xorist | a642995fb7ae9985298e04175c77c11392065e26078152da3d027a07cfa2a6ab

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
Size

36KB
MD5

4f823f471e3d8bf47beae025c4d46985
SHA1

107fa36e5c95af503de06a55563693a6c1ebad64
SHA256

a642995fb7ae9985298e04175c77c11392065e26078152da3d027a07cfa2a6ab
SHA512

503e6299e08fb2823d80369764e6c5ace73f15fd8db06ecebc7b4aa5394e754fb0ea340390cf1c6293c9db07b96979da06035752d949fb373b8651ac4c9337ea
SSDEEP

384:f4eSvefsbbdkJ3eVk6d72/5Y/W9hgELqNEOSMr4JtzZa6bqWk6RBzGkyw:QeSmfsa472xY/0mEGNNAtzdl3yw

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 15 IoCs

resource	yara_rule
behavioral1/memory/1244-12-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-13-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-2514-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-2518-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-5245-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-7438-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-8883-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-9115-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-9116-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-9117-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-9118-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-9119-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-9120-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-9121-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist
behavioral1/memory/1244-9122-0x0000000000400000-0x000000000040E000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Xorist family
xorist
Renames multiple (2169) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\B2tDIq01UDEex3r.exe"	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\IME\imekr8\applets\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\Speech\Common\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_neutral_9b64397618841a19\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_neutral_11bbf54c8508434e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_do.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Windows_PowerShell_ISE.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnova.inf_amd64_neutral_b52d8db82d8c3be9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_neutral_eeaccb8f1560f5fb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_output.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcxpv6.inf_amd64_neutral_f62ac4bd04e653d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Foreach.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmtexas.inf_amd64_neutral_7572473d88d69307\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ql2300.inf_amd64_neutral_ca8487daf77ff7cb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\StarterE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_providers.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthspp.inf_amd64_neutral_1b15060bdfbd09e1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmolic.inf_amd64_neutral_a53ac1a125d227fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_escape_characters.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Foreach.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\LogFiles\Scm\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-msmq-messagingcoreservice\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssessions.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmsun1.inf_amd64_neutral_6184912bd8e5b438\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\he-IL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSnapins.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_PSSnapins.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\de-DE\about_BITS_Cmdlets.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\UltimateE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMail.bmp	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\WCN\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_neutral_7f08406e40c6ede2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\Msdtc\Trace\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_providers.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_History.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_remote_FAQ.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-activedirectory-webservices\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_For.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Break.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_providers.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Command_Syntax.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions_advanced_parameters.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\zh-HK\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\crcdisk.inf_amd64_neutral_d10626d1f8b423c3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvg62a.inf_amd64_neutral_5817ae5135655364\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2280 set thread context of 1244	2280	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe	29

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1244-9-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-11-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-6-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-5-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-12-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-13-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-2514-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-2518-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-5245-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-7438-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-8883-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-9115-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-9116-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-9117-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-9118-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-9119-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-9120-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-9121-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1244-9122-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR24F.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files\Java\jre7\lib\images\cursors\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00139_.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21329_.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_OFF.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-new.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_hover.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Premium.gif	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR34F.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43F.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\MMHMM.WAV	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15018_.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21309_.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG_PAL.wmv	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35F.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files\Windows Sidebar\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Reports\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..ional-codepage-1255_31bf3856ad364e35_6.1.7600.16385_none_7f65562923221762\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d5915994377e8d86\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\inf\ASP.NET\001F\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_machine.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2daccc45d1e19aa2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\drag.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_prnlx004.inf_31bf3856ad364e35_6.1.7600.16385_none_48b53049f85347d0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationBuildTasks.resources\3.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\inf\ASP.NET\0005\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\inf\ESENT\0410\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-driverquery.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b016605ced214a11\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\ParentMenuButtonIconSubpict.png	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\OrangeCircles.jpg	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_netfx-microsoft.vsa_b03f5f7f11d50a3a_6.1.7600.16385_none_b5fa97e3aada9ab1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_wcf-smdiagnostics_b03f5f7f11d50a3a_6.1.7601.17514_none_f5ecee5ec06d0cf0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..i-ntprint.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a1a48fbbd497d2d2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-print.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_de2b3645413da070\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ado15-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b8d09557a34245e0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winlogon-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1fc94b65b3d8ffd0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_prnep00g.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bf5dc250e4c66645\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3d8bb37f97ba22ff\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c5ebc31e0daac1f4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-iexpress.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_c90506c872cc37d9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_mpio.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6025ec5bc6b70789\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-forfiles.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0755685b08ca9106\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-timedate.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c61dacbb765a687c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Configuration.Install.resources\2.0.0.0_es_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Drawing.resources\2.0.0.0_fr_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiTVMSMusic\32c163c5b3420fb95f4bc8b5a365a6bd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_fundisc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_39f7c221d6911606\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dims-keyroam.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a246a47f239b6805\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\CA-wp2.jpg	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_89dd32fa1cfe2718\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_wcf-m_svc_mod_end_perf_h_31bf3856ad364e35_6.1.7600.16385_none_819e8545cdbf46af\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehrec.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2f1d98728e8cda07\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_712dbc2cbc5c6e97\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-wmerror_31bf3856ad364e35_6.1.7600.16385_none_9349e494d0a77439\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-qedit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cfa252a43fc00ab4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..g-jscript.resources_31bf3856ad364e35_8.0.7600.16385_en-us_caa5c43a171d613a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_24fc9bf8d1741053\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\x86_netfx35cdf-csd_cdf_installer_31bf3856ad364e35_6.1.7600.16385_none_58326e688d4907c6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-privacy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_47fcc022dc7f8167\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ylistener.resources_31bf3856ad364e35_6.1.7600.16385_it-it_50e13bd0c915c530\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\msil_microsoft.powershel..agnostics.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b02bed25d4c4a149\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_f387767e655cd5ab\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_Special_Characters.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Comparison_Operators.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cb31547d0a230c7b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-qos.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f8bb71ef0d8be245\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-forfiles.resources_31bf3856ad364e35_6.1.7600.16385_es-es_346f188c0408f481\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..idmanager.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4afe4488845b7426\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1103106d0f5d1d1c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_msmouse.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ba0f6fb479f3aa94\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\x86_system.printing_31bf3856ad364e35_6.1.7601.17514_none_7547cca8d45e66b2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..t-strings.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0674c047a69b0d1b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-consolas_31bf3856ad364e35_6.1.7600.16385_none_c5e444bbbf030bfa\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..foldersui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_129ee4511671dc6b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..rding-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27f4507e6ef6c2dd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-logagent.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6bce6ae371d3a168\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-csrss.resources_31bf3856ad364e35_6.1.7600.16385_de-de_31768b4153e628b1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\assembly\GAC_MSIL\SecurityAuditPoliciesSnapIn.resources\6.1.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_try_catch_finally.help.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows User Account Control.wav	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
File created	C:\Windows\winsxs\amd64_rndiscmp.inf_31bf3856ad364e35_6.1.7600.16385_none_75d9f3947b790616\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJTQGYZADYSMNYB\ = "CRYPTED!"	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MJTQGYZADYSMNYB\shell\open\command	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MJTQGYZADYSMNYB\shell	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJTQGYZADYSMNYB\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\B2tDIq01UDEex3r.exe"	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "MJTQGYZADYSMNYB"	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MJTQGYZADYSMNYB	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MJTQGYZADYSMNYB\DefaultIcon	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJTQGYZADYSMNYB\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\B2tDIq01UDEex3r.exe,0"	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MJTQGYZADYSMNYB\shell\open	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2280	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1244	2280	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe	29
PID 2280 wrote to memory of 1244	2280	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe	29
PID 2280 wrote to memory of 1244	2280	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe	29
PID 2280 wrote to memory of 1244	2280	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe	29
PID 2280 wrote to memory of 1244	2280	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe	29
PID 2280 wrote to memory of 1244	2280	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe	29
PID 2280 wrote to memory of 1244	2280	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe	29
PID 2280 wrote to memory of 1244	2280	JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe	29

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4f823f471e3d8bf47beae025c4d46985.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
282B

MD5
69a98ef655778f1cb3764a923acbae80

SHA1
22683321e95c9a631039d15fc49ac5d3e639ac54

SHA256
2ff127d5bc4c7333c8f522aa4b456684eca97c06d452bf7d00b6a99b49b11b0e

SHA512
610fc09f40124e1a74ff303ddd95ad5809679be9e0c381e5d367ecf8e1e137c3da188142de7a2c5fe2b1225e12482245f2b5c417d43d73618108bfb1c32a5ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
085e615d8199a11e73a10e18eaaacfa8

SHA1
19da6aef5e4c2b85699456f6db620f9b222a6f1c

SHA256
c8222cd20fe641d2741f1e8bcbd64ab121063c3a5d1b7332fd5641c87155482d

SHA512
5e31293d5c9f71ab88c412a7ef8a133e5fbc2935eddeb111fe0dcc4f32a742ecbf14412957e9371b87d2edeb273b4015a333766276dedff7f5a879134ca53e9f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
31c47d9103c91ca63013fe3120787e96

SHA1
115fb985d35f79f70c59620d09d20df0447e5a3a

SHA256
b04ddf755cc5096f8ca2c8adbf386b761bf7c6f13e414fe40c5d23f9f4f9e8fc

SHA512
75145978cc1d8cac45bc16dcde6acbbd9001e5893c89ea1ed50c3e14aacb5dfbc59718ee6b2bbd9effab311ce8ddc41260938e1cd3c4f55ce0319ca82e6bb1bd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
27c27393c78470f43b31c98c4bb48c5d

SHA1
ff7d9c1807b2243fc4b96bbd9afca4567a1ea741

SHA256
9ed33338533d232bcc0961b5ac25d2ca1a53882f6cd3106ed93ce5dbe246bbb1

SHA512
440328f53aacf8ba7438ed76636c509b55642ad09a1b61662b237835955c34b14921e9fc1b2c8ce29df088c10e174c82b4c511e3ca85149e0a6479d577d4fbd9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
215442231eb66be7b6733144953d8de7

SHA1
6034f7dbadf989bd8d0fb2e8ce7c3b5df0bb673e

SHA256
1e9b2d600a1fc6a43b8e7bc25cbbf6678923122a66581c75c811479e8245d39a

SHA512
b844392038a2dda5cb5c5fdfb06dc4bc494e55448d0e373275a6ff0b3707742534dc341f19d31bb1901c2a679847c4cd2a0e95bb7f574975bd70b8ef52c79f33

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
37e5e39e578234e59fb573453489511a

SHA1
b945543a44cde4085d98fb02d50ceab5e0c40e95

SHA256
36a802287f38556141ec7669d1eb96f99182ae066bb8536eddcb67d8cc7c0fb7

SHA512
525ee08846dfe815e1ffa72c4b5edd24ad8eab1735a2e4a9bc7dfcdcab485b3eae9bbca40ef9f7470458db4f8551ec201cf0b173f79f8ea2aa4b29d23e17a3eb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
4f12256949c75688dcbf3a74491fe511

SHA1
6ec607c3b17b7d11220287b6432a45b344abaeff

SHA256
736475b8e1ea91139601ac4651192d3a2f022b9fea096ab1a40860f24dd02bc3

SHA512
52b85b43d2fcbd2049d0c58c4b63e5a99385e53920c487b4cb7129740e3c1089a97bff12e8f4995fa7eea40c23ff59ec2067d36ab62e72e486159c476b3a4694

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
4a8b45dc560081f5d672c9e6607b130d

SHA1
a90b2f2cb3e5e08900d3a4a16b88a1ff6fd6428e

SHA256
899f6f1ee1f3929a0eae579f67594a4acc0044ddef067327b91812e301cc9405

SHA512
da9d22a8b9936a2e74769dd1fad30c59f6b3676daa84e0596a8f08b2e66fe17429eda925c1a71a6c1a44ecd035411402f6899c0862ecbcc9dcddd222086c22d0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
44c1b8a418d0bfb352931e46d0e4553c

SHA1
6f948f88ecea70f0a986ab06762642454b466dd7

SHA256
c1f65b3e57a57e670452674f1564ef86baa87647c955c909cb3e1a2ce14186a5

SHA512
e2b56b90fe732571daf4866a8cfa1cf5ded8d1093fd40350a8d96c0a161b2569c0da60e05426aa2a9ff7b8117d1601d6ffe737e4c551c45615477f8f048e612e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
c23a287bb729f1c58f665c38619f63c5

SHA1
d2c1400c7cd3c7b565a602904e64d393a8203985

SHA256
46602eab9374158de0251939440a3ab63f473148d8b4aeba4534d31861bfc9a9

SHA512
d163d3c60285a4412a040c1b55f837b59a69ae5c97df905e7264bf88e4876518bf5d3849fe7eec591ac0d16558943a0715e00b10547619ad9d6e56ed8ca2e483

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
577c38362de11508f0d943ba150f5607

SHA1
8e11f99835286803a31a6f6964484fa3a325b4b1

SHA256
923dc4ae6562c5cb9f11da66c470fa7bf4559fdf7de29ae330965816a7354f81

SHA512
067872eedf10accb06bf0cc1a5c33af934f9943cff651c5e3090c6ee410a56b8a9ff9eb4d3b97dc3d3e12e8813bc37dafd28fae790742749f2ae4caeb4acd708

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
ba21c5e30054eff865e48b54df0ad2c8

SHA1
5c15e7d286ece943957ec06b9faa138d6ba34f11

SHA256
a8428221bf74cb3c6ce0f1770982ea05b0bdde54afbd23afa8165c19d051bb9a

SHA512
3fc6ea76abacf95ee4b10f885583d0774fd2c5999ec73febc2fce0986cd39d295f51852472dafb64813f5bba1a36447b0ee566b78b7fc6f67842abce19be0b84

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
338576d1229c658f786fc0843158a986

SHA1
0243abdcdfcf5e87d5fdee80f9bab2d9da32cd5e

SHA256
fd2546e5da3e7a9c993e2c066e75347a4d4a0e793766f5967812ee02b76facf2

SHA512
d0a440b02f396ceccdbce4c8f5783ed2a3ef4ec310d0429df2c2cde2b7aab31a890dc7a4aa9a46653e52a1fa8a7c0df672ec1b696be00d2cecc2f33761f77031

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
cb1b9897102109e4a6d2f19ed9454950

SHA1
d4d4ca51b4e73ca968e56cfbdee426350e3f4239

SHA256
6a4601e73a96fbfb777287983f80250411a5e802315e2613fbc6a4d5ac50fb41

SHA512
29fa1534ee8c42d7e41f5fcee43b83aa988ab79cc712c49c604167e5bcca74090b05297011301b8782d1cb111c04bf84e668a45390fa6840edaacdf4dda78c8d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
0b6a4e595ebad84888a24f9d0d2e738d

SHA1
0cad7c1e35169f300bba18a92dba8de6725e940f

SHA256
8af2ec7dc507b57a26c4ae57d4ccfce6b66a47c32914e4d72d4146788269fffe

SHA512
ce555778897c8089fc0c685e5aeaba2c2df2266647840461bf6ae82fe5bda2ad031c65abc24755851813e7348a53fd0e7fb00eff675649cc5ed86032607872d0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
e97a4475e53b80b560403869eebc26c0

SHA1
f3b7f8dc8dc9924be5bf0761c1231b2549955192

SHA256
498e7efd9584875733783ec58a45fcdc9e0eb19926e437b55295105f79554c6b

SHA512
54c444fdb911db71d9458d3988792961440e2e32ab61d4c06e49597390e597fd9d07720fbbcc1fc9cae7c9a4815995e948953f2cd4a1dc9ca41f09c026d5f3f5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
c8b3b40e00dc90dad133034e579b2244

SHA1
906cf93b6145b0bcaf5e8c10c1a5493b085a271e

SHA256
43dc4539503ca8c156f6b8102c0f058e030da1b42b2cd04af019771e28e1a8f6

SHA512
bac038b152af73d76714e8b74d32c9753e8dbd1b348d657ee7a8ce1fbe09f202eb80a78284990e5f6cbeed0dfa84a855515499beffe202785ea61ec106f07174

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
58413f046c0ac638f665d5353253a5ac

SHA1
98967b6b3efae507c302682465d86160d0cf0578

SHA256
18dfa3811010c784a81a5da0f0a01acebe794bc73f4bc9afcf6ab2b072d5109c

SHA512
7abbab9f3cf25f059d7afc84fd22675f9dca91a065c4aa6332aad21c65b8169492cfc583ac38855560ff201b5c925c09971ead89c08926fa7fcd3d2be6ad386c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
2286506820b5183e49f8154df8108654

SHA1
a850ac011f06c15d91fdd1e629489158f6615ca2

SHA256
c9a37d393c390b5c1804164f7f896b0af6a30a3244c310030345a062c6a640a8

SHA512
5818702e50aeb489780fabafeb0787000c7ad030e50eebad42aaa852a5f05022846445a2f7ba73771b6da720e54c6b9031209324807279c7fa2ec58f4baac5f1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
072e87215df27130fb4750430f39b021

SHA1
87cf552e01e49816be11758f2c93a5b0c883ade4

SHA256
02c36a84ea24e7923850893a3f4af74a32c581f148be006e2e6e4cb37ec8a1fe

SHA512
7d0795bc051dde148b6f4ad45d36d213eef82082e35dcf998b8c79df02abd3382e10c89eb926aa31397d71deae5a428cf4aec5dc9619982be201594ebf58db85

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
a5ae087744c46b04fd8cab3417c1c2f6

SHA1
d102e3cf3a7b7a11487a49111af7ff68b9a17ec3

SHA256
49bf7584f2cbad07cff81de29ef287f7bb4f5e4b45d7768c46631e50fb1974ed

SHA512
c5c9cce4943c5b39183ec247c07b493b59eddbea5d1371c3fa1165642ebaacfe421801932547c3d68019df63a4f646ce4fc34ce51c98295831604006c5ad5bbd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
d252a1113ec563d6c564c6b06b97bfee

SHA1
299415205c4188f8d6bb46af8407070df256641d

SHA256
4bafd583599b7693be2cf7047bbb962b1adb60b3089428c51eb24a349fc2dd02

SHA512
c6383210b41c8c0289dce89a2f62528003390f0fad9a382319d57e9a6f498dd4d357b35144326a784326b3af3e960e629fd641da6477d208aff461e20bce8f78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
ba267ac0c5151afabca6d1139f076665

SHA1
ae98c7c6dffbb3221e6d90451231afe1e770803b

SHA256
450a83a4d945e80445b73c5596b15551db38c02c543f44b86be1a8f3effafd03

SHA512
03f9dce108574f771ee40a45023321e7651a9b3a5470a6da63ec0dc9a8c78807fd61055bb0745389498cba953b6e5d9c7aad748080cfb371ffe597080766838b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
e886a337b27784eb7fe258201f54c61c

SHA1
0474476917333f7349915eeb9078b476028407e8

SHA256
033658976a198a903560f52aa8d79b539f43c854c9cb19b47bd5281a7a8180d4

SHA512
6da56977619381f73f6e1c42894b5d9fa00e3f62df237e5d06146167b39211de75ce72cca011798342c72947273a9bc45318293f808526834d8a3219eb92ae37

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
52c36bc8687cff9d3843bdeb027afc2e

SHA1
234c1755f3d2ba8dc844bd8cd6fc321e815e4610

SHA256
9c72f6cf8b9f1da014ac4d18c313f3522b81da4a6999a0d10be10060aaa07b60

SHA512
28c470bd141c1c2bfa2630b74946b566cb55546272493fb6648f89507a3921d5454f269db5e8d5c9242a3ad9affd7f35b5603b147ace75c6a8e1f93a082faca6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
4b3559e474e68565600e9de4cf93fd5a

SHA1
3f1619d9b815b30ace394ffd5a711d63e691de09

SHA256
a557d9f63c57f7d587cc4089f9181cc80b5246c848fef9c6d76d58a0cbffc8d1

SHA512
adeb313cb39bcd03ac4f8ad1fd3f4d08153da477928fb9a16a0d3fbd44ca3de1486369f19b3bfb3e41ead38ddc5f55542c5d983d0f240bcb44f836697beac8e3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
6e30bbcd20cfeed7dfe9e6e0cf116e8c

SHA1
93aae1533686a7bc7b835600504a3efa6d46f826

SHA256
efac868b98052fda6d2cd43667f8feb41ee0840d8e941ad7cb4cc5d9604b94e4

SHA512
cdf0070888aba1420a9f485285cf26a250be18d1057c08022d46dd83991aa21ff87794cc42d810ba74b4972e14cb693dc4281c5ec353b487d59b5ccfdd12eaa6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
b2f7243fb75c100a8bc75270b8eeed1d

SHA1
a750cbd8c5e921b255260e0b3af1cc0ce6f9a4e6

SHA256
fcf605f7180c0b299800423c96ade0dc9ebe1f05d559eefb449bdc42ad91fedf

SHA512
ac46fe0225379bf8739bb06abf3f7e7677a2cbd2d9d5dec1e9f497f6dc879e050f3062e5ba3ecfe989778f3aa4d0f7848c0863449ed977c5799e9c5916f4d38d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
cfc3f5b5952c8eb7c18151d03b9f1279

SHA1
843f4487f1724c7f1f128043397cb16a9dd7451c

SHA256
749701187c0214b2e53cf624a78dcc01e4fcdbb9d65b929e67fea00289e13b9b

SHA512
a52f7687ea95d5a68878229bc18e1f466894d62e63d8319cbad2a0e9af34eaf2fa2faef2dfe9af5eb166b0f2e084273535b94451225632f9a96d67ee70a263b0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
211c5c91a034f33d1008c14f952c596a

SHA1
55b1461da95c0363be422d4959e74c490dd0293f

SHA256
7e4dafdfa5d527714200012ab572fba55a46fbc8d0500b0240837cf4dd1eb759

SHA512
fe839560f7638a697532ca00c117c20b69176f69bc38bc044e9cbace0cd6cf9b553c6a895733eb02351ebd2690b43aa157f0ec47afb90d183a42280c40af390e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
d2ce9f266d3a8df55e56edffe8dbf4f0

SHA1
d3ea8c0701b93e1fbb8398986f3e34eb8d271583

SHA256
fa39e12c9c509330b50b507a9317c5ce9611d44a551bda3c53126a4031fe66a6

SHA512
084b55f21cbf4920ab87fe96d661a1cc3cf20c0b9ea11665918a3dff992b27336144ed30e8820a9103b94b54c5b1217baf389ca6fc58dd146e30327ba1a9d929

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
73971d78fd1a74acdbd5ed548b703298

SHA1
7eaae543c20577c5dc663f62e528d1d75e6df9de

SHA256
5cde3c9552b7b5364411065973d4f6631636fdb3ebb52b302234d5be25f03dc5

SHA512
9fb7487afc78a02d95ccb5983dae06f366bf667caebf372c121cc5bf00ef8a2af6842784fe408b5c21a9685039353015911421fba039b38c87cf932235053d80

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
904a85717dd77ee4156c43f686c5dc14

SHA1
aab3409db66d948f7e467fc8d7722095e54ab7bb

SHA256
b0a4aa979c31db13ca38dd3372f802acab478b5d3e6a332e39eee21c853e97ad

SHA512
4c3646bafbe8b4e018be6b6c2c50838d980db3621b827329d53ad56009f010ba617d5779d010bfad7c6a6374da301db2da0884845c9f12ff2881c35b4206242f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
a7fb4d79c7e2d3fbc474674a901612d4

SHA1
7a23a9520a1eb7156d026c9c7f10bad57ff4aa7d

SHA256
7a92a9a8698540263ff283cd7d3fc35f8cf53d20f5fe5fe76894ff1259084ebf

SHA512
e0ca67e2567402003ebbd26f5d75da806b3832ae8daa1c710ecc0333b1e1e716305251e4197ea17c446c729b7641dd72899bb77acd37d936ff70f76391dcf301

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
f0f47a1f4e9c756aa4ee91efbac9436d

SHA1
1929d23aa0e6e635c217de00afc9ae3f28ab72be

SHA256
10707634002b323f65c5202cf0030cab8156b96b5bceb10e33d32d9707edb679

SHA512
0c3b2978bc833bfa5a671545962a774b8ca944c112cc9bd94b92e8575117cc926f4ab915876cd147c4cd1572c71874a88170125094e7caf772c1b38c2abb7b2d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
a1844e95fe31d4892c6dc2526529982e

SHA1
1e6792188fca639ff9fbf6300f6e835504b5944c

SHA256
fdc73604e66ca2686a1af6afb3fa80a5d9a48b1cbac35da779f569371badd392

SHA512
9341384b3211a2f4b8e3792e09a882a3ef837131a5a05eaf430c62b3edac2de91b0a03a3e2bee97cd9c068d0bfeabb35dd6f375712b09dc63ca1c1c2347d20cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
8c51dc5cd47715bd2208e62a6e0f952e

SHA1
f82da3957d06ccf1ba4abc54d185ffa7561b9058

SHA256
7e90a648850e0cdeeca42c80c4223b9acd8d951f7d93336bd9160c072329f94c

SHA512
adc11a0dc6fd56b9bcae63426a5f6863e31e847ae32b8398db9edf940f77e1a4fd3948dfdd4bfe91b7b3fbe014aec4829dc3f06931c28fb360f75701097646b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
c4124257f2c2fbda4d96f3b626ccb5f0

SHA1
23da752610bd151c979ee1fdcd6338e7ed673347

SHA256
f9c9269789051d25de7b5cea7879cddc14e2ac3bd9dae62232a52b5ae9c77a74

SHA512
0fc301e6462d7277df8884dec06a56a96cc7b132ff0b5b52d8e20f5f99b02f5770c59abc4ad41e64ec2f15c01adcab627cb178481c40bf7aba54152b3908b977

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
f1233b9b0f19aba278becd0241479bdf

SHA1
1bd6f2dfacc201d04faacdeb53095e57d91ca1c9

SHA256
36f1f07afebcadcbc962b5e09531a05768323f23addb4e7ff17223d7a9f9804d

SHA512
3fd7231b46d577309746191805a5adbfc1aada0898fb9d2bff412fe51cb1331fa6c052687f1039ba35854d664bdd75bff51dfbca06b9d74b9f25f9fae3b9fe6d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
15544fe8c56575219a7b2b91a4d0a39a

SHA1
a341e268510ddd22eaa7ceba2135a51b7e54a107

SHA256
50ad4dbd4c878076260674238dd47f9b3f018ba5b69eb965dad35ae22f5ab307

SHA512
e0db11158e2f094fc661e2b22d232c39f417d57f6b80d5c76a010ea5c24e4ea4c6b5fbd8d2d5b7a178dc181389a32bd062e08863a375793ca8beeed65d496e4d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
744b34035335b16a2989b3c50ab51d25

SHA1
f4efe9f9e51b0fda46875f1361befd6c87f26242

SHA256
ada838eed0a0bf746e544abca66f85faacb47eb6216602dc4be25335f5e62ba5

SHA512
cf828fa25aa77016f78fb122c67537ce11c485c42e77e590da30d34e59f4d39f4499d2cfd6731764d5aa903cf790583088141d59d582cdcc92ff1350f5336a05

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
6b75af3d80cc3709f4a0d9ca865668b6

SHA1
492b3643505dd095adc2b76e5f9d5043a73659d3

SHA256
25f8f73c5c4f6ef2b4db46a1163a97a43c46683abfd55114bc7d2ca175004e1f

SHA512
8eabeed829696a8396f6b09219ba2c6f808704b810fed9a621f0c5ecabd6fb959ad04c2aaac7e5267d1c357c1c99d5b91867e42662fbbdce3178b25c91bf00e1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
a9827b738cd277e2f809d992f7607185

SHA1
292fb5ec555ce2b2631dd1d4eacfef15fda0db31

SHA256
8cbbde9540701720e6d255ca1e905b5dd0ee5829bc4474361cac3a7681defe74

SHA512
bff82a5a695e65039f7487aa16c44ddb9872c50070d4a60582c1db824578efd6dd325030cf06fc7cddc9e2ea37fca7268c1fc631f381d6303329a6ca9f679efa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
7c97d3de6383a883b9940a9f48a2ef83

SHA1
9bede07e8e6d3b75a28bea814e692efd5a4fd5e0

SHA256
a10707f03e8a833ae9bab66a192a20c77b077517278efb532db8f9e0dbce757d

SHA512
b1d1c0789749bbc7c893aeae95882bdc842b1d266bf46237eeebe966fb3bfecab6fbabbf7e5fdeadfb41827a450871819dc617146e02201a04c4b8107bf98925

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
6a8ae6f3ae33d856b6a0c6fd57fd03e4

SHA1
ae59d2198ecde00ba3c9b89485bcc4aa65e977ef

SHA256
347dae11a99f8c3db31cbcdc127ef27b5b6951b7a4b3b92ae094a3a1e6ceec2a

SHA512
d74559b7d818ddcf9ecad1ef0750b609d2480a763f29ea1fbbbbb9fcf2f460d2a24c7af72b3d5e4744578e969caa37ae8c316b5c5e7b505911ca394a952a91fa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
7456971d1489853e88da97f57234ad92

SHA1
c97f2c348d5d62698d48ea24ad96b7a0386cb16c

SHA256
8f3b3dd5dafc61add6b06aad25ae7f71de2f5aebf8eea1dcafced5bbe2152dc7

SHA512
b220f2cbf33946aa7353e42ad66f2426c6ed8a79a79df43693f609406c3afb16e1238a4e54ae702d5bd86cb8ead8e8168b1f320f8c6c1e39e3be0a8be481470a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
5f4f64aab5a19de3b2b9910001be832b

SHA1
6de54aa16b364ee9a899e3852a941ce1f0ceb3d7

SHA256
86d5c722b3e8b8025fd4c573235de23cb5ba0e43ae54000b403a3ebbfdaed7df

SHA512
920b2de34d48eb2e52401160819d9a18995c5e0915993f1e36aa072817d12c1b84278da23157ac95ed6ae04ba7a3bf42ab6731241d49281bb4ae95726c01b5ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
9cfbba49d95efd76c03e1755ecd10252

SHA1
7fc334e48fd1d5bcbca0e84ecdf75215ec0477d1

SHA256
1b4258cf229f2a072e0ba3eb1543b4739a83253fb8fd42dc54f3d1abab954166

SHA512
da4d259f59c05b58e325b3481589cd80f8a1617de6840543d3bdf6361a9895228ad9413c05365157139a1e28b480616469869c098512020aa26373876f3a9eb2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
6631282ef7ccb73ddda35b0c0facae2c

SHA1
06b2e05812f31480d58af6cfd6e8b882071d5d49

SHA256
7a7fff3643b8b267ae3338c5fd6578fc07c2ce7c788d8af2b2ae0e8726bdc16c

SHA512
250faecf05f02ca0ac952ed963b4336634019e05cb0fbe8dc36084118f0cc8487eef0fd896149e110a86266c8406ab7757560ec10a828476a8496488c6299238

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
d8ea461decba12bda605225543859e05

SHA1
d9ebcaa111c00abe7f77c7654687b66131155815

SHA256
c5d71c1993f3065b8d7e4dd995e2c16a79933b047aa390b5f0335cabd15eed58

SHA512
e65a1e90bd07330cdc322bcb4dd1f456a9253575a7baf49c75e9f82693496ad547ff2635f71eeeaf69c12f4848bc80ebc07cd7f4a014f974729d1bd17f622d19

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
ec7c1f4d28645b37a33d01c03888da8c

SHA1
4d32b6dfbba3d50f20cafa573887159bf925f1e8

SHA256
ec5e5c628e73c08ba973ec2e5dd65cdff916f810a606be80693fbba21b9a5038

SHA512
42e9b37be48d0277f629fe60c13091d9fb19c56e62e42e77bc936a145d511132df25a914ffeddf147764c55d777234019936eed0f965b32b57d328bb4ac85859

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
fde6d0b9c4c7d71d8f49e51c7a3ef13c

SHA1
34ecae8c7d9f942279b05fa3d5a289c46ef055be

SHA256
872a40ee7ed857144293319527dd47871389bb1ac14a553a7662493f691588d4

SHA512
0cfd369ca23abd11f70b0e197bc6a7c23c3d44ce7a876723456475cdef1b615d9b0466c904963ad2fa00c706008c57440cc5b31e4fab45876c5e46d15a0d3ab4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
46a3f8f121a21b0d1d5f0d3d6060938f

SHA1
aabe38d23aeee1819100b0cd0f448e97a352ebaa

SHA256
15d6d14b6cfcb41724dc33ce87040ffe43e4255fb62d52e93a5b0213b6ceb5e6

SHA512
bffb7ab5ca7d59033ab9b77c1cf9d4d00bde640c58f4d3510466caf4c2c7ba52cfcc102c82e2a1ff122f2ffe6eecd5d7609541c35851f1d7591cf3c02d73eb3f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
e1eb732b1811d67a42a4bd77c19348fb

SHA1
6cceded84fb6a3be8c46fa003bea0b1f6e39709c

SHA256
93a33a277218b3a089f8eb62b4c5dd0916a79915c27182d8b6368e0276aa6d78

SHA512
71eb3529cd27bad8cc3d40bb531d667fb9efdc45f2e72e5395e47ba2341e0cb90705ab38450313ef88a3867e0bff6b37e3d014b9c242d54a7e1ae4ef47a54dbb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
3a57d5570bea9d83b701c022de0b806e

SHA1
2039039fad818f0d268c5ef589557383627c5571

SHA256
9939a4bfea864fe5dfc42af940f1b4f926cbf6ae11a61e05b4ace22643b36e1d

SHA512
0fa579188409d1def07dae2addc2553d639bba4249ba2b50cb2d571f4144f138bef7f47e74b566a17c981ac56976d0508eb1365e3f7f81f67714066bb45096b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
c1b456992ac53a3c12a0c417142d001e

SHA1
939c812b68365ca549cbb72eb28a8ecb760a31a1

SHA256
c02b519610d1477c686eeb7ca12268ea80fc3f94b98715ab6e4904598b59a130

SHA512
3a60f6ca8a38b35e4d698ffe7651fba26b68d3dfe28a218b0959f9cf768849f1ec58f214e8758ac57ba5fb547a4bbe7aa2dc640ec1b39171e05514ee87b1d75d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
f06ba4913d96f0e004fef671f2ba0229

SHA1
c0df680f1fe784f2f97dd04f9dc2ae1ee50b4920

SHA256
0518662a7748577d29e44bb4baca70d14c26068339a7b305b30ca3c51fd892be

SHA512
dff364a114a9ba4ea4a6a898f7553b684238ecac13945ed2894d9e2948fba6ded4a8bea26ee7b7c45c8f62b72dfa0907d0f6246a3b7abf2b70a0741c9a4ae476

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
c7608e903c2ba4ba468943cc77716a65

SHA1
ca5281c13a2ce6a5cc7b22281b405a782d077f03

SHA256
16eb018c633697bce3e8ed707510fdb7d13bfaaf5df462496e668f5767c351e9

SHA512
f6ba143bb7099e143ff6925882c3f5657a88b378a795c07cd055259535a7a233b4e769414acaf5463ef19a675abb87d4c52761a0346c53b2ee11bdc26b8e5f0f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
d23386294ac657daf104adcb9cf5045b

SHA1
1079cfa64070c73624b42f78d725aba83f824c3b

SHA256
20dc3d22de3bbc385954ca1e97403deb5a1d6e8f0891ea34e03fa09a897f7a1c

SHA512
d830e238d22fb7b1fbec242ec3586f75a654532b22cc32531ff4e232d7c27986c7d56079c82d2b8347c58ddb0b02040aab91bd680170fc4a8b67fd7f0b08fe8d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
93095ff6e2ff79d4b6c92847faba3616

SHA1
a120843b8559b75b8c262230e83131ea85e7efa1

SHA256
e797e51cfe47f1864be3afffe1f54e14884659502ba9205d219491b4835c41a0

SHA512
f97a849ea9285faf3034ce2f519c4550ddac67dcf4914c7cae3ed7d82ebed324a7478bd05c48b8fea1b31338e066538e1deec7c32ece060882b27a986e605a3c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
d6912b97e4d5c03ae4faf64709de7642

SHA1
835500dcb6a8c17a45bc6fb7870b29dadeda5e21

SHA256
cf7659ce1937afadfd069022f3821f7cc4654745482a323b4d9bb2efc6beaf29

SHA512
3d57dabf5207d01bd4d390f4b3e212b7fa3cd1e878ce535ac7ae141f9dfa2e5ed7c3095287c43aa4a1e01f9482181b4b29316364df0efe6f71304e8aae53c850

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
b0ef9c044a83882c17ba62c9818be224

SHA1
4f7a6dd036918fcb841e1e63f66e05a1c9e89b97

SHA256
94551e41054141c135acd6afc54eb67dd4c6c749c8b807062c30dc11cc9d2ecc

SHA512
d33e2db74bdd583159e7b48b7cd275034614cbfb3dd4d984676e59bfeb20b1237c11defb20bdcc5f25afd996595a8a727841896ca44144394cfa2d8ec7e95486

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
5647682dff9fec7f87a8ec10cc187702

SHA1
007e93c5dbe0fbb07b7304bda7db0d142e59ca25

SHA256
c666eec31cff237d184e330a6b235ac37849256bcf06b831bdaaf4278b24bbb4

SHA512
01a27349ade64c294413786a516c69bd671e462eaa419194c070b5cea69edfa104caf228a4f5e8ab67fd9ee2ac1d89eb6a3b303ba726b699e7c1e68160387c80

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
b0ebd38920532a74d42f0f74f8d5ed8e

SHA1
b5243fa7711d725d0a6fab61e79af2fd075cecff

SHA256
fcd311285c3fa05dd0b0fd345a284e7dca35101e8ccfa9073b61534ec793caa7

SHA512
d16229d599396f2acf9617ae241032c7137389780c909bee3626d4f1152b8e30294fa3ecafbbd8ab2a26597caf02566b7561383b4429b7f992239bb3f53a9b78

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
4149cf56fd87851ecfbeea6129041ba4

SHA1
ea6702a2abd5e6320c3f91aed52006d50f8c3146

SHA256
bf21f0085217cda2218cb26456ff46e4613f9d1c9c4ebf2a436004f10d77d858

SHA512
511ba24e8e7b0319097d15556014371fffec4f698ec932be2b320c14a03565b96d317d4249856a7d997f262a2046d39a229cbf82040e5710c406d2563807f58c

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
75f1813742f97569375d1fc07f4a6faf

SHA1
d69bd138b81230b7b4d0b8dc99da4b1a52447b9d

SHA256
f846b75effbc502a2783cb098ad0d65dffe14fe35d1d8675001743cf2eb90a5d

SHA512
1167da8cd9c3cf337dd511d1f7c6b2a3f653e878766d43a7703804ecf84dfe894ff35093065d2e4107c544de558663dbcf5546db537ce21201d937c6b295418e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg

Filesize
49B

MD5
9f9d7c3ba5d3c98c3d926f63b29239da

SHA1
4074ca1b6563d5ee19f0cd4ebe5fd28e1420fd52

SHA256
9139ece6eaae1f2a08374b2f0a4b16ebfc16dfc59b884bc630a210ed1501290b

SHA512
84dd120db602be5ec763d7c63f62be3b4af26318eaba3cd80d3ebbba4da4be7f913da5cb05012250acf45fe0bc83acb9a949a5e3294b9654f2abf95d60d353e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
a9e3301664ae496d1ebb3b8b9cead3e9

SHA1
802e56cc296e9918179ae06eaf2cdbb23e3ca4e0

SHA256
aa608421cae334022918a2c10ec36c7bbd739e3ac8247fde4587350079a1e10a

SHA512
e6418bfc27a8ce2d2e7b70e80837453c8996f0d9b51729db23b79d37c7e81f794589604a66130dda2d70a589ae356ce134fadff0e1e14b2bc35682fe8f13229c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
924048d8d467ccf3acd886d2956afd1c

SHA1
5737d95520aaa46b1060ca80c998c25acedc041e

SHA256
36eaf48d2108524414459e147ed1212d34589d20aa97a72e2858684b90f625d5

SHA512
81e09d28e17f560f26e9068d0ab9cdb31cb90d765ee4758ea8b0c9407d25e1f01e9cf8ec274db7ad1ad8712d4c23c9261750cb83e8b04d7be8f73d7295395c47

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
aa49658b5a2e8ad127a24a75af0ce9e4

SHA1
d44c0ed0c68d40436b39e1bd57376681fa7b2389

SHA256
980feb78d893eb74e3daa71d2c509f7e5cbb8fdb09352f0356aaf0a64f22b640

SHA512
ff178fd4d321a9005e1f895d3d2c6bc8c37ab61ead05b33c2f57eb1840e6dd5bbb3a85eaa7dd7512dda17751d1cd1185cc7c746b545ea44ab3a67b323f1c3d0b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
7bd56cfeda28ecfdc8566d8570556b35

SHA1
57a5e59f215875850182f9296f979abeed7ca629

SHA256
f61940b42a6c710aefcdf8697fa35130f124c703d7e908fd7beafcf3bab6cd41

SHA512
95814f8401e44a91afd139f3e3c5b2de15812f02b2434cdb0ef5f8cf5a9d6eb93207659cbd1c7d29486a0c17d53832620c2a97af1785f9ba6e90e94dde105303

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
86751e5709e5c217b4a50bb9697b4adb

SHA1
943662c5f23ddbe0337da0de7158d7f33dcbaa14

SHA256
b63e9c5d1c27671352e87e2be3392be0ef48624c964f302ef79211924268a271

SHA512
fbfe2200e1500165f164904a88c04d28c4630f06072f474aade92f63602b29c13144fd7a80cf07e687b74c246a9112c1d1cb270ce1d358bc9e8df452439473b2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
f23ece125bce2f70569e83652689ac2d

SHA1
310725a77ea1e30bf270ae7a4b50235e08723a04

SHA256
9598058699f1e2b042b525b805b1ea0d06b29112f93880f97042fe77c82178a1

SHA512
37cdd6caa54c3724bc55b73cb2e1588b1adbb8b420401fae8662eba3d410a6a831b8ac328ccdb0d5e8e4a69156a54544913df282e87531c4c97a13a7c854a32a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
61B

MD5
096f4681925780029c2e42cbd36aba87

SHA1
406e33e9f52e87168bc3b1056095ccaa4d7cf4ae

SHA256
99059973b4d6f81d47a9a1953b09a19b671e79141d2783006fc09007e393c8ed

SHA512
4cf442089a2a840b5be215aa6524841345b9e2019588785025182a651849230b92535755d0adb36b9f32ed6760a10128b58ebb5cb74989af0e1cf6fe7a6c0eee

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
83a4d9a931bb46b99e7aec01c192ebab

SHA1
40ad48b547e84c942d0ad3c3c29c985af116c184

SHA256
e90123d8a8cc54b8ea0e438d5d6fe4611dcf5b194e68f034301bcf2bb35bc9cd

SHA512
f14676b9d894c685e43941f88b23cb629ae12b4b62569540caf59957b762ab41bab1c2eef0a2821895382bfaebc39000d018a20c2c9e171dd1193efb97392aa1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
583d94e53487ffd8187dc71e719aeeb0

SHA1
2855204767df9d7fd4fa6925269b6e809af92210

SHA256
8e7ec64cfb60ff3131cc76abc51eb30bd13020a99325f3b2c4f912f20c40d620

SHA512
1dc3b9de11adf8311ffe34c8fac588260e4e50a1bb4058a489953da475686734ec711f4d4dbdaefee27ebf7de09be7546308501141adac1bae3f14a443b51312

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
1d1cbe2850df99ae2bec4e302bca9a4c

SHA1
0e0fcdfa235ea1813dbcf1f51e822009eb15c90e

SHA256
19c732c1f5bbe2eb8ed9fd758614f538ebce52cc8b2e78ccb4d6450ce7d46d6d

SHA512
f5ef0e3c48d5cccadb10196452922dca59954a3dada3ad92e8c56d06b404432f87abae7c7cb8efc12da510de62dce6dee02f6cb872ab56ffc97bb0a45117a36c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
6659ff5b159be2027d72e23767c751b2

SHA1
bc8cbb6b85e37e775e6d4d16bee78fac2dbf4432

SHA256
903cd712bc6ee07e95d7ba75f8eb5a800a57277a85673a55c739a84355a14271

SHA512
da74eedf8ac87003100444fc5b4e89bc9d54c4aa65b55a065029406cf61d99f10067dbc83fff8905f63aa2d2e118aafa33acb4b903cd62bd926539f7b9d89f47

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
d1fb315b7912a1b3be547f961555964d

SHA1
0d187084885d8d9e8276d0855d7c364d8e2d4ad3

SHA256
f86222c5dbfff5f0887ae5567b23f41f2066b83369e40895fc490a672917540d

SHA512
46283c1a0a5bdfb7e24abf8e453b9c037944d7f81972846bb30971f7b4c7ad6c663ed2b52fd5cb3b43acde3c9df25c6706f0bd29fbe0131ba996d8b921c02f9e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
1cadcd214253f9255c5d392a3c14b9c8

SHA1
daf7987256dc751df02f737dffcefc7022111111

SHA256
d0b5ec753455631f66c43d0b4ac6080b97a544a14f3475f5e9eabc851a73f89d

SHA512
1b0af146bb746787c6e1c7cdfa228be54509fd8423172907bf3d22f5fd5d318ae9cedf3efe63f4b75ccd2c672397d3a0ea445a4b55c187b65a8146cfb03278fd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
3895e35e2d83d980a350b1b1ce167ae8

SHA1
266e994ff47340055d25c86e5c8977724c34678e

SHA256
d423ecd6bcf1c64d00457c0af5dd4055dcc92ffeb884818c78a6601623c777a7

SHA512
4e06f21cf68cd84d4ae73635566cdbea877eeb55b57fda4c1037fc1b465db2e7396c2966ea69521fc9cde0fa62f9b1355f39857a971c702b793632dcc9585e5e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
0b8938a43e262aac32b00ca2d298a1ce

SHA1
284869981150915bb90c2883a30f7f81942df88d

SHA256
a0242a3b303344926a74cf7de74a81b771b87c669a893237cd8591f1eb43432a

SHA512
185dffd31be62cdc0ea8f2574a6ddbbddd3911181be566af1ddc42560476bbda0d86eb3711fdccdfd41d089b6b98ab7085340f2dfa7d4449ed03edc6b2751e79

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
65B

MD5
e8a730d1185cd6b194944fcfe297e80d

SHA1
a13238eefef318549cde3284b9545876cc6dbc6e

SHA256
fc731c226948631d5e96d50c297b6e264200ec89db12ebd2b1596d2597470e14

SHA512
4e2e88a838261a4b39b43835d9b7e4cb17596b4f07a20218f8105d2076e6d0f0c551e32c1ee9a352f8895d7addbeb6811cae1758fe0372b6049a256fecd2f5dc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
65B

MD5
22b19c00b7348ab83a474750a2c790ce

SHA1
271e3cfebfe35dd5371c0b64b645358c3c1a62cf

SHA256
1dc20a7e194b4337fa37404691d71e99797161723cf466e2bc079a024ae8a5f5

SHA512
98feb923fcc20b67057a040a025c8fd1d2757531ba97026b297716ade9b1db7170a82c586717f759c7658fb2058df5bad23f161aceff5b92a7d139422fe1c899

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
f1285ae6f51de7aced9a26d0b9977e21

SHA1
d0e523053e8dfc5c34005e3afb5ddd9657270573

SHA256
42633c994ea3d6d3af86662326837bd06d3eddaed7f80af401581b80a1243933

SHA512
ca2051e1417004a86256ab474ab2b5e18958ed3ff6b13b1e8ee728c35c9d3c21345b952585e34933a919697757b80ad740722cd100f8fcfae5dbe9fdee333cd1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif

Filesize
65B

MD5
b1ae5f294ff5d49566b51ae285bf6c5d

SHA1
58a44f32ee08a3d0e382092730c91478c6884697

SHA256
ce45d7377685f7c6d9b00a16d006dfe6d5e5885856fa75606bfd878e5df54ef1

SHA512
4c24fa7e5307f1aa98507fb272f555ab58bad7e2a2589c35089687b48b2ec752675a6bd0fd9d99eba9960e0bfa9dd24e2438a897813c6d8ea903004b7bf0018a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif

Filesize
65B

MD5
e7371853ebedc78dffa660de178fe904

SHA1
791b3d3950a4b915ba4b3aac817bac4f27e8d67c

SHA256
4c9981689f91b2bce269a37bbc24a269c9e30e10e0154ea83d737049cc4b53c0

SHA512
aca85bf51a638718372b3d42f7dd7509d6dd7a08d6c271189f074940515b221a7e6d997b4037d240f8405597dd6ffd84a233caf7ae4a3b16aa97b66bfcead2cd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
cc00c7927c0bec9932536fa4de5216b6

SHA1
54ac5ba6bac1e6ed2138852b1ac77ac7f5a922d4

SHA256
f8cb5fa7d94d127675418182c0406ebf8af80d1cb758ca4960f09cca95c609cf

SHA512
45c8d6405d3c1b5b23a988dc26d9d6d4c898977706dfa3bf6a5c0d2eb09b9dc174bbd18925d30a7fa6f2f1bbc34a0bbb9d47af33eb23a23d68ce63a046e9a7bc

Download Submit
memory/1244-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-2518-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-2514-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1244-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-7438-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-12-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-5245-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-8883-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-9115-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-9116-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-9117-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-9118-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-9119-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-9120-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-9121-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1244-9122-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads