xorist | 4e7bb6ba0e79fb93f0b6bff47048541c742fba46e717c4ddc15379886fb4d4b3

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
Size

7KB
MD5

d20f575bb865c9d041e032b64b89701e
SHA1

de6fe5c229e6c249189cab8cd62109023cedde9f
SHA256

4e7bb6ba0e79fb93f0b6bff47048541c742fba46e717c4ddc15379886fb4d4b3
SHA512

91b464df5bbfb4143fb5cd174870bab27c47bbfdd3ca15c5fc93f426fbc9ac9722a2e9aabc9ad61e37ace8744a77207f255842574aaf32f3a3ddc61698b03ce9
SSDEEP

192:bzdrr1FG1WDCgmjPZ03zJNd3aVAORGMUA:bprr1gkDCgSe3p39OsMB

Score

10^/10

xorist discovery ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 5 IoCs

resource	yara_rule
behavioral1/memory/1620-7384-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1620-7385-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1620-9021-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1620-9022-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/1620-9023-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2174) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\ProfessionalE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\angelu64.inf_amd64_neutral_3d6079dd78127f5e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_neutral_839e9ee1a8736613\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm002.inf_amd64_neutral_7c42808e24ebff99\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pl-PL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Comparison_Operators.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Session_Configurations.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmbr006.inf_amd64_neutral_40c76453575b1208\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmgl010.inf_amd64_neutral_46f466c9e68abb4a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migration\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced_parameters.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netirda.inf_amd64_neutral_93a886f96cea2847\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Break.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Path_Syntax.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrm\0411\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DriverStore\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmvv.inf_amd64_neutral_14cb440c800fe9fe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Windows_PowerShell_2.0.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00x.inf_amd64_neutral_808baf4e08594a59\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_wildcards.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Session_Configurations.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsuprv.inf_amd64_neutral_31d10a1a73b4feaa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_transactions.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrc004.inf_amd64_neutral_bbd3435eeaf576ee\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nl-NL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_profiles.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_do.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_x64.inf_amd64_neutral_24a71cdaabc7f783\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_neutral_c81780c5dcabd0a0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_neutral_f77725472d91b1d1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\uk-UA\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlasat.inf_amd64_neutral_bc1469ba40fe2114\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmlucnt.inf_amd64_neutral_642a5ab3f2a1ae20\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_scripts.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_internationalization.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_requires.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_data_sections.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\megasas.inf_amd64_neutral_395276dd9b7a7448\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1620-3-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1620-7384-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1620-7385-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1620-9021-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1620-9022-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1620-9023-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\THMBNAIL.PNG	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\PREVIEW.GIF	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00037_.GIF	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14578_.GIF	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\COUPLER.WAV	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-disable.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\41.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\PREVIEW.GIF	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR00.GIF	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_choosecolor.gif	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\BUTTON.GIF	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14757_.GIF	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_settings.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Premium.gif	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01750_.GIF	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_MSIL\microsoft.transactions.bridge.resources\3.0.0.0_fr_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msdt.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_38d640011244b18f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnep00d.inf_31bf3856ad364e35_6.1.7600.16385_none_ae3f8d47fad9c2a7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.windows.diagnosis.sdhost_31bf3856ad364e35_6.1.7600.16385_none_65a203c8a2dd2bc2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.MemoryMappedFiles\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_bthpan.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_10c381982b9c3bbc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\Gadget_Star_Full.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\(120DPI)alertIcon.png	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-deviceux.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_11d53c9a0172c986\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_it_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0000\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\Media\Cityscape\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_aeae15a0d7fc043a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehglid.resources_31bf3856ad364e35_6.1.7600.16385_es-es_897656f7467890e9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-peertopeeradmin_31bf3856ad364e35_6.1.7600.16385_none_a33e5be2e9985753\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2178441c76ff810b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\02d5be8209f0eac6f7725f8d83b87df6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..container.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_52d8d57ff909b6c1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-a..ecore-acm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59509e966577143c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-moricons_31bf3856ad364e35_6.1.7600.16385_none_410fda20fe51f655\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-diskmanagement_31bf3856ad364e35_6.1.7600.16385_none_016e0bdad110d4d1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..e-spoolss-licensing_31bf3856ad364e35_6.1.7600.16385_none_ea7fb3ce3b46158c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Adapter\8.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..splay-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f823594127c06f53\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..nistrator.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1112590f53def0c6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_de-de_95a6423a6506ef76\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_remote_requirements.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..tools-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_122baf121ffbd283\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..tx-xinput.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5932ae3ef06a79eb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..cyscripts.resources_31bf3856ad364e35_6.1.7600.16385_it-it_00cd30feee4af5e8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ginworker.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ae3287fe59b4af28\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnky008.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3042f86eab69868c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..erbox-isv.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0773dfff86ec05f8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\system.io.log.resources\3.0.0.0_de_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..apc-layer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_21b6e6d65bd4c9c3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..age-codec.resources_31bf3856ad364e35_7.1.7601.16492_en-us_a29fc0a918aa884e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0e84482c0b6ae96f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_it_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..installer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_148db478a63514af\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_mcplayerinterop_31bf3856ad364e35_6.1.7601.17514_none_b578c58439a89327\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ginworker.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3add512823df9cad\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..writerqfe.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cbb69d5d9cd32768\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_input.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_201777abc96019f1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..rverifier.resources_31bf3856ad364e35_6.1.7600.16385_it-it_545d131af4c00289\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-o..s-shellui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_89c12f5f5317f4bf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_it-it_67ed08aa52859c02\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_nb-no_40e59f17fbfe3781\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_29b7ce69634b90ae\flyout.html	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-webdavredir-davclient_31bf3856ad364e35_6.1.7601.17514_none_f1f36eae68dec4c5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-diskraid.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c048c7ea3fca805a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-artcon5.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a3fdc7b31d7e3f7b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..interface.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_08c8f5f91a375d7e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-usercpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_95ba074af7bc3755\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..-wow64-setupdll0015_31bf3856ad364e35_6.1.7600.16385_none_4a741a78c9baaca8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..tconfigui.resources_31bf3856ad364e35_6.1.7601.17514_de-de_9b67b16a38db0216\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 06.wma	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_prnep00g.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_16a18f73f5c168db\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_microsoft.wsman.management.resources_31bf3856ad364e35_6.1.7601.17514_it-it_b96afc9bca6d1bdc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wcf-system.identitymodel.selectors_b03f5f7f11d50a3a_6.1.7600.16385_none_f04b673ed8e1d20c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wpdmtphw.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b8ee4729f5f06e11\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-a..ce-useractionrecord_31bf3856ad364e35_6.1.7600.16385_none_32c4b0bc55387f75\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7600.16385_de-de_15b4b7bedb9f974c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_locations.help.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..sisengine.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b18f16a48f8b75a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVFSQWMQKONJWPJ\shell\open	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "LVFSQWMQKONJWPJ"	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVFSQWMQKONJWPJ	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LVFSQWMQKONJWPJ\ = "CRYPTED!"	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVFSQWMQKONJWPJ\DefaultIcon	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LVFSQWMQKONJWPJ\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vf2armlQ0yGe8NP.exe,0"	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVFSQWMQKONJWPJ\shell\open\command	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LVFSQWMQKONJWPJ\shell	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LVFSQWMQKONJWPJ\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vf2armlQ0yGe8NP.exe"	d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d20f575bb865c9d041e032b64b89701e_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
282B

MD5
69a98ef655778f1cb3764a923acbae80

SHA1
22683321e95c9a631039d15fc49ac5d3e639ac54

SHA256
2ff127d5bc4c7333c8f522aa4b456684eca97c06d452bf7d00b6a99b49b11b0e

SHA512
610fc09f40124e1a74ff303ddd95ad5809679be9e0c381e5d367ecf8e1e137c3da188142de7a2c5fe2b1225e12482245f2b5c417d43d73618108bfb1c32a5ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
fd99ced5d90bcf5b072fd40bbb45d696

SHA1
ba6fb25f2b5fd07008636001691f078843b22b07

SHA256
3d3ee048738fdb1a3addd21f418afb49b0b342302fb71cfee2a234a4f2537195

SHA512
b3a28ee6fac294134fddd0a3c8b84e25b902e05788c82f724196c30f3b7a6ebe68a2390cdc264865a5943b78eb0d2ab9805367bde3ed8ba642c49eb062954efe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
3ff498d186716602d4746228105f760b

SHA1
6a69ce74f1806faf88670d38a4f9e0bce72f6aa1

SHA256
61ea8e1060c50e9c24ec57227ea5eace361c002afa5be583c759cad62124f82c

SHA512
ef81d732fca6aca5ba89a003404ee45e958c4e1f0ddc13b1bb18c6896bf87f0e7ed92f8ca81d6eda4b4663edcb833c6936283aa5f0d5a64a842875207475f531

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
6725a82151dd3d10d219dd875734da96

SHA1
de762493052bad973cf7ae163a9f71ce569e5c34

SHA256
e159849370012be8965ab5c6178bc576cd15d6ace0c5194261242e822331efe6

SHA512
ae55febf67a44cb93c556fab2510b26ca258f4aed1a9819fc2ce202db88a5ee30e0f2109060d505a47ac35bdd7ae1845b713a6430e2ad6b636eb6dd64e169a59

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
7979eb44ea3724b899816b327be7cd52

SHA1
e11fcf64e14bf7b921f70beb41653aff6924d6d0

SHA256
9968a4b8a51f9634411b165847eb5ee8e0add24085b3acf20e0ec252c1866e54

SHA512
23623b2af5424c06bcbf3e08ccc76891ca7d557afc0413be303f26023ea146dc759e79a4e8bee3a1363caae99c15e9fdc8bbf87c5b2009d27a98968c8f37dcb6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
8e44234ec80bec756dca587082d841e4

SHA1
9371625ed05fcbea03c8411ec4ea15315ff59957

SHA256
b0623617d931dc6976c324fe58291a56b865fd6f30124fb90a4ab03dcca12297

SHA512
5dd21cb142db0704a45f2137e157c1b98ef7061050c34fb045f78663e0dd0f7f0ae842e8317766251b7cf7a23252a5c3f8c85a5983be2c2efdd2e54c5f99e906

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
7f498e7457698d239fd7c53d7a1aef24

SHA1
df921677652d5dfd62e9b95d9e5e267527ec19f6

SHA256
4d8709a911e39523864245df2c54e255ca35606841923ef889e9a8e5ed028aa1

SHA512
567bb6367a2091b26866b98556d07e2ddf614c4b1d22f7c6dd394feb0ed5ecd17aa814386daa250975e742bf3f6e4cd22c5ed0166e2dbe90d5fa2ae458df96ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
de219f48c61a8e0ab9a2bb956b5aaeb6

SHA1
c7e9cc1dca0ef65eea2adf7fc9eea9d1d3f87049

SHA256
d5d0f986b32c3e1631182409d57226590115dc7cf16b86da3c1cfb3fc684e027

SHA512
aa1301ca3cd9926b44daf2ce1f2ad6d67fb4869eb0be75e36d6563f6da8588456bde01c7543c0dfba932053e77c4a6903d537a5029bc454cdf6198213b47b497

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
2be67b787afd21b7d1e019a167722d1e

SHA1
f9de525a30f7cd46fd1dac638c5778f127ebbd36

SHA256
74ee2f2809d6fc8c714b0f37bb489f6e9d1d31f25580b35d6a6598c72d2c631b

SHA512
32395fcd49646f4861450979638151f7cabd6e83b7184003740f351f1b7ee2340e31dcce3c808221b6eb0b1f99ffcf395d2df7f797bd2af2e12c268783b91077

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
ffcbf1d985b6788dc6d10a61f6aa44c0

SHA1
9b9a558b53ff0fb165e34a163fa86cd316af444f

SHA256
55eeb007bdd1fdc28484adbca2cf4ea56f2d0e8c5f07fa11cdb59f5cef7f9ff9

SHA512
0e641d248ad1c3a3d964b329eeef54ddf84877731f3e280144d3d1251f4484b917aedfdd0ebb855e58a1a7cdbb3f1c23f4621d0e4290c8f224aac87b88234353

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
c0e0a95badc42a7fc72ce6b3a2af70a6

SHA1
7cb9cd15f9ffa356b79972ac5c54f02e23b4393e

SHA256
5f4daab266409a077414f23efe98573935f0e97b881eb1a6110f650c058ade69

SHA512
b9862717a5ab4923901e5720cfb6d28e81ee7111ca0bbda86fe003d5f15d3ab0116df0a52593907b5473c40b5d9dae04b3ecfcafd164958f3113193fa6517d03

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
ed7d598e99323b2304af7bec96802687

SHA1
4b776e876399241a30ac7135331cd3c290b42f1b

SHA256
4c15287e260427dbb80b792e7561eb0498d8691aacf6d796627d32f292f3b13a

SHA512
b05f3e4ebb329ab00496268899ec167b2e1c3cbffebcd170bb5a4a01607072b1ed5a6bc174a2645959722b1385b856862e669eb2e13445de65416ef32f972400

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
63d7e382d7f762ea9bd0d87f0ee068e5

SHA1
9f4b65a889f2efa60f55ff5ca06dced46b966160

SHA256
1192c7577728d1201790e014b71e22991ad2a1620ce4734deadfea6457758be6

SHA512
63d7f9b0162d7f92cbcda28d6037ed4877ba1fbf2106152c434febd80ce18a5737b4ee47f7629c48d26df075977889a550e278473c1905e6b6b9b19a9a03e507

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
752e858fc4b76b91e9ba937eaa01fa0a

SHA1
b734ab426303c41cf8986572bda21f49b896b8cc

SHA256
488917f8053f8d00fc13305b91795607eb4061cbc8d56775a647da794295d62b

SHA512
c78a3c62b443acd567dd7bb1a65af4e008985499f805976efc7ac9b1d6540992bd88c1cdb068951d36ca9ca258bd3426f961174f9946df2f0712c94a3e088022

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
2f0e445c15cd3c0a78c7bddc332a851d

SHA1
c209c9331384be111928b547b5aa88a4c52a0645

SHA256
8fffa7c8b6f543ee67bcb3af4525d83b921caf3f82d4a50fa43f3fd623a67b1a

SHA512
8f9f65e0385fcfae567caf3009e7346d40da8ef7e1395d463857eb2fe0b3fb61caa3e78d40dbe5f5280780bde88da1cd68d901ca6e3e2aebff2883643f05a97c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
cf497b5ffe4ae22644dfa009e3a23eef

SHA1
d970ee25c81b4f207ca39f103ec3c0a6d7336d2a

SHA256
faf9e15c5c9deb2e7384b4b7474f7e53d05a229a79657af8752eac57a12b6523

SHA512
3de96c2d67e5f8845853576bef85bfb232ae7dc96753b1337a91b542144c731b72b70842728b9eb79f776fc57ea6ae68dd597faf62d2d25fe8145166cc8a2de3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
86622dcb698e908fcda1dc9bdae4937f

SHA1
9b7c6dad90cf1f75603d623d3b83e1d9cb9473aa

SHA256
8707b012a89327325798f460932b1589d5ffbd9b090aa4bb21b8516e9a470858

SHA512
b753c5aa34eea18b9d4fcba9bbceab046f41274d018561fa80534efbbd0cba82c0eb1a5fad6993d82d972ad32ebbdfa2ee7e397d52416cd032c1c663f46189b3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
cb0eab44be5f09625b0c1d891e0c9632

SHA1
dd2595222f66304c557f3b444eaaa95964794481

SHA256
1ff717d2f139ba5669abe84983d1c705b302ca8edaa2d44b6602d671e06fe14c

SHA512
bebd6394575f6deb50472d5e71f724f3da5c9080c036cfa659982ae283e737227f66f3e4b29ffe46ed8cdd23d7c7880e62b690f584bdfb5d74fc0b3257ce98e6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
b61bfd04ec7bc3afb9f566bdea7778dc

SHA1
7dcc3f37ad5a6fae479186c8599aa00ec4ecbab4

SHA256
4306b70e2025fcdc3144da4962f886a3422e41bdda8123212b06f09b955112fa

SHA512
47122ca781c9972448b936c9e237136f3768e51cca0a23590dee2fbf16d8a56f7ddb7072db9c6b61eb4bdff37cfab252faafe1f5e071f0f1edba5a785e2b6edd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
6ff072dd3fe8b2812f33cb2702daf2d6

SHA1
1d9ee5c7fec193afaf302b2bf38974de5e6a0276

SHA256
ca8e2cd68e734bb5880888ab3881293c81c81414c00d16a1a00640d0a06878a3

SHA512
817767ad45a41277a2245743660d7cb3f1dca5e12af04a3245951c518651f3345cc272749c141fbe38ab3fd7f3f6caf03ef210464faf96d7b5e2b32dd844417e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg.EnCiPhErEd

Filesize
2KB

MD5
fb7bd8e861152d5ec0a6d21f1e5200ab

SHA1
b1ac88e3e064c66777520aabf53b7b5acfaa7f41

SHA256
79331c2218ac76c5549c772402c29f767c6b9af473c8146fd87ed5449e13403a

SHA512
75d6a7785bb158c22091a6a534fcce9902b2b9c6f3b16b0d942263ea2c2d5a372c8308f70ad14db199cf719b7d69a4218339a2a5abc5e5950f7d159fc13c6154

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
e31b4400c44be6d007752110b2f0986a

SHA1
9fbde203d74d30128180f9cbf536ae6b6a31593a

SHA256
9780926fd36259b3bc6dee91d70015012d6413d4aafea173928b9faebcd2448a

SHA512
36192505859792e4271638ada16d4eae3d54b4ef9cd17bcd67f879d30a7e51191ea982dc7157f35501dba47a7773813f46a86cbc63de354cd691c09bc6fc8b4b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
8ad573e15bdadf062bc158aef78c2d69

SHA1
677394c60db79f053d6dc81703af23c76c09c675

SHA256
ac74d92859a566aa15004c9dae4fc270c6e863b036ebdca4aa84f4c5685c9833

SHA512
74cf055979589249c07aa1a6595fa474b0a00d7aaa6448c980e694236d8e8c92807306e55fafe7666742adbd0234042e98e2b5d72385acc4132fe414b9b289b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
db1a24e227400110bf72e961ae0fa7a5

SHA1
2ac10ad93707e6489c7eb2c76d9c339f02d8f05c

SHA256
0764e1c7af5ec7cc7578dad636db7cdee512e670ebee59c09e6c9915deb40856

SHA512
e757184d2a6e94202ceb5e7eac87ee7ef3c16d95aa3e15390ce30a9793812d0e6aeffbd16e3c3cc6b9dd52b177ac8a3a4384ad61147ca8b19396f9cda17ced84

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
34c8bf685fb93053da1c9397c75d36f8

SHA1
8adcc762e3d313cf15eb3a28f66eb4d780309612

SHA256
1e889ce947d7889cba7af1082aad0440527dc792cda6921de2e57d0d8472d779

SHA512
421356e72efa9b90e819569af4f6df57c845c122ec6b54b0db518ddcb214b0a86c3d0abc35af7234074c30dafbfd33d8824ac62b042f9688c95c2e6590f0e55f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
1046885ffdc8ae577909ad488e046e14

SHA1
c6a238d0535cdeda4198a9cfb3808f58df002725

SHA256
4b3a34cbde77f6510c534e1ce5a4eb4ab830dffbc7d2353e3e69adfeeea44170

SHA512
0b9aff1757e8a44d24fd031bc0d430172125dd32c2faa40b89bb601c97427850983acbd0d6533f44429dfcf2a29ecb5a6fb14553658397c5247e4ebfa9194022

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
1fe175a66c7f875b142db5bce48f1dae

SHA1
ae841933cc1f8fbbfdb2bf6da1c8c034f1229102

SHA256
95eaf1c3d397c612e0ba43f7dacf9fc9040d870222118b32f5be9568b007689a

SHA512
bb4454bf8480be45ea32b5b83ae14978348350d2309251b9f369606cd0304ed4299ce08fd6242288fad0152b9de5a297fb5474e21477b61bd44d30ad423be7ef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
8cbfbf0992cb07474953b75cdc5f60d8

SHA1
31d2a7fbcc2e1f80642931c52386ad799c9f79b1

SHA256
64d99e81bdc9199af75ec3ea0bc962ecf85a81314a64aaf5d638e0b806b54f2d

SHA512
f1f63e59530e8e7b5d9323c73714d9d0bcad2d9e6e691c135e676f2479200fd85fb9b42c87761f9638feb849099a6783209701b5bef6cb7df5e7f25cd532f6c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
2bf549fa2417f41073e07a044b5c3475

SHA1
27c6666b52a9e4bf3b598d3a6ee8585bc8f4f00d

SHA256
16ec4f2035a0eff235a944564657b64ecad4fb68dd9246a3128009a439eaad53

SHA512
0c767f82b58d46a7d8f89031d66daa3fbf7720606d9e23def1bb662f600b20cf66b399b728db6579ba17b18c8a1242674000727f97fe948b7a24184a52d087a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
7b09ecdfbdd8cadb8a168666d79b87ce

SHA1
30aef75e2e3e4f87c6cdd42c0e14a45d821fda37

SHA256
85e1316ee0b5bfdbd1d381888e15397121ec33249c04ed37909f6a28b05a7bb6

SHA512
2cba15da8e1df9f1964d11c616a379cb1bf218ce56c206cd45209b5895a93da4638a53ad95f89be27c53de1863fedd9f9517823c7f2baa70ca49cb6ad8915f39

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
3f47d66fc2fffcda6f9ab086aa21e458

SHA1
1ee5c19c55af2abfd8efe9183e53ea4c2eb67051

SHA256
148ecbf911de788c47c8c00c9a8e23f611d68c7ab3324ae1d123a17bc1b9adea

SHA512
b3fbb6906b05cc6b7b1df4786e1219004b0a4ab481f57e0c644fd608a24e652527cf1d4b15c8c02ce66eea41d8f484b9d62b09d91a84dca4ce4b209636491d44

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
2b21f3382ad38a5cace6fd6bf9089e6d

SHA1
a27e6ba4769e659c3924b4a48142921553cd8de8

SHA256
b62093f5b9566fbeb2b788f92b86fdb72d3aaa3772c1fb062fdb684a1ccd53da

SHA512
43241591eff98984b9b0c5a923bf01222120158a841fd9b74ee4eec25f59c7d0feb2c90f4938db4bf48c741ef769f05a756efac4f4866bcb4b66de7463725d05

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
09c7755b76cf94becc44ed119ddabe58

SHA1
0d94ae1d87ad276e0e88d7418de9b0dfe3dde3d3

SHA256
80a24b62fbffeb75478fc3c4e4406e58531ae4f230e29ae906fd7f9005f1ea66

SHA512
8abac5ef4aa2d596a19132d8b131378ccaa0bde96fe0f43cd179bb4d75ffabb8ac7757a44c66980302ca867764733dd49aacf2e0f817362b014c2ff201671f86

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
18f7b230344cdb57bf299afa1172f141

SHA1
c6be16f74c92987006127fd86de425fd3b383be5

SHA256
50cd3e915a861749934493b6ae4755fc6269582adfd23a2046652cc3fd878719

SHA512
79d989c2adb1673200d67bbdd959cb7b834371ca48a95a480755dc855cf44328a8900083c09f9fb29013513ad3e067744346484e8ac96c4d454ad05d2739157c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
9f737e0c0a2c6050b1f5e299d9edc505

SHA1
471d9ccfb54a1ce11d1973917f9532df70b2eceb

SHA256
71f19fd9dc8f75a13e8d20c9dc2ea255ca7716696f7b7d19dd1c46c8a2b36668

SHA512
15a3fc4b5ce6d078652fe03f5cda3d666e2b4fa7410ee4f7189665a85b53457332d8d0040f6bb20a3d559093dad0ae2c26615b514ae1ce87133aa7044a822772

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
9fe800702e20557c7830b7e66e92dbcb

SHA1
87719af7eb2b6fc95e340110f9c61cb05f7fa03e

SHA256
17db0cbb36dc32dd1da4a9798df95394e5a90a52ee453f3faf283d1469e3db97

SHA512
04e1f83c0dea7ed0ef1c8128c39d522f046c77048c5a0bfd775a1a7d8461b20cdc4fd07d65187b4297ec20b5f78aa08d8f70aa9abcc60879f37643c394209586

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
fe782b7ced0e5e8fd72c760ab0b29fef

SHA1
d0a89bf1dc60f25809cb8a41e42413ca066c0799

SHA256
ff80bc3d9fb76a6d3f1c79d2d0a07d44788c16acf1cd7dc6011f056aa622f919

SHA512
77c6e21a3544835042c2af721fa9bfa5110151f21e95e40108b8d2f5c7feec93b8334b53733b3c82cfd3eeae695db7338042495150cac7c25685614f9cc676e9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
825b8d3b8d976bdeaea0c8aaf5d8b466

SHA1
ed88796f1dec889f3b52b7c3c156cd5eb4fdfe87

SHA256
273d03caccfb1c104eb3eae9e56f12d2ca4521c59224108486d6f82594a1a345

SHA512
be17eb53feae873a3b2f28cf0fe36c2e4dfb5c8968e27ee33f8f7e26c8ff214da6ef3255fe0fd899691c2d9b3f953cc95c120c953dbf911e833799efa27ee5d4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
e05dc1f7110879dc69e3c982a7d3b5c7

SHA1
8224939c7f27f4332b58ea07849a7413411c71fd

SHA256
3a6189108ef6889099495535fdd4080b1dd33c6d63ecf5b67ef3b91227c8dcc3

SHA512
02a6d6db889cd587f1a20314bb122e49cebda660999f1c05e710edc1cddfdedf9771fa5dceb77f03b37547cbeb10d1513b3a54a3e751d376361337a8dbb57481

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
2c623e52ae0d39d7cbb4d13ad4139af0

SHA1
3d3bb5c2fa8efebfe37b0f490e091419690a3f58

SHA256
a48cef03713fe0c5cdfbf3367dae298f45be7195c33ecc275be58149988a4a93

SHA512
992db6529403b39f8e359fdc08af888f4e4840fde59437074913117adced3dbfa943b65cc20f2ac62447a994ae9e64af06707ab863d6b2beaebd0d6993135665

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
8b8f902344660190daaf1f5da304b6c5

SHA1
d239ca966f292b32ca237d7c66606a15e1a1c2a3

SHA256
aed9629d9cdb32622b161eddb1962f83140c9046bccd2280d336c4d83c1a8b2d

SHA512
2ac24a1b3abd20c96589ed0ce962720614c10587b6cc7a9de3ccc51fd2438692afa397ad022c476b64684565aa6caac24606d1b3ebf09102ba908d774029adb4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
e434ef822bd2a8d1620a67327957e27a

SHA1
defea2d021293defaee1a5a2d76717362834ddb7

SHA256
1bf354768cf28217e4a6efbc582431c956b0608b615ff8b107722be0abe8bd9e

SHA512
e61ff9d3082edbebadc76a3266af5f46de299f6d76d9daf90e57204b482b8e49c61d9277e7f545f9819cf7071cc5d71e178ffa8a6e6600071e883332f7e3d9e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
f5b0a07fb358122add84afbebf104919

SHA1
c0b7e5df11982927198d6ac45079f7918437d508

SHA256
af81eb29a8dc6dd4b773a325d3c3d5c922d3c124cf913757c3ca25e45c13eab3

SHA512
45b3b224b0adfe8138ea5d71688d08f57e471a9f592d321b7affcebfa97e6de42d9c8db93f15c48217004ae0e282062fde1b83961309d5453ece669c99a4173f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
0b8c3855385bd93dd009b7f6cff74cac

SHA1
3f28e016893605cfc452fa4e799db7d1935bf556

SHA256
2f2781ca0dbfda982c78414fc30f1c224d6f5358def8b765eaab6ef3998b93b1

SHA512
d490c6965a57bc5dba5d4588026488c709c7f9a377c5f6cf4ae70ea1d01fba12bfb82ab9d314760a33ca3072e82e0c0b612e8d08825fe720ba099c3f96b628ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
ca20cf79cea7f4f7413743f64622517d

SHA1
f38397d1968b13f4444d0d93b510f30b3a45368e

SHA256
b46672130c7c7694552d80ef60ff0c1009782c657db51b575e74980b6731939e

SHA512
81cd260331f339f1bf1553463f5ed4e1be805b983ddd1aa61efd04b399e93876a26cd6aa8f6a6b0ac7752e6f2c6b1662792e7f1b117dd884d2e36dc9de539c7b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
0801b86fb94c28a85587306e0b8358f4

SHA1
4795a5a47b2e2de4710437afc0c89968b0870256

SHA256
7e2afb765df1e5156801167982235ad890f3f30d974e64f1ff4513576be7e00a

SHA512
892f3d46c46ef57129e123d69de20eab51644c1b454701a0bb7439a3d820119c02c3ab2f5cb41c1eac42c447cb2e08880f4dcf86a95ff30cbc4a4a2e318b18df

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
b9f1ad5d89eed003b77b22c28ec48734

SHA1
58b04a78ef364425dc2586e545ff60171193de8e

SHA256
af230c7ec6625067ffd88f83919c841b9fa81c28d41cc5296c307f20e8240108

SHA512
bcc48e3eefe61299be3d1197afac0c0c2753fc9d52a454a00305899e88a96a1026557c0b8e5b9165d8997dde73ce6d8231234226e4de796e742a553056ec515f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
7cd043d207322f77c2607c8a7dd54b00

SHA1
81d6275f3b6a3a213703e739cf655bd91d225b9d

SHA256
56d214b0c34ab185b8d2e013fa51d0e5feb1e04b38d0c83b11ab06072dfedbd2

SHA512
8201a62a5881ad89f357516f0660437f97e1de0851c353754c85fae625231738003e0b0c21b3f056c51237add3258b0c9c58ffc9b44606f128b1cb299c1994ed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
366bc0d1cea0e1357cde545eb9265928

SHA1
7dbe7f1a3960777aa5d4876cda32ceb3facf59e5

SHA256
b13a7115d1f786d98daca9e16250b20d12333f5031ce0c8ffc832dde3f441048

SHA512
baf31e085daefe9d35ddeedee4825ac5956d8c11fc73703aea0177bd8e7c56922de5166da0d49a1dae6ce4bb79bd3a6a60ee77ed38cf07bef2bc67ef0b038729

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
fac08a38598f8b5b48d4419c33b0ebea

SHA1
27e1f0ce9e892a64c1f726ed8b94128d40d51a2f

SHA256
72e687055c1e688daab3db828ffd7a63d9b858eacf96f5437a42fdf797b55db6

SHA512
091114d7095c3c70a0082305d2626394713f58e6dac9517848ff8e0e2bae5e350e71c02eb5fab91c84b8b61c7ef1f25b687c5f4529906e358fe3008a52a722f9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
fe474c9b178cd70c70d02cd3cad8b82b

SHA1
4c061251a42d91bd2aa42de08f469c60ea1bc18f

SHA256
9ac2cc357a7afdde3d6177312c582cb602455fdb116d44dad56f891d2fa10559

SHA512
cf61abdd3340382b5ead1be8be3daff838eb9ba414efb211bd059124c30f2f278805fbaefa30ed8128ce7be9937605a7b46e3e8daadd54480fb228a3b14e07b0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
eb32d0d11b0de39dd27bc75377620a1a

SHA1
9d0ab58a900b75aef72305acb35837151f50a838

SHA256
3b2d9a0c50a824c5f66fad6394f7b1ccc2dcb007f11c7e67555c565193d0f7cb

SHA512
4a91481e3e9512b88e6ca6d45d28a78b8dc91610ea734a0021e12e6af655a2db8eef0003dba2d7368bf8e9971907c1f149fbdb2815c7bd8a1b106e5931059f45

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
e8ce61d7067668bccfbd8a9edaa45d95

SHA1
2984215ab907213cdbae2772d7b905b831963b8c

SHA256
b14af31c0126fd6227d593e3b2738fbdfa48af7c9cb18404ba9705653aa9eda4

SHA512
d62c58ac19f0ca9588a7bfd43fe72e235d71186597f87d6167e97f6fafcd32130818b5fbae11e24ae84b49f31ed0946965f57a604a0e15ba8b47692e80aed8ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
74e68b3c0e2004ac330abecbfacf4c65

SHA1
c86dfee8b045866bcb8010b6ff8734c863562ec1

SHA256
d0dd641559bb2886ec871168cf92ea4e67b526e8f6ac3bf390ec66588cfbb2dd

SHA512
9e019f8b7e81f598322bf451655efe134cba3e7b6df095b6e43033abf9e1e2e98ebf2f1919a68dc17a2b67afd6c57124c1e2d0b7d9fbc6ed40c5eaa8dbf1bf3d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
935930cb0abd4ff18609e61e83efde14

SHA1
30432af160723e53c9a6c35de0fd48c399197146

SHA256
796f4a1b6d597e4b1960758dc7eb98deb73e094947fff060d3ad580bdcfe8a82

SHA512
904c8c17808684b6cf3c0f85b61489e86f0200bf9ecbbc2049b80989d8554f5fd32af07d42681a6c80bea211e67b84caa1f5b4cdb7a29c86a260ff0dadcbab99

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
2a0107fc802892326b1b8f76f2c37044

SHA1
cf8c8e9cb982100968f070524331f6412aae34e9

SHA256
75eb60b9ef921d66ba4b0f36c9c4007fb7217781b81e9dda2c4ebd46ae6cb399

SHA512
c2d9a9e451313c651a453ebf0a0095d4ee21ad5429186e4aaae6b3361c7d1ffef0ac84daf5faf8cf03fe27372aa8d3ae7fc8a3c7d7210361989fa4a23d2c241c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
77ca023d5e01413eb0ff15bffd08b828

SHA1
3099980a64387180482d0d9dfede74f3b269c86b

SHA256
1718d701a7c8f43211d0ef16aca7a91803a5e82dd0413b78ac429a9c7270107a

SHA512
dc067a840fab9c27d030a4acbf793a78b3d216d5e5b97c01adee7dd12651a32751c9ff45ff55efa18e5a6e73030c21776fe754d4b924dbe843638fccb9c378be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
59d1abeb7e396225db6b0ceccca20ff0

SHA1
2b8b3d6c2bfeb9d9845e6efda7542ae08edc4fc0

SHA256
f3b3f71cdbf0284583d39f974e7787490ec33ae2594a6b3b8331fde391319e88

SHA512
7606f9ea4a5fab5539cd089666aa500f5860039e75df7ccc4961f5ca5ebb43c921541d06000eebf11700c0a780c68d9b03e7e63618f79ae20d553b4dc22b39f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
b177f8a311ec8e2da311ea160835bfc8

SHA1
5d29513cb015c9e938796c571d7714cf78156a28

SHA256
844a4cbf6a6c6cadac578963616d8f263070bdf7a5e158705002583ab56e31c2

SHA512
5af5da71ced1b58e6168450ba433ddc89819ebe56c8d5f237b6475fd4c81a5c17e4986f2fabb5f4c1a5d94a54040676fe827b8ea243a61351bafcfa64025bd68

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
909e8ba569e1e67dc9d66359f1aedd54

SHA1
8e023a452996be5c64f99e6cc99fc830839a79c8

SHA256
b0b918a9b5cae8758c441e9accfd89ed9ebaedc967e300e7361760efe5e9e7f6

SHA512
e25ab14d078fb910f59660e96b10e8f57ff3a4f35e878c7d26cfdc6d76e729f60cc80886f8bacb5a2d00b211b66de7597bbaba8f858d0d84d89dbf9dfe5ff48e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
780ebb89234abff69d92c62a0ba1f12e

SHA1
51995ecddd86d67b9a6f48111e9372872ee5eeff

SHA256
7570c994084371fddaa694b2b671f1c8b682ca67bb71783de4cc02910830bbc5

SHA512
4d69bf8c119f50ccd6dbd3e1992565ca1ce31ef97b0c5d18b3d233aa70a3e20044af39380f379a29506188a16fb5d5454a435e9b25375b55e1ffc2f61e9c149a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
0754d53f03a51ec0645669a9aca51363

SHA1
8cd5679f10997754132de46ba4de42fac21bc9b3

SHA256
4d565d23944740b9e7cee2c71da4a7ee7d8048f61d88c34715f58ebbfd296fe3

SHA512
52948997d78c8e74c172db4701a00166c4369c7c72134562747df273eb5aad70b569d116717effa38661afaa837833543b4547da9079ee211a569bd8f3def8aa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
87397db0da0245625ad26d6eabe402d4

SHA1
a0b04ce9d724fb80fbfb7665134bfadf56a2081b

SHA256
80d5be328daa7b20f0f9d8202cf163cfee8eedf54d24be69d612649ceaa1fac5

SHA512
8dd3a4e7f6dc803e2ae269dc5f677d0b23e4a96b4749586c4da2969cd1a58c015e16aa06f7374219da95d68c02c48df8bd8807284ffb8eeeba330e7b98ea8597

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
83eb89f1c160f6526220411bca02156b

SHA1
319a558e5cde28d3ffc0d111d074a9daeb0a5cee

SHA256
151f97bcc89cb53b80b70b154874e4903cb63b9275c5b36978c6f35538d8743c

SHA512
9714823f0b238afac99ddfd8a5ad8e54c0fc372241a2cd6032b047580518c2b64a0975350096331077b0d20e97bb39b11f3e060a4765c6063cac6bfce40ed61c

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
38f4baf68364d18a69122f613cdec04f

SHA1
6ff3a6b33a5fb8a5f3bbda401ff06e6a78542fbb

SHA256
997a1de232bd3b20977db91f486925047472c7fdcbe46e19fe13600cb742a74c

SHA512
4772db01c26cc1261bedbc23e0ccd6268afebbde01627094177f3a96770931350d6513750bf676c4236b9de34991c2993dfdc70f54442b240a75f044aec8c788

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
82d4ece07647c3fdf25d5d6f99385ca6

SHA1
db8ca9245e3d7d7281bbe21f248566ca72edeeca

SHA256
214467d5fa50d63be890986df633bef636111239891dc863d210de60340f2e5f

SHA512
e6dbc0139b2772abc8a7e6affea55d457ce0d26335e5839ee66fc5f71a0ee700bf7d4bbca309e9144be6a93e772153e08975f4614d988e613c8f59f4c61540c7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
06b213732503cf09f464b3d93252565f

SHA1
f68701ea84b0cb35ec930924020de8064f2c4fde

SHA256
048a249213927ad13b0ce49099311b68cdf3216c24e2ddc0595df72697317914

SHA512
fd985ff2d094029e255012507b91ed737985521ef078c4bb5e6b2193a053cbba7783c74ff44db0a1f86f180894a4917e37952d2efa24112c70e5a3f4471c7192

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
4307a2d58750b4429e96a57bacd8f268

SHA1
31c7467a806ebcc273ecd3c1e5fb52694812a09a

SHA256
dc9f80deccb9b4d8e3285b42dbbbd791c98d7a17a801c6ebf6f2e8e20ed197ff

SHA512
556e96063257394697d5c3b4a42c9a569567a8a80dc77018b2152ecf862865708352091ab1dba46b42f8245a31dbf7c6e66a885d120a0893bd0b31f3fa9706f9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
8061002ebfa98b93241dec85c19892a4

SHA1
b4839f045b0f9792dfe6d29b4d2d3827b024f2c9

SHA256
0b6103016804a37bda61ac2576d04cb31a6ebd1fcfcdef92b083b9136ff7d719

SHA512
d181b60910b4756838eabe868cd73cde3a92515a9cc2f6fcd336ad68f9db4461160894ed1f94f2b9ba0e087395366a9d6028baf0637bcd90c0241c6e181b68d0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
032c4ee69321c35913cf6f2c80fc20e0

SHA1
68c567e190663a8ec8546a2d899539dcbd44d30b

SHA256
0afe39722d2ba94a90d65ee67607c07f623f9714b08ba6db11ccc36d1c152def

SHA512
75e685c217df59289998b54e5db8ab03fc26cf6f4904c8e5969e4abf46f30c64816500376e26536bd2f81d54653513fff0a8ac267464874e3ccab3f970a5c312

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
e991ec0ae02a9e13a38d397ccecb4003

SHA1
c0bcf9968bd209c767c5690e83e63bca658c1b7f

SHA256
c57827752789559827539a951d0b90108c4b7be1fa7d8e37c084c611c38ac5a3

SHA512
a93e912ba4ce5476fbb7cad2da3485a7bbccdd9bf1654186ebe2b9705499d40e10434ee86bd244ebf99a796bb6f7a0e0fe6471f21896666b1843e7e929345de0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
929aae4e9502908a9baba0cee77b446c

SHA1
49738ac06a11a90d03fea489f32eaecf1de99fee

SHA256
426a4471d19960e4e2d75ab495093a34fefb64484f3598a7109b1e1439079a97

SHA512
5c589a329292b527d73913d8da6ccdb9fe17cba72a7811de051b55283a309fc1fe217f3e73c49ce125c6ca0df9761447926325a9a2f1e9fb8402d5222866e27b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
e3b779eabe6ef8ba2d3e663b622da698

SHA1
3b76d9c4de72cae0047f91f5d7b3517944180e0d

SHA256
6cf155655ac8330fb55fc9c1f60f097e39805df720edb4b34853fff140991b0d

SHA512
4259015e7893a92d71c2feedbbfc5a111cd93a05f7171ec35b8f9ba96c9e1129fc1b6ecc1b34bb5cc951e1a52ab2c539f5e7da5e758a764cdf8c91505f12cc33

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
435a7d0a8ffb995138b68ae1b83b0103

SHA1
6d58d94d2588688f35c0eb74c4f5ba7efc50c091

SHA256
eb363739f1a3552750c219cce7c3412ab5f437ae1ed6cac3b53adf5b0620a232

SHA512
1921f0b80bbcc5019cfc4993072bc7878d9399e84cb20614f807e18f45221c7d44d21fdbee1e30df8cceb0d0f68f0091e49bf1865eebb575ed757d820326757d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
a4858bdfc6a8c2f77c7666b9cba76f0c

SHA1
3d6bc50e18d155c41261435546c028e9bfac5d9d

SHA256
524d28a45b8635deaef0e96cbeb656e30e3c2a3089519d3c0b87ebfe1960c4de

SHA512
92d56756f47453801b0645769a4590fcf2e03847f054f65d875c2c6e891c34b7b379719e8096a804a41bb5e9697fa19dd7e2af79ec1430430db5ae9214140b66

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
46ee30b647eb5a70ac55dfea93bc2d39

SHA1
68387846ec7fa66f891f5451cd023bec2145fd29

SHA256
7fe576714d6c24bb3ae0ac0a25a6284517baa5f13e5d84e36f28716611e3add2

SHA512
0169f5fba5bdf081c803e01f9d1a2d64a18bdc48a26f129eba05d7de565bf364a2e8acd123f16fd2a4b47819c5bf048a7708cbd7d7823ca6372fe269feb5b5a2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
a317e1a356b508f2b1ad5c9b60a0a900

SHA1
babca3a9bbdddab9789d070d016e0400b4cafda5

SHA256
5c56022b20ad4eefd3d2705d01cd4c9b4d79d85a25e3c17c0b69d5719a10a893

SHA512
5700abf38904d291866287c0ba80bb22f1dafbb4ab3c229c9e08b7d3f2a6d442a770d5b3119ed782fee673c663152b76de245eb46fd6972fc415ca10f638d047

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
a1c3c8cb124a41ba2239a38aa8355800

SHA1
23f908a4e9656de2e046296f11c8cce639385549

SHA256
bc24172c6fc4299cb3c0cba51d7a5b7eb958035162b98aa87011483711706c0d

SHA512
40afd69353c95f580ca3d4416bb907a5275021c7a260df35148f61a2c00a49960b7f488391bb9dd6f9500e8f8e6dc484be7b37e7f000d7cd2257d871bd21cd05

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif.EnCiPhErEd

Filesize
586B

MD5
9c26c820ac84cbe1d80329de3e47b4db

SHA1
400d998f929aefc7d2aaa78debdddd9b181ca14b

SHA256
b26a7aef9574712a5ebe76d3c7e0dabe25a0b6e3b8fc049858a2ad4ec127b280

SHA512
6280155e9025489b5a6cdda8643e2e0140c77dd3a1f9f1e39ccadbdfcf3a0453f7898d4310ba861a49bc61089d4af13f6ed62b96adf3c3092b238252e81ae744

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
0e23894f14731a2bb52be66630d1229e

SHA1
b35185907b74f35bb53ba142f61d1ebb5ad35065

SHA256
b00760d1aeea0b81c8ec55d08a4389b6c043310ca577bd5bf9bf74b4a6f911de

SHA512
bb2ba9c8f8b00d46d72784fdb41bae53921eb13162de5730d24dd39a2de6b3f9c61ee613ca81d6cf4ac7fd8790b26b4f51062c66a8bd32c9a6e31ded2204cb39

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
260894c2b9e3cb88e15274eebde32479

SHA1
f61eff12adcf75fa95ca5289b5f76abb8e954f0e

SHA256
91a8a6d4b7e3fd56a168a18d5ab9c882c684afcf590a8973c87ed6cf0a3b5e2a

SHA512
7baed9bdbeb3dd564347293c8776cea3b85e479d94738e517108f44a6ecabf85ff8ea41076d7a53b3508ab9b380dc581856002bc097c585e99a68a24baff09e2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
54a0e48fbbe84a2cc7c58210e208402c

SHA1
aa86784d6e0fe09d0cee1e8125e1da420ac4721e

SHA256
b4ec9276c71b7c5945073a6076be4930a55e77ccdd8a0e1e9792b4a0cab660c4

SHA512
ff0a6fb506a898f267da58cc91fc0f37b11252161fe90f11e48d925799aa19a72f6559cca923db6b7544e0ff48da77fc4c22cdc465751ee4a150e493ce02b23c

Download Submit
memory/1620-7385-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1620-7384-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1620-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1620-9021-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1620-9022-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1620-9023-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download