHA512
6b3f7c389e164f65ab603d6b660769e94f19983586eebd32394bbe71993bf2df99a691e7a7988dc5953c1778234a29fdf63cdfa1ead151d0a0d5f3b93942e4bb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
d4f74f4580ec3ccc000b18d6909c32b2

SHA1
f23d4cb55e73ce42cdbb0025ad0758275025a087

SHA256
8ab93454edc4a1084d7c7a54d9ab68adc00034b95d9c8ab8f0f6fac36c9217a9

SHA512
f6fd856d77198d996511374ab9412aa8a0cab588d686edf149d691e18ea144e839f551c233e58098423f216002a97fb97dc19fae15d032e7e94b58c0ebec62d6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
ad2d94ddebc009158a09d4e1391f045d

SHA1
25b7d05533640ba7569fd18605c0d7011391b160

SHA256
da379d3bf239a83c3013c0550cf1e1f5130dfedb053fa12e763dd5172b3555d7

SHA512
1abd81bf5a3ad8f825ea16309fec742e46287f97801597febb7a2df127ece762a612f2ac6ca6280cd7d17a84df87f4afdc455102004c0332ddcb6975e7148dbc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
c8ae1005e9013c59d6725cb6e6f8153b

SHA1
19ed6c886f220b3e052d3d7f9715af1353a1047d

SHA256
fdde1ccb86e27decba7076cb1641cb9f80ab2445524da1e39129b2c524e88a1c

SHA512
23d48bf365d45056a1a4930761adb8a380d503284663933e0e0307f3bf836aba4c2804e4f0eb9d247426775ff36076e9665b91248f57e966cb72197cbeb16e07

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
2f696dc6ab63c196d9e08fe305ffd6c4

SHA1
d8773811b43d5e28a8a6b2b80b933155617ab977

SHA256
1162881593732b16b79368b9a2eda91b621bd59ef5ec3357d7eef843feecdc62

SHA512
e7b4d5ce66564b79b5b609ae384187bc438ed0b6638eeda3e4eed13edd7189514affe40e1e1f136ab90b77fcd1fcf89a485c38883cc3dc2306133e8028fd044c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
27d8b0597d524f9647f1154c9b8ec1a7

SHA1
d0b894b7239df9a33d06ded0d0f4882f3d70f027

SHA256
542334cc0b4a6b433251d80ec6c66e31e2148ae12b922984acb553ac002a64ab

SHA512
8d1da258152dd78f1dc7d039187537e2a935608922344bb68e9261335f01a246fb2a492290439526fbbe0451643501b347357ff632868129db1500f9fb36c95d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
627ac7884cc7ee93b51518890972da56

SHA1
35be90ef6eff2624bdf8d4198c9d3e7ce361d4ab

SHA256
e73233dc84ba947d0afa025f94a034edfda2ad944a37791d2aba0447a1a4add9

SHA512
819a6e490853aee02276bfe5c4e1f9ac53478be88ed1a06bc962b114182f334a2973c8538fe4518a76e9bc297d6c0b00746e5a50bba81dae8a43a56363934d22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
3e8ae2f204c870636ac7f2d0cb94ad0d

SHA1
2caa5e9ae94dbae60c50a06bbe9e31185c431724

SHA256
4e6d56857647e5ef2dc6c9a7f6510423f581853c0158e0c6272c6dbb9d8d21cb

SHA512
265592a6306768abd2a3e695271ce45a11debb0e8f23a6af34cf2263297b2bcf6a01845e50d2560b0251e9b0e2baca0799ad0ba1df5f6ec0cd0e2684ea7e5323

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
37ad75fef88a371c74db61a821a218f7

SHA1
55596ae3121b13148e3100193201c5d2d9ccb6bb

SHA256
2e4ea28c9f8e136e1f3456bcb2e7f57ea17f20286a077353b14dbdcb32d20cbf

SHA512
c6288a05901c60c795bd6bc904044f744bd768ccd226a931febc86dee7199ef629f4c81096b576185c5075d1bdeb65e9a0832a8aaf391475eeb9e482fdb2f0a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
ad9521731b0b05f498f1e36c29d708bf

SHA1
9fd2717f62ff75553486c4ac0972450f065ba1c3

SHA256
45bde624c90f44563832a3f196ce5320199753f9b8c9197000c8c582839bc09c

SHA512
997fb2bfa58422dcfa36f1a99531574eab33d9adc14b6a07d4e31f2c1faeae5b32ac1b30b3b3586ea662b47942dcec89875db5bdac501e19c7d2dcbd2a7a05f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
18be4dfe32206e415fea6cf2e3a3e044

SHA1
aef549fdd33a93bc4dce3b2937dfb1d091c1498a

SHA256
71007495165c93f4c36fe5a236d1d0c963193cb4bfeb338d0edb5bdaccfd4185

SHA512
e2886d61f5b60b780e95570fc2dec6894f8f70cb754c24b5931a276b19ae24b18f4a055cd012a38f5ce34e12a2003e9fa7d20a3bfea1eae5ee16180c599ed4c0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
634e697e3524b066e1e89654dcc59e46

SHA1
cbd98bd09361cc69b38a4b84efd757791eb64781

SHA256
c7d5a16db3ce12ab6a7c810ae620639f23d5f0bfa6ad61c2eb8877f6cd7fafb8

SHA512
ed83e4614644a0098ff98227089b996674df02c9064be05458a7549579a53437f1f1d555904ef591a960671857d902a6ddd17760964412e9804c86e2dc9d3736

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
99e91f5251bd4cf79b1acf130a96fdae

SHA1
e68d6dc5e0f808208bd919e9fb9531dd7ece6d09

SHA256
6312bc59082fe6d8d114a94009d5c73a3c8a5a6081cb1a8c1fc1d246472f4461

SHA512
9f3aec3b722962ab72e67f53f60bbda9c7d1b58dbc315f2486b9215d723ac4f6d36c83e05ff0a537ce8af70b2b9186ab84e50cec94268daffb81e02cb978c5c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
e0747d51b51ae28ac05d3e02961298f6

SHA1
f295766aff78c4896300213ad50ab164becafb85

SHA256
8bdec0ca10d2c05f02bb524e928ee96a3f8934f0dd5c9ac8d48a5568a4749788

SHA512
13e457a7ee89fa559ef403f589040c1ee7a4464860a8d59fe06325b26d01987417fd5b62035d0b4a98d43118a3d17e9073f12ab8f983f8a7a0d0191b2a5f96a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
8b0ac2ad2750da96a3c9dbf151155f23

SHA1
bedb2bbe935cab6e64aa14cad9af45a236b27357

SHA256
c3bad2b4d63be106251f80306a39b1801564cb565a2a79038ec8a32e63cbd33f

SHA512
e32344c3bc85dea4a38b0e8758f828033fe468376ebbd96d26dc6b778d94801667ee8a9614effb7f3bf7df2371b57a9aeb281f5fb6e0fafe9b3a39c641d70a0e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
d3ec438bf6a66eab1f9c17e67acab946

SHA1
09430ea3d005523ed7e565b71429000e61a7a1f3

SHA256
b9b1c5c00a44b92dcb6446f6bdc9e21a7d2582db071d5b3dbdeb8970d0485095

SHA512
53c11e5f90150b0b606f981ba0a9f36aea8676d21aa1d8b78bb8b252203cd1c4e0dc499c7f5ac28ab7948a770862c319473ba0093c3fead47dd68acfaab61a34

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
8161ad7cd376237f5eed64fff5ea2f3d

SHA1
0668bffedb706ae3c917f26c819146865fed4e6c

SHA256
abeef0a6222756cdb4d5649f47744dad4d10018df2090278588bd520689e683a

SHA512
755f360f6f2123e37f5c3433a3a240daf8309ecdab3c2211314d318b991477239d1dae85123a477a6cf24f81819b8058798bd7e14d1e805425eb018545da9f23

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
900a1d6422d6fad7f061abc3625bc4b1

SHA1
eb551499a830218921d11e891f67851436f0d54c

SHA256
eb00034b0ceef76f196ac9699cc42db5bc90bdcc06209037f62f41aeeefbfca7

SHA512
e047d9a57079567eea2f0f8a76cf33659a8e33ba853097bb554f18fe04c47e9a53367a58d32c98b8278aa7d1a97cf77d9e8e52eb39f0bcc04a132f87e414448d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
773af7800e7f9d476b57297068ee59d9

SHA1
2035daff91752bcc09231e4711f1c3f432973b3a

SHA256
8d1ddcd833f25e8f15f26e09453debedad0d70db08064b3a29aa8a5c8112ba00

SHA512
def0701e0ac4fb9006b8c49827c5f302227db0400d1a921059e73cc8a2dc0123e6ac71d5d0e6d0f5eac9bd94042886e81be436ebbe14eda3cf44b33d131c40e8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
a6f58cf5a8e36dd7627f583ba39a1500

SHA1
f96cf073cdeb0a3ab3b09abaf6a4459a8454bf09

SHA256
1d1b703e4830fc213f3432f6a22e490e748340a91c432108e3e838676d90cc38

SHA512
6c2bb5b4511e47ddf78b0d8a0ca6b3d6d31952d37ad4892fa06e8c9e92d7c719e1baa41b53635b1f0475794fd461081dde2d18d4b7c462e4af76f1556a9e81b7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
e11f42ac22e37e7d7257956375c3f091

SHA1
99e02091ed279a44a7a522ba38da3053116399a5

SHA256
56732b27d5ab3b96546374c56ebe21b72f5074788f2ee4fec3c2b3e6bea51a3f

SHA512
245e3f95969268eceae1ac42c5493e3403f43a83db96a6de205ecef7542463461e5077b9ba5752d407e2211da1d69336e69eb63eee3cb5a4ae7dc80679b7bf73

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
f4cdd175879226f2128932dbc088d726

SHA1
043cee646f79164ae1e1e5377f5c21ae06371ad5

SHA256
0ca65354481032ed96630094b26dcd9a2feb2b7781e929d144eb70aab900a78f

SHA512
5ba9b496fa677b592fcf2835850f840718bab130090a3ba9fb60c637147f5ee36c633ed474b825246c446ac2c8446f8a141026ad4469f6ce14020c5aa4b8bd7b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
0d0314fe3536a90bd7a2f5f65b66cc8a

SHA1
d03a58dae53d18a2841873c5f37dd34ea6c28512

SHA256
5abc1b8c506b709a3cd5ad84c11e4a64e54610ea229147c1e631900aaf2f4af7

SHA512
bc3cdb5e75390e94d7c5d36113e31a1f7168e25c3d39e9fd67cee42e3af4f008aa4ccfb96e5525251ecffd2ff35dd5226f9ad42909b6781c693356567b122e9f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
10b136d49b2576e16fa3f67ae992d4ea

SHA1
ea25592dabb4adbb8469b07c2bdc99d3b60393b6

SHA256
52b56c94ff21d9a25145defee87794e8b4bdfd72fe489998e5eff5341bca7247

SHA512
3ad7dd088341cd0efb8025bbcffaf1e330441cf0329e871dcc77c10d25eeb89c7cf793b30e1fba7dca7245eb4982557e00ca033398d486c0afb1ee2c024de508

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
9723e42d90ce0b46333b9c572ede82a7

SHA1
ac972f4cb94d3d665d715979c0ba0e6efe4553c1

SHA256
0c94e76d4a81be56dc5a7d0f44795132723a3a2e5888db9afc1e482f775874cf

SHA512
9f8b60a35dca3712ec91a97ea0fe4f8ba4cf16b58d061fb5dc7a97651481fc992683f8d9b9f05e63dcb89a57d5f214bf132bbb0853574e2b891c06e0f5c90087

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
afa77a9a29c51120c4be93c46d612cd2

SHA1
77a349808f5734c7e3a1e880d8742a8cbfb06416

SHA256
0c31085cd5f2121c584709e3e4209ddc3491bf75b109e7915507eaea29f30df6

SHA512
658900b67c21cef8b47e6cc8d1f4a759831b3dc750880f128171d58af28845051f135b7f2c6f7e2787906ac2ce45ff0009d49fd59a7b3ff84e4b8fedb2fb36f5

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
743c61f6cf2fe76a07efc3ddab2bcfe4

SHA1
2becca9ba873aa3e1d6f0c2854cd127f46ed0383

SHA256
e7e52459634d778d3114c083eca710ec28ccdcd7d1bc87f230ca84b354f61d5d

SHA512
ba4de6d4c29772f7f77a03da17e324000db1e7f142f8543959740bebc81aefdd33de2581718721d144327cdf35e0f78312ce5ac1624879a5c975a4d5a0a36c4c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
196bac369cbb81ce12cf25e051544de3

SHA1
25a10293a577a2f93c4eb2ae63b436da7df30bbd

SHA256
acefc5ef65f9728e10ba0f00512a3f65453c34106408a2359ef9a32e304e94bb

SHA512
7c9cffd13c767cfa2aace9dc74dbba2326c106b6fadeda3ed97e3fc8314b2fee493a625efc4169c5b7853cbbab80b7e7dd7894b255c1a4cbb1054b6b45bbb0a1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
d1412497f7ee454cee4958d6aeca5642

SHA1
56a281295734e9b259bf0230e03c39b2e6ac5606

SHA256
c6241ca3e6d5eda0c3b4ff61d6bb97f1f255c74ea2aba0bdd5d645be1132e213

SHA512
8e7822cc8820b340e442664373d41f7007e209992bb9ad2333e6f604d48568cadcb1ec2bf25cdb47890fc4d15b2d62c00e391e639a187fc4b72e57ae7f97e010

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
31742353cbf6874416302f77e058d2a1

SHA1
24fbc0b098c75d56d875cf9d83dc31d6cc8fa066

SHA256
83c708ef014d7e0b6ed587b10858d1d74eb47d38a9ba63c87bf951a0c713616c

SHA512
15ec26ba0fb7420bd45732721ed457cdadecabc60575f69af32a5016f1c9d9162c87357f81e5f5303658e1ef0778a5e5c7c467e2efbd77d0ae235fedcd67a8b2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
bc60d114ab69b8788b87dbbafc5f6ebf

SHA1
4b567a2ea842cc00af56e4b1f429b0fff35d2c07

SHA256
7bd64e2c1dff6019282bca56a03456ac11d508fe2d32b7fd8d624d40a90ee738

SHA512
2fd55da2a543702cdd05375b78f6585610bfa15af00e87a69348cd602128f8a095184d5224fdc64452348bc4ac03b483c69457176e0a1f6710496d46ae9e7fcc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
a21fd6f5f0b0acd3e5bd12fa07036c57

SHA1
c721b8e23fb2ff860973bef70de307b2daf28099

SHA256
841418802dba5f6037de7c915eac705b87fbff18d4bcc3b56ee37e2195aab163

SHA512
b9a6c9dc7f96f1362e8bae494187362eea8f494bfcec5fec6f3816a2fbb8a1c82746c28d8450763ac4cf4b7049718019ae1b03dd305454936d2b291d1bcdb1cd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
7d64869553c6dff5fc3e5697e3c55592

SHA1
4dc5c12ce4916f44593a6fb2fbae6b6d16a6dc3d

SHA256
06e9dca32f95e4f0b13fa304518e00819a76b7254a902e99bd2b807ab7036261

SHA512
f33c230d0a62ae8455fe9eb9778a43d163b59029570d299a9bfd6e7d32900b040a8e8e892764a78647d232e9b73cb158e184410d1d6cf58a03ab52420509e179

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
6ee389e087ba1806ac8d6fabfb1a2d96

SHA1
3ef992dc272c626865e4952be1fa2f9dbce8dc2e

SHA256
0b9202dbfe3d6eb3b40e356edf970101d30c54e9988631abeacfe8a192ce9754

SHA512
35fcb275765d6add2c8999f3e47af6b58ada53b5b02a7712cb2b625f2bfe6481bc741f99c9a88f19dfeb6b5961486aa8fc9b6916da46c63b69479944d5802b0e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
39065ca38b6900e3f6f4c88e430d3174

SHA1
f123fb98e0e05ecbf37241b98dfca9aada8779d8

SHA256
35e32daef9f104fcd3620740976a4aa4ae72c1b921e7de7b9c84638965e108ca

SHA512
a4809a7c4dfbc83fd2d176e72d881f96e9a7bc9a19161772bd95b6d75105e5f3bf1d5a645b77e54416480c06c8be396225d37f6c07ae7c3332b8cfa3f1113c21

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
7ef7ca9454b42e12c9b68d9aa1f31d2e

SHA1
23f911160442139334bc2ba8aa1638a041a3a73d

SHA256
e2351c02e0283096dc1f38593ee06f5d58f0a16bbebb7dd85b2d726eff4c5d6d

SHA512
d30245a1f25485f498b194816112b78cc3c41f4ef291461c5d256b2648d352ba78994fd4662590d169ebcfa7f170d8a3f8b11e5641d10100fc47ed92eac703ae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
8c896b61a9faac3f24e781c58f3617e0

SHA1
b2b97665548d52eb78751a15ce15a9f0a396d32e

SHA256
9035a24d04368cedce17012f58a75f2eab05cb95930436940dbec740810fa11f

SHA512
d0a43038d01bfb8cc789286678f40de89ef124220cbb673c032f1b36853749eca45034d7b857623c436b1075d1512a3bc8a61589602167d27b133b05958f6790

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
86f59314a5d7fbd3be25682feedbb44d

SHA1
efd24665af7bd2b27922dfe0fe534aade111b592

SHA256
0a56282cae5803caa193ad124a1273e2478e690839042ecf75fafa318c371e25

SHA512
a898f62ccb87de6e321e1ca6a6343df5f8a14334ae8527fff9b143f0c28fdf31770704a7539304a246b861dc4c2af84db9738bbdae0bb0c85155de26e967152d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
b82373a8e89b67839ace9f1b45d687e6

SHA1
e1645515db68defaa5369836346cacf9d05cf2ac

SHA256
539583a6cbf85225bb5836797aa1968328193dd9456f8784e213a7e9d6fabb57

SHA512
173d015df6dc477476e9d18d7bac0839465a6998d68e2f6dbc0ad3475b461a453edfef37451ac27b345e5351634aaba87845fe0011c7d3962f20717a2d62caae

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg.EnCiPhErEd

Filesize
8KB

MD5
dadc0cadfb60c888fd202cc3abffc002

SHA1
cac48d34c14aac4cea071f8dbfd31ab0e3d2db33

SHA256
2b8cec1cfc007532ba6c9f78cb25d81c3979f41da7c49206f2ca12513f1785b7

SHA512
822f04294f5394a82f5ae0fdb3155ce633391c7043fb3965701b06372700521100de82c79b974a3e9b034c43caac509c804bcbe5f9472dc7ec7ba86edd4fa622

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
ce7aea1c9ceefdd8530587a6a4228d5c

SHA1
3f94259020e6201964fa1285ed65a8b8c2b1386f

SHA256
4511cf895a0a729022b02812c4d67898bda6b8f63fa6ab172fee84cabd4e4bfb

SHA512
a8aba436111b4130bf985f4a7214aa433b8901f53ddd04e84bd6a4b26ec03d1abff34da870e328f5cb909b1e4ff560a96ff307d7f3e3a0a37585e67fd4219972

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe

Filesize
32KB

MD5
fea105ebf3c2cce098261596aa917e2d

SHA1
5116004481a5590d111151f0a0c7ba63c7d5d1aa

SHA256
67e4fe00dcde500b4c9eb35d4b9ee41a3bbfc3069e9598f187c219942d2385ac

SHA512
b358a99d4354dc0f36182536e09a27531b2c5052b8c0ca20b4c4e881645b7b19b93dd54de261b05d271ae2d7f954e96c2796ff9d4fe962b7e0f770d09a488deb

Download Submit
memory/2336-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2336-8858-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2336-9710-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download